In wake of NSA encryption revelation, is privacy an illusion?


That tiny lock symbol on your browser bar may make you feel secure about your data. But according to new reports from the New York Times, ProPublica and the Guardian, the most common types of encryption used can be cracked by the National Security Agency.

According to the reports, leaked documents from former NSA contractor Edward Snowden reveal that the agency used a variety of methods to penetrate banking systems, trade secrets, medical records, secure emails and other Web data.

Secure Sockets Layer (SSL) is a cryptographic protocol that lets data be sent securely online by encrypting the message as it travels through telecommunications lines.

But according to the leaked documents, SSL has been cracked by the NSA. The same has been reported about virtual private networks (VPN) and the encryption used on fourth-generation (4G) mobile networks. While SSL adds a layer of protection for basic Internet users, security experts have known that it is not perfect.

"We do know that SSL, which is one of the most leveraged pieces of encryption technology, has been broken by non-state actor adversaries in a number of cases, so it stands to reason that it is vulnerable," Robert Hansen, security researcher at WhiteHat Security, told CBSNews.com over email.

Security experts have long believed that nothing online is impenetrable. But there is no simple answer for whether or not we have privacy. Stealing data can be accomplished by actual hacking, crafting spear-phishing emails or social engineering.

"As soon as you put anything online, or access anything online, we should consider that public," says Nish Bhalla, CEO of Security Compass.

Bhalla says that using encryption is useful against everyday hackers, but may not hold up against massive computer power. According to the leaked document obtained by the three news agencies, the NSA is using supercomputers to crack encryption. But even if a code can't be cracked now, it doesn't mean it's impenetrable.

"People forget that even if the NSA cannot break an algorithm today, because they have massive storage facilities, they may be able to break it later," Hansen says.

The NSA is constructing a 1-million-square-foot data center in Utah's Camp Williams that will soon be operational. According to the Washington Post, the U.S. intelligence community has a so-called "black budget" for fiscal year 2013 that allocated $52.6 billion, of which the NSA received $10.5 billion.

"Unless the information you are sending is only useful for a short period of time, this is probably the greatest threat to the data -- time. Cryptanalysis never gets worse -- it only gets better," Hansen says.

There are still options for people who are seeking privacy. Encryption programs such as Pretty Good Privacy (PGP), Wickr, Silent Circle or Lavabit specialize in encrypting communications. However, Silent Circle and Lavabit, which Snowden reportedly used, have shut down their email services in recent weeks, citing fears that a government investigation would force the companies to reveal data about their customers.

"Nothing is 100 percent," says Wickr co-founder Nico Sell. The messaging app she co-founded uses military-grade encryption. But even with all of the security measures in place, Sell believes there is plenty of room for human error.

What cryptographers aim to do is slow down potential eavesdroppers. Sell says this can be done by creating difficult, expensive and time-consuming obstacles. There are still several options for keeping a basic level of privacy. Sell suggests doing a factory reset on devices from time to time, to ensure malicious software is not installed. Several of the experts recommend using PGP.

"All of these things are better than doing nothing, and sending clear text," iSEC senior security consultant Shawn Fitzgerald says. Although he's concerned about the alleged breach of privacy, Fitzgerald doesn't believe that NSA snooping will affect people's daily routine.

And it's not just the government that has an interest in collecting data online. Cybersecurity professionals believe that using privacy tools is still important because it can deter hackers who are looking for sensitive information.

"Something else to keep in mind is that the NSA is one of the most well provisioned agencies in the world, but they're not your only adversary," says Steve Weiss, founder and CTO of security firm PrivateCore. "Different degrees of privacy are still achievable. It's not a lost cause."