After XKeyscore, is encryption the next big thing?

The fallout from the latest revelations about the National Security Agency’s surveillance programs has yet to be measured, but one possible outcome could be an increased interest in encryption.

The U.K. publication Guardian reported on the NSA’s XKeyscore program, which collects millions of e-mails, Web browser sessions, chats and other communications in search of activity it deems suspicious. According to the Guardian, the NSA claims to have 700 XKeyscore servers at 150 sites around the world, and during one 30-day period in 2012 it collected more than 41 billion records.

In addition to collecting metadata, the NSA has the ability to sift through all kinds of unencrypted communications, monitoring “nearly everything a typical user does on the Internet,” according to the report, based in part on a 32-page 2008 slideshow summarizing the program. Would encryption make a difference with a program like this?

As it has since the Guardian, with documents supplied by former NSA contractor Edward Snowden, first reported on NSA’s surveillance programs, the agency insists that the program targets foreign terrorists and has strict oversight and compliance mechanisms.

On that score, NSA director Keith Alexander faced a roomful of skeptical hackers and security experts at the opening of the Black Hat conference Wednesday to try to convince them of the necessity, and the probity, of the operation.

But that hasn’t stopped people from becoming more interested in protecting their communications, nor has it stopped agencies, concerned about leaks and potential spying from other countries, from doing the same. After the initial reports that the NSA was collecting metadata on millions of domestic phone calls, Silent Circle, a company that provides peer-to-peer encryption, said its business shot up 420 percent in two-and-a-half weeks — and most of the interest came from government.

Whether news of XKeyscore has the same tangential effect on agencies for e-mail and Web encryption remains to be seen, but if nothing else it could raise awareness about a practice that has been regularly recommended and frequently ignored.

Some basic encryption has become commonplace on the Web, in the form of Secure Sockets Layer (designated by HTTPS in the URL, instead of HTTP). Not too long ago, websites using SSL were pretty much limited to those handling financial transactions; other sites didn’t use it, in part because SSL slowed things down. But with increased bandwidth, SSL is becoming standard for some sites, especially social media sites. Google searches, Gmail and Twitter use SSL by default, for example, and Facebook gives users the option. Free tools such as HTTPS Everywhere, for Firefox and Chrome, encrypt connections to most sites. And sometimes it can even be as easy as adding an “s” to the “http” in the address line.

Encrypting e-mail is another option that could see increased interest. Outlook and Gmail already offer an optional setting for encryption, and there are a number of commercial services, such as Voltage SecureMail (which has cloud and mobile versions) and Proofpoint. There also are free services such as Hushmail and Lockbin.

Agencies, of course, already use encryption for classified and other sensitive communications, but in the age of big data, analytics, social media interactions and nation-state Internet surveillance, even everyday communications could need to be protected. As the NSA’s programs show, intelligence gathering isn’t limited to trying to hack into government networks.

Reader Comments

Thu, Aug 8, 2013

I could pretty much guarantee that unless it is brand new, as in at this minute, there is not an encryption program in use that cannot be unencrypted by NSA and probably without too much effort.

Mon, Aug 5, 2013 earth

I can foresee a new business opportunity for the Cayman Islands and other “secret bank account” countries. That being the supplying of encryption certificates that are guaranteed not to have big brother secretly supplied with the private key. I have no doubt that as encryption of all communication takes hold the “civilized” countries will pass laws requiring the security apparatus to be supplied with everyone’s private keys so their messages can be decrypted. The only way public key infrastructure can be trusted in the future is for a registration system that accepts privately generated public keys, which has its own spoofing problems, to be created or trustable certificate authorities resistant to the influence of untrustworthy (if they have to say “trust me” you shouldn’t) countries.
This has already cost online storage companies in the US a lot of business and I don’t see this taxpayer-funded anti-competitive practice going away. The damage has only just begun, a cost of the “unbreakable relationship”. Pity the nation that will do to others what it would not accept being done to itself.

Fri, Aug 2, 2013 Jeff Rockville

Security and surveillance of data and behavior is like jello. The more you squeeze, the less you discover is left in your hand.
Data storage, communication hubs, and encryption is just moving offshore. Chalk that up to shortsighted boys playing cops without parental oversight.
Although snooping on all communications may seem critical to them, we die en masse from everything else: flu, auto collisions, preventable lung cancer, vaccine preventable illnesses, medical mistakes, prescription drug abuse, hand guns, heart disease, etc.
We should be focusing more on what actually kills us rather than someone’s worst imagination or what makes money for big gov’t contracts and military industry. It's time for science-based policy in truly securing America.
