Most of us — at least the cynical ones — assume that the NSA has probably beaten most of the encryption technologies out there. But a new report from Der Spiegel that draws on documents from Edward Snowden's archive shows that this simply isn't true. There are some tools that the NSA, as recently as two years ago, couldn't crack.
"[Some users] think the intelligence agency experts are already so many steps ahead of them that they can crack any encryption program," explains the report. "This isn't true." In fact, there are several encryption technologies that gave the NSA trouble. First of all, the documents show that the NSA had "major" issues trying to break the encryption on both Tor and Zoho, the email service. Truecrypt, the now-defunct freeware service for encrypting files on your computer, was another thorn in the NSA's side, along with Off-the-Record, which encrypts instant messages.
Another good tool mentioned is Pretty Good Privacy, which is shocking given that the protocol is two decades old, originally written in 1991. But there are also combinations of tools that the NSA describes as "catastrophic" when attempting to crack. Here's how Der Spiegel describes the special sauce:
Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.
There are also plenty of seemingly secure services that the report shows are easy for the NSA to monitor, just as you might already assume — including VPNs and the HTTPS connections that many of us see on a daily basis when logging into banking sites and other supposedly "secure" websites. According to the report, the NSA intercepted 10 million of those https connections every day in 2012.
Then there are the details about how the NSA proactively fights encryption online, including attending meetings of groups that create the standards for encryption, like the Internet Engineering Task Force. This way, the NSA can influence — and water down — the internet-wide standards for privacy in a much longer-term way. In one of the more ironic sections of the new documents, we learn that while the NSA is responsible for recommending the best security standards to the US National Institute of Standards and Technology, at the same time it is looking for ways to break the tools it recommends.
It's a harrowing new look at the NSA's encryption-breaking prowess, but at the same time, a heartening glimpse of the freely available tools that still provide a modicum of privacy. More than anything, it's a reminder that the NSA is throwing all its weight into cracking these protocols — and none of us can ever assume that a single encryption tool is truly private. The entire report is well worth a read. [Der Spiegel]