Saturday, September 7, 2013

PRISM is the Least of Our Worries

As it turns out, the NSA's $20m internet surveillance program, PRISM, may very well be the least of our worries as internet users. Recent news suggests that US and UK spy agencies have successfully collaborated to make groundbreaking developments in cryptanalysis, namely cracking the encryption used to protect emails, banking, and medical records. The NSA and the UK's GCHQ have, over the past decade, been working on making encrypted data collected from the internet "exploitable" by cracking its encryption. In 2010, they made a breakthrough which finally allowed them some access through or past encryption security. The NSA's and GCHQ's decryption programs, BULLRUN and EDGEHILL respectively (each named after a significant battle in its nation's civil war), are being kept under tight wraps, with instructions being circulated to "not ask about or speculate on sources or methods" relating to the success of these programs, BULLRUN in particular. What is known, however, is that BULLRUN's $250m budget pays for a combination of cryptanalysis research and covert work with tech companies to provide the NSA with structural weaknesses and backdoors.
The NSA's BULLRUN undermines the integrity of software development by having tech companies insert weaknesses into their products. This brings up a very valid question concerning us, the consumers: how can we know who to trust with our data? It's already difficult enough to discern who to trust without the worry of potential government backdoors, but this added element pushes the paranoia overboard. One would assume that a company would have to post a notice of any such existing backdoors in its End User License Agreement. However, considering the shroud of secrecy regarding BULLRUN, there may be a precedent for permitting the omission of any such clause. It is possible that no such precedent has even been set. The PRISM developments do not fit into this category because there is no formal End User License Agreement or Terms of Service for the internet as a whole. However, if one assumes the government to operate within or above the sphere of legality established for a person, then we can look at corporations implicitly stating personhood, such as Facebook. Facebook is well known for selling the information of its users. They even state this in their terms of service, saying "We only provide data to our advertising partners or customers after we have removed your name or any other personally identifying information from it." However, they have been found to sell identifying email addresses and phone numbers. If government agencies followed corporate precedent, then we would be able to know when services we use are prime targets for domestic espionage. However, it is within the realm of possibility that the same government agencies find secrecy to be more important than public awareness, and purposely neglect to inform anyone of the backdoors embedded in the services, applications, and formats we use daily. Considering the clandestine nature of these organizations, this is more than likely.
Recent developments have Americans shocked to find that spies are not to be trusted. If one considers American citizens who use the internet as "American internet citizens," it is important to note that domestic espionage is the online equivalent of a police state. With the internet as prevalent as it is, a new frontier of information is slowly being taken over by the public sector. Our current laws are not up to date with the rapidly developing cyberspace. Our founding fathers intended for us, the American people, to update the Constitution regularly. This intention has rarely been realized, but now is a crucial time to do so. God Bless America.

3 comments:

  1. The BULLRUN project was something I felt was the next logical step, but was unsure whether they were doing that. I wasn't really sure how they'd get into your email other than by having backdoors that the company gives them - although it turns out it was just by splitting a fiber optic. So, originally, I just assumed they asked the companies nicely and the companies gave them the information they wanted - this is kinda the same. Good post.

  2. Should we be worried about the encrypted data we send now that will be crackable in the future? The encryption standards we use are not set in stone and have changed in the past. We know they will change in the future, so isn't it likely that the encrypted emails we send now can be cracked in another decade or so? It seems that even if our data is relatively safe now, it won't be later. If the NSA collects personal emails, even if they are encrypted, the content being crackable is inevitable. It is known the NSA actively spends millions of dollars on research in this field, but not commonly understood that the security of one's data is a relative illusion.

    Replies
    1. The issue with that is that the internet is based on a set of standards. Currently, those standards are widely accepted and generally regulated by NIST (National Institute of Standards and Technology). As it turns out, the NIST standards for encryption have been influenced by the NSA. The NSA is basically controlling what encryption we use based on what is convenient for their information gathering purposes.
