The New York Times

September 6, 2013

Legislation Seeks to Bar N.S.A. Tactic in Encryption

By and

After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mail, online transactions and other communications.

Representative Rush D. Holt, a New Jersey Democrat who is also a physicist, said Friday that he believed the N.S.A. was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced.

“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”

Mr. Holt, whose Surveillance State Repeal Act would eliminate much of the escalation in the government’s spying powers undertaken after the 2001 terrorist attacks, was responding to news reports about N.S.A. documents showing that the agency has spent billions of dollars over the last decade in an effort to defeat or bypass encryption. The reports, by The New York Times, ProPublica and The Guardian, were posted online on Thursday.

The agency has encouraged or coerced companies to install back doors in encryption software and hardware, worked to weaken international standards for encryption and employed custom-built supercomputers to break codes or find mathematical vulnerabilities to exploit, according to the documents, disclosed by Edward J. Snowden, the former N.S.A. contractor.

The documents show that N.S.A. cryptographers have made major progress in breaking the encryption in common use for everyday transactions on the Web, like Secure Sockets Layer, or SSL, as well as the virtual private networks, or VPNs, that many businesses use for confidential communications among employees.

Intelligence officials say that many of their most important targets, including terrorist groups, use the same Webmail and other Internet services that many Americans use, so it is crucial to be able to penetrate the encryption that protects them. In an intense competition with other sophisticated cyberespionage services, including those of China and Russia, the N.S.A. cannot rule large parts of the Internet off limits, the officials argue.

A statement from the director of national intelligence, James R. Clapper Jr., criticized the reports, saying that it was “not news” that the N.S.A. works to break encryption, and that the articles would damage American intelligence collection.

The reports, the statement said, “reveal specific and classified details about how we conduct this critical intelligence activity.”

“Anything that yesterday’s disclosures add to the ongoing public debate,” it continued, “is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”

But if intelligence officials felt a sense of betrayal by the disclosures, Internet security experts felt a similar letdown — at the N.S.A. actions.  

“There’s widespread disappointment,” said Dan Kaminsky, a prominent security researcher. “This has been the stuff of wild-eyed accusations for years. A lot of people are heartbroken to find out it’s not just wild-eyed accusations.”

Sascha Meinrath, the director of the Open Technology Institute, a research group in Washington, said the reports were “a startling indication that the U.S. has been a remarkably irresponsible steward of the Internet,” which he said the N.S.A. was trying to turn into “a massive platform for detailed, intrusive and unrestrained surveillance.”

Companies like Google and Facebook have been moving to new systems that, in principle, would make government eavesdropping more difficult. Google is in the process of encrypting all data that travels via fiber-optic lines between its data centers. The company speeded up the process in June after the initial N.S.A. disclosures, according to two people who were briefed on Google’s plans but were not authorized to speak publicly about them. The acceleration of the process was first reported Friday by The Washington Post.

For services like Gmail, once data reaches a user’s computer it has been encrypted. But as messages and other data like search queries travel internally among Google’s data centers they are not encrypted, largely because it is technically complicated and expensive to do.

Facebook announced last month that it would also transition to a novel encryption method, called perfect forward secrecy, that makes eavesdropping far more difficult.

Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a civil liberties group in Washington, said the quandary posed by the N.S.A.’s efforts against encryption began with its dual role: eavesdropping on foreign communications while protecting American communications.

“Invariably the two missions collide,” he said. “We don’t dispute that their ability to capture foreign intelligence is quite important. The question is whether their pursuit of that mission threatens to undermine the security and privacy of Internet communications.”

Mr. Rotenberg is a veteran of what were known as the “crypto wars” of the 1990s, when the N.S.A. proposed the Clipper Chip, a government back door that would be built into every encryption program.

That proposal was defeated by a diverse coalition of technology businesses and privacy advocates, including Mr. Rotenberg’s organization. But the documents make clear that the N.S.A. never gave up on the goal of being able to read everything and has made what memos call “breakthroughs” in recent years in its efforts.

A complicating factor is the role of the major American Internet companies, which have been the target of counterencryption efforts by both the N.S.A. and its closely allied British counterpart, GCHQ. One document describes “new access opportunities” in Google systems; the company said on Thursday that it had not given the agencies access and was aware of no breach of its security.

But the perception of an N.S.A. intrusion into the networks of major Internet companies, whether surreptitious or with the companies’ cooperation, could hurt business, especially in international markets.

“What buyer is going to purchase a product that has been deliberately made less secure?” asked Mr. Holt, the congressman. “Even if N.S.A. does it with the purest motive, it can ruin the reputations of billion-dollar companies.”

In addition, news that the N.S.A. is inserting vulnerabilities into widely used technologies could put American lawmakers and technology companies in a bind with regard to China.

Over the last two years, American lawmakers have accused two of China’s largest telecommunications companies, Huawei Technologies and ZTE, of doing something parallel to what the N.S.A. has done: planting back doors into their equipment to allow for eavesdropping by the Chinese government and military.

Both companies have denied collaborating with the Chinese government, but the allegations have eliminated the companies’ hopes for significant business growth in the United States. After an investigation last year, the House Intelligence Committee concluded that government agencies should be barred from doing business with Huawei and ZTE, and that American companies should avoid buying their equipment.

Some foreign governments and companies have also said that they would not rely on the Chinese companies’ equipment out of security concerns. Last year, Australia barred Huawei from bidding on contracts in Australia’s $38 billion national broadband network. And this year, as part of its effort to acquire Sprint Nextel, SoftBank of Japan pledged that it would not use Huawei equipment in Sprint’s cellphone network.

Claire Cain Miller contributed reporting.