In light of the revelation that the NSA has a variety of ways of accessing encrypted information, we reached out to the Electronic Frontier Foundation for their thoughts on what it meant for personal online communication. For example, could hackers take advantage of the NSA's encryption back doors to access your information? Well, no, hackers aren't much more likely to be looking at what you do online than they already are. You should do more to protect your privacy from them anyway.
"It does not come as a surprise," Eva Galperin, Global Policy Analyst for the EFF, said about the new revelations. After all, she noted, the NSA (and its partner agency in Britain) is "attacking encryption on all fronts." She ran through the ways: They try to introduce weaker standards and they approach companies that use encryption to get them to grant access to encrypted data, both of which were reported on Thursday. They "use mass," throwing huge clusters of servers at brute force decryption. They read data from routers and switches. And "they go after end-points" — meaning people's computers. In other words, the NSA's ability to decrypt your data on the fly is not the only privacy challenge you could face.
(An aside: The NSA will assert that if the "you" to which we are referring is an American citizen, they can't read your data, by law. Except that there are big loopholes, like "accidents" or if you are very loosely connected to an overseas suspect.)
Our question to Galperin was whether the NSA introducing back-doors to encryption standards or working with tech companies meant online communication was necessarily unsafe — or if hackers could use the same tools to access our information. Her answer, in short: it doesn't matter much. First, because of the list of ways the NSA can spy on you if it wants. But mostly because you should be using different encryption anyway if you're concerned about privacy.
The NSA has a "store of zero-day vulnerabilities," she said, a collection of known security flaws that have never been used publicly (ergo, have been known about for "zero days"). But the NSA isn't the only one that has them. "There are entire exploit markets out there," Galperin said, that allow hackers to share known exploits. Companies and the government buy zero-days and exploits from hackers; it's one of the reasons that the government is deliberate about building relationships with the hacking community. In other words, your privacy is at risk in many ways and from many actors.