The undercover war on your internet secrets

A black shrouded figure appears on the screen, looming over the rapt audience, talking about surveillance. But this is no Big Brother figure seeking obedience though, rather the opposite.Perhaps even his nemesis.

NSA contractor-turned-whistleblower Edward Snowden is explaining how his former employer and other intelligence agencies have worked to undermine privacy on the internet and beyond.

“We’re seeing systemic attacks on the fabrics of our systems, the fabric of our communications… by undermining the security of our communications, they enable surveillance,” he warns.

He is speaking at the conference via a video link from Russia, where he has taken refuge after leaking the documents detailing some of the NSA’s surveillance projects. The room behind him is in darkness, giving away nothing about his exact location.

“Surveillance is not possible when our movements and communications are safe and protected — a satellite cannot see you when you are inside your home — but an unprotected computer with an open webcam can,” he adds.

Edward Snowden speaking at the CeBIT tech show
Image: Deutsche Messe, Hannover

One of the most significant technologies being targeted by the intelligence services is encryption.

Online, encryption surrounds us, binds us, identifies us. It protects things like our credit card transactions and medical records, encoding them so that — unless you have the key — the data appears to be meaningless nonsense.

Encryption is one of the elemental forces of the web, even though it goes unnoticed and unremarked by the billions of people that use it every day.

But that doesn’t mean that the growth in the use of encryption isn’t controversial.

For some, strong encryption is the cornerstone of security and privacy in any digital communications, whether that’s for your selfies or for campaigners against an autocratic regime.

Others, mostly police and intelligence agencies, have become increasingly worried that the absolute secrecy that encryption provides could make it easier for criminals and terrorists to use the internet to plot without fear of discovery.

As such, the outcome of this war over privacy will have huge implications for the future of the web itself.

The code wars

Codes have been used to protect data in transit for thousands of years, and have long been a key tool in warfare: the Caesar cipher was named after the Roman emperor who used it to protect his military secrets from prying eyes.

These ciphers were extremely basic, of course: the Caesar cipher turned a message into code simply by replacing each letter with the one three down in the alphabet, so that ‘a’ became ‘d’.

Ciphers became more sophisticated, and harder to break, over the centuries, but it was the Second World War that demonstrated the real importance of encryption — and cracking it. The work done at Bletchley Park to crack German codes including Enigma had a famous impact on the course of the war.

As a result, once the war was over, encryption technology was put on the US Munitions List alongside tanks and guns as an ‘auxiliary military technology’, which put restrictions on its export.

The real fundamental problem is the internet and the protocol it’s all based on was never intended to be secure.” - ALAN WOODWARD, SURREY UNIVERSITY

In practice, these government controls didn’t make much difference to ordinary people, as there were few uses for code-making — that is, encryption — outside the military.

But all that changed with the arrival of the personal computer. It became an even bigger issue as the huge economic potential of the web became apparent.

“The internet and the protocol it’s all based on was never intended to be secure, so if we are going to rely on the internet as part of our critical national [and] international infrastructure, which we do, you’ve got to be able to secure it, and the only way to do that is to layer encryption over the top,” explains Professor Alan Woodward, a computer security expert at the University of Surrey.

Few would be willing to use online shopping if their credit card details, address, and what they were buying was being sent across the internet for any to see.

Encryption provides privacy by encoding data onto what appears to be meaningless junk, and it also creates trust by allowing us to prove who we are online — another essential element of doing business over the internet.

“A lot of cryptography isn’t just about keeping things secret, a lot of it is about proving identity,” says Bill Buchanan, professor of computing at Edinburgh Napier University. “There’s a lot of naïveté about cryptography as to thinking it’s just about keeping something safe on your disk.”

But the rise of the internet suddenly meant that access to cryptography became an issue of privacy and economics as well as one of national security, immediately sparking the clash that came to be known as ‘the crypto wars’.

Governments fought to control the use of encryption, while privacy advocates insisted its use was essential — not just for individual freedom, but also to protect the commercial development of the nascent internet.

What followed was a series of skirmishes, as the US government and others made increasingly desperate — and unsuccessful — efforts to reassert control over encryption technologies. One example in the mid-90s involved the NSA designing the Clipper chip, which was a way to give the agency access to the communications on any devices on which the chip was installed.

Another attempt at government control during this period came with the introduction of key escrow. Under the scheme, the US government would agree to license encryption providers, if they gave the state access to the keys used to decode communications.

On top of this were rules which only allowed products that used weak and easily-cracked encryption to be exported from the US.

Remarkably there was an unwelcome reminder of those days of watered-down encryption with the appearance of the recent FREAK flaw in the SSL security standard. The vulnerability could be used to force web browsers to default to the weaker “export-strength” encryption, which can be easily broken.

Few experts even knew that the option to use the weaker encryption still existed in the browsers commonly used today — a good example of the dangerous and unexpected consequences of attempts to control privacy technologies, long after the political decisions affecting it had been reversed and forgotten.

But by the early 2000s, it appeared that the privacy advocates had effectively won the crypto wars. The Clipper chip was abandoned, strong encryption software exports were allowed, key escrow failed, and governments realised it was all but impossible for them to control the use of encryption. It was understood that if they tried, the damage they would do to the internet economy would be too great.

Individual freedoms, and simple economics, had overwhelmed national security. In 2005, one campaigning group even cheerfully announced “The crypto wars are finally over and we won!”

They were wrong.

We now know that the crypto wars were never over. While privacy campaigners celebrated their victory, intelligence agencies were already at work breaking and undermining encryption. The second stage of the crypto wars — the spies’ secret war — had begun.

Editor’s note:

Steve Ranger. “The undercover war on your internet secrets: How online surveillance cracked our trust in the web– TechRepublic”

TechRepublic. N.p., Web. 26 May. 2016.