Yes, the NSA Hacked Encryption — But You Have a Defense

In light of the new NSA revelations, we reached out to the EFF for their thoughts on what it meant for online communication. And: Whether or not the NSA's loopholes are used by hackers, your web use should be better protected anyway.

This article is from the archive of our partner .

In light of the revelation that the NSA has a variety of ways of accessing encrypted information, we reached out to the Electronic Frontier Foundation for their thoughts on what it meant for personal online communication. For example, could hackers take advantage of the NSA's encryption back doors to access your information? Well, no, hackers aren't much more likely to be looking at what you do online than they already are. You should do more to protect your privacy from them anyway.

"It does not come as a surprise," Eva Galperin, Global Policy Analyst for the EFF said about the new revelations. After all, she noted, the NSA (and its partner agency in Britain) is "attacking encryption on all fronts." She ran through the ways: They try to introduce weaker standards and they approach companies that use encryption to get them to grant access to encrypted data, both of which were reported on Thursday. They "use mass," throwing huge clusters of servers at brute force decryption. They read data from routers and switches. And "they go after end-points" — meaning people's computers. In other words, the NSA's ability to decrypt your data on the fly is not the only privacy challenge you could face.

(An aside: The NSA will assert that if the "you" to which we are referring is an American citizen, they can't read your data, by law. Except that there are big loopholes, like "accidents" or if you are very loosely connected to an overseas suspect.)

Our question to Galperin was whether the NSA introducing back-doors to encryption standards or working with tech companies meant online communication was necessarily unsafe — or if hackers could use the same tools to access our information. Her answer, in short: it doesn't matter much. First, because of the list of ways the NSA can spy on you if it wants. But mostly because you should be using different encryption anyway if you're concerned about privacy.

The NSA has a "store of zero-day vulnerabilities," she said, a collection of known security flaws that have never been used publicly (ergo, have been known about for "zero days"). But it isn't just the NSA that does. "There are entire exploit markets out there," Galperin said, that allow hackers to share known exploits. Companies and the government buy zero-days and exploits from hackers; it's one of the reasons that the government is deliberate about building relationships with the hacking community. In other words, there are so many ways that your privacy is at risk and from so many actors.

Galperin pointed to a Guardian article by computer security specialist Bruce Schneier, who wrote on Thursday, "Try to use public-domain encryption that has to be compatible with other implementations." By using open-source encryption tools, like PGP, entire communities of people watch the code to ensure that no back doors exist like the ones the NSA added to at least one international standard. ("The good news," Galperin said of that standard, "is that cryptographers had noticed before now that the standards were weaker.") By using that encryption, you force the NSA to use tools that either require "more overhead" — like banks of servers or analysts specifically targeting your computer — or that it can't reuse, like the zero-day exploits which could lose effectiveness after being used once.

Another of Schneier's points — "Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn't" — would resonate with Galperin. "Even though this is a big story about how the NSA owns everything," Galperin said, "it's really a call to action." Use more encryption in your communications — see our guide to doing so — and it makes the NSA's job more resource-intensive across the board. Once upon a time, internet users relied on "privacy through obscurity," the unwise idea that your own online existence was unknown enough as to ensure no one ever saw it. Now, a revision: "privacy through increased overhead." It's not a perfect response, but it is apparently one of the better responses we've got.

This article is from the archive of our partner The Wire.