More released documents from Edward Snowden show that the US National Security Agency (NSA) has done the unimaginable – cracked encryption codes that secure most of our data. It’s an impressive feat even for the NSA, which was created just for code-breaking and now sets the standard for encryption technology. Encryption is important because it’s the main tool used to ensure the security of your web communications, whether it’s Skype video calls, online banking transactions, or sending electronic health records via health portals.
However, as this NPR piece explains, it isn’t so much that encryption can’t protect data, but rather that the NSA has found ways to get around data encryption. According to a Q&A with Snowden over the web, the NSA’s ability to actually break encrypted data is limited. Instead, the agency typically uses techniques that bypass encryption code-breaking, such as hacking into computer endpoints to gather data either before it has been encrypted or after it has been decrypted. The NSA also works with numerous companies to gather decryption keys or to insert backdoor surveillance technology into applications. Earlier news reports on the Snowden documents identified some of the biggest Internet companies (Microsoft, Google, Facebook, Yahoo!, Apple) as all having been part of the NSA PRISM surveillance program, despite their stated privacy policies.
The documents also suggest that the NSA has used its influence to introduce weaknesses into its encryption standards (released in 2006), which are used by software and hardware developers worldwide. These weaknesses can then be used to build back doors or to otherwise hack into programs using these standards.
This might be a good time to reconsider your videoconferencing options. Many of our favorite videoconferencing services, such as Vidyo, Google Hangouts, BlueJeans, and WebEx, use a computer architecture that makes them a perfect target for NSA wannabes. These systems all send your media streams through a router or middleman server where your data will be decrypted and stored before being delivered to its final endpoint computer. Because such servers act as a sort of central switchboard through which gajillions of users’ videoconferencing sessions must pass, you can see how they would make juicy targets. (Btw, VSee never keeps any decryption keys or users’ video conversations on its servers. 🙂 ) The New York Times explains, “How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored.”
photo credit: bocek.kevin via Flickr