For Decades, India Used CIA-Monitored ‘Encrypted’ Devices: Report

An investigative report by The Washington Post has revealed that a leading cryptographic equipment company that sold its software to more than 120 countries, including India, was secretly owned by the Central Intelligence Agency (CIA).

Crypto AG, which manufactures equipment that ensure secrecy of communications, was used by governments, military outfits, diplomats and even the Vatican, according to the Washington Post report.

“But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence,” the report said.

The arrangement went on for decades and remained a closely-guarded secret of the Cold War era, well into the Nineties. The Post, along with ZDF, a German public broadcaster obtained the information through “a classified, comprehensive CIA history” that “laid bare” the secretive arrangement with the United States’ global intelligence agency

“These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages,” the report added.

What is Crypto AG?

Crypto AG was formed in 1920 and manufactured crypto tools for the US military during World War II.

Crypto AG was liquidated in 2018 and its international operations were sold to Swedish entrepreneur Andreas Linde who founded Crypto International.

Crypto International Group is a Swedish company that, in 2018, acquired the brand name and other assets of Crypto AG. After the story surfaced, the company issued a complete denial of any knowledge or involvement with the CIA.

The report reveals that, both CIA as well as German intelligence agency BND, had access to highly sensitive details shared over Crypto AG’s devices.

What is CIA’s Link with Crypto AG?

The reports reveals that the CIA’s relation with the Swiss company went far beyond just getting access to unencrypted communications. The agency along with US’ other major intelligence and security wing - the National Security Agency (NSA) enjoyed control over almost every aspect of the company’s operations.

CIA and NSA were “presiding with their German partners over hiring decisions, designing its technology, sabotaging its algorithms and directing its sales targets.”

Is India Affected?

While the report doesn’t say much about the extent to which India’s secret communications was compromised, whether any senior political leader was tapped or what kind of information may have potentially been exposed to the CIA.

It does, however, say that both, India and Pakistan count among the customers of Crypto AG’s product. The period mentioned in the report suggests, any communication, if leaked, would have been between the 1970s to the 1990s.

“Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican,” the report said.

How Was This Not Known Till Now?

Security and crypto experts, reacting to the story, however, said that this news was not entirely new and was partially already known.

Crypto expert and public-interest technologist, Bruce Schnier, commenting on the news on his blog, wrote “This isn't really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details”

In a story dated 10 December, 1999, The Baltimore Sun wrote, “For years, NSA secretly rigged Crypto AG machines so that US eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents.”

Why Is This So Worrying?

The revelations are especially worrying as they shed light on the dizzying scope of covert American surveillance. In 2013, NSA contractor Edward Snowden’s sensational leaks exposed the sweeping surveillance carried out by the NSA in secret.

Classified documents passed on to The Guardian and other publications revealed that nearly every mobile company was passing on its customers’ entire call records to the NSA.

Crypto AG’s “reach and duration help to explain how the United States developed an insatiable appetite for global surveillance,” the report states.

Does India Have An Encryption Policy?

At a time when government policies have been seen to be pushed through, sometimes without any consultation, in a rare instance in 2015, the government had withdrawn a policy after major public backlash. It was the Draft Encryption Policy – which required citizens to store the plaintext of their communications for a period of 90 days.

The withdrawal of the policy, however, doesn’t mean the Centre no longer wishes to get around encryption.

This would require the messaging app to compromise its end-to-end encryption which ensures only the sender and receiver can access the texts.

In this regard, a case pending in Supreme Court has sought to know from the government the steps it has taken to introduce traceability in WhatsApp messages. The Attorney General had told the court it was planning to notify amendments to Intermediary Rules under the IT Act, 2008 which could compel WhatsApp to comply with providing information about the originator of a text message.