I’m going to admit that I didn’t really care that much about the whole NSA spying thing for a while.  Maybe because I’d assumed it was always already kinda happening.

Then I read an article by the New York Times, which made me care, as it explained exactly how the NSA had managed to do all this spying, including weakening international cryptography standards, which I found most alarming.  If you have time, I highly recommend reading the article, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, by Nicole Perlroth, Jeff Larson and Scott Shane (September 5, 2013).

If not, I’ve attempted to summarise the main points here, with a little restructuring of information to get around newspaper format, which can be repetitive and/or confusing.  I’ve copied text straight from the article when convenient and skipped parts people might already have known/suspected.

Introduction

In the 1990s the NSA attempted to legally insert a government ‘back door’ into all encryption (the Clipper Chip).  This means that they would be able to bypass encryption efforts so that they would be able to access anything they’d want, but the proposition was deeply unpopular and they eventually backed down in 1996.  But rather than stopping there, they went on to try to gain access to anything they wanted through stealth and trickery.

Working with, coercing and deceiving companies

The NSA hacked into computers to retrieve messages before they were encrypted, used super fast computers (I take it they mean supercomputers) to break codes and worked with technology companies in the US and abroad into building in back doors into their security.  Some say they were coerced, and there are cases where companies shut down rather than compromise themselves and their customers.  Lavabit, an e-mail encryption company closed while Silent Circle ended its e-mail service.

According to a leaked intelligence budget document, the NSA spends more than $250 million a year on its Signit Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make the “exploitable”.  In one instance after learning that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped.

Still others have been compromised without them knowing it.  In 2012 GCHQ (the British NSA counterpart) had developed new ‘access opportunities’ into Google’s systems.  Google denied giving any government access and said it had no evidence its systems had been breached (This later article describes what might have happened).

The agency maintains an internal database of encryption keys for specific commercial products, which can automatically decode many messages.  Independent cryptographers say many of the keys are probably acquired by hacking into companies’ computer servers where they are stored.  To hide what the NSA were doing, only keys that have been acquired through legal means (i.e. not hacking) could be shared with other agencies.

Weakening Cryptography standards

Another tool the NSA have been attempting to use to aid them in obtaining information is to introduce weaknesses into encryption standards followed by hardware and software developers around the world. This is a dangerous game for the NSA to play, because although by weakening cryptography standards they are able to access communications from potential enemies, they’re also compromising the security of American communications.

The NSA wrote a standard for cryptography which was adopted by the National Institute of Standards and Technology in 2006 and later by the International Organization for Standardization, of which 163 countries are members.  In 2007 Microsoft cryptographers found fatal weakness in the standard, which classified NSA memos appear to confirm were engineered by the agency.  The article claims the standard was aggressively pushed on the international group.