NSA can tap most sensitive data saved on smartphones, including contact lists, SMS and location information, Germany’s Der Spiegel has argued citing some secret NSA documents, which is claims to have. The article published Sunday doesn’t say how the magazine obtained the documents, but one of its authors is Laura Poitras, an American filmmaker with close contacts to NSA leaker Edward Snowden.
According to the papers, NSA is able to infiltrate iPhones as they sync to a user’s computer via programs called scripts, which provide access to at least 38 additional iPhone features. The programs could access BlackBerries and Android-running phones, as well.
Smartphone makers, especially Apple, have always claimed that agencies can’t read the encrypted messages that are sent between devices of the same type (like iMessage and BBM). However, since those messages are sent through a company-owned server, it is possible to tap and control them.
The documents suggest the NSA has been able to crack the code to enter the BlackBerry mail system, which is both encrypted and secure on the company’s servers and on its phones. The company has issued a statement denying that it had created a “back door” to its servers for the NSA. BlackBerry has issued similar denials in other contexts, though in the past it has admitted to providing the government of India some level of access in compliance with local law.
Apparently the NSA was unable to tap into some BlackBerry devices at one point in 2009, but one memo details a 2010 breakthrough in that regard and the memo allegedly noted the success by stating “champagne!”
Bruce Schneier, a security technologist and author commented on the revelations in an interview with the VoR.
“They do it through a variety of means. They do it through hacking -- the kind of things you'd see criminals do -- they do it through secret agreements with the companies that build hardware and software, with the telecoms around the world and they do it pervasively,” says Schneier. “They do it all around the internet.”
Schneier says the NSA has been able to hack into standard web security known as Secure Socket Layer or SSL. Partially through the agreements mentioned, the NSA can circumvent any site that uses a secure server such as Facebook, Gmail or Hotmail. Secure servers are identified by the “https” in front of a site's URL.
The NSA, Schneier says, holds similar agreements with the companies that power smartphones, so forget about any security of your data.
Ryan Ellis, a postdoctoral Research Fellow of Science, Technology, and Public Policy at Harvard University, reinforces Schneier's point. “Mechanisms that many people use to conduct private or what we presume to be private communications over the Internet, in fact, can be subverted or worked around,” the expert says.
Ellis added the newest revelations aren't surprising, though they do go into a level of detail not shared before.
“What's interesting about the most recent disclosures is that it starts to paint the picture of exactly how that happens,” said Ellis. “How they are able to attack devices and work within the network to get around standard, traditionally used forms of encryption.”
Der Spiegel pledged to reveal more details in a series of articles, which are coming soon.
The NSA documents apparently reveal that the agency has set up working groups for each mobile operating system, meaning that sets of employees are dedicated to cracking the security of these devices.
Der Spiegel says the documents indicate that the NSA used the technique in specific cases or to eavesdrop on specific individuals and this has not been a mass surveillance of phone users.
The CBS reports that the article comes right after another report claiming the NSA, in cooperation with the British government, has secretly been unraveling encryption technology that billions of Internet users rely upon to keep their electronic messages and confidential data safe.
The NSA has bypassed or cracked much of the digital encryption used by businesses and everyday Web users, according to reports in The New York Times, The Guardian and the nonprofit news website ProPublica. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone’s secrets available.
The NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert “back doors” into their software, the reports said. Such a practice would give the government access to users’ digital information before it was encrypted and sent over the Internet.
VoR’s Elly Mui reports that according to recently declassified materials, the Obama administration sought greater access for the NSA in 2011. Previously, the NSA could not search its own massive databases of collected phone calls and emails. The Washington Post reported Saturday that the Foreign Intelligence Surveillance Court reversed that restriction upon the White House’s request, giving the NSA permission to search for American residents using names and email addresses without a warrant.
Patrick Toomey, a security fellow at the American Civil Liberties Union, called this decision by the FISA court an unfair maneuver by the NSA and that all American citizens deserve a greater guarantee of privacy.
“We think that Americans and others located inside the United States are entitled to have the full protection of the constitution when the NSA goes to look at their emails,” says Toomey. "And therefore, just like if you were a criminal suspect, [if] the government [tries] to investigate terrorism through traditional criminal channels, they would need to go to court and get a warrant and the same should be true if the NSA wants to look at people inside the United States for those reasons.”
The NSA also won the ability to keep records on American citizens for up to six years and possibly even longer. Toomey calls this practice questionable.
“The NSA believes the longer that it holds the records, the better its ability to draw connections between different targets and their communications with one another. And that by aggregating this information over time it can build a more complete picture of the activities its interested in and potential threats to the United States,” says Toomey. “The ACLU believes this information has a limited shelf life and at a certain point it becomes much more intrusive on Americans’ privacy.”
Toomey says the government’s overreach has been in question for years, saying that their justification for counter-terrorism does not hold up to the information that is being released.
“The ACLU has been warning for years that the definition of foreign intelligence information encompasses not just information related to terrorism but anything really that the government considers related to foreign affairs of the United States,” Toomey said. “Therefore it does sweep in business information, political information, diplomatic information, cyber security information; it goes far beyond the narrow class of terrorism data the government usually invokes with the government tries to justify these programs.”
The BBC's Steve Evans in Berlin admitted the reports do seem to indicate that the British and American security agencies have the ability to read private communications beyond what might have previously been thought possible - or desirable by those who fear the intrusion of the state.
As new revelations are coming out, the very notion of privacy is seeming more and more non-existent. Expert Schneier says there is nothing anyone can do except call for greater laws that prohibit government surveillance.
“You have to agitate for our Congress, for the courts to reign in this rogue agency. They have systematically perverted the internet and turned it into a spying platform. The only defense is political,” says Schneier.