As long as there have been allegations, or perhaps generalized notions based on a mistrust in government, that NSA has the capability to read American emails without a court order, something has bothered me.
How would NSA actually accomplish bulk collection of content?
I mean, yes, the obvious top layer above-the-clouds answer is that they use switches that divert data into their servers, like the switches installed by AT&T after 9/11.
But that's like saying our bodies absorb nutrients we digest as a way of explaining why proteins are so important.
Now, I am not an expert in data encryption or information technology. Fortunately for me, this is a blog, and one is entitled to write about subjects one does not know much about.
I don't want to reveal any secret techniques NSA might use either, but I don't think a general discussion of email hacking goes too far into the red end of the classified spectrum.
From what I understand, after a Gmail has left your computer's browser, it's encrypted. When it arrives at Google's servers, it's encrypted. In the middle, as it zips around the world through gateways and switches, a certifying authority — kind of like an internet traffic cop — makes sure that the email communication is following all the safety and traffic laws by remaining encrypted. The meta-data is akin to a destination that's displayed on the outside of a car; the car is tinted so you can't see inside unless you have a key, a specific key that the driver waiting at the next destination can use.
Now, the NSA can break encryption. But — importantly — they cannot instantly (so far as we know) break the type of encryption that Google attaches to every email sent by every user. Not for a single encrypted email, not instantly, and certainly not for millions.
It's easy for the government to get emails directly from Google. But it's pretty hard for the government to get Google emails in bulk — and in bulk is the descriptor here — from taps outside Google. Think of meta-data as the stuff on the outside of the car — it's like the government has set up a license plate reader at key intersections and records all the traffic that goes by, but it cannot peek into the car unless it has the key.
If I'm an NSA computer network operations / information warfare tech, I'd obviously have found ways to get into the hardware used by particular targets. You can observe someone writing an email. Install a keystroke-logging program on their computer. Use a spear-phishing technique.
Unless NSA has found a way to mess with the traffic cops — the certifying authorities — I don't see how NSA possibly reads Google emails in real-time, looking for content, using keyword searches. Indeed, I don't know that NSA would be able to break the encryption of an email that somehow fell under whatever secret safe harbor provisions they have for emergencies. They really do need Google's help to read every email they do not steal from either end of the communication.
Eric Mill, a developer for the Sunlight Foundation, summed it up for me in a Tweet: "NSA can and does sniff traffic as it moves across the Internet, especially through backbones. Encrypted traffic is safe-ish."
Bart Gellman, one of the main reporters on the story, notes that "Mongols didn't topple the Great Wall of China. Bribed guards, raised ladders. NSA would rather steal keys than break crypto?"
A lot of caveats: Google is but one company. Yahoo and AOL and Facebook are different — I'll get into that in a different post. Also, in reference to bribing guards, perhaps NSA has an agreement with one or many of the certifying authorities, or traffic cops — this is a vulnerable point in the system — but there's no evidence that this is true. I'll explore this in a later post too.
Though NSA is no doubt privy to technologies the private sector is not, the idea that it can read emails that it does not get from Google in bulk and search them randomly is probably not a well-grounded fear.
Meta-data, of course, remains front and center. As it should be.