Apple’s new OS X Mavericks makes it harder for NSA to snoop
Top-secret documents disclosed by former intelligence contractor Edward Snowden have exposed an array of programs that put the digital privacy of computer users at risk. But as security concerns continue to amount, the industry appears to be answering.
Some are now making that argument, at least, after experts became aware of a fix in Apple’s newest operating system that stifles at least one of the National Security Agency programs made public through unauthorized leaks attributed to Mr. Snowden.
The Washington Post revealed earlier this month that classified documents supplied by the former intelligence contractor indicated the NSA has harvested hundreds of millions of email address books and contact lists intercepted by the agency as data routinely moves across the globe between Internet servers located around the world.
Personal data — including that of American citizens — passes through an “overseas collection apparatus,” one official privy to the program told the Post — which the NSA then uses to justify that the intelligence is not of a US person, and thus fair game for interception.
“The documents and intelligence officials say all the collection of contact information takes place outside US territory. But the distributed nature of modern web infrastructure means that communications between an American user and a US webmail provider (such as Google) could still flow outside the United States, where there are fewer legal restrictions on NSA surveillance,” Ashkan Soltani wrote in a separate article for the Post. “The contact lists of Americans also cross the NSA’s international collection points when they live or travel overseas.”
Jonathan Mayer, a computer science doctoral student at Stanford
University, says the new operating system released by Apple
includes an upgrade that makes personal data harder to pilfer
while in transit.
Nice: Apple Contacts vulnerability is patched in OS X Mavericks. Broken plaintext sync with Google has vanished. http://t.co/pky7VgcNZC
— Jonathan Mayer (@jonathanmayer) October 22, 2013
Along with a number of new bells and whistle included in Apple’s OS X Mavericks released on Tuesday, Mayer discovered that users who wish to sync their contacts list between their computer and their Google account can now do so using encryption — something absent in Apple’s previous operating systems.
"The speculation seems to be that this is one of the ways in which the NSA was able to collect Google address book information," Mayer told Huffington Post.
With earlier Apple operating systems, users wishing to sync their accounts were only allowed to do so in an unencrypted fashion, Mayer said, making eavesdropping that much easier. Now, Mavericks allows such transferring to be done in a way that protects personal information — to a degree — from parties looking to pry, including the NSA.
"In short, Apple was irresponsible in not giving users of non-Apple contacts services even the option of using encryption. Apple has fixed their end of the problem," Electronic Frontier Foundation staff attorney Nate Cardozo added to HuffPost.
For privacy conscious users, however, upgrading to Mavericks is only one method of obfuscation and isn’t an all-encompassing solution. Another NSA operation — the Internet surveillance program called PRISM — remains largely unknown outside of the intelligence community aside from what Snowden’s leaks have shown the world, but documents supplied by the NSA whistleblower to the media suggest that Google and Apple — along with the likes of Microsoft, Yahoo, Facebook, PalTalk, YouTube, Skpe and AOL — allow the government to access emails, chats and most every type of traffic transmitted through their servers. Leaked files given to the UK’s Guardian revealed that the NSA also spent millions of dollars paying companies including Google to make such surveillance possible.
And with regards to encryption — encoded information is only as safe as the key that unlocks it, and recent developments suggest even encrypted information can be accessed by the government. Earlier this year, the owner of encrypted email service provider Lavabit shut down his website after the US government demanded he surrender the SSL keys that encrypted all trafficking coming in and out of its services, essentially allowing investigators to access all data “in the clear” as it is submitted, including all content, such as passwords and email messages. Lavabit owner Ladar Levison is currently appealing the government’s request and says he’ll take his case to the Supreme Court if necessary, but other leaked documents suggest the government might not even have to take allegedly-legal courses of action to collect SSL keys: a secret intelligence budget unearthed by Mr. Snowden shows that the US spends billions each year on cryptographic projects, and companies that manufacturer SSL-cracking software have been discovered to have signed contracts with the US government.
