After XKeyscore, is encryption the next big thing?
- By Kevin McCaney
- Aug 01, 2013
The fallout from the latest revelations about the National Security Agency’s surveillance programs has yet to be measured, but one possible outcome could be an increased interest in encryption.
The U.K. publication Guardian reported on the NSA’s XKeyscore program, which collects millions of e-mails, Web browser sessions, chats and other communications in search of activity it deems suspicious. According to the Guardian, the NSA claims to have 700 XKeyscore servers at 150 sites around the world, and during one 30-day period in 2012 it collected more than 41 billion records.
In addition to collecting metadata, the NSA has the ability to sift through all kinds of unencrypted communications, monitoring “nearly everything a typical user does on the Internet,” according to the report, based in part on a 32-page 2008 slideshow summarizing the program. Would encryption make a difference with a program like this?
As it has since the Guardian, with documents supplied by former NSA contractor Edward Snowden, first reported on NSA’s surveillance programs, the agency insists that the program targets foreign terrorists and has strict oversight and compliance mechanisms.
On that score, NSA director Keith Alexander faced a roomful of skeptical hackers and security experts at the opening of the Black Hat conference Wednesday to try to convince them of the necessity, and the probity, of the operation.
But that hasn’t stopped people from becoming more interested in protecting their communications, nor has it stopped agencies, concerned about leaks and potential spying from other countries, from doing the same. After the initial reports that the NSA was collecting metadata on millions of domestic phone calls, Silent Circle, a company that provides peer-to-peer encryption, said its business shot up 420 percent in two-and-a-half weeks — and most of the interest came from government.
Whether news of XKeyscore has the same tangential effect on agencies for e-mail and Web encryption remains to be seen, but if nothing else it could raise awareness about a practice that has been regularly recommended and frequently ignored.
Some basic encryption has become commonplace on the Web, in the form of Secure Sockets Layer, (designated by HTTPS in the URL, instead of HTTP). Not too long ago, websites using SSL were pretty much limited to those handling financial transactions; other sites didn’t use it, in part because SSL slowed things down. But with increased bandwidth, SSL is becoming standard for some sites, especially social media sites. Google searches, Gmail and Twitter use SSL by default, for example, and Facebook gives users the option. Free tools such as HTTPS Everywhere, for Firefox and Chrome, encrypt connections to most sites. And sometimes it can even be as easy as adding an “s” to the “http” in the address line.
Encrypting e-mail is another option that could see increased interest. Outlook and Gmail already offer an option setting for encryption, and there are a number of commercial services, such as Voltage SecureMail (which has cloud and mobile versions) and Proofpoint. There also are free services such as Hushmail and Lockbin.
Agencies, of course, already use encryption for classified and other sensitive communications, but in the age of big data, analytics, social media interactions and nation-state Internet surveillance, even everyday communications could need to be protected. As the NSA’s programs show, intell gathering isn’t limited to trying to hack into government networks.
Kevin McCaney is a former editor of Defense Systems and GCN.