Feeds

Using encryption? That means the US spooks have you on file

By my order for the good of the state, the bearer has done what has been done

High performance access to file storage

Anyone who encrypts their emails or uses secure instant message services runs the risk of having their communications stored by the US National Security Agency, according to the latest leaks from former NSA sysadmin Edward Snowden.

The Guardian has published two more explosive documents which set out what sort of information the NSA is allowed to harvest from foreign targets, as well American citizens.

Both were issued by the secret Foreign Intelligence Surveillance Court and were signed by US Attorney General Eric Holder in 2009.

The leaked documents show that data about a US citizen collected "inadvertently" can also be stored for up to five years, giving agents significant breathing space when gathering intelligence. They also show the methods agents use to establish whether targets are based in the US and what they are allowed to do in order to spy on "non-US persons".

The documents clearly state that surveillance should cease the minute a target is on US soil or is deemed to be an American – but there are exceptions to this which allow spooks to store communications from American citizens.

If someone's location can not be clearly established, then they "will not be treated as a United States person" unless other evidence becomes apparent. This would mean that anyone using anonymity software like Tor, which deliberately masks their location, is liable to have their communications stored.

Spies are also told they can retain "all communications that are enciphered or reasonably believed to contain secret meaning" for up to five years, giving them another way to keep American citizens' communications data.

These must be kept to help create a "technical data base", which is spook slang for any data which is useful for cryptanalysis - the breaking of codes - or analysis of internet traffic. In practice, this means that using encrypted messages for security purposes may have the ironic effect of drawing the secret message to the attention of spies.

This data should really be destroyed within five years, unless they are "communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis".

Exchanges between attorneys and clients can also be kept, as long as they contain foreign intelligence information.

The documents follow in the wake of other revelations from Snowden, including an NSA programme called PRISM which trawled data on individuals from popular US cloud and social services. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.