Not content with setting up shop within major Internet companies to pull surveillance data from servers using blanket FISA warrants, U.S. government agencies such as the FBI and NSA are also putting the screws to Internet companies in order to acquire the master encryption keys used to protect that data.
With such keys, even the most obfuscated information could be read as plain as day.
CNET has the story, and it’s a doozy.
“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.
The person said large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but voiced concern that smaller companies without well-staffed legal departments might be less willing to put up a fight.
"SSL keys" refers to the keys for the Secure Sockets Layer protocol, which is used to lock down transmissions between web servers and browsers. When used properly, it encrypts data going back and forth between the end user and the server so that even if it is intercepted, the data is unreadable. If you are visiting a web site and see an "https" at the beginning of the web site address (instead of "http"), that site is using SSL.
With the keys to the encryption, however, any data gathered at either end of the site-user interaction—or intercepted in the middle—can be decrypted.
If these allegations are true, then cloud service users could be at serious risk of having their data analyzed or monitored. Microsoft and Google, responding to the CNET story, have already denied handing over encryption keys. Facebook, Apple and Yahoo were among many companies that declined to respond to questions about the alleged practice.