Is Encryption Effective Against Snooping? German Government Says No, Snowden Says Yes
from the maybe-not-the-real-problem dept
The revelations of Edward Snowden about the NSA's snooping of citizens both inside and outside the US are posing more questions than they answer at the moment. One key area is whether the use of encryption -- for example for email -- is effective against the techniques and raw power available to the NSA (and equivalents in other countries). That's something that has come up before in the context of the UK's Snooper's Charter. When a top official there was asked whether the proposed surveillance technology would be able to cope with encrypted streams, he replied: "it will." Snowden's claims about massive, global spying makes the issue even more pertinent.
Here's one view, from Germany. Politicians from the Die Linke party posed a number of questions to their government on the subject of the latter's use of surveillance techniques (original PDF in German). Most of the answers were the kind of thing you might expect -- "we can't possibly go into details" etc. etc. -- but one was surprising. To the question:
Is the technology used also capable of decrypting at least partially, or evaluating, encrypted communications (eg via SSH or PGP)?Back came the answer:
Yes, the technology used is generally able to do that, depending on the type and quality of the encryption.But Edward Snowden doesn't agree. When he was asked in an online Q&A session on the Guardian Web site the following question:
Is encrypting my email any good at defeating the NSA survelielance? Id my data protected by standard encryption?He replied:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.In discussions about the German government's claim that it can crack encryption in certain circumstances, some suggested that maybe it could -- not directly, but using the malware that Techdirt has written about before. So even if the question as to the efficacy of encryption itself is still rather up in the air, there seems to be a consensus that the real weakness lies in letting people gain access to your system.