Breaking News:
Longtime Washington Post editor Ben Bradlee has died at 93, paper says

How does NSA hack into emails?

The Week

As long as there have been allegations, or perhaps generalized notions based on a mistrust in government, that NSA has the capability to read American emails without a court order, something has bothered me.

How would NSA actually accomplish bulk collection of content?

SEE ALSO: North Korea's iPad clone has a web browser, but can't connect to the internet

I mean, yes, the obvious top layer above-the-clouds answer is that they use switches that divert data into their servers, like the switches installed by AT&T after 9/11.

But that's like saying our bodies absorb nutrients we digest as a way of explaining why proteins are so important.

SEE ALSO: The last word: He said he was leaving. She ignored him.

Now, I am not an expert in data encryption or information technology. Fortunately for me, this is a blog, and one is entitled to write about subjects one does not know much about.

I don't want to reveal any secret techniques NSA might use either, but I don't think a general discussion of email hacking goes too far into the red end of the classified spectrum.

SEE ALSO: Senate passes historic immigration reform — but will the House follow?

From what I understand, after a Gmail has left your computer's browser, it's encrypted. When it arrives at Google's servers, it's encrypted. In the middle, as it zips around the world through gateways and switches, a certifying authority — kind of like an internet traffic cop — makes sure that the email communication is following all the safety and traffic laws by remaining encrypted. The meta-data is akin to a destination that's displayed on the outside of a car; the car is tinted so you can't see inside unless you have a key, a specific key that the driver waiting at the next destination can use.

Now, the NSA can break encryption. But — importantly — they cannot instantly (so far as we know) break the type of encryption that Google attaches to every email sent by every user. Not for a single encrypted email, not instantly, and certainly not for millions.

SEE ALSO: 32 TV shows to watch in 2013 [Updated]

It's easy for the government to get emails directly from Google. But it's pretty hard for the government to get Google emails in bulk — and in bulk is the descriptor here — from taps outside Google. Think of meta-data as the stuff on the outside of the car — it's like the government has set up a license plate reader at key intersections and records all the traffic that goes by, but it cannot peak into the car unless it has the key.

If I'm an NSA computer network operations / information warfare tech, I'd obviously have found ways to get into the hardware used by particular targets. You can observe someone writing an email. Install a keystroke program on their screen. Use a spear-fishing technique.

SEE ALSO: How typeface influences the way we read and think

Unless NSA has found a way to mess with the traffic cops — the certifying authorities — I don't see how NSA possibly reads Google emails in real-time, looking for content, using keyword searches. Indeed, I don't know NSA would be able to break the encryption of an email that somehow fell under what secret safe harbor provisions they have for emergencies. They really do need Google's help to read every email they do not steal from either end of the communication.

Eric Mill, a developer for the Sunlight Foundation, summed it up for me in a Tweet: "NSA can and does sniff traffic as it moves across the Internet, especially through backbones. Encrypted traffic is safe-ish."

SEE ALSO: How the NSA won its war

Bart Gellman, one of the main reporters on the story, notes that "Mongols didn't topple the Great Wall of China. Bribed guards, raised ladders. NSA would rather steal keys than break crypto?"

A lot of caveats: Google is but one company. Yahoo and AOL and Facebook are different — I'll get into that in a different post. Also, in reference to bribing guards, perhaps NSA has an agreement with one or many of the certifying authorities, or traffic cops — this is a vulnerable point in the system — but there's no evidence that this is true. I'll explore this in a later post too.

SEE ALSO: How to get ahead at work: Say 'yeah'

Though NSA is no doubt privy to technologies the private sector is not, the idea that it can read emails that it does not get from Google in bulk and search them randomly is probably not a well-grounded fear.

Meta-data, of course, remains front and center. As it should be.

SEE ALSO: 4 changes to English so subtle we hardly notice they're happening

View this article on TheWeek.com Get 4 Free Issues of The Week

More from The Week:

Like The Week on Facebook - Follow The Week on Twitter - Sign-up for The Week's Daily Newsletter

View Comments (67)