New NSA revelations and why encryption still matters
Today the Washington Post reported that, according to documents provided by Edward Snowden, the National Security Agency had broken into the communication links between data centers belonging to Google and Yahoo. Over a 30 day period, the NSA allegedly gathered 181,280,466 records including email metadata, text, audio, and video. Based on statements given to the Post by Google and Yahoo, it does not appear that either company was aware that this was taking place. When two engineers close to Google were shown a cute diagram the NSA had allegedly drawn to illustrate how the data could be intercepted, the engineers "exploded in profanity" and said, "I hope you publish it." The Post did.
Within an hour or so, NSA director Keith Alexander came on Bloomberg TV to say that his agency never infiltrated the companies' servers, calling the report "spurious." Fair enough, but the Post story didn't say the NSA had infiltrated any servers. It merely said the agency intercepted communications between data centers that weren't even encrypted, according to the report. And besides, as some pointed out on Twitter, the NSA is deft at achieving the bare-minimum requirements for plausible deniability. (One observer wrote, "Latest NSA rhetorical device: 'we don't do X' means 'we don't do X, a foreign partner agency does X and gives us the data.'")
But if the report is true, and there's a lesson to be learned from it (aside from "WTF, are you serious, NSA?") it's that despite the rhetoric coming from some security experts in recent weeks, encryption still matters. A lot.
Last month, ProPublica, the Guardian, and the New York Times published a report stating that the NSA had been conducting a "secret war on encryption," working with American and foreign tech companies to deliberately install weaknesses into commercial encryption software that they could later exploit to collect data on users. Does that mean we should just give up trying to protect our data? Not at all, argued security specialist Bruce Schneier who saw this as a teachable moment, encouraging people to beef up their encryption to fight back.
But others called the rallying cry for more encryption a fool's errand. Union Square Ventures' Albert Wenger wrote:
We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home. Our homes are safe from thieves and from government not because they couldn’t get in if they wanted to but because the law and its enforcement prevents them from doing so... Surveillance is a political and legal problem, not a technical problem.In other words, what use is a 10-inch steel door if the intruder has the key?
Wenger is right that this is a political and legal problem. But just because the NSA may have the key to your house, that doesn't excuse leaving your door unlocked at night. Just look at the latest revelations surrounding Google and Yahoo. Last month, Google announced it was racing to encrypt the communication channels between its data centers, implying that some or all of its connections were laid bare at one point or another. “It’s an arms race,” Eric Grosse, vice president for security engineering at Google, told the Post. “We see these government agencies as among the most skilled players in this game.”
For its part, Yahoo has not said it will encrypt the channels between its data centers.
And it's not just big companies looking to strengthen encryption. Secure email clients Lavabit and Silent Circle, both of which suspended operations under pressure of authorities, announced an alliance today centered around providing secure and private email. Known as the "Dark Mail Alliance," the two companies call it the "next generation" of secure communications.
Of course, just because companies big and small get their act together on encryption, that doesn't mean the NSA won't pressure companies to give up the data knowingly, with or without subpoenas. Even if companies use the so-called uncrackable "quantum encryption" (which by the way is very well-suited to the type of point-to-point server connections the NSA is said to have cracked into), it won't make a difference as long as the government continues to "compel" tech firms to hand over the goods.
But without robust encryption standards, there's no way to keep large tech companies accountable for their data. Google and Yahoo can simply say, "We didn't know!" like a man who "accidentally" leaves the backdoor unlocked, so a murderer can kill his wife, and they can split the insurance money. If the doors are dead-bolted, and the NSA still gets in, then we know something's not right. But we shouldn't let companies hide behind incompetency and the notion that "encryption doesn't matter."