Earlier today, in a post about the latest Edward Snowden leak, I wrote that “I’m a lot less certain that this one should have seen the light of day.” After some further thought and conversation, I’m now a lot less certain I should have said that.
Here’s the problem. The Guardian and New York Times stories basically revealed two things:
- The NSA has been working to deliberately weaken commercial crypto standards and insert back doors that only they have privileged access to. This is horrific public policy for at least a couple of reasons. First, the NSA tried to do this publicly in the mid-90s with the Clipper chip and export restrictions on crypto technology, and they lost. Now they’re covertly doing what Congress refused to let them do overtly. Second, deliberately weakening commercial crypto exposes everyone who uses it to possible interception from bad actors who manage to discover the NSA’s handiwork. There’s no way the NSA can guarantee that other groups won’t learn the weaknesses it’s introduced (indeed, it’s already happened in some cases) or somehow get access to its back doors. I have no problem at all with the Times and the Guardian disclosing this, and I’d very much like Congress to put a stop to it.
- In addition, the NSA has been working to to improve its decryption capabilities in ways that don’t degrade commercial crypto for anyone else. The details are unclear. It might involve new mathematical techniques. It might involve new computational techniques or improved computational power. It might involve old school hacking. It might involve stealing encryption keys or getting companies to give them up. It might involve the discovery of weaknesses that already exist. This is all stuff that NSA is chartered to do, and it does nothing to harm general use of commercial cryptography. However, revealing the extent of NSA’s success in this area might indeed warn terrorists and others away from commercial crypto that they thought was safe, and thus degrade NSA’s ability to track them. I have a hard time believing that the public interest in this outweighs the damage done to U.S. intelligence efforts.
Needless to say, not everyone agrees with my second bullet. Judging from my Twitter stream, there are people who seem to think that it’s illegal for the NSA to engage in decryption. Others apparently believe that foreign surveillance serves no actual purpose and is really just a sham to keep the power elite in power. Still others seem to think that governments should never keep anything secret. There’s not much to say to these people except to disagree with them.
But for the rest of us, this is a tough issue. If NSA is actively weakening internet security in ways that could blow back on us all, it absolutely ought to be reported. But to the extent that NSA is simply figuring out new decryption techniques that don’t weaken security, they’re just doing the job we’ve asked them to do. I don’t see much sense in alerting anyone to the details or scope of how successful they’ve been.
The problem is that a close reading of the Times and Guardian stories makes it really hard to figure out how much of these two things the NSA is doing. The Guardian says categorically that inserting back doors and vulnerabilities into commercial crypto systems is the “key component” of the NSA’s efforts. The Times is more circumspect, and the documents available to the Guardian and the Times are apparently fairly vague on this point. In 2010, for example, NSA says it developed “groundbreaking capabilities” against web encryption. Is this the product of a decade-long effort to insert vulnerabilities into commercial systems? Or something else?
We don’t know, though there are several hints that NSA is spending an awful lot of time and money on decryption capabilities that have no connection to back doors or inserted weaknesses. And the companies that have responded so far to this story have mostly denied having allowed anything like this.
For now, then, I’ll just say that I’m more uncertain about this than I was yesterday when I first read these stories. Some of the stuff they revealed I have no problem with. Some of it I think I do. I realize I’m breaking the pundit code that says we should all have absolute and unchangeable views on every subject, but I just don’t this time. I need to learn more, and unfortunately I’m not likely to.