NSA Able To Crack Basic Web Encryption
SCOTT SIMON, HOST:
This is WEEKEND EDITION from NPR News. I'm Scott Simon. This week, new reporting revealed that the electronic communication we may think is private is actually not. That includes everything from our medical records to banking information. The National Security Agency has been able to crack encryption technology, giving the government access to the private details that we type into encrypted websites. Now, we know this because of documents released by the former NSA contractor Edward Snowden. These documents resulted in a story that was published simultaneously in yesterday's New York Times, the Guardian, and on the website of the nonprofit news organization ProPublica. They did so despite the objections of intelligence agencies. Jeff Larson of ProPublica co-authored the article and he spoke to us from New York. And we began by asking him whether he knows how many of these encrypted sites have been cracked.
JEFF LARSON: We don't actually know exactly what the NSA and GCHQ have cracked. They...
SIMON: GCHQ is the British equivalent of the NSA.
LARSON: Right. Yes. They protect this information with a special classification level. We can only sort of infer by the fact that they say that they've cracked vast amounts of encrypted communications traveling over the wire.
SIMON: That sounds far-reaching and maybe even a little chilling - or more than a little chilling to a lot of people. But on the other hand, how much interest does NSA or GCHQ really have in what any of us spends at Starbucks? I mean, are we getting carried away with this?
LARSON: In one of the documents, they specify that they want to begin a program of - and this document was dated a couple years back, three or four years back - they want to begin a program of opportunistic decryption, which mean they crack everything that they can and then look for intelligence value later. So the fact that these communications are private and companies take great lengths to encrypt them as they travel over the wire, the fact that they're doing this sort of opportunistic decryption is troubling, to say the least.
SIMON: Does the NSA need the cooperation of private tech companies to do this?
LARSON: Part of their 2013 budget requests mentions this program called the Sagan Enabling Project, which infers that they do need the help of tech companies to do this. A large portion of what they're doing and part of their success is to insert back doors and work with companies to make those back doors only usable by them. So, it seems that they do need this industry cooperation.
SIMON: We should explain that Google, I gather, has denied that they participate.
LARSON: Yes. We found a reference to new access opportunities to Google, and they wrote back to us saying that they don't have any evidence that the NSA has secretly hacked or that they're cooperating with the NSA in this capacity.
SIMON: When you refuse to honor the request of a government agency that says please don't publish this because this could in so many ways hurt people, a lot of Americans get upset about that. They think that you are raising journalism above the need to protect the American people.
LARSON: Sure. You know, to a certain extent, the fact that the NSA are code breakers isn't really news. They're an agency that started long ago to break encryption and collect signals...
SIMON: I mean, that's what they do.
LARSON: Sure. What we didn't know that they do is we didn't know that they secretly worked with companies to enter these back doors. And, look, we had this debate about back doors and due encryption in the '90s. It was a very public debate. It was a very passionate debate. And the NSA lost that debate. And so, you know, over the course of the 2000s they've been sort of surreptitiously going about it by weakening encryption that everybody uses. And I think that's something people need to know.
SIMON: Jeff Larson of ProPublica in New York. Thanks very much for being with us.
LARSON: Thank you so much.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.