September 7, 2013

In Which I Muddy the Waters on the Edward Snowden Crypto Bombshell


Earlier today, in a post about the latest Edward Snowden leak, I wrote that “I’m a lot less certain that this one should have seen the light of day.” After some further thought and conversation, I’m now a lot less certain I should have said that.

Here’s the problem. The Guardian and New York Times stories basically revealed two things:

  • The NSA has been working to deliberately weaken commercial crypto standards and insert back doors that only they have privileged access to. This is horrific public policy for at least a couple of reasons. First, the NSA tried to do this publicly in the mid-90s with the Clipper chip and export restrictions on crypto technology, and they lost. Now they’re covertly doing what Congress refused to let them do overtly. Second, deliberately weakening commercial crypto exposes everyone who uses it to possible interception from bad actors who manage to discover the NSA’s handiwork. There’s no way the NSA can guarantee that other groups won’t learn the weaknesses it’s introduced (indeed, it’s already happened in some cases) or somehow get access to its back doors. I have no problem at all with the Times and the Guardian disclosing this, and I’d very much like Congress to put a stop to it. 
  • In addition, the NSA has been working to to improve its decryption capabilities in ways that don’t degrade commercial crypto for anyone else. The details are unclear. It might involve new mathematical techniques. It might involve new computational techniques or improved computational power. It might involve old school hacking. It might involve stealing encryption keys or getting companies to give them up. It might involve the discovery of weaknesses that already exist. This is all stuff that NSA is chartered to do, and it does nothing to harm general use of commercial cryptography. However, revealing the extent of NSA’s success in this area might indeed warn terrorists and others away from commercial crypto that they thought was safe, and thus degrade NSA’s ability to track them. I have a hard time believing that the public interest in this outweighs the damage done to U.S. intelligence efforts.

Needless to say, not everyone agrees with my second bullet. Judging from my Twitter stream, there are people who seem to think that it’s illegal for the NSA to engage in decryption. Others apparently believe that foreign surveillance serves no actual purpose and is really just a sham to keep the power elite in power. Still others seem to think that governments should never keep anything secret. There’s not much to say to these people except to disagree with them.

But for the rest of us, this is a tough issue. If NSA is actively weakening internet security in ways that could blow back on us all, it absolutely ought to be reported. But to the extent that NSA is simply figuring out new decryption techniques that don’t weaken security, they’re just doing the job we’ve asked them to do. I don’t see much sense in alerting anyone to the details or scope of how successful they’ve been.

The problem is that a close reading of the Times and Guardian stories makes it really hard to figure out how much of these two things the NSA is doing. The Guardian says categorically that inserting back doors and vulnerabilities into commercial crypto systems is the “key component” of the NSA’s efforts. The Times is more circumspect, and the documents available to the Guardian and the Times are apparently fairly vague on this point. In 2010, for example, NSA says it developed “groundbreaking capabilities” against web encryption. Is this the product of a decade-long effort to insert vulnerabilities into commercial systems? Or something else?

We don’t know, though there are several hints that NSA is spending an awful lot of time and money on decryption capabilities that have no connection to back doors or inserted weaknesses. And the companies that have responded so far to this story have mostly denied having allowed anything like this.

For now, then, I’ll just say that I’m more uncertain about this than I was yesterday when I first read these stories. Some of the stuff they revealed I have no problem with. Some of it I think I do. I realize I’m breaking the pundit code that says we should all have absolute and unchangeable views on every subject, but I just don’t this time. I need to learn more, and unfortunately I’m not likely to.

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate