6/21/2013
11:39 AM

Want NSA Attention? Use Encrypted Communications

Bad news has emerged for fans of PGP and other encryption services. The NSA is taking a gloves-off approach when you go this route.

Bad news for fans of anonymizing Tor networks, PGP and other encryption services: If you're attempting to avoid the National Security Agency's digital dragnet, you may be making yourself a target, as well as legally allowing the agency to retain your communications indefinitely -- and even use them to test the latest code-breaking tools.

Those revelations come via leaked documents that detail the operating guidelines for secret NSA surveillance programs authorized by Congress in 2008. Those documents include a one-page memorandum from a U.S. Foreign Intelligence Surveillance Court (FISA) judge, saying that the guidelines don't violate Fourth Amendment protections against unreasonable searches.

Another one of the leaked documents, first published Thursday by the Guardian, was signed by U.S. Attorney General Eric Holder on July 28, 2009 and submitted to FISA. Titled "Procedures used by NSA to minimize data collection from US persons," it details the steps that the agency's analysts are required to follow when collecting and analyzing data intercepted by the agency's surveillance programs.

Subsequently, The Washington Post published those documents, plus two more, including the judge's secret memorandum.


Based on the documents, the good news is that the NSA guidelines include substantial restrictions on how agency analysts are allowed to review information relating to Americans, unless they first obtain a warrant. In general, the guidelines require strict "minimization" techniques to ensure that analysts don't collect or analyze Americans' communications, and they require analysts to delete any information that's been improperly collected -- albeit with some intelligence and law enforcement exceptions. The NSA also maintains records of Americans' names, telephone numbers and electronic communications addresses, but it uses this list to help ensure it doesn't target any of those people's communications.

"Assuming that the documents are genuine, they are broadly reassuring," said Stewart A. Baker, an attorney at Steptoe & Johnson LLP who recently served as first assistant secretary for policy for the Department of Homeland Security, in a blog post. "There are elaborate sections on making sure that attorney-client communications aren't retained, that inadvertent collections of Americans are destroyed as soon as possible, etc., etc."

When encryption is encountered, however, the gloves can come off, with analysts being allowed to retain "communications that are enciphered or reasonably believed to contain secret meaning" for any period of time. The guidelines allow this retention to occur not just for recovering the source communications but for any cryptanalysis use, suggesting that the NSA could retain encrypted communications to use as target practice for future code-breaking techniques.

Furthermore, as noted by Ars Technica, encryption may mask not only a person's identity, but also their physical location. Since the NSA guidelines say that a person "will not be treated as a United States person" without a positive identification based on name, address, electronic communication addresses or geographic location, encryption users may become classified -- at least temporarily -- as non-U.S. residents by NSA analysts.

In the event of an emergency, meanwhile, NSA analysts are allowed to throw the guidelines out the window. "If NSA determines that it must take action in apparent departure from these minimization procedures to protect against an immediate threat to human life force protection or hostage situations and that it is not feasible to obtain a timely modification of these procedures, NSA may take such action," according to the guidelines. That said, NSA is then required to report its actions to the Office of the Director of National Intelligence as well as to the Department of Justice, which is then charged with notifying FISA.

In general, the guidelines say that NSA analysts may retain, for six months, communications that don't contain "foreign intelligence information" but that are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed," and they may share that information with the FBI. "There's a lot of leeway to use 'inadvertently' acquired domestic communications," Gregory Nojeim, senior counsel for the Center for Democracy and Technology, told The Washington Post.

Any information the NSA turns up on information security vulnerabilities -- such as zero-day exploits -- is also fair game, as the guidelines allow the agency to share the information with the FBI and other government agencies as it sees fit, and to retain those communications indefinitely.

How likely is it that the NSA might stumble upon evidence of a crime or act on it? That's unclear, although the scale of the NSA's surveillance operations is staggering. According to documents published last week by the Guardian, the NSA gleaned 3 billion pieces of intelligence from U.S. communications networks just in March 2013. That follows a Washington Post report in 2010 that said "every day, collection systems at the [NSA] intercept and store 1.7 billion e-mails, phone calls and other types of communications."

To address criticism that the NSA program is overbroad or operating on shaky legal footing, President Obama planned to meet Friday with the Privacy and Civil Liberties Oversight Board (PCLOB), a five-person independent agency that's charged with reviewing how the government balances surveillance requirements with people's civil liberties and right to privacy, reported Reuters. The board has been largely inactive since 2008, which is the year when Congress authorized the most recent secret NSA surveillance programs.

PCLOB chairman David Medine told Reuters that the board plans to hold a public hearing in July to solicit input from legal scholars and civil rights advocates on the NSA's surveillance programs. "Based on what we've learned so far, the board believes further questions are warranted," he said.

At Obama's direction, homeland security adviser Lisa Monaco asked the director of national intelligence Thursday to review information relating to FISA court opinions and see what additional information could be declassified and released to the public.

That initiative "builds on the administration's ongoing effort to declassify a significant amount of information regarding these programs," according to a White House statement. "The president's direction is that as much information as possible be made public while being mindful of the need to protect sources and methods and national security."

But Snowden's leaked documents -- of which there are reported to be at least dozens of interest -- appear to be detailing the previously withheld legal justifications for the NSA's monitoring programs faster.

Comments
builder7,
User Rank: Apprentice
9/22/2013 | 11:53:20 PM
re: Want NSA Attention? Use Encrypted Communications
Yeah, I believe it and it has already been proven to be so. Right now large companies like Microsoft and Google are scrambling to get out from under this, but can they, being snoopers for big brother while the entire time they have been telling everybody that they respect privacy. I'll bet that there are private databases also that are used by companies, for use only by certain trusted people that have enough money to pay for them, that contain all of this information!
builder7,
User Rank: Apprentice
9/22/2013 | 11:49:05 PM
re: Want NSA Attention? Use Encrypted Communications
You are right unless they have an encryption key to open all algorithms on the open market. It has recently been revealed that they have that capability, thanks to companies providing it to them. You haven't heard because it is against the law for them to tell you or for the contractors and employees of them to tell. Of course, sometimes there is a true patriot like Edward Snowden who exposed the entire secret police state that they have been building for the last 50 years!
JohnnyD076,
User Rank: Apprentice
9/19/2013 | 3:30:51 AM
re: Want NSA Attention? Use Encrypted Communications
And I believe that you truly believe everything that you just wrote. So sad.
JohnnyD076,
User Rank: Apprentice
9/19/2013 | 3:29:36 AM
re: Want NSA Attention? Use Encrypted Communications
The NSA is welcome to keep all of my 256 bit encrypted data because they will never be able to do anything with it. This is basically propaganda being spread by an author that thinks that he is doing something positive for the people but in reality he is just spreading BS. The NSA wants us to believe that we will be targeted but guess what--EVERYONE is. I for one am not going to make things easy for the NSA to spy on me, in fact I am going to make it impossible for them to spy on me and that just pisses them off so they spread BS about targeting freedom lovers-- fuch 'em. OpenVPN and encryption software for anything that should be private such as my business.
PressEnter,
User Rank: Apprentice
8/10/2013 | 9:14:33 PM
re: Want NSA Attention? Use Encrypted Communications
" because all the connections for buying, E-mail
(TLS) and other stuff is encrypted, then that means more than 80% of the
traffic on internet is the Objective of the NSA, Enterprises, Busines.."

Now you are getting it. They spy on anything and everything. Select information is then passed on to the elite to allow them to game the system. Insider information and technology under development are stolen by the NSA and company on a regular business. The USA has been caught red handed doing this.
mark jumaga,
User Rank: Apprentice
8/9/2013 | 3:54:05 PM
re: Want NSA Attention? Use Encrypted Communications
You can stop this only one place. Vote every single congressional proponent out of office permanently. Educate yourself how your rep voted. Destroy this cancer on the constitution.
EddieV404,
User Rank: Apprentice
8/9/2013 | 3:31:31 PM
re: Want NSA Attention? Use Encrypted Communications
Do forget to leave your windows open also... unless you have something to hide.
EddieV404,
User Rank: Apprentice
8/9/2013 | 3:30:12 PM
re: Want NSA Attention? Use Encrypted Communications
Download and install GPG, Thunderbird mail, and Enigmail plugin for Thunderbird.
Palpatine,
User Rank: Apprentice
6/24/2013 | 2:18:00 PM
re: Want NSA Attention? Use Encrypted Communications
I'm wearing tin foil hat, and I'm not letting go out without tiny tin foil hats any message below 128 bit.
builder7,
User Rank: Apprentice
6/24/2013 | 2:59:03 AM
re: Want NSA Attention? Use Encrypted Communications
As I was saying, the government can decrypt encrypted messages easily if they are 128 bit or less. They may not tell us that but it is true with supercomputers. Also, large companies that provide applications leave back doors where the government can get into people's computer anyway!