Agency, companies add vulnerabilities to secure traffic, Snowden docs show.
In one of the more remarkable and alarming revelations to come from the documents leaked to the press by Edward Snowden, a joint report from The New York Times, ProPublica, and The Guardian suggests that the NSA works with internet companies to add vulnerabilities to secure network traffic — and may be able to broadly decrypt online communications.
A less technical summary: The government has apparently introduced and/or pried open the systems that ensure privacy online. For privacy advocates, this is the worst-case scenario, which may be in part why The Times reports that the government asked they not publish the report. (The partner organizations "removed some specific facts.")
The topline, via The Times:
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
There appear to be two ways in which the agency (and its British corollary, GCHQ) have been able to do this. The first is by partnering with internet companies. The Guardian indicates that the GCHQ has "been working to develop ways into encrypted traffic on the 'big four' service providers, named as Hotmail, Google, Yahoo and Facebook." The Times picks up on that: "the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which 'actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs' to make them 'exploitable.'"
The second — and more alarming way — is by ensuring that international standards for encryption allow the intelligence agencies some (undescribed) pathway for decryption of traffic.