Thursday 24 October, 2013
Among the information leaked by former National Security Agency employee Edward Snowden, perhaps none is as shocking as Project Bullrun. This is an NSA program that allows federal agents access to encrypted data. The UK counterpart of the NSA, known as the Government Communications Headquarters or GCHQ, instituted a similar program called Edgehill.
The NSA and Your Personal Information
Bullrun was a ten-year program that started in 2000 and proceeded just as the encryption types we use today were developed and spread. The clandestine government spy organization was there from the beginning. The program culminated in what has been called a ‘breakthrough’ in 2010, after which time it has had unfettered access. This program was among the US government’s most closely guarded secrets.
There were several ways the NSA managed to get through encryption. One was to infiltrate tech companies with its own spies who would then install back doors. Sometimes it worked directly with tech providers, who willingly handed over their encryption secrets. Other times, the NSA just used supercomputers to break in like criminal hackers.
One protocol the NSA can get through is HTTPS. This is supposed to be a secure protocol that protects online bank accounts, medical records, business trade secrets, personal emails, and so on. All of this is now accessible by the federal government.
Your Trusted Provider
The NSA spent $250 million a year working with tech companies who willingly betrayed their customers and gave away their encryption secrets. This is a flagrant violation of their customers’ trust. A small ecommerce or internet security firm would never dream of doing this because of the massive amount of business it would lose.
We’re still waiting to see the impact of this. Already, the NSA spying scandal is costing US cloud service providers, whose overseas clients don’t want their trade secrets to be seen by the US government.
A PR Nightmare
This story was so hot that when it broke, the US government begged The New York Times, The Guardian and ProPublica, the three publications that carried it, not to report it. The feds said it would likely prompt foreign terrorists and criminals to seek new forms of encryption.
More likely, it was trying to avoid another PR disaster on the heels of other Snowden leaks which have cost US tech companies and the US government a great deal of credibility. ProPublica replied to the request saying that it’s an important story people need to hear.
The NSA has described its decryption program as ‘the price of admission for the US to maintain unrestricted access to and use of cyberspace.’ It would be nice if they had let us know about this cost upfront. Again, not informing customers of something like that would be a rookie mistake for a small ecommerce store.