The world is still reeling from the leaked details of the NSA's PRISM program, reported to give the government's top spies access to personal user data collected by Google, Apple, Microsoft, and other services. But while the mainstream is fighting over the precise nature of PRISM, the world of cryptography is feeling strangely validated. "People put their trust in Apple, Google, Yahoo, Microsoft, but now they see it's being handed over," said Mike Janke, CEO of the iPhone encryption service Silent Circle. "It takes something like this for people to wake up."
Nadim Kobeissi, founder of Cryptocat, took a similar line. "This is how you develop security software," Kobeissi told The Verge. "You always assume the very worst."
While PRISM is bad news for privacy advocates, it's good news for cryptography software, which has seen a range of previously obscure features become newly relevant in light of the government’s mass surveillance operations. The most important function in programs like Cryptocat is end-to-end encryption, a design feature that prevents the company handling your email from being able to open your data up to the NSA. In end-to-end encryption, only users have copies of the keys — so if a government agency wants access, they need to get it directly from you. This stands in contrast to services like Gmail, which use SSL encryption as a standard but keep the keys on the company servers and are able to decrypt messages at will. Last week that wasn't a worrying thought, but with the allegations that the NSA has direct access to such servers, it's a newly sensitive point.
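The key-custody difference the paragraph draws, modelled as an added example (this is not code from the article or from any of the services it names). Two tiny mail stores are compared: one where the provider encrypts at rest with a key it holds, so anyone with server access can decrypt, and one where the user's device encrypts before sending and the server stores only ciphertext. The cipher is a toy SHA-256 counter-mode stream with an HMAC tag, chosen so the script runs with nothing but the standard library; the class names, key sizes and sample message are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption from the standard library, for illustration only.
# A real product would use a vetted AEAD (AES-GCM, ChaCha20-Poly1305), not this.
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one root key.
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; only a holder of `key` can decrypt."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class ProviderHeldKeyMail:
    """Gmail-style model from the article: the hop to the server is protected,
    but the provider encrypts stored mail with its own key and can decrypt at will."""

    def __init__(self):
        self.provider_key = secrets.token_bytes(32)  # held on the provider's servers
        self.mailbox = []

    def send(self, plaintext: bytes) -> None:
        # Plaintext arrives over the TLS-protected hop; the provider encrypts at rest.
        self.mailbox.append(encrypt(self.provider_key, plaintext))

    def provider_view(self) -> list:
        # What a compelled or compromised provider can hand over: the messages.
        return [decrypt(self.provider_key, blob) for blob in self.mailbox]


class EndToEndMail:
    """End-to-end model: the user's device encrypts with a key the provider
    never sees; the server only relays and stores ciphertext."""

    def __init__(self):
        self.mailbox = []

    def send(self, user_key: bytes, plaintext: bytes) -> None:
        self.mailbox.append(encrypt(user_key, plaintext))  # encrypted before leaving the client

    def provider_view(self) -> list:
        # No key on the server, so disclosure yields ciphertext blobs only.
        return list(self.mailbox)

    def recipient_view(self, user_key: bytes) -> list:
        return [decrypt(user_key, blob) for blob in self.mailbox]


def demo(message: bytes = b"constructed sample message") -> dict:
    """Run one message through both models and report what each party recovers."""
    held = ProviderHeldKeyMail()
    held.send(message)

    user_key = secrets.token_bytes(32)  # exists only on the users' devices
    e2e = EndToEndMail()
    e2e.send(user_key, message)

    # A party with server access but without the user key fails the tag check.
    try:
        decrypt(secrets.token_bytes(32), e2e.mailbox[0])
        guess_failed = False
    except ValueError:
        guess_failed = True

    return {
        "provider_held": held.provider_view(),
        "e2e_provider_view": e2e.provider_view(),
        "e2e_recipient": e2e.recipient_view(user_key),
        "provider_guess_fails": guess_failed,
    }


if __name__ == "__main__":
    result = demo()
    print("provider-held key, provider reads:", result["provider_held"])
    print("end-to-end, provider sees:", [b.hex()[:24] + "..." for b in result["e2e_provider_view"]])
    print("end-to-end, recipient reads:", result["e2e_recipient"])
```

The point the model makes is about where the key lives, not about cipher strength: both stores use the same encryption, yet `ProviderHeldKeyMail.provider_view()` returns the messages while `EndToEndMail.provider_view()` returns only blobs, and a wrong key is rejected by the authentication tag rather than yielding garbage. This is also why the article's later caveat holds: a compromised endpoint holds `user_key`, and no server-side design changes that.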
Many programs offer end-to-end encryption, from paid services like Silent Circle to free and open source projects like GnuPG and Cryptocat, but they all involve venturing outside the familiar world of large corporations and friendly user interfaces. Still, it may be a leap many consumers are willing to take. In a recent survey more than half the country described itself as uncomfortable with email surveillance, and some programs have already seen numbers rise. Kobeissi says in the days following the first leaks, Cryptocat saw nearly double its normal usage. On Tuesday, Silent Circle announced a half-off deal "in light of the latest wave of concerns."
At the same time, developers are careful to acknowledge the limits of this approach. Kobeissi says up front, "If you're Edward Snowden, none of these tools will save you." The problem isn't the encryption itself, but the difficulty of maintaining security through every step of the process. An airtight encryption protocol can protect messages in transit, but any would-be snoopers could still find a way to break into the phones on either end, or find a weak spot in the program's implementation. Developers look hard for these kinds of weaknesses, but the NSA is presumably looking harder, and with more resources to throw behind the effort. Even more troubling are tools like weaponized malware built on unpublished exploits, which government agencies have been buying up at an alarming pace in recent years. If a user were to be successfully targeted by these programs, all the encryption in the world wouldn't keep the NSA out of their phone or computer.
The result is that, despite forward-thinking assumptions, most cryptography tools are still only partial solutions — something cryptographers will often be the first to admit. As Kobeissi put it, "These tools are just shims. They're not a substitute for policy and having a political discussion."