The Intercept has published a series of documents obtained from NSA whistle-blower Edward Snowden, which show how the NSA:
- Spied on hundreds of telecoms companies across the world, including those based in countries closely allied to the US, such as the UK and Australia
- Has plans to introduce weaknesses into international communications systems so that they can be more easily tapped (weaknesses that criminals and terrorists may themselves be able to exploit)
- Intercepted over 1,200 email accounts belonging to employees of major cellphone networks in order to obtain confidential company planning papers that could be used to compromise the companies’ communications systems
- Targeted the high-profile GSM Association (‘an influential U.K.-headquartered trade group that works closely with large U.S.-based firms including Microsoft, Facebook, AT&T, and Cisco, and is currently being funded by the U.S. government to develop privacy-enhancing technologies,’ and ‘which represents the interests of more than 800 major cellphone, software, and internet companies from 220 countries.’)
The operation, codenamed AURORAGOLD, recalls past scandals about the NSA building backdoors into, and deliberately weakening, international encryption standards. ‘Leading cellphone security expert and cryptographer’ Karsten Nohl told The Intercept that,
‘The operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.’
He then went on to explain that ‘collecting an inventory [like this] on world networks has big ramifications,’ as a weakness for the NSA is a weakness for anybody,
‘Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities, because once NSA introduces a weakness, a vulnerability, it’s not only the NSA that can exploit it.’
This is a view echoed by Mikko Hypponen, a security expert at Finland-based F-Secure,
‘If there are vulnerabilities on those systems known to the NSA that are not being patched on purpose, it’s quite likely they are being misused by completely other kinds of attackers. When they start to introduce new vulnerabilities, it affects everybody who uses that technology; it makes all of us less secure.’
As of May 2012 the NSA had collected technical data on the vulnerabilities of 700 of the world’s 1,000 cellphone networks, and shared any information gathered with its Five Eyes spying partners.
Exact details of which companies have been targeted were not revealed by the documents, but one of the documents does show a map indicating that ‘network coverage’ is available on every continent, and includes coverage of countries that have so far been less than impressed by NSA tampering, including France and Germany.
Last December a surveillance review panel put together by President Obama concluded that the NSA should not ‘in any way subvert, undermine, weaken, or make vulnerable generally available commercial software,’ and recommended that, if the NSA did find vulnerabilities, it should inform the relevant company (unless the case involved ‘high priority intelligence collection’).
Unsurprisingly, the NSA has only provided stock responses to the revelations,
‘NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements—regardless of the technical means used by foreign targets, or the means by which those targets attempt to hide their communications.’