The myth of perfectly secure communication is dying.
Since the revelations of widespread intelligence-agency eavesdropping on the digital communications of millions of people in the United States and around the world, governments and technology companies have been under immense pressure to explain exactly how pervasive the monitoring has become. Users of e-mail and social networks provided by the likes of Google Inc., Apple Inc. and Microsoft Corp. have found themselves asking whether there are any means of keeping their data totally secure.
The short answer, it seems, is that there isn’t. And new revelations suggest that even the BlackBerry, touted by Research In Motion Ltd. as the most secure form of wireless communication in the market, could not block the prying eyes of government.
The Guardian newspaper reported that the Government Communications Headquarters, Britain’s intelligence agency, spied on the e-mail and phone communications of visiting foreign dignitaries during meetings in London in 2009. The paper reported that, among other things, the GCHQ had managed to “penetrate” the security of the visiting officials’ BlackBerrys.
Until now, RIM had avoided mention in most of the stories related to the intelligence program: the company’s Canadian headquarters and famously secure network-operating centres have long provided the company with its reputation for security and privacy.
A RIM spokeswoman declined to comment specifically on the media reports. “We remain confident in the superiority of BlackBerry’s mobile security platform for customers using our integrated device and enterprise server technology. … Our public statements and principles have long underscored that there is no back-door pipeline to that platform,” she said.
Asked whether RIM could assure its customers their communications will not be accessed by any government agency without RIM’s consent, the spokeswoman refused to comment.
Increasingly, RIM, Google, Apple and other major tech companies have been forced by public pressure to disclose more information about the extent of their relationships with intelligence and law-enforcement agencies. But many of these disclosures are limited by the nature of certain court orders, which not only give agencies access to user data but also forbid the companies that hold that data from talking about the court order.
“There’s a legal part and policy part to these things,” says Ronald Deibert, director of the Canada Centre for Global Security Studies and the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “The legal part is a gag order – they’re are not permitted to speak about it by law. The policy part is about company image and making sure you do as much as possible to prevent sullying your brand.”
In the wake of the revelations about the U.S. intelligence program, called PRISM, several technology companies vehemently denied that they have ever given intelligence agencies “direct access” to their servers. However, those denials raised some eyebrows among critics, in part because many of them used very similar wording, prompting speculation about the extent to which the technology firms might offer indirect access.
On Monday, Mr. Deibert was equally wary of RIM’s statement about the nature of its relationship with government officials.
“I just don’t think that their public statements help alleviate some of the concerns many people have that they have not made special arrangement with governments for lawful access, back doors, or whatever you want to call it.”
While some companies, such as Twitter, have taken a much more aggressive stance on resisting requests for customer information, there is virtually no means of keeping information perfectly secure. Some measures, such as saving messages in an e-mail “drafts” folder rather than sending it, are rendered impotent if intelligence agencies have access to the e-mail services themselves.
Even secure messages sent from one user to another are likely to pass through several pit stops along the way – ranging from company servers to local carriers. At each point, the message is vulnerable to interception.
Basic encryption – or the coding of messages using very large numbers as cyphers – remains perhaps the most reliable way to protect communication. Still, even the strongest encryption algorithms can, theoretically, be broken.
Harvey Boulter, the chairman of Seecrypt, a mobile phone-call encryption app, describes the process by which the software works: the app generates a random encryption key for every phone call using ambient noise. Seecrypt then encrypts the conversation twice using a cypher so strong that it would take, on average, about 10 to the power of 600 guesses to break it – many times more than the estimated number of atoms in the universe.
The encryption can be broken, but even the most powerful computers would need months to decipher a single call.
Mr. Boulter says interest in his company’s encryption app has skyrocketed ever since the revelations about widespread eavesdropping, as more people try to make their information harder to obtain.
“We didn’t get enormous amounts of interest because people believed they were safe, then NSA’s PRISM came out and it just exploded,” he says.
“Many folks in the States and around the world think the Internet is for free. It is not for free – usually you’re paying for it by giving up your privacy.”