NSA Surveillance: Is There Any Way to Keep Web Communications Private?

NEWS ANALYSIS: There are still ways enterprises and individuals can keep communications private. But the quick and easy paths have already been compromised by the United States.

Thanks to NSA leaker Edward Snowden, we now know that most of the communications pathways you thought were secure can’t be relied on.

Most of the secure cloud storage, almost all of the online encryption to Websites, the 4G wireless communications you use and your WiFi encryption have been compromised by the U.S. National Security Agency and probably by the intelligence services of other nations. In some cases, the actual encryption has been cracked, and in other cases the encryption has been circumvented.

In a series of reports in the New York Times and other media, Snowden’s leaked secrets have revealed that most of the basic encryption you use, including SSL, has been broken. If it wants to, the agency can find out just what you bought from Amazon yesterday. But perhaps more important, the NSA can read what you’re storing on the public cloud, they can read your communications with Google when you send Gmail, and they can read your banking transactions.

The fact that the National Security Agency can crack this encryption should be no surprise. After all, the NSA was chartered in the early 1950s specifically for code-breaking. So cracking such encrypted communications is actually what the agency is supposed to be doing. This is, after all, how the NSA tracks the communications of terrorists in Yemen, or the Taliban in Pakistan. But we didn’t expect that this would eventually give them the capability to read our business and personal messages at home.

But Snowden also revealed something that the NSA probably would prefer that you didn’t know. Good encryption still works, and there are types that the NSA still hasn’t cracked, such as PGP. When Phil Zimmermann created Pretty Good Privacy 22 years ago, the government tried to block its implementation. During the Clinton administration, the government even tried to force the adoption of the “Clipper” chip to create a permanent back door into computer systems through an embedded encryption chip with a built-in back door.

PGP encryption is still out there, although it’s owned by Symantec these days, and it still works. In fact, the U.S. government is a major user of PGP encryption. But that doesn’t stop the NSA and the agencies of other governments from trying to get their hands on your communications, and most of the time they’re successful. The reason is that they don’t bother to crack encryption these days. They just siphon off unencrypted data before it’s encrypted or after it’s decrypted.

In addition, the NSA has been able to find and preserve encryption keys, with which decryption stops being an issue. Sometimes these keys are obtained legally, other times they’re retrieved through a back door to a server that holds the keys. But such back doors are limited to servers and encryption keys.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...