In the wake of recent revelations that the U.S. National Security Agency has circumvented or cracked much of the encryption technology that protects users' online confidentiality, it might seem that online confidentiality is dead.
Security and privacy experts, however, say that isn't true -- at least not yet.
The Guardian, the New York Times and ProPublica all reported last week that everything from email and online chats to financial transactions and medical records was not safe from the NSA's prying eyes -- based on documents leaked by former NSA contractor Edward J. Snowden.
The agency has engaged in a multi-billion-dollar campaign over the last 13 years, said the reports, to conquer the safeguards that scramble digital information for privacy and security purposes. The news agencies reported that NSA's methods supposedly range from developing super-fast computers to crack codes to covertly using its influence to introduce intentional flaws into the encryption standards followed by hardware and software developers, which the agency can then exploit.
But while the NSA's eavesdroppers have chipped away at some of the privacy safeguards that Internet users take for granted, there are still encryption technologies that they probably can't yet defeat.
Moreover, even less than state-of-the-art encryption still makes it sufficiently difficult and time-consuming for code-breakers to decipher messages that they can't conduct "dragnet" searches, in which they would sift through millions of users' emails, calls or chats in search of some word or phrase.
"Think of encryption as being like a safe," explained Ashkan Soltani, an encryption expert who consults with the Electronic Privacy Information Center, a Washington, D.C.-based watchdog group. "When you buy a safe, it's rated based upon the number of hours it would take an expert safe-cracker to break in. So you can buy a 5-hour safe, or a 30-hour safe, depending upon how much security you think you need."
Similarly, he explains, an encryption software developer can lengthen the key -- the sequence of numbers that unlocks the message -- or make the algorithms in the program more complex.
To follow Soltani's metaphor, the NSA has long wanted to be able to flip a switch and open all of the nation's safes at once. In the 1990s, according to news reports, the agency sought to compel encryption software makers to include a universal backdoor key, that would enable it to unlock anyone's communications. When NSA failed to get that power, it then started trying to find ways to get around encryption systems.
One approach was to beef up the agency's computing power. "A 2-kilobyte encryption key was designed to take 15 years for a computer to crack," Soltani explained. "But with advances in supercomputing, some of that protection goes away."
But NSA seems to have relied more heavily upon guile than muscle. The Snowden documents indicate that the agency used its influence to plant subtle flaws in the technical standards used by the encryption industry.