Earlier this year, NSA whistleblower Edward Snowden gave us a peek into how far-reaching the agency’s digital spying activities are. US and foreign citizens alike decried how the NSA’s PRISM program can home in on supposed enemies of the state and pick up relevant conversations — all in the name of national security, of course.
Among these voices is German Chancellor Angela Merkel. Who’s stopping the Americans from spying on everyone else? German magazine Der Spiegel reports that US intelligence agencies actually have eavesdropping equipment at about 80 embassies globally. And if the authorities have the ability to eavesdrop on billions of conversations simultaneously, what’s stopping them from targeting even locals? Anyone can be an enemy of the state.
It seems the technology to eavesdrop on conversations is more far-reaching than we originally thought. A recent article in the Washington Post describes how the NSA can listen in by cracking the encryption technology used in phone calls across different kinds of mobile technologies. According to the Post, encryption experts have actually complained that the encryption technology known as A5/1 is vulnerable to attacks, but carriers and device manufacturers have not yet upgraded to stronger encryption. Snowden’s leaks include information that the NSA can easily decrypt and unscramble A5/1 even without the encryption key.
30-year-old tech
A5/1 is actually dated technology — the encryption technology was developed in the 1980s and is still widely used when a phone is connected via 2G networks, even as 3G and 4G networks are currently available in many markets. Some carriers have reportedly upgraded their 2G networks to support the stronger A5/3 encryption, which makes it more difficult — or at least less practical — for spooks to eavesdrop on everyone’s calls (it reportedly requires 100,000 times more computing power to crack the encryption).
Even then, the encryption only covers the link between the mobile device itself and the cellular tower. Eavesdropping can be done by spoofing the cellular antenna and recording the communications from that point. Alternatively, since communications are unencrypted within the mobile provider’s internal network, this can also be an interception point for eavesdropping if a government agency has access (which can come either during a call or after the fact).
Should we be the ones responsible?
This underscores the importance of end-to-end encryption, which is readily available to both consumers and enterprises in the form of third-party applications. If you don’t trust your cellular service provider to have adequate security measures, then apps like Silent Circle and Wickr will protect your conversations, assuming both you and the other party have the app. This is something that can and should be arranged if you need to protect your conversation (say, you’re talking about confidential business deals). But it certainly requires additional effort and might not be practical for all purposes (you might not care if the NSA eavesdrops on you calling for pizza delivery).
But should this be necessary? Can’t we simply trust our mobile carriers to be responsible for ensuring the best encryption so our conversations are secure? Some developers, such as CyanogenMod, are already building improved encryption into the OS. Should this not be the case for everyone, including Google and Apple?
Right now, the choice to go for better security lies with users. The tools are readily available, but may not necessarily be required if you do not intend to hide anything, anyway. And because of the rise of social media and varied attitudes toward privacy, vulnerabilities still exist outside of the cellular network. This means it’s probably not as simple as just focusing on mobile phone encryption.