For the last several months, the Guardian and other media have been publishing snippets of confidential information revealed by former NSA contractor, Edward Snowden. This deluge of classified material has become background noise, to the extent that a general impression has now been formed that the US and UK intelligence services can pretty much do anything, and that no one is safe from their reach.
As a manufacturer of security software, we see it as our obligation to at least shed some more light on the subject. The data available for the task is limited since it is assumed that, with governments being involved, some details have been deliberately withheld so as not to endanger national security.
Can the NSA crack all encryptions?
The most important question first: Can the NSA (or its partners) crack all encryptions? We assume they cannot. But the NSA doesn’t have to. A large part of its work consists of intercepting data before or after it is encrypted. If the NSA had bugged your PC (which we can generally assume is not the case) the best encryption in the world would be useless, because the NSA Trojans would record the data in advance. So a “clean” PC is the prerequisite for successful encryption.
As a further measure, the NSA apparently attempts to persuade companies to deliberately incorporate errors or backdoors into their products in exchange for cash payments. This has never happened at Steganos. Steganos has never received any such request, nor does it implement backdoors, master passwords or similar devices into its products. Steganos is a German limited liability company based in Berlin and is not subject to any influence by the US, UK or any other country. Germany has strict data protection laws and does not currently have any regulations on the retention of data (a related lawsuit brought by the European Commission against Germany has yet to be decided). This situation makes Germany a good location for providers of security products. We very much hope that the political situation will not deteriorate here, but that, on the contrary, this location’s advantage is recognized and actively encouraged.
Personal guarantees by employees against infiltration
Based on these framework conditions, every Steganos employee is also obligated (as part of his or her employment or service contract) to abide by the German Federal Data Protection Act. They sign agreements based on United Nations’ transparency regulations to prevent outside influence and infiltration of the company by a third party.
Furthermore, Steganos has strict data protection guidelines that should also be as transparent for our users as possible. By the way, the guidelines for our VPN product, Steganos Online Shield, have just been called “pleasingly specific” by c’t magazine (issue 20/2013). Our product was given the best review of all those tested.
Beware of the ‘five-eyes’ countries and generally take precautions
All these measures can only work if no unencrypted data is stored on or transferred via servers in the US, Canada, UK, France, Australia or New Zealand. These countries have what is known as the five-eyes agreement that permits close cooperation between the respective countries intelligence services. If you want to play it safe in any of these lands, you should consider the following:
(a) If you use a VPN product, choose the Steganos Online Shield or OkayFreedom servers that are not located in any of the five-eyes countries (there are a wide variety of alternatives). Even though Steganos servers located in data centers maintained within these regions are safe, determining what happens to the data after it has been channeled through such areas is not always clear. Nor is it completely clear what occurs in other countries. Therefore, it is generally recommended that both the route as well as the user data are encrypted.
(b) Use encryption software to encrypt e-mails, cloud content and files. For example, the Steganos Privacy Suite encrypts the data on your local PC before it reaches the Internet.
Encryption is your friend
Whether you’re sending emails, attachments or using cloud storage, encryption is your friend. Trust the math, as security legend Bruce Schneier once said. There have never been any known attacks on correctly-implemented modern encryption procedures (such as AES 256 bit). Edward Snowden said in the Guardian: “Encryption works.” It makes no business or financial sense to go to the effort of implementing or paying for software containing backdoors. Cracking good encryption (with good passwords) is highly complicated and time consuming. It requires huge numbers of supercomputers connected in a series. Even then the outcome of such concerted attacks is uncertain.
But often the effort is not even necessary, since most users don’t encrypt their data. The NSA has approached security firms, email providers, cloud storage service providers and social networks. The US companies that (have to) help the NSA in any way are not allowed to discuss it – not just in the way they help, but even the act of collaboration in itself. Google, Microsoft, Yahoo, and now Facebook have filed lawsuits against this regulation. No such regulations exist in Germany.
Independence from governments and services
Another possibility for intelligence services to gather data is to tap into a local (W)LAN, in cooperation with network providers via their data centers or directly from deep sea cables. Advisable in all of these cases is a good encryption service that encrypts the data and, ideally, the transport route as well. TLS/SSL is a suitable process for the latter. This is performed inside Steganos Online Shield, Steganos Internet Anonym and OkayFreedom. The Snowden reports suggest that the NSA compromised the certificates necessary for secure encryption using this process. As a result, Steganos itself signs the certificates it uses in the products named above – without relying on American or other service providers who may have been forced to cooperate with the NSA.
We hope to have brought some clarity to this complex matter. The ongoing horror stories about the methods used by the intelligence agencies should not dissuade us from protecting our data using the best available methods or discontinue to work of making these complex techniques comprehensible and available for as many people as possible – free of political influence, backdoors and predetermined breaking points.