NEW YORK — The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders, and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data such as trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats, and phone calls of Americans and others around the world, the documents show.
Many users assume — or have been assured by Internet companies — that their data are safe from prying eyes, including those of the government, and the NSA wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former NSA contractor.
Beginning in 2000, as encryption tools were gradually blanketing the Web, the NSA invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
‘We are investing in ground-breaking cryptanalytic capabilities to defeat adversarial cryptography.’ — James Clapper Jr., National intelligence director
The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
“For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about NSA accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
An intelligence budget document makes clear that the effort is still going strong.
“We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.
The NSA’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant. But it shows that the agency, which was rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology. NSA rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.
The NSA, which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of foreign adversaries, the United States will be at serious risk, agency officials say.
Some experts say the NSA’s campaign to bypass and weaken communications security may have serious unintended consequences. They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of US communications.
Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including the protection used on smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail or buy something online.
For at least three years, one document says, Britain’s GCHQ, almost certainly in close collaboration with the NSA, has been looking for ways into protected traffic of the most popular Internet companies: Google, Yahoo, Facebook, and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document.
“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against US communications, too.”