As reporters at the New York Times, the Guardian and ProPublica dig deeper into the documents leaked by Edward Snowden, new and disturbing revelations continue to be made. Two programs, dubbed Bullrun (NSA) and Edgehill (GCHQ), have just come to light, that focus on circumventing or breaking the security and encryption tools used across the internet. The effort dwarfs the $20 million Prism program that simply gobbled up data. Under the auspices of "Sigint (signals intelligence) enabling" in a recent budget request, the NSA was allocated roughly $255 million dollars this year alone to fund its anti-encryption program.
The agencies' efforts are multi-tiered, and start with a strong cracking tool. Not much detail about the methods or software are known, but a leaked memo indicates that the NSA successfully unlocked "vast amounts" of data in 2010. By then it was already collecting massive quantities of data from taps on internet pipelines, but much of it was safely protected by industry standard encryption protocols. Once that wall fell, what was once simply a torrent of scrambled ones and zeros, became a font of "exploitable" information. HTTPS, VoIP and SSL are all confirmed to have been compromised through Bullrun, though, it appears that some solutions to the NSA's "problem" are less elegant than others. In some cases a super computer and simple brute force are necessary to peel back the layers of encryption.
More alarming than work by the NSA and Government Communications Headquarters (GCHQ) to simply break popular encryption methods are its efforts to work with companies and standard-setting bodies to weaken protection schemes. Though no particular companies are named in the leaked documents, the NSA expects to gain access to a hub for a "major communications provider" and a "major internet peer-to-peer voice and text communications system" by the end of 2013. Some companies may have complied with the agency's requests willing, but it's clear from the documents that the NSA exerted pressure on many, forcing them to create backdoors in security and encryption tools. According to another memo, the NSA was even the primary editor of a set of security standards passed by the US National Institute of Standards and Technology in 2006.
The GCHQ for its part has been focusing heavily on email providers and VPN networks. In fact, Hotmail, Google, Yahoo and Facebook are singled out as targets that need to be cracked. Its efforts also go well beyond simple hacking and strong-arming: the documents also reveal that the British agency has covert operatives inside the telecommunications industry.
These capabilities do not mean that the NSA is actively intercepting and decrypting your most embarrassing Amazon purchases or reading your emails. The law still prevents the agency from targeting the communications of American citizens without a warrant. But, it does mean that almost none of your data is truly private or safe from prying eyes. And it may only be a matter of time before a criminal or terrorist organization discovers and exploits these same vulnerabilities theoretically left in place so the NSA could combat such adversaries.