NSA Code-Cracking Revelations Are Bad for Business

Disclosures that the National Security Agency can crack codes protecting the online traffic of the world's largest Internet companies will inflict more damage than earlier reports of complicity in government spying, according to technology and intelligence specialists.

The agency has fulfilled a decades-long quest to break the encryption of e-mail, online purchases, electronic medical records and other Web activities, the New York Times, the U.K.'s Guardian and ProPublica reported yesterday. The NSA also has been given access to — or found ways to enter — databases of major U.S. Internet companies operating the most popular e-mail and social-media platforms, the news organizations reported.

The reports, based on documents from former intelligence contractor Edward Snowden, emerged amid an expanding debate over whether NSA surveillance activities undermine civil liberties. The revelations raise fresh questions about the security of data held by companies including Google Inc., Facebook Inc. and Microsoft Corp. just as more commerce shifts online.

"This is a fundamental attack on how the Internet works," Joseph Lorenzo Hall, senior staff technologist at the Washington-based policy group Center for Democracy & Technology, said in an interview. "Secure communications technologies are the backbone of e-commerce" including the transfer of medical records and financial exchanges.

"People in business will either not engage in those activities, or find other ways," Hall said.

The reports in the Guardian, the Times and the non-profit ProPublica news website said that NSA spends more than $250 million a year on a program working with technology companies to "covertly influence" product designs. The reports didn't name the companies cooperating with the NSA and didn't describe the extent to which the agency was using its code-breaking capability on the Internet.

The classified documents are the latest to be exposed by Snowden revealing previously secret NSA programs. The 30-year- old former employee of government contractor Booz Allen Hamilton Holding Corp. faces espionage charges in the U.S. and is in Russia under temporary asylum.

President Barack Obama's administration has been coping with increasing public backlash over U.S. spying activities since top-secret documents leaked by Snowden began emerging in June. Foreign governments, including Brazil and Germany, have objected to U.S. surveillance and spying operations.

Brazilian authorities canceled a trip to Washington this week to prepare for President Dilma Rousseff's state visit in October to protest allegations that the U.S. intercepted communications between top officials in Latin America's largest economy.

U.S. companies that are "household names" gave the NSA access to all communications, said Cedric Leighton, a former U.S. Air Force intelligence officer and a former training director for NSA. Companies gave easy access to NSA because their managers believed it was necessary and they trusted that the government agency wouldn't do anything wrong, Leighton said.

"But this takes the cake," Leighton said. "This has done a lot of damage to our ability to collect intelligence."

Even before the latest reports, U.S. technology companies offering network infrastructure services such as cloud computing and popular social networking applications were facing the prospect of losing business overseas.

Companies offering cloud services — in which businesses pay a third party to provide databases, storage and computing power — may lose as much as $35 billion by 2016 as foreign companies avoid U.S. solutions because of the fear the NSA may have access to the data, according to a study released last month by the Information Technology & Innovation Foundation.

"This is a hugely disappointing revelation," Daniel Castro, author of the Washington-based group's study, said in an e-mail. "This most recent news will certainly contribute to the perception that U.S. Internet companies cannot be trusted."

Michael Birmingham, a spokesman for the Office of the Director of National Intelligence, which oversees U.S. intelligence agencies, declined to comment on the reports.

Obama and officials from intelligence agencies have defended the NSA's surveillance programs as essential to thwarting possible terrorist attacks. U.S. officials have told lawmakers that the programs are legal and subject to oversight by a federal court and members of Congress.

Sixty-six percent of U.S. Internet users polled believe current laws aren't good enough to protect people's privacy online, according to a survey released yesterday by the Pew Research Center. That compared with 24 percent who believe current laws provide reasonable protections, Pew said. The July 11-14 telephone survey of 792 Internet users has a margin of error of plus or minus 3.8 percentage points.

Amid increasing public unease over the surveillance programs, Obama said Aug. 9 he would ask Congress to change the section of the Patriot Act allowing collection of telephone records, to increase oversight and transparency.

The president also said he'll propose a legal advocate to serve as an adversary when spy agencies make requests in the secret sessions of the Foreign Intelligence Surveillance Court, which vets requests for electronic eavesdropping. Last week, he met for the first time with a panel he requested to review U.S. surveillance initiatives.

Leslie Miller, spokeswoman for Google, said in an e-mail that the company doesn't "provide any government, including the U.S. government," access to its systems.

"As for recent reports that the U.S. government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring," Miller said. "We provide user data to governments only in accordance with the law."

Microsoft provides the U.S. government information when "legally obligated to comply with demands," according to a July 15 blog post by Brad Smith, general counsel for the Redmond, Washington-based company. "To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys."

Smith's comments apply to yesterday's reports, said Dominic Carr, a spokesman for Microsoft.

Sara Gorman, a spokeswoman for Yahoo! Inc., and Facebook's spokeswoman Sarah Feinberg, didn't immediately respond to requests for comment.

Google, Microsoft, Apple Inc. and 19 other technology companies sent a letter in July to Obama and congressional leaders urging that the companies be allowed to report statistics concerning requests for user data received from intelligence agencies.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER