snowdenfeature

During a video conference hosted as part of the South by Southwest Interactive festival on Monday, Edward Snowden told attendees that encrypting Internet traffic might help stop the National Security Agency’s spying.

Today, however, the Intercept today reports that the National Security Agency plans to install malware on “millions” (those quotes from the Intercept’s own headline) of computers across the globe. That malware would allow the NSA to activate its targets’ webcams, prevent them from visiting designated websites, or monitor their computer activity in real-time. The Intercept writes:

[The NSA's malware] implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.

According to the report, these implants can be installed through man-in-the-middle attacks, through which the NSA intercepts communications between a computer and the Internet, or man-on-the-side attacks through which the agency forces its targets to visit their servers and installs malware that way. The Intercept reports that the agency repeatedly impersonated Facebook’s servers to install malware with these attacks. (A Facebook spokesperson denied knowledge of the programs.)

But, reportedly, a computer needn’t be connected to the Internet to be infected by the NSA’s malware. The New York Times reported in September that the agency has compromised tens of thousands of computers, some of which weren’t online at the time of infection:

The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.

While most of the software is inserted by gaining access to computer networks, the NSA has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to NSA documents, computer experts and American officials.

And even if those computers avoid these implants and the NSA’s other efforts, the agency has reportedly compromised the encryption standards they use to keep their data secure. As the New York Times and ProPublica reported last year:

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

The NSA hasn’t only weakened encryption standards. It doesn’t simply infect computers without requiring that they be connected to the Internet. And it doesn’t just monitor some of its targets’ computer usage before it could ever be encrypted or otherwise protected from the agency’s unwavering gaze. It does all of those things and, possibly, much more.

None of which is to say that people shouldn’t encrypt their communications — we all should, of course, as Pando’s David Holmes has written before — but, if the Intercept’s report is accurate, that’s still not going to prevent the government from spying on us.

What’s surprising is that Snowden, who collected the documents used to report these stories and selected the journalists to whom they would be sent, didn’t mention that warning in his keynote. Indeed, the New Yorker reports that Snowden is convinced of encryption’s power:

Snowden, for his part, was even more optimistic about the promise of encryption. ‘The bottom line is that encryption does work,’ he said. In support of this argument, he pointed to his own use of secure communications. Since he revealed to the world the inner workings of the N.S.A., the U.S. government has had a huge team trying to track him and his work, he said, but as far as he knew they hadn’t succeeded.

Perhaps Snowden should read some of the stories based on the documents he leaked. Either the threat of NSA snooping enabled by compromised encryption standards and malware aren’t as terrifying as they are made out to be, or encryption — which he described as “defense against the dark arts” — isn’t quite as foolproof as he claims.

[Illustration by Brad Jonas for Pando]