US and British intelligence agencies have unlocked much of the online encryption that protects the privacy of internet users’ personal data, online transactions and emails.
Many internet users assume that their online information, including medical records and bank details, is safe from snoopers, but fresh documents released by US whistleblower Edward Snowden appear to show otherwise.
Classified briefings between the National Security Agency and its UK counterpart GCHQ, obtained by The Guardian newspaper, show the agencies celebrating their success at “defeating network security and privacy”.
A 2010 GCHQ document states: “For the past decade, NSA has led an aggressive, multi-pronged effort to break widely used internet encryption technologies.
“Vast amounts of encrypted internet data which have up till now been discarded are now exploitable.”
The documents reveal that various covert methods have been used to break down internet security, including an NSA programme, costing $250m (£160m) a year, which works with technology companies and internet service providers to insert weaknesses into their product designs.
Supercomputers have also been used to break encryption with “brute force” and in some cases companies say they were forced by the government to hand over their master encryption keys or build in a back door.
For at least three years, one document says, GCHQ has been working to develop ways into protected traffic on the “big four” service providers, named as Hotmail, Google, Yahoo and Facebook.
By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document, which Google has denied.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.
The agencies defend code-breaking, saying it is necessary to counter terrorism and gather foreign intelligence.
But security experts say the internet is being undermined as “cryptography forms the basis of trust online”.
Bruce Schneier, an encryption specialist at Harvard’s Berkman Center for Internet and Society, told The Guardian: “By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.”
The documents are among more than 50,000 shared by The Guardian with The New York Times and ProPublica, the non-profit news organisation.
The full extent of the NSA’s decoding capabilities is known only to a limited group of top analysts from the NSA and its counterparts in Britain, Canada, Australia and New Zealand.
Only they are cleared for the Bullrun encryption-cracking programme, the successor to one called Manassas – both names of an American Civil War battle.
A parallel GCHQ counter-encryption programme is called Edgehill, named for the first battle of the English Civil War of the 17th century.