11:39 AM

Want NSA Attention? Use Encrypted Communications

Bad news has emerged for fans of PGP and other encryption services. The NSA is taking a gloves-off approach when you go this route.

Bad news for fans of anonymizing Tor networks, PGP and other encryption services: If you're attempting to avoid the National Security Agency's digital dragnet, you may be making yourself a target, as well as legally allowing the agency to retain your communications indefinitely -- and even use them to test the latest code-breaking tools.

Those revelations come via leaked documents that detail the operating guidelines for secret NSA surveillance programs authorized by Congress in 2008. Those documents include a one-page memorandum from a U.S. Foreign Intelligence Surveillance Court (FISA) judge, saying that the guidelines don't violate Fourth Amendment protections against unreasonable searches.

Another one of the leaked documents, first published Thursday by the Guardian, was signed by U.S. Attorney General Eric Holder on July 28, 2009 and submitted to FISA. Titled "Procedures used by NSA to minimize data collection from US persons," it details the steps that the agency's analysts are required to follow when collecting and analyzing data intercepted by the agency's surveillance programs.

Subsequently, The Washington Post published those documents, plus two more, including the judge's secret memorandum.


Based on the documents, the good news is that the NSA guidelines include substantial restrictions on how agency analysts are allowed to review information relating to Americans, unless they first obtain a warrant. In general, the guidelines require strict "minimization" techniques to ensure that analysts don't collect or analyze Americans' communications, and they require analysts to delete any information that's been improperly collected -- albeit with some intelligence and law enforcement exceptions. The NSA also maintains records of Americans' names, telephone numbers and electronic communications addresses, but it uses this list to help ensure it doesn't target any of those people's communications.

"Assuming that the documents are genuine, they are broadly reassuring," said Stewart A. Baker, an attorney at Steptoe & Johnson LLP who recently served as first assistant secretary for policy for the Department of Homeland Security, in a blog post. "There are elaborate sections on making sure that attorney-client communications aren't retained, that inadvertent collections of Americans are destroyed as soon as possible, etc., etc."

When encryption is encountered, however, the gloves can come off, with analysts being allowed to retain "communications that are enciphered or reasonably believed to contain secret meaning" for any period of time. The guidelines allow this retention to occur not just for recovering the source communications but for any cryptanalysis use, suggesting that the NSA could retain encrypted communications to use as target practice for future code-breaking techniques.

Furthermore, as noted by Ars Technica, encryption may mask not only a person's identity, but also their physical location. Since the NSA guidelines say that a person "will not be treated as a United States person" without a positive identification based on name, address, electronic communication addresses or geographic location, encryption users may become classified -- at least temporarily -- as non-U.S. residents by NSA analysts.

In the event of an emergency, meanwhile, NSA analysts are allowed to throw the guidelines out the window. "If NSA determines that it must take action in apparent departure from these minimization procedures to protect against an immediate threat to human life force protection or hostage situations and that it is not feasible to obtain a timely modification of these procedures, NSA may take such action," according to the guidelines. That said, NSA is then required to report its actions to the Office of the Director of National Intelligence as well as to the Department of Justice, which is then charged with notifying FISA.

In general, the guidelines say that NSA analysts may retain, for six months, communications that don't contain "foreign intelligence information" but that are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed," and they may share that information with the FBI. "There's a lot of leeway to use 'inadvertently' acquired domestic communications," Gregory Nojeim, senior counsel for the Center for Democracy and Technology, told The Washington Post.

Any information the NSA turns up on information security vulnerabilities -- such as zero-day exploits -- is also fair game, as the guidelines allow the agency to share the information with the FBI and other government agencies as it sees fit, and to retain those communications indefinitely.

How likely is it that the NSA might stumble upon evidence of a crime or act on it? That's unclear, although the scale of the NSA's surveillance operations is staggering. According to documents published last week by the Guardian, the NSA gleaned 3 billion pieces of intelligence from U.S. communications networks just in March 2013. That follows a Washington Post report in 2010 that said "every day, collection systems at the [NSA] intercept and store 1.7 billion e-mails, phone calls and other types of communications."

To address criticism that the NSA program is overbroad or operating on shaky legal footing, President Obama planned to meet Friday with the Privacy and Civil Liberties Oversight Board (PCLOB), a five-person independent agency that's charged with reviewing how the government balances surveillance requirements with people's civil liberties and right to privacy, reported Reuters. The board has been largely inactive since 2008, which is the year when Congress authorized the most recent secret NSA surveillance programs.

PCLOB chairman David Medine told Reuters that the board plans to hold a public hearing in July to solicit input from legal scholars and civil rights advocates on the NSA's surveillance programs. "Based on what we've learned so far, the board believes further questions are warranted," he said.

At Obama's direction, homeland security adviser Lisa Monaco asked the director of national intelligence Thursday to review information relating to FISA court opinions and see what additional information could be declassified and released to the public.

That initiative "builds on the administration's ongoing effort to declassify a significant amount of information regarding these programs," according to a White House statement. "The president's direction is that as much information as possible be made public while being mindful of the need to protect sources and methods and national security."

But Snowden's leaked documents -- of which there are reported to be at least dozens of interest -- appear to be detailing the previously withheld legal justifications for the NSA's monitoring programs faster.

User Rank: Apprentice
6/24/2013 | 2:57:00 AM
re: Want NSA Attention? Use Encrypted Communications
This is exactly why the government should not be doing this. If they get their hackles up that people take measures to ensure that they have private communications because people desire privacy, the government should not take that as suspicion that person is a criminal or other undesirable.
User Rank: Apprentice
6/23/2013 | 5:48:37 PM
re: Want NSA Attention? Use Encrypted Communications
Since using encryption could be thought of as the equivalent of locking the doors of your home, applying the NSA logic means you must be hiding a crime in your home, and they are then authorized to break into your house and report anything criminal they find to the appropriate authorities. Only a criminal would lock their home, right?
User Rank: Apprentice
6/23/2013 | 1:56:16 PM
re: Want NSA Attention? Use Encrypted Communications
The writer does not do English well and left me somewhat confused, reading not-so-well-constructed sentences. I feel like encrypting everything I do online now, just to annoy the bastards in Washington DC and their overzealous deeds that only have dreadful unintended consequences including the bankruptcy of the US treasury. Please read your posts as they have much value, but they can only be digested if the wording is simple and exact. Examples are always helpful, which you do provide, thanks! How would I encrypt my email, if you can say?
User Rank: Apprentice
6/21/2013 | 4:51:55 PM
re: Want NSA Attention? Use Encrypted Communications
This sounds illogical, because all the connections for buying, E-mail (TLS) and other stuff are encrypted, then that means more than 80% of the traffic on internet is the Objective of the NSA, Enterprises, Business (white zone, gray zone, and dark zone), Emails (from personal to firms of any size), and now must add, the Sarbanes-Oxley regulation, that some enterprises have to have every computer, mail, etc. encrypted, with remote wipe, that means that NSA watches the business secrets.

Everything that matters is encrypted!

Follow the presumption, "I don't have to encrypt anything because I have nothing to hide" may apply to those people that do not make any online transaction, save pictures of his family, neither chat with them, have no mail/voicemail to check, in other words have no online life.

It's surprising that NSA does not go like other governments around the world, using Open Source Intelligence and spend huge amount of money and effort to spy his own citizens (in the best case).

It's the worst scenario, can't encrypt because your government spies you, and cannot live without encrypting because any one can read it/ access your company information, in a less worst case, "it's ok that your government read everything about your encrypted enterprise information", how you can trust that that guy that is reading it, is not going to go with your competence and sell your secrets?, how you can call it Democratic Nation if it acts exactly like USSR and CUBA? (but in a Digital Era)

Safety is not in war with Privacy, but Safety does not mean Privacy is avoided.