Secret documents reveal NSA spying on encrypted internet communications

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

1984, by George Orwell.If you haven’t read the articles in the New York Times or The Guardian today, you probably should.

If true, it’s one of the most shocking things you will ever read about the internet.

In a nutshell, documents obtained by The Guardian have revealed that the NSA works with technology companies to “covertly influence” product designs, helping them to collect “vast amounts” of encrypted data.

According to the documents provided by whistleblower Edward Snowden, encryption tools that the NSA has had some success in hacking include:

Sign up to our free newsletter.
Security news, advice, and tips.
  • VPNs (Virtual Private Networks), commonly used by businesses to allow workers to access their office networks remotely.
  • Encrypted chat programs which provide end-to-end encryption. Such systems should not allow data to be decrypted at any point during the message transfer.
  • HTTPS – the long-standing method of encrypting data (such as passwords and financial information) between a web browser and a secure website, such as your online bank, your webmail or social networking site. If you’ve ever visited a website whose URL begins https:// and displays a small padlock, you’re using HTTPS to secure your communications.
  • TLS/SSL (Transport Layer Security / Secure Sockets Layer – used by HTTPS.
  • Encrypted VoIP (Internet telephony) services. Skype and Apple FaceTime are examples of free services that offer encrypted phone and video calls. The leaked documents suggest that the NSA is working with some VoIP services to obtain access to messages before they are encrypted.

The documents reveal the NSA was covertly working with technology firms to not only weaken encryption but also to introduce exploitable backdoors that could be used for surveillance

Perhaps most shockingly of all, the NSA appears to have been promoting deliberately weakened or vulnerable cryptography, and influencing standards.

The Guardian specifically highlights the National Institute of Standards and Technology (NIST) for a standard they published in 2006.

Part of leaked document

  • Insert vulnerabilities into commercial encryption systems, IT systems, network, and endpoint communications devices used by targets.
  • Influence policies, standards and specifications for commercial public key technologies.
  • The story is very important, and many will find it highly disturbing.

    If any weakness is inserted into the technologies used to protect the privacy of many millions of internet users it could be exploited not just by law enforcement and surveillance agencies in the USA or United Kingdom, but also foreign nations and online criminals. A backdoor in a security systems fundamentally compromises the security of all users.

    Quote from George Orwell's 1984

    We’re used to hearing stories of abusive surveillance by the likes of China, Russia, and others… but it appears that the United States and UK have betrayed all users of the internet as well, by undermining technologies that are trusted billions of times every day online.

    Further reading:

    NSA and GCHQ unlock privacy and security on the internet – The Guardian.
    NSA Able to Foil Basic Safeguards of Privacy on Web – New York Times.
    Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security – ProPublica.
    How to remain secure against NSA surveillance – Bruce Schneier, The Guardian.


    Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

    3 comments on “Secret documents reveal NSA spying on encrypted internet communications”

    1. Typo alert: "If you’ve ever visited a website whose URL begins http://" should probably finish 'https', not 'http'.

    2. Spryte

      Disturbing… somewhat.

      Surprising… not in the least.

    Leave a Reply to Spryte Cancel reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.