6 Sep 2013

UK spies ‘gobsmacked’ by extent of US encryption hacking

US and UK spy agencies have cracked internet encryption giving them wide-ranging access to supposedly secure internet data, according to further revelations from ex-NSA contractor Edward Snowden.

Former NSA contractor Edward Snowden has revealed extensive internet and data surveillance by the NSA and GCHQ

The National Security Agency and GCHQ have gained access to the personal data of hundreds of millions of people by breaking internet encryption and secretly compromising global coding standards, according to a report published by the Guardian.

The US and British spy agencies have also been working with technology companies and internet service providers to develop “covert partnerships” and embed secret vulnerabilities – otherwise known as trap doors – into commercial encryption software, said the paper.

Meanwhile, a GCHQ team has been developing ways to read the encrypted data traffic of Hotmail (provided by Microsoft), Google, Yahoo and Facebook, it said. All four companies told Channel 4 News they do not give the US government access to their systems.

‘Gobsmacked’

A 10-year NSA programme designed to tackle encryption reportedly made a breakthrough in 2010 which made available “vast amounts” of previously untapped data. The agency spends $250m a year on its encryption project.

An internal NSA memo said that British data analysts not previously aware of these efforts “were gobsmacked” when they learned of them.

The vulnerabilities inserted by the NSA into commercial encryption systems were designed to remain unknown to internet users, but raise questions over whether they could be exploited by hackers.

During 2013 the NSA expects the project to allow access to “data flowing through a hub for a major communications provider” and to a “major internet peer-to-peer voice and text communications system”, said the Guardian.

The NSA named its decryption programme after a battle in the US civil war, Bullrun, while its UK counterpart Edgehill is named after the first major engagement of the English civil war.

Bullrun has made progress against some widely used online protocols including HTTPS, voice-over-IP and secure sockets layer (SSL), which is used to encrypt online banking and shopping. However, the documents obtained by the Guardian suggest that the NSA and GCHQ have not yet managed to crack all encryption technologies.

Agent running

GCHQ also set up a human intelligence team which was “responsible for identifying, recruiting and running covert agents in the global telecommunications industry” to tackle “some of the most challenging targets”, according to documents quoted by the Guardian.

Revelations of US and UK efforts to break encryption follow reports of an NSA programme called Prism, which was used to monitor and assess communications metadata, and a UK effort named Tempora, which taps into transatlantic cables carrying masses of communications data.

Edward Snowden received temporary asylum in Russia after his initial leaks on the Prism programme. Russian President Vladimir Putin met US President Barack Obama for half an hour before the close of the G20 summit in St Petersburg, and said that Mr Obama did not request the extradition of former spy agency contractor Edward Snowden.

Extradition would be impossible because Snowden “did not commit a crime on our territory”, Putin told a news conference.

Responding to media claims that the US government has found ways to circumvent its security systems, a spokesman for Google said that the company “have no evidence of any such thing ever occurring”.

“The security of our users’ data is a top priority,” he added. “We do not provide any government, including the US government, with access to our systems… We provide user data to governments only in accordance with the law.”

A spokesman for Microsoft told Channel 4 News: “We do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys.”

“When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency. Microsoft does not provide any government with direct and unfettered access to our customer’s data.”

When asked about involvement in inserting software ‘backdoors’ or aiding decryption efforts by the NSA and GCHQ, a Facebook spokesman said the company had “nothing new to add” to its previous statements on Mr Snowden’s revelations.

“Facebook is not and has never been part of any program to give the US or any other government direct access to our servers,” Facebook reiterated. “We do not provide any government organization with direct access to Facebook servers.”

Yahoo told Channel 4 News: “We are unaware of and do not participate in such an effort, and if it exists, it offers substantial potential for abuse.

“Yahoo zealously defends our users’ privacy and responds to government requests for data only after considering every applicable objection and in accordance with the law.”

The Guardian’s report was jointly published by the New York Times and Propublica.