Feds put heat on Web firms for master encryption keys
Whether the FBI and NSA have the legal authority to obtain the master keys that companies use for Web encryption remains an open question, but it hasn’t stopped the U.S. government from trying.
by Declan McCullagh
July 24, 2013
The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.
These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.
If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.
“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.