FBI and NSA put heat on Web firms for SSL master encryption keys

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.
These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.
If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.
“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.
The person said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but voiced concern that smaller companies without well-staffed legal departments might be less willing to put up a fight. “I believe the government is beating up on the little guys,” the person said. “The government’s view is that anything we can think of, we can compel you to do.”
A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would turn over a master key used for Web encryption or server-to-server e-mail encryption, the spokesperson replied: “No, we don’t, and we can’t see a circumstance in which we would provide it.”
Google also declined to disclose whether it had received requests for encryption keys. But a spokesperson said the company has “never handed over keys” to the government, and that it carefully reviews each and every request. “We’re sticklers for details — frequently pushing back when the requests appear to be fishing expeditions or don’t follow the correct process,” the spokesperson said.
Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not received requests for encryption keys from the U.S. government or other governments. In response to a question about divulging encryption keys, Feinberg said: “We have not, and we would fight aggressively against any request for such information.”
Apple, Yahoo, AOL, Verizon, AT&T, Opera Software’s Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies.
Encryption used to armor Web communications was largely adopted not because of fears of NSA surveillance — but because of the popularity of open, insecure Wi-Fi networks. The “Wall of Sheep,” which highlights passwords transmitted over networks through unencrypted links, has become a fixture of computer security conventions, and Internet companies began adopting SSL in earnest about three years ago.
“The requests are coming because the Internet is very rapidly changing to an encrypted model,” a former Justice Department official said. “SSL has really impacted the capability of U.S. law enforcement. They’re now going to the ultimate application layer provider.”
An FBI spokesman declined to comment, saying the bureau does not “discuss specific strategies, techniques and tools that we may use.”
NSA director Keith Alexander, shown here at a Washington, D.C. event this month, has said that encrypted data are "virtually unreadable."

Top secret NSA documents leaked by former government contractor Edward Snowden suggest an additional reason to ask for master encryption keys: they can aid bulk surveillance conducted through the spy agency’s fiber taps.
One of the leaked PRISM slides recommends that NSA analysts collect communications “upstream” of data centers operated by Apple, Microsoft, Google, Yahoo, and other Internet companies. That procedure relies on a FISA order requiring backbone providers to aid in “collection of communications on fiber cables and infrastructure as data flows past.”
Mark Klein, who worked as an AT&T technician for over 22 years, disclosed in 2006 (PDF) that he met with NSA officials and witnessed domestic Internet traffic being “diverted” through a “splitter cabinet” to secure room 641A in one of the company’s San Francisco facilities. Only NSA-cleared technicians were allowed to work on equipment in the SG3 secure room, Klein said, adding that he was told similar fiber taps existed in other major cities.

The following two tabs change content below.
Eric Write head editor and chief at The Pluto Daily