Friday, February 20, 2015

All your phones are belong to them

Use a mobile phone? Congratulations! The NSA and GCHQ have your encryption keys!

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

And with those keys, they can listen in to any call you make and spy on everything you do, without needing a warrant or legal authorisation and without having to tell the network.

The obvious question: does GCSB have access to these keys? Are they using them to monitor our phone calls? While it would seem on its face to be illegal, but we already know that the spies use secret legal interpretations to make the illegal legal. Is an encrypted signal a private communication, or does the encryption signify that the parties do not believe it to be private? Is intercepting it but not decrypting it immediately legally intercepting that private communication, or is it, in the infamous words of the former Inspector-General of Intelligence and Security, "arguably legal"? The problem is that we don't know, because the GCSB's legal advice on what they can and can not do (and therefore how much privacy we have) is kept secret. But given what we already know about their approach to the law, I think we should assume the worst.

And while we're at it: the company NSA/GCHQ hacked, Gemato, also makes electronic passports. The government might want to look at whether our "allies" have compromised our passport system.