Risk
6/21/2013
11:39 AM
Connect Directly
RSS
E-Mail
50%
50%

Want NSA Attention? Use Encrypted Communications

Bad news has emerged for fans of PGP and other encryption services. The NSA is taking a gloves-off approach when you go this route.

Bad news for fans of anonymizing Tor networks, PGP and other encryption services: If you're attempting to avoid the National Security Agency's digital dragnet, you may be making yourself a target, as well as legally allowing the agency to retain your communications indefinitely -- and even use them to test the latest code-breaking tools.

Those revelations come via leaked documents that detail the operating guidelines for secret NSA surveillance programs authorized by Congress in 2008. Those documents include a one-page memorandum from a U.S. Foreign Intelligence Surveillance Court (FISA) judge, saying that the guidelines don't violate Fourth Amendment protections against unreasonable searches.

Another one of the leaked documents, first published Thursday by the Guardian, was signed by U.S. Attorney General Eric Holder on July 28, 2009 and submitted to FISA. Titled "Procedures used by NSA to minimize data collection from US persons," it details the steps that the agency's analysts are required to follow when collecting and analyzing data intercepted by the agency's surveillance programs.

Subsequently, the The Washington Post published those documents, plus two more, including the judge's secret memorandum.

[ How vulnerable is your enterprise's data? See NSA Dragnet Debacle: What It Means To IT. ]

Based on the documents, the good news is that the NSA guidelines include substantial restrictions on how agency analysts are allowed to review information relating to Americans, unless they first obtain a warrant. In general, the guidelines require strict "minimization" techniques to ensure that analysts don't collect or analyze Americans' communications, and they require analysts to delete any information that's been improperly collected -- albeit with some intelligence and law enforcement exceptions. The NSA also maintains records of Americans' names, telephone numbers and electronic communications addresses, but it uses this list to help ensure it doesn't target any of those people's communications.

"Assuming that the documents are genuine, they are broadly reassuring," said Stewart A. Baker, an attorney at Steptoe & Johnson LLP who recently served as first assistant secretary for policy for the Department of Homeland Security, in a blog post. "There are elaborate sections on making sure that attorney-client communications aren't retained, that inadvertent collections of Americans are destroyed as soon as possible, etc., etc."

When encryption is encountered, however, the gloves can come off, with analysts being allowed to retain "communications that are enciphered or reasonably believed to contain secret meaning" for any period of time. The guidelines allow this retention to occur not just for recovering the source communications but for any cryptanalysis use, suggesting that the NSA could retain encrypted communications to use as target practice for future code-breaking techniques.

Furthermore, as noted by Ars Technica, encryption may mask not only a person's identity, but also their physical location. Since the NSA guidelines say that a person "will not be treated as a United States person" without a positive identification based on name, address, electronic communication addresses or geographic location, encryption users may because classified -- at least temporarily -- as non-U.S. residents by NSA analysts.

In the event of an emergency, meanwhile, NSA analysts are allowed to throw the guidelines out the window. "If NSA determines that it must take action in apparent departure from these minimization procedures to protect against an immediate threat to human life force protection or hostage situations and that it is not feasible to obtain a timely modification of these procedures, NSA may take such action," according to the guidelines. That said, NSA is then required to report its actions to the Office of the Director of National Intelligence as well and to the Department of Justice, which is then charged with notifying FISA.

In general, the guidelines say that NSA analysts may retain, for six months, communications that don't contain "foreign intelligence information" but that are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed," and they may share that information with the FBI. "There's a lot of leeway to use 'inadvertently' acquired domestic communications," Gregory Nojeim, senior counsel for the Center for Democracy and Technology, told The Washington Post.

Any information the NSA turns up on information security vulnerabilities -- such as zero-day exploits -- are also fair game, as the guidelines allow the agency to share the information with the FBI and other government agencies as it sees fit, and to retain those communications indefinitely.

How likely is it that the NSA might stumble upon evidence of a crime or act on it? That's unclear, although the scale of the NSA's surveillance operations is staggering. According to documents published last week by the Guardian, the NSA gleaned 3 billion pieces of intelligence from U.S. communications networks just in March 2013. That follows a Washington Post report in 2010 that said "every day, collection systems at the [NSA] intercept and store 1.7 billion e-mails, phone calls and other types of communications."

To address criticism that the NSA program is overbroad or operating on shaky legal footing, President Obama planned to meet Friday with the Privacy and Civil Liberties Oversight Board (PCLOB), a five-person independent agency that's charged with reviewing how the government balances surveillance requirements with people's civil liberties and right to privacy, reported Reuters. The board has been largely inactive since 2008, which is the year when Congress authorized the most recent secret NSA surveillance programs.

OCLOB chairman David Medine told Reuters that the board plans to hold a public hearing in July to solicit input from legal scholars and civil rights advocates on the NSA's surveillance programs. "Based on what we've learned so far, the board believes further questions are warranted," he said.

At Obama's direction, homeland security adviser Lisa Monaco asked the director of national intelligence Thursday to review information relating to FISA court opinions and see what additional information could be declassified and released to the public.

That initiative "builds on the administration's ongoing effort to declassify a significant amount of information regarding these programs," according to a White House statement. "The president's direction is that as much information as possible be made public while being mindful of the need to protect sources and methods and national security."

But Snowden's leaked documents -- of which there are reported to be at least dozens of interest -- appear to be detailing the previously withheld legal justifications for the NSA's monitoring programs faster.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
FranciscoM006
50%
50%
FranciscoM006,
User Rank: Apprentice
6/21/2013 | 4:51:55 PM
re: Want NSA Attention? Use Encrypted Communications
This sounds ilogical, because all the connections for buying, E-mail (TLS) and other stuff is encripted, then that means more than 80% of the traffic on internet is the Objective of the NSA, Enterprises, Business (white zone, gray zone, and dark zone), Emails (from personal to firms of any size), and now must add, the Serbanes Oxley regulation, that some enterprises have to had every computer, mail, etc. encrypted, with remote wipe, that means that NSA watch the business secrets.

Everything that matters is encrypted!

Follow the presumption, "I don't have to encrypt anything because I have nothing to hide" may apply to those people that does not make any online transaction, save pictures of his family, neither chat with them, have no mail/voicemail to check, in other words have no online life.

It's surprising that NSA does not go like other governments arround the world, using Open Source Intelligence and spend huge amount of money and effort to spy his own citizens (in the best case).

It's the worst scenario, can't encrypt because your government spies you, and cannot live without encrypting because any one can read it/ access your company information, in a less worst case, "it's ok that your government read everything about your encrypted enterprise information", how you can trust than that guy that is reading it, is not going to go with your competence and sell your secrets?, how you can call it Democratic Nation if it acts exactly like URRS and CUBA? (but in a Digital Era)

Safety is not in war with Privacy, but Safety does not means Privacy is avoided.
frankinpan
50%
50%
frankinpan,
User Rank: Apprentice
6/23/2013 | 1:56:16 PM
re: Want NSA Attention? Use Encrypted Communications
The writer does not do English well and left me somewhat confused, reading not so well constructed sentences. I feel like encrypting everything I do online now, just to annoy the bastards in Washington DC and their over zealous deeds that only have dreadful unintended consequences including the bankruptcy of the US treasury. Please read your posts as they have much value, but they can only be digested if the wording is simple and exact. Examples are always helpful, which you do provide, thanks! How would I encrypt my email, if you can say?
EddieV404
50%
50%
EddieV404,
User Rank: Apprentice
8/9/2013 | 3:30:12 PM
re: Want NSA Attention? Use Encrypted Communications
Download and install GPG, Thunderbird mail, and Enigmail plugin for Thunderbird.
PressEnter
50%
50%
PressEnter,
User Rank: Apprentice
8/10/2013 | 9:14:33 PM
re: Want NSA Attention? Use Encrypted Communications
" because all the connections for buying, E-mail
(TLS) and other stuff is encrypted, then that means more than 80% of the
traffic on internet is the Objective of the NSA, Enterprises, Busines.."

Now you are getting it. They spy on anything and everything. Select information is then passed on to the elite to allow them to game the system. Insider information and technology under development are stolen by the NSA and company on a regular business. The USA has been caught red handed doing this.
pcbackup
50%
50%
pcbackup,
User Rank: Apprentice
6/23/2013 | 5:48:37 PM
re: Want NSA Attention? Use Encrypted Communications
Since using encryption could be thought of as the equivalent of locking the doors of your home, applying the NSA logic means you must be hiding a crime in your home, and they are then authorized to break into your house and report anything criminal they find to the appropriate authorities. Only a criminal would lock their home, right?
EddieV404
50%
50%
EddieV404,
User Rank: Apprentice
8/9/2013 | 3:31:31 PM
re: Want NSA Attention? Use Encrypted Communications
Do forget to leave your windows open also... unless you have something to hide.
builder7
50%
50%
builder7,
User Rank: Apprentice
6/24/2013 | 2:57:00 AM
re: Want NSA Attention? Use Encrypted Communications
This is exactly why the government should not be doing this. If they get their hackles up that people take measures to ensure that they have private communications because people desire privacy, the government should not take that as suspicion that person is a criminal or other undesirable.
builder7
50%
50%
builder7,
User Rank: Apprentice
6/24/2013 | 2:59:03 AM
re: Want NSA Attention? Use Encrypted Communications
As I was saying, the government can decrypt encrypted messages easily if they are 128 bit or less. They may not tell us that but it is true with supercomputers. Also, large companies that provide applications leave back doors where the government can get into people's computer anyway!
Palpatine
50%
50%
Palpatine,
User Rank: Apprentice
6/24/2013 | 2:18:00 PM
re: Want NSA Attention? Use Encrypted Communications
I'm wearing tin foil hat, and I'm not letting go out without tiny tin foil hats any message below 128 bit.
JohnnyD076
50%
50%
JohnnyD076,
User Rank: Apprentice
9/19/2013 | 3:30:51 AM
re: Want NSA Attention? Use Encrypted Communications
And I believe that you truly believe everything that your just wrote. So sad.
builder7
50%
50%
builder7,
User Rank: Apprentice
9/22/2013 | 11:53:20 PM
re: Want NSA Attention? Use Encrypted Communications
Yeah, I believe it and it has already been proven to be so. Right now large companies like Microsoft and Google are scrambling to get out from under this, but can they, being snoopers for big brother while the entire time they have been telling everybody that they respect privacy. I'll bet that there are private databases also that are used by companies, for use only by certain trusted people that have enough money to pay for them, that contain all of this information!
mark jumaga
50%
50%
mark jumaga,
User Rank: Apprentice
8/9/2013 | 3:54:05 PM
re: Want NSA Attention? Use Encrypted Communications
You can stop this only one place. Vote every single congressional proponent out of office permanently. Educate yourself how your rep voted. Destroy this cancer on the consitution.
JohnnyD076
50%
50%
JohnnyD076,
User Rank: Apprentice
9/19/2013 | 3:29:36 AM
re: Want NSA Attention? Use Encrypted Communications
The NSA is welcome to keep all of my 256 bit encrypted data because they will never be able to do anything with it. This is basically propaganda being spread by an author that thinks that he is doing something positive for the people but in reality he is just spreading BS. The NSA wants us to believe that we will be targeted but guess what--EVERYONE is. I for one am not going to make things easy for the NSA to spy on me, in fact I am going to make it impossible for them to spy on me and that just pisses them off so they spread BS about targeting freedom lovers-- fuch 'em. OpenVPN and encryption software for anything that should be private such as my business.
builder7
50%
50%
builder7,
User Rank: Apprentice
9/22/2013 | 11:49:05 PM
re: Want NSA Attention? Use Encrypted Communications
You are right unless they have an encryption key to open all algorithms on the open market. It has recently been revealed that they have that capability, thanks to companies providing it to them. You haven't heard because it is against the law for them to tell you or for the contractors and employees of them to tell. Of course, sometimes there is a true patriot like Edward Snowden who exposed the entire secret police state that they have been building for the last 50 years!
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio