[liberationtech] NSA is very likely storing all encrypted communications it is intercepting

Joseph Lorenzo Hall joe at cdt.org
Fri Jun 21 08:14:39 PDT 2013


Am I off in thinking that this is a good time to push more web 
properties to use forwardly secret SSL key exchange (like Google does 
with ECDHE_RSA)?

best, Joe

On Fri Jun 21 08:32:46 2013, Eugen Leitl wrote:
>
> http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/
>
> Leaked NSA Doc Says It Can Collect And Keep Your Encrypted Data As Long As It
> Takes To Crack It
>
> If you use privacy tools, according to the apparent logic of the National
> Security Agency, it doesn’t much matter if you’re a foreigner or an American:
> Your communications are subject to an extra dose of surveillance.
>
> Since 29-year-old systems administrator Edward Snowden began leaking secret
> documentation of the NSA’s broad surveillance programs, the agency has
> reassured Americans that it doesn’t indiscriminately collect their data
> without a warrant, and that what it does collect is deleted after five years.
> But according to a document signed by U.S. Attorney General Eric Holder and
> published Thursday by the Guardian, it seems the NSA is allowed to make
> ambiguous exceptions for a laundry list of data it gathers from Internet and
> phone companies. One of those exceptions applies specifically to encrypted
> information, allowing it to gather the data regardless of its U.S. or foreign
> origin and to hold it for as long as it takes to crack the data’s privacy
> protections.
>
> The agency can collect and indefinitely keep any information gathered for
> “cryptanalytic, traffic analysis, or signal exploitation purposes,” according
> to the leaked “minimization procedures” meant to restrict NSA surveillance of
> Americans. “Such communications can be retained for a period sufficient to
> allow thorough exploitation and to permit access to data that are, or are
> reasonably believed likely to become, relevant to a future foreign
> intelligence requirement,” the procedures read.
>
> And one measure of that data’s relevance to foreign intelligence? The simple
> fact that the data is encrypted and that the NSA wants to crack it may be
> enough to let the agency keep it indefinitely. “In the context of
> cryptanalytic effort, maintenance of technical data bases requires retention
> of all communications that are enciphered or reasonably believed to contain
> secret meaning,” the criteria for the exception reads. “Sufficient duration
> [for retaining the data] may consist of any period of time during which
> encrypted material is subject to, or of use in, cryptanalysis.”
>
> That encryption exception is just one of many outlined in the document, which
> also allows NSA to give the FBI and other law enforcement any data from an
> American if it contains “significant foreign intelligence” information or
> information about a crime that has been or is about to be committed.
> Americans’ data can also be held if it’s “involved in the unauthorized
> disclosure of national security information” or necessary to “assess a
> communications security vulnerability.” Other “inadvertently acquired” data
> on Americans can be retained up to five years before being deleted.
>
> “Basically we’re in a situation where, if the NSA’s filters for
> distinguishing between domestic and foreign information stink, it gives them
> carte blanche to review those communications for evidence of crimes that are
> unrelated to espionage and terrorism,” says Kevin Bankston, a director of the
> Free Expression Project at the Center For Democracy and Technology. “If they
> don’t know where you are, they assume you’re not a US person. The default is
> that your communications are unprotected.”
>
> All of those exceptions seem to counter recent statements made by NSA and FBI
> officials who have argued that any collection of Americans’ data they perform
> is strictly limited by the Foreign Intelligence Surveillance Act (FISA)
> Court, a special judiciary body assigned to oversee the National Security
> Agency. “We get great oversight by all branches of government,” NSA director
> Alexander said in an on-stage interview at the Aspen Institute last year.
> “You know I must have been bad when I was a kid. We get supervised by the
> Defense Department, the Justice Department, the White House, by Congress… and
> by the [FISA] Court. So all branches of government can see that what we’re
> doing is correct.”
>
> But the latest leaked document bolsters a claim made by Edward Snowden, the
> 29-year-old Booz Allen contractor who has leaked a series of top secret NSA
> documents to the media after taking refuge in Hong Kong. In a live Q&A with
> the public Monday he argued that NSA analysts often make independent
> decisions about surveillance of Americans not subject to judicial review.
> “The reality is that…Americans’ communications are collected and viewed on a
> daily basis on the certification of an analyst rather than a warrant,”
> Snowden wrote. “They excuse this as ‘incidental’ collection, but at the end
> of the day, someone at NSA still has the content of your communications.”
>
> However, the leaked document doesn’t exactly paint Snowden’s picture of a
> random NSA analyst determining who is surveilled. The guidelines do state
> that exceptions have to be “specifically” approved by the “Director (or
> Acting Director) of NSA…in writing.”
>
> Just how much actual surveillance the NSA’s exception for Americans’
> encrypted data allows also remains unclear. The Center for Democracy and
> Technology’s Kevin Bankston points out that a previously leaked slide from an
> NSA presentation makes reference to programs called FAIRVIEW and BLARNEY,
> which are described as “collection of communications on fiber cables and
> infrastructure as data flows past.”
>
> If the NSA is in fact tapping the Internet’s network infrastructure,
> Thursday’s leaked guidelines suggest it might be allowed to collect and
> retain all data protected with the common Web encryption Secure Sockets
> Layer (SSL), used for run-of-the-mill private communications like the Web
> email offered by Google and Microsoft, social networking services like
> Twitter and Facebook, and online banking sites. “If they’re tapping at the
> [network] switches and they take full allowance of this ability to retain
> data, that could mean they’re storing an enormous amount of SSL traffic,
> including things like Gmail traffic,” Bankston says.
>
> In other words, privacy advocates may be facing a nasty Catch-22: Fail to
> encrypt your communications, and they’re vulnerable to any eavesdropper’s
> surveillance. But encrypt them, and they become legally subject to
> eavesdropping by the most powerful surveillance agency in the world.

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe at cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
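
Added example, not part of the original message or the quoted article: a Python check that classifies cipher suite names by key exchange, to see whether a server's preference list offers forward-secret suites such as the ECDHE_RSA one mentioned in the message. The token sets, function names and SAMPLE list are assumptions constructed for illustration.

```python
import ssl

# Key exchanges that are both ephemeral and authenticated. "TLS1.3" is a label
# used here for TLS 1.3 suites, which always use ephemeral (EC)DHE.
FORWARD_SECRET = {"ECDHE", "DHE", "EDH", "TLS1.3"}
# Other key-exchange tokens that can lead an OpenSSL-style suite name.
OTHER_KX = {"ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "RSA", "KRB5"}

def key_exchange(suite):
    """Return the key-exchange token of an IANA or OpenSSL cipher suite name."""
    name = suite.upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        return "TLS1.3"                        # e.g. TLS_AES_256_GCM_SHA384
    for prefix in ("TLS_", "SSL_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    if "_WITH_" in name:                       # IANA: ECDHE_RSA_WITH_...
        return name.split("_WITH_")[0].split("_")[0]
    first = name.split("-")[0]                 # OpenSSL: ECDHE-RSA-AES128-...
    # OpenSSL omits the key exchange for static RSA suites (AES128-SHA).
    return first if first in FORWARD_SECRET | OTHER_KX else "RSA"

def is_forward_secret(suite):
    """True if recorded traffic stays protected after a later key compromise."""
    return key_exchange(suite) in FORWARD_SECRET

def audit(suites):
    """Classify a server's enabled suites, given in preference order."""
    fs = [s for s in suites if is_forward_secret(s)]
    return {
        "forward_secret": fs,
        "not_forward_secret": [s for s in suites if s not in fs],
        "preferred_is_fs": bool(suites) and is_forward_secret(suites[0]),
    }

def local_default_suites():
    """Suite names the local OpenSSL enables in Python's default TLS context."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]

# Constructed sample: a server preference list that puts static RSA first.
SAMPLE = ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
          "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(local_default_suites())["not_forward_secret"])
```

A list whose first entry is not forward secret matters most where the server enforces its own order: clients that support ECDHE would still be given a static RSA key exchange.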
