How did they do it? The answer is that looking in on private conversations is much easier than most people realize. The good news is that consumers can make the practice far more difficult for government officials than it has been.
The Guardian's reports are based on materials leaked by Edward Snowden. GCHQ has not admitted to any of the charges that have appeared in the ongoing disclosures. Here is a statement that the organization sent to CBS MoneyWatch:
It is a longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.The National Security Agency did not respond to questions about the practice or whether it, too, was involved and monitoring and documenting personal communications. However, Snowden's discosures suggest that the NSA, and possibly other government bodies, have regularly intercepted all manner of online communications.
The reported spying has Yahoo concerned. Says a company spokesperson in a statement:
We were not aware of nor would we condone this reported activity. This report, if true, represents a whole new level of violation of our users' privacy that is completely unacceptable and we strongly call on the world's governments to reform surveillance law consistent with the principles we outlined in December. We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services.As to how this could happen, the key is revealed in the last sentence of Yahoo's statement noting that it continues efforts to expand encryption across all its services. The fact is that the vast majority of communications over the Internet -- including text, video, and audio over Yahoo Messenger -- is sent without encryption, so anyone who intercepts a message or image can view it.
If previous reports are correct that GCHQ and the NSA have regularly intercepted communications, getting the actual contents and not an encoded version would be easy.
Users can add a layer of privacy to Internet messaging. There are encryption plug-ins for Yahoo Messenger, AOL's AIM and even third-party software like Pidgin that connect to major messaging systems. Both parties must be running compatible plug-ins. Instead of plain text and standard image files traveling over the Internet, now the two people are sending scrambled data that can't be easily broken into.
There is a caveat, though. Standard encryption may be hard to break, but there are factors that give the NSA, in particular, a much easier time decoding it. Edward Frenkel, a professor of mathematics at the University of California-Berkeley, explains the problem in this video from the Numberphile podcast:
The short version is that encryption, as broadly implemented, depends on some math. Ultimately, the point is to create a series of seemingly random numbers that makes it impossible to predict the next number to come. That's fundamental to encryption.
To make this relatively easy to undertake, the U.S. National Institute of Standards and Technology (NIST) years ago provided the basics of the whole process. Companies could tailor the encryption a bit, but they all used the same standard mechanism.
If an organization understood the relationship between two pairs of solutions to the equation, they could observe the scrambled data and, eventually, pinpoint the tailoring the company did and predict how the series would proceed. The organization could then crack the encryption and see the message.
The NSA apparently had a hand in the encryption standards and worked out a pair of solutions to which they knew the relationship. That is the pair of solutions that NIST used as the standard. That means that with enough computer power -- something the NSA has in relative abundance -- the organization can crack virtually any data encrypted with the standard approaches.