[ExI] After NSA revelations, end-to-end encryption is more important than ever

Eugen Leitl eugen at leitl.org
Wed Jun 12 15:28:06 UTC 2013


Spy stoppers: meet the companies benefiting from the PRISM privacy scare

After NSA revelations, end-to-end encryption is more important than ever

By Russell Brandom on June 12, 2013 09:49 am Email 11COMMENTS

The world is still reeling from the leaked details of the NSA's PRISM
program, reported to give the government's top spies access to personal user
data collected by Google, Apple, Microsoft, and other services. But while the
mainstream is fighting over the precise nature of PRISM, the world of
cryptography is feeling strangely validated. "People put their trust in
Apple, Google, Yahoo, Microsoft, but now they see it's being handed over,"
said Mike Janke, CEO of the iPhone encryption service Silent Circle. "It
takes something like this for people to wake up."

Nadim Kobeissi, founder of Cryptocat, took a similar line. "This is how you
develop security software," Kobeissi told The Verge. "You always assume the
very worst."


While PRISM is bad news for privacy advocates, it's good news for
cryptography software, which has seen a range of previously obscure features
become newly relevant in light of the government’s mass surveillance
operations. The most important function in programs like Cryptocat is
end-to-end encryption, a design feature that prevents the company handling
your email from being able to open your data up to the NSA. In end-to-end
encryption, only users have copies of the keys — so if a government agency
wants access, they need to get it directly from you. This stands in contrast
to services like Gmail, which use SSL encryption as a standard but keep the
keys on the company servers and are able to decrypt messages at will. Last
week that wasn't a worrying thought, but with the allegations that the NSA
has direct access to such servers, it's a newly sensitive point.

Many programs offer end-to-end encryption, from paid services like Silent
Circle to free and open source projects like GnuPG and Cryptocat, but they
all involve venturing outside the familiar world of large corporations and
friendly user interfaces. Still, it may be a leap many consumers are willing
to take. In a recent survey more than half the country described itself as
uncomfortable with email surveillance, and some programs have already seen
numbers rise. Kobeissi says in the days following the first leaks, Cryptocat
saw nearly double its normal usage. On Tuesday, Silent Circle announced a
half-off deal "in light of the latest wave of concerns."


At the same time, developers are careful to acknowledge the limits of this
approach. Kobeissi says up front, "If you're Edward Snowden, none of these
tools will save you." The problem isn't the encryption itself, but the
difficulty of maintaining security through every step of the process. An
airtight encryption protocol can protect messages in transit, but any
would-be snoopers could still find a way to break into the phones on either
end, or find a weak spot in the program's implementation. Developers look
hard for these kinds of weaknesses, but the NSA is presumably looking harder,
and with more resources to throw behind the effort. Even more troubling are
tools like weaponized malware built on unpublished exploits, which government
agencies have been buying up at an alarming pace in recent years. If a user
were to be successfully targeted by these programs, all the encryption in the
world wouldn't keep the NSA out of their phone or computer.

The result is that, despite forward-thinking assumptions, most cryptography
tools are still only partial solutions — something cryptographers will often
be the first to admit. As Kobeissi put it, "These tools are just shims.
They're not a substitute for policy and having a political discussion."

More information about the extropy-chat mailing list