Increasing numbers of Internet Service Providers monitor or record all of their customers' interactions and distort them, when possible, by dropping ads onto Web pages and e-mail messages and redirecting some IP addresses. Customers who are concerned about privacy and/or unimpeded communication have begun using virtual private networks — agents that receive service requests from customers and forward them to the designated services, concealing their origin. The VPN receives the results and return them to the customer. All communications between the customer and the VPN are encrypted so that the customer's ISP's recordings of the transactions aren't intelligible and the ISP has no way to modify their content.
This of course means that the customer has to trust the VPN more than the local ISP, since the VPN could play the same kinds of tricks if it chose to do so. A number of VPN service providers have been found to be corrupt in exactly this way.
The mediation is also pointless if the encryption that the VPN uses when interacting with customers can be broken by eavesdroppers. It turns out that many otherwise competent and honest VPNs are using weak cryptosystems with known vulnerabilities, and that many others are using cryptosystems that well-funded state agencies such as the National Security Agency have been able to break since at least 2006, even though stronger alternatives are available.
“NSA Cracked Open Encrypted Networks of Russian Airlines, Al Jazeera, and Other ‘High Potential’ Targets”
Micah Lee, The Intercept, August 15, 2018
The National Security Agency successfully broke the encryption on a number of “high potential” virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems, according to a March 2006 NSA document. …
There are many different VPN protocols in use, some of them known to be less secure than others, and each can be configured in ways to make them more or less secure. One, Point-to-Point Tunneling Protocol, “is old and insecure and there are bunch of known security vulnerabilities since forever,” Nadia Heninger, cryptography researcher at the University of Pennsylvania, told me in an email. “I would not at all be shocked if these were being exploited in the wild.”
The NSA also appears to have, at least in some situations, broken the security of another VPN protocol, Internet Protocol Security, or IPSec, according to the Snowden documents published by The Intercept and Der Spiegel in 2014.
“For both TLS and IPsec, there are both secure and insecure ways of configuring these protocols, so they can't really be labeled as blanket ‘secure’ or ‘insecure,’” Heninger explained. “Both protocols offer a zillion configurable options, which is a source of a lot of the published protocol-level vulnerabilities, and there are cipher suites and parameter choices for both protocols that are definitely known to be cryptographically vulnerable.” Still, she was “pretty confident” that there are ways to configure TLS and IPsec that “should resist all known attacks.” …
In 2015, Heninger and a team of 13 other cryptographers published a paper, titled “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” that revealed major weaknesses in the security of several of the internet's most popular protocols. Their paper described a new attack called Logjam and concluded that it was within the resources of a nation-state to use this attack to compromise 66 percent of all IPSec VPNs. “A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break,” the authors speculated.
In its surveillance of American citizens, the National Security Agency is supposed to be constrained by the Foreign Intelligence Surveillance Act, which specifies exactly which violations of the Fourth Amendment are notionally permitted and which ones are doubly and explicitly prohibited by Congress.
The NSA, being above the law, ignores all such constraints whenever it is convenient for them to do so. But the Foreign Intelligence Surveillance Act stipulates that the NSA is subject to a feeble kind of judicial oversight and review, by a body called the Foreign Intelligence Surveillance Court, which has managed to detect a few of the NSA's numerous modes of violation and issued carefully phrased reprimands.
This article attempts to enumerate the known violations and points out that, taken together, they demonstrate that the NSA operated illegally from 2004 through 2018, without interruption.
“NSA — Continually Violating FISA Since 2004”
Marcy Wheeler, emptywheel, June 28, 2018
The Electronic Frontier Foundation sued the government to obtain the opinions of the Foreign Intelligence Surveillance Court on the requests for (unconstitutional) general warrants against American citizens under section 702 of the Foreign Intelligence Surveillance Act, which notionally authorizes the court to issue specific warrants against non-citizens.
Last week, the FISC released about a third of the opinions that the EFF requested, in heavily redacted form. They show that government agencies, seeking the court's approval for warrantless mass surveillance, also tried repeatedly to sneak in language that would have established even wider collection parameters and even longer data-retention policies. Predictably, the insensate demands for ever more intensive surveillance eventually exceed any prescribed bounds, however weak.
“Newly Released Surveillance Orders Show That Even with Individualized Court Oversight, Spying Powers are Misused”
Aaron Mackey and Andrew Crocker, Deeplinks, Electronic Frontier Foundation, February 7, 2018
Over a period between 15 months and three years, the NSA obtained [without any court authorization] a number of communications of U.S. persons. The precise number of communications is redacted.
Rather than notifying the court that it had destroyed the communications it obtained without authorization, the NSA made an absurd argument in a bid to retain the communications: because the surveillance was unauthorized, the agency's internal procedures that require officials to delete non-relevant communications should not apply. Essentially, because the surveillance was unlawful, the law shouldn't apply and the NSA should get to keep what it had obtained.
The court rejected the NSA's argument. “One would expect the procedures' restrictions on retaining and disseminating U.S. person information to apply most fully to such communications, not, as the government would have it, to fail to apply at all,” the court wrote.
The court went on to day that “[t]here is no persuasive reason to give the [procedures] the paradoxical and self-defeating interpretation advanced by the government.”
The court then ordered the NSA to destroy the communications it had obtained without FISC authorization. … Rather than immediately complying with the order, the NSA asked the FISC once more to allow it to keep the communications.
Again the court rejected the government's arguments. “No lawful benefit can plausibly result from retaining this information, but further violation of law could ensue,” the court wrote. The court then ordered the NSA to not only delete the data, but to provide reports on the status of its destruction “until such time as the destruction process has been completed.”
That was in May 2011. Whether the NSA ever destroyed the data in question, whether it ever filed any of the required reports, and whether any further violations of law have ensued are all secrets. None of the inside parties has chosen to release the answers. Perhaps further lawsuits will yield some information.
You can't make this stuff up.
“NSA Deletes ‘Honesty’ and ‘Openness’ from Core Values”
Jean Marc Manach, The Intercept, January 24, 2018
The National Security Agency maintains a page on its website that outlines its mission statement. But earlier this month, the agency made a discreet change: It removed “honesty” as its top priority.
Since at least May 2016, the surveillance agency had featured honesty as the first of four “core values” listed on NSA.gov, alongside “respect for the law,” “integrity,” and “transparency.” The agency vowed on the site to “be truthful with each other.”
On January 12, however, the NSA removed the mission statement page — which can still be viewed through the Internet Archive — and replaced it with a new version. Now, the parts about honesty and the pledge to be truthful have been deleted. The agency's new top value is “commitment to service,” which it says means “excellence in pursuit of our critical mission.” …
In its old core values, the NSA explained that it would strive to be deserving of the “great trust” placed in it by national leaders and American citizens. It said that it would “honor the public's need for openness.” But those phrases are now gone; all references to “trust,” “honor,” and “openness” have disappeared.