Former NSA contractor Edward Snowden has leaked new documents to The Guardian and The New York Times that reveal expensive secret programs in the NSA and GCHQ aimed at defeating online privacy by decrypting email, online banking and medical records. Security experts have said that the programs “undermine the fabric of the Internet,” but can they really be any worse than the surveillance programs Snowden outted, like PRISM and XKeyscore? Here are 10 things you need to know about the latest Snowden leak.
1. Codenamed “Bullrun” and “Edgehill”
The NSA’s decryption program was named "Bullrun" after the major battle in the American Civil War, while the British program was named "Edgehill" after a battle in the English Civil War. According to the documents leaked by Snowden, Bullrun aims to “defeat the encryption used in specific network communication technologies.” Similarly, Edgehill aimed to decrypt the four major Internet communication companies: Hotmail, Google, Yahoo and Facebook.
2. Bullrun Began 10 Years Ago
Snowden showed how the NSA had been working for a decade to break Internet encryption technologies. A major breakthrough for the NSA came in 2010, when it was able to exploit Internet cable taps to collect “vast amounts” of data.
3. NSA and GCHQ View Encryption as a Threat
One document leaked by Snowden showed that the NSA described its program as “the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.” Both the NSA and GCHQ described encryption, used to ensure privacy and establish confidence in Internet commerce, as a threat to their mission against terrorism.
4. Bullrun Is the Most Expensive Program Leaked by Snowden
The funding allocated for Bullrun in top-secret budgets dwarfs the money set aside for programs like PRISM and XKeyscore. PRISM operates on about $20 million a year, according to Snowden, while Bullrun cost $254.9 million in 2013 alone. Since 2011, Bullrun has cost more than $800 million.
5. Bullrun Influences Product Design
A majority of the funding for Bullrun goes toward actively engaging tech companies in their product design. The NSA covertly influenced tech companies to insert vulnerabilities into commercial products that would allow the NSA access without consumers’ knowledge. Snowden did not name specific tech companies that were involved.
6. GCHQ Has Lofty Goals For Edgehill
Edgehill started with the initial goal of decrypting the programs used by three major Internet companies, which were unnamed in Snowden’s leak, and 30 Virtual Private Networks. GCHQ hopes that by 2015 Edgehill will have decrypted 15 major Internet companies and 300 VPNs.
7. GCHQ Relied On Covert Agents in Tech Companies
Edgehill involved a program called Humint (“human intelligence”) Operations Team that sought and recruited employees in tech companies to act as undercover agents for GCHQ.
8. NSA and GCHQ Worked to Keep Bullrun and Edgehill Secret
Both intelligence agencies took great care to keep their decryption programs hidden from the public. NSA analysts were warned to “not ask about or speculate on sources or methods.” Likewise, GCHQ knew that the program would damage the public’s trust, and stated that it would “raise public awareness, generating unwelcome publicity for us and our political masters.”
9. NSA Covertly Influenced International Encryption Standards
According to The Guardian, security experts had long suspected that the NSA was influencing security standards, and these Snowden documents appear to confirm that it was a goal of project Bullrun. The NSA covertly drafted its own version of a standard on encryption issued by the U.S. National Institute of Standards and Technology, and it was approved for worldwide use in 2006.
10. NSA Label Consumers as “Adversaries”
One document leaked by Snowden describes why consumers shouldn’t be aware of backdoor vulnerabilities made to products. “To the consumer and other adversaries, however, the systems’ security remains intact.”
Grouping citizens with adversaries indicates how these surveillance agencies view their role in society. It also sheds a bit of light on why both countries named their programs after Civil War battles.