Around the world, many people are pushing for so-called NSA-proof services. Believing that any service can be resilient to spying or wiretapping from the NSA is naive. No such service can exist. Those who are funding services like ProtoNet are wasting their money and are believing the lies sold to them by profiteers.

Please note that while I use ProtoNet throughout this article, I’m using them mainly as an example. Plenty of other examples of profiteering companies and services exist.

Email Services
A message must contain two pieces of metadata at a very minimum: who is sending the message and to whom the message will be delivered. These two pieces must be sent in the clear. Otherwise, the Mail Transfer Agent (MTA) won’t know what to do with the message. As we’ve seen with the PRISM program, the NSA is mainly interested in metadata. The NSA doesn’t have the resources to store every single bit transferred over the Internet–instead, it settles for just the metadata. The services ProtoNet will offer will still be vulnerable to metadata analysis by the NSA.

End-to-End Encryption
As Moxie Marlinspike has described, SSL has many problems. Verisign is a large US-based registrar just a few miles away from Washington, DC, that provides not only domain names, but also SSL sertificates. What’s stopping the NSA (or other intelligence agencies within the US) from compelling Verisign or other SSL certificate vendors from secretly issuing wildcard certificates to help in the spying/wiretapping effort? A wildcard certificate would enable the US government to secretly snoop on any SSL-encrypted web traffic.

With Bush giving telecommunications providers full immunity via his famous FISA expansion legislation, it’s easy to draw the conclusion that Verisign will be given immunity, too. Even if Verisign doesn’t provide the US with a wildcard certificate, browser vendors contain dozens of trusted SSL certificate vendors. The NSA could compel or compromise one or more of these vendors.

Hosting Data Abroad
We Americans would like to believe that as citizens of the US, our data is safe both when stored inside the nation and outside of it. The NSA believes that any data that lives outside the US, no matter whom the data is about, has fewer protections than data stored in the US. The NSA is recording nearly all calls in multiple countries. The NSA is working with Germany to make wiretapping easy in the country.

Javascript-Based Encryption
ProtoNet will use a javascript encryption library to encrypt messages in the browser before the message is sent to the server. They say this will make it so that not even ProtoNet will be able to decrypt your messages. Except in notable cases, the NSA isn’t interested in the message payload. The NSA is interested in the message’s metadata. In those cases in which the NSA would be interested in the message payload, the javascript encryption library must be hosted on some server somewhere and downloaded by the client. The NSA could use their SSL wildcard certificates to do a man-in-the-middle attack and serve up a malicious javascript library. They could also compromise the servers on which the javascript library lives and directly modify the javascript.

A lot of these ideas sound like conspiracy theories. If the NSA can create the devices in its ANT Catalog, wholesale record phone conversations in other countries, work with foreign governments to spy on their people, intercept and backdoor networking equipment, why can’t the NSA spy on so-called “NSA-proof” services? The NSA has the capability to spy on nearly anyone and everyone. The title of Glenn Greenwald’s book paints the correct picture: there is no place to hide.