These are the most damning indictments of the federal government's spying, demonstrating that its efforts are not only unconstitutional and destructive but criminal and fraudulent.
According to the ProPublica article, referring to the NSA: "The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, Internet chats and phone calls of Americans and others around the world, the documents show."
NSA Headquarters: Fort Meade MD by National Security Agency
The three publications' reportage outlines a huge, expensive, and multi-faceted program designed to break all "encryption" in on-line communications (the Guardian's package of coverage is superb). The information gleaned is then stored and, using search and analysis methods previously reported on, it's sorted and some of it read.
Two of the most egregious and frightening aspects of the policies demand particular attention and explanation because they directly attack protections most Internet users take for granted.
With a conscious attempt to defeat Secure Socket Layers and encryption protocols, the government has attacked the very foundations of Internet communications. We have come to trust the privacy and security of the Internet when those features are offered, in part because they're offered. Now we find that they don't exist.
What it all means is that the forms you use for credit-card purchases, bank information, membership applications, website email -- the forms you use all the time believing your information is protected -- may well be carrying code that will allow the NSA to get your information. What's more, the encryption programs many Internet users employ to keep their communications, including email, private may carry "back door" code that will allow anyone with the proper program to decrypt and read them.
The government programs not only attack the functionality of privacy but completely destroy any rational confidence people can have in the privacy of their day-to-day communications. They also smash confidence in the government and the corporations that offer these protections because the certainty of privacy has been offered with the apparent full knowledge by these companies that there is no such certainty.
These latest revelations were delivered in about 50,000 documents Snowden released to news outlets this week. While they broaden the information he has delivered to the world about government spying, these revelations add a darker stroke to the drawing. Up to now, Snowden's information has demonstrated how governments and compliant corporations have facilitated the capture, storage, and analysis of Internet communications and our government has answered those charges with a PR-choreography designed to divert attention from the real issue at stake: privacy and the Constitution. It has said, all along, that its intent isn't to assault our privacy but to catch people who would do us harm.
These revelations demonstrate that the intent of government spying has been not only to assault privacy but to make it impossible to achieve. They rip the locked doors off all Internet privacy and make the application of Constitutional rights impossible.
Nowhere is this clearer than with the attack on Secure Socket-Layer protocol.
When you go to a website to purchase something or fill out a form with your personal information, you'll notice a different kind of website address. Rather than the "http:" that urls usually start with, you'll see "https:". This means the page is secure and that, if it's complying with Internet standards, the website has installed a certificate that proves it is the site it says it is owned by the people who claim to own it. Any encryption of data between site and browser is now "trusted". So, you are implicitly told, you can enter a credit-card number and nobody else can read it. It was encrypted the moment it was entered and you pushed "submit" and the information you exchange with the site is totally protect in a "secure tunnel" (which means that nobody can even see it in any form); the people who own the site are vouching for that.
The Internet offers this assurance by maintaining "standards" for this transaction. About 40 companies world-wide offer certificates (idioscyncratic pieces of code that are to be installed on a server) and, as a default, browsers recognize certificates for those companies. That's the standard. When you visit such a webpage, your browser and the server conduct a complicated series of communications -- called a "handshake" -- that verifies the certificate, the identity of its owner, and the company that wrote the certificate being used. This is among the most sacred trusts in Internet technology. If the certificate isn't authentic or up-to-date, the "server" will return an error.
For several years now, the NSA has been working with some of those certificate companies to allow it to "pose" as a trusted authority and answer your handshake. When your computer asks for an SSL certificate, the NSA's code offers proof that the site is actually secure and owned by the certificate holder. At that point, it can capture all data you enter into that page as it goes through a secure tunnel to which the NSA now has access. This is called a "man in the middle" attack. That data is stored -- for a few days, according to these documents -- and then de-crypted with one of the programs the NSA has spent hundreds of millions of dollars to develop. The agency can then search through the data (probably all the data on the Internet) for "suspicious" terms and phrases to choose which files it will investigate more carefully.
SSL (or TLS as it is now known) protection is also provided to many forms of email and other on-line protocols such as SSH: a protocol that gives users, most often technologists and server administrators, the ability to conduct secure direct communications with a server via "command line" programs. That kind of security is essential to the operations, by administrators, of the entire Internet. No decent administrator will enter a command-line program without it because, if someone can eavesdrop on what the administrator is writing, they can get the administrator's passwords, log into the server, and do what they want with everything stored there.