How the NSA is Tampering with Encrypted Communications (and how to fight back)

National Security Agency Headquarters. This photo has been released to the public domain via Wikimedia Commons.

National Security Agency Headquarters. This photo has been released to the public domain via Wikimedia Commons.

This post was co-authored by Dan Auerbach, staff technologist at the Electronic Frontier Foundation.

In one of the most significant leaks of information about US National Security Agency (NSA) spying, the New York Times, the Guardian, and ProPublica reported last week that the NSA has gone to extraordinary lengths to secretly undermine secure communications infrastructure online, collaborating with GCHQ (Britain's NSA equivalent) and a select few intelligence organizations worldwide.

These revelations imply that the NSA has pursued an aggressive program of obtaining private encryption keys for commercial products—allowing the agency to decrypt vast amounts of Internet traffic sent by users of these products. They also suggest that the agency has attempted to put backdoors (well-hidden ways to access data) into cryptographic standards designed to secure users’ communications. Additionally, the leaked documents make clear that companies that manufacture these products have been complicit in allowing this unprecedented spying to take place, though the identities of cooperating companies remain unknown.

Many important details about this program, codenamed Bullrun, are still unclear. What communications are targeted? What service providers or software developers are cooperating with the NSA? What percentage of private encryption keys of targeted commercial products are successfully obtained? Does this store of private encryption keys (presumably procured through theft or company cooperation) contain those of popular web-based communication providers like Facebook and Google?

What is clear is that these NSA programs are an egregious violation of user privacy. Under international human rights doctrine, users have a right to speak privately with fellow citizens and to freely associate and engage in political activism. If the NSA is allowed to continue building backdoors into our communications infrastructure, as law enforcement agencies have lobbied for, then the communications of billions of people risk being perpetually insecure against a variety of adversaries, ranging from governments to criminals to domestic spy agencies.

Faced with so much bad news, it's easy to give in to privacy nihilism and despair. After all, if the NSA has found ways to decrypt a significant portion of encrypted online communications, why should we bother using encryption at all? But this massive disruption of communications infrastructure need not be tolerated. Here are some of the steps you can take to fight back:

  • Use secure communications tools (read some useful tips by security expert Bruce Schneier). Your communications are still significantly more protected if you are using encrypted communications tools such as messaging over OTR or browsing the web using HTTPS Everywhere than if you are sending your communications without taking such precautions.
  • Finally, the engineers responsible for building our infrastructure can fight back by building and deploying better and more usable cryptosystems.

The NSA is attacking secure communications on many fronts; advocates must oppose them using every method they can. Engineers, policy makers, and netizens all have key roles to play in standing up to the unchecked surveillance state. The more we learn about the extent of the NSA's abuses, the more important it is for us to take steps to take back our privacy. Don't let the NSA's attack on secure communications be the end game.

The original version of this post appeared on the Electronic Frontier Foundation's Deeplinks blog.

1 comment

Join the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.