NSA and GCHQ decryption attempts offer 'substantial potential for abuse'

Tech companies respond to revelations that spy agencies subverted security but say they were unaware of program

Dominic Rushe in New York

Two of the world's biggest technology companies, Microsoft and Yahoo, expressed deep concern on Friday about widespread attempts by the US and UK intelligence services to circumvent the online security systems that protect the privacy of millions of people online.

Microsoft said it had "significant concerns" about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared "substantial potential for abuse. Google said it was not aware of any covert attempts to compromise its systems.

Documents obtained by whistleblower Edward Snowden and published jointly by the Guardian, the New York Times and the nonprofit news organisation ProPublica on Thursday show that agents at GCHQ have been working to undermine encrypted traffic on the "big four" service providers, named as Hotmail (the Microsoft email service now known as Outlook), Google, Yahoo and Facebook.

Yahoo responded with a strongly worded statement on Friday. "We are unaware of and do not participate in such an effort, and if it exists, it offers substantial potential for abuse. Yahoo zealously defends our users' privacy and responds to government requests for data only after considering every applicable objection and in accordance with the law," a spokesman said.

A Microsoft spokesperson said: "We addressed these issues in our blog on July 16. We have significant concerns about the allegations of government activity reported yesterday and will be pressing the government for an explanation."

Tensions between tech firms and US authorities have been escalating. On Monday Microsoft and Google will file their latest legal briefs in a joint attempt to force the Foreign Intelligence Surveillance court to allow them to disclose more information about the requests for confidential information they receive.

A spokesman for Google said: "The security of our users' data is a top priority. We do not provide any government, including the US government, with access to our systems. As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide user data to governments only in accordance with the law."

Facebook was not immediately available for comment.

In a blogpost Ron Bell, Yahoo's general counsel, said: "Our legal department demands that government data requests be made through lawful means and for lawful purposes. We regularly push back against improper requests for user data, including fighting requests that are unclear, improper, overbroad or unlawful. In addition, we mounted a two-year legal challenge to the 2008 amendments to the Foreign Intelligence Surveillance Act and recently won a motion requiring the US government to consider further declassifying court documents from that case."

In a statement issued on Friday, the office of the director of national intelligence (ODNI), which oversees the US's intelligence agencies, said it was "hardly be surprising that our intelligence agencies seek ways to counteract our adversaries' use of encryption".

The ODNI said the stories were "not news" but warned that they threatened national security.

"The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity. Anything that yesterday's disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions," said the ODNI.

The latest revelations come as experts believe the private sector is becoming increasingly distrustful of the NSA and its allies. Speaking to federal technology website Nextgov.com, Christopher Finan, a former White House and Pentagon official who worked in cyber offence research, said the NSA revelations were underming relations with the private sector.

Private industry has long counted on the NSA's cybersecurity expertise. "NSA has postured itself as a neutral arbiter who could provide these capabilities to the private sector and really didn't necessarily want much in return," said Finan. "I don't know if they can present themselves as the same honest broker now that we're seeing the enormous quantities of data that they are actually taking in."

http://www.theguardian.com/world/2013/sep/06/yahoo-nsa-gchq-decryption-abuse