
malaise

(268,931 posts)
Thu Sep 5, 2013, 07:59 PM Sep 2013

Holy Facting Shite -US and UK spy agencies defeat privacy and security on the internet

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
<snip>
• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
This story has been reported in partnership between the New York Times, the Guardian and ProPublica based on documents obtained by the Guardian.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

Holy Facting Shite -US and UK spy agencies defeat privacy and security on the internet (Original Post) malaise Sep 2013 OP
wait abelenkpe Sep 2013 #1
Yep and they insist that we update malaise Sep 2013 #2
Did you think they did not have the expertise to do so? Thinkingabout Sep 2013 #3
Kick. Luminous Animal Sep 2013 #4
Security expert Bruce Schneier: How to remain secure against NSA surveillance Luminous Animal Sep 2013 #5
Latest Snowden revelation: NSA sabotaged electronic locks Luminous Animal Sep 2013 #6
Government Attempts To Suppress NSA Reporting Haven't Worked So Well Luminous Animal Sep 2013 #7
Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security Luminous Animal Sep 2013 #8
Democracy Now with Glenn Greenwald: Luminous Animal Sep 2013 #9
Thanks for this malaise Sep 2013 #10
This is so melodramatic Hutzpa Sep 2013 #11

abelenkpe

(9,933 posts)
1. wait
Thu Sep 5, 2013, 08:06 PM
Sep 2013

the companies that sell and use encryption software know these backdoors exist and have been misleading consumers?

Luminous Animal

(27,310 posts)
5. Security expert Bruce Schneier: How to remain secure against NSA surveillance
Fri Sep 6, 2013, 06:07 AM
Sep 2013
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story – it was in process well before I showed up – but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.

The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other "partners" around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn't have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.

Luminous Animal

(27,310 posts)
6. Latest Snowden revelation: NSA sabotaged electronic locks
Fri Sep 6, 2013, 09:53 AM
Sep 2013
http://www.latimes.com/opinion/opinion-la/la-ol-nsa-introduced-vulnerabilities-into-encryption-snowden-reveals-20130905,0,2218463.story

By Jon Healey
September 5, 2013, 4:57 p.m.
The latest Edward Snowden-powered exposé published by the New York Times, ProPublica and the Guardian is, to me, the most frightening. It reveals that the National Security Agency has moved beyond its historic role as a code-breaker to become a saboteur of the encryption systems. Its work has allegedly weakened the scrambling not just of terrorists' emails but also bank transactions, medical records and communications among coworkers.

Here's the money graf:

"The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."

I'd be disappointed if the NSA hadn't figured out how to do that hacking trick. But adding vulnerabilities to standard encryption techniques? That's just making the job easier for hackers to make sense of the scrambled data they steal.

The outrage is still pouring in from various advocacy groups. Here's a succinct condemnation by the Center on Democracy and Technology, one of the more centrist of these organizations:

"These revelations demonstrate a fundamental attack on the way the Internet works," senior staff technologist Joseph Lorenzo Hall wrote in a statement. "In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it’s incredibly destructive for the NSA to add flaws to such critical infrastructure. The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners."

Luminous Animal

(27,310 posts)
7. Government Attempts To Suppress NSA Reporting Haven't Worked So Well
Fri Sep 6, 2013, 10:23 AM
Sep 2013
http://www.huffingtonpost.com/2013/09/05/ny-times-nsa-guardian-stories-government_n_3875826.html

David Cameron personally ordered his senior civil servant to threaten the Guardian with legal action if it failed to hand over or destroy documents about the British intelligence agency GCHQ. He was also kept abreast of the detention of the partner of Guardian journalist Glenn Greenwald at Heathrow airport, as was the White House.

Unfortunately for Cameron, and his American counterparts, the Guardian turned to the Times and ProPublica for assistance. The Times had previously come under scrutiny for the way it had covered--or, in the eyes of its critics, undercovered--the NSA story. Drawing perhaps the most influential news organization in the world more deeply into that story was likely not what American or British officials wanted.

The first results of that collaboration were published on Thursday, with major splashes on all three websites. In its piece, the Times wrote that it was publishing the story over government objections:

Intelligence officials asked The Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others.

Luminous Animal

(27,310 posts)
8. Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security
Fri Sep 6, 2013, 10:40 AM
Sep 2013

For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson


http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

This story has been reported in partnership between The New York Times, the Guardian and ProPublica based on documents obtained by The Guardian.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.



Luminous Animal

(27,310 posts)
9. Democracy Now with Glenn Greenwald:
Fri Sep 6, 2013, 02:48 PM
Sep 2013
http://www.democracynow.org/2013/9/6/the_end_of_internet_privacy_glenn

The significance of the story itself, I think, is easy to see. When people hear encryption, they often think about what certain people who are very interested in maintaining the confidentiality of their communications use, whether it be lawyers talking to their clients, human rights activists dealing with sensitive matters, people working against oppressive governments. And those people do use encryption, and it’s extremely important that it be safeguarded. And the fact that the NSA is trying to not only break it for themselves, but to make it weaker and put backdoors into all these programs makes all of those very sensitive communications vulnerable to all sorts of people around the world, not just the NSA, endangering human rights activists and democracy activists and lawyers and their clients and a whole variety of other people engaged in sensitive work.

But encryption is much more than that. Encryption is really the system that lets the Internet function as an important commercial instrument all around the world. It’s what lets you enter your credit card number, check your banking records, buy and sell things online, get your medical tests online, engage in private communications. It’s what protects the sanctity of the Internet. And what these documents show is not just that the NSA is trying to break the codes of encryption to let them get access to everything, but they’re forcing the companies that provide the encryption services to put backdoors into their programs, which means, again, that not only the NSA, but all sorts of hackers and other governments and all kinds of ill-motivated people, can have a weakness to exploit, a vulnerability to exploit, in these systems, which makes the entire Internet insecure for everybody. And the fact that it’s all being done as usual with no transparency or accountability makes this very newsworthy.

JUAN GONZÁLEZ: But, Glenn, going back to the mid-1990s in the Clinton administration, when the government tried to establish these backdoors into communications on the Internet, there was a public debate and a rejection of this. What has happened since then now in terms of how the NSA operates?

GLENN GREENWALD: Right, it’s interesting. If you go back to the mid-'90s, that debate was really spawned by the attack on Oklahoma City, which the Clinton administration—on the Oklahoma City courthouse by Timothy McVeigh, which the Clinton administration immediately exploited to try and demand that every single form of computer security or human communication on the Internet be vulnerable to government intrusion, that it all—that there be no encryption to which the governments didn't have the key. And as you said, a combination of public backlash and industry pressure led to a rejection of that proposal, and the industries were particularly incensed by it, because they said if you put backdoors into this technology, it will make it completely vulnerable. If anyone gets that key, if anybody figures out how to crack it, it will mean that there’s no security anymore on the Internet.

And so, since the NSA and the U.S. government couldn’t get its way that way, what they’ve done instead is they resorted to covert means to infiltrate these companies, to pressure and coerce them, to provide the very backdoors that they failed to compel through legislation and through public debate and accountability. And that is what this story essentially reveals, is that the entire system is now being compromised by the NSA and their British counterpart, the GCHQ, systematic efforts to ensure that there is no form of human commerce, human electronic communication, that is ever invulnerable to their prying eyes. And again, the danger is not just that they get into all of our transactions and human communications, but that they are making it much easier for all kinds of other entities to do the same thing.


Hutzpa

(11,461 posts)
11. This is so melodramatic
Fri Sep 6, 2013, 05:09 PM
Sep 2013

Yes, there are ways to carry out a MITM attack, but there are also ways to prevent a MITM attack on encryption.

People need to first understand the different levels of encryption before you can attempt to make such a grandiose statement.

Unless NSA is suggesting that protecting my privacy is an act of terror? I will take this as just another moment of fear.

You have to understand the implication this statement has created, which is the uncertainty of doing business online, because people will start to question their banks and other e-commerce corporations about their privacy and security.

You open up questions such as: how long before criminals can obtain this technology?
How long before the very same terrorists they claimed to protect us from obtain this technology?

These are just a few questions they will have to answer to if this is proven to be true.

If wanting Privacy is now considered an act of terror then we are now completely Fucked.
