Try to imagine one of the biggest coups of United States Intelligence, considered the biggest success story of the Central Intelligence Agency (CIA). Who do you think the targets and partners are? What methods, strategies and tools are used? This story involves cryptography and a company that did business halfway around the world but was secretly run by the CIA and the West Germany Federal Intelligence Service, the Bundesnachrichtendienst (BND) .
In 2020, journalist Greg Miller, from the Washington Post, revealed “the intelligence coup of the century”: the CIA, along with the BND, secretly commanded the Swiss company Crypto AG, which came to supply security equipment. encryption for more than 120 countries around the world since the 1950s. These intelligence agencies had access to communications carried out using this equipment, through intentional equipment failures, making it easier to break the codes of encrypted messages. As the internal report itself concludes, “foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read” (free translation).
Before taking on the name Crypto AG, the company founded in 1920 by Swede Arvid Gerhard Damm was called AB Cryptoteknik. Damm died before the war and the company was passed into the hands of one of its first investors, Boris Hagelin. In 1940, after Germany’s invasion of Norway, Hagelin took some of the machines with him to the USA and later managed to close a deal to produce 140,000 units of the C-36 model, known in the USA as M-209, for USA troops, during the Second World War. The model was ideal for troops on the battlefield, due to its mobility and because it did not depend on electricity or fuel.
This production, it is worth noting, was carried out in the United States, using the Smith Corona typewriter factory. This equipment production agreement yielded 8.6 million US dollars for Hagelin’s company. After the war, he returns to Sweden, his home country, to reopen his factory, but later moves to Switzerland to escape Swedish policies of nationalization of the defense industry.
The promises of improvements and new developments in Crypto AG’s products and the risk of strengthening communications in other countries now pose a problem for the USA, defined by CIA itself as the “Dark Ages of American Cryptology”: the Soviets, Chinese and North Koreans had impenetrable communications. The USA fear was that the rest of the world would go dark too, a familiar argument often used by law enforcement agencies of the Five Eyes alliance (USA, United Kingdom, Canada, Australia and New Zealand), the well-known “Going Dark” narrative.
Using the friendly relations already established with Hagelin and a dose of veiled economic threat, the CIA closes a “cooperation” agreement, in which the Swedish businessman would restrict the sale of more sophisticated models to countries chosen by Uncle Sam. This, of course, also included a large financial reward. This agreement was renewed in the 1960s, including advice to ensure Crypto AG’s successful sales to governments around the world.
In this decade, the CIA and the USA National Security Agency (NSA), concerned about the impact of integrated circuits in creating an era of “unbreakable encryption”, provided direct assistance to Crypto AG in developing a system based on this technology, which was apparently safe, but with known flaws that would allow rapid decoding of communications. According to the CIA’s internal report: “Imagine the idea of the American government convincing a foreign manufacturer to change a product in its favor (…). Imagine a brave new world.”
Fearing the loss of market share, Hagelin accepted external help to adapt his technology to electronic circuits. The result came two years later and Crypto AG’s new electronic model had been designed by the NSA. The vulnerability sped up the process of decoding communications, from months to a few seconds. The NSA, however, would still have to intercept communications. Subsequently, the company started selling two different models of the equipment: one for friendly countries and the other for the rest of the world.
Win-win: information y mucha plata
The reward was not only the hacking of the devices, but also Crypto AG’s dependence on US support. Meanwhile, governments purchased modern but secretly vulnerable equipment. As Hagelin’s age advanced, the CIA, in partnership with Germany, purchased the company in June 1970. From then on, the two agencies would meet regularly to decide equipment sales policies and divide profits. The CIA and BND made millionaire profits from Crypto AG. The USA, however, did not like selling two types of equipment and, over time, fewer and fewer countries received the unrigged equipment, despite German resistance. The countries also brought the companies Siemens (German) and Motorola (USA) to advise Crypto AG on business matters, who were aware of the secret purpose.
The CIA’s internal report points out that Crypto AG’s sales went from 15 million in 1970 to 51 million Swiss francs in 1975. Not by chance, this report calls the operation “the most profitable intelligence enterprise of the cold war”, whose Profit was used to finance the agencies’ other operations. The focus was not on profit, although very welcome. Intelligence can be considered an informational conflict, as recalled by Marcos Cepik (2003), full professor at UFRGS, currently deputy director of the Brazilian Intelligence Agency (Abin). In this sense, Crypto AG was a success beyond expectations in the disputes for information and knowledge. The enterprise accounted for 40% of foreign communications decoded by the NSA and 90% of German diplomatic reports.
However, there were conflicts between the partners, especially due to the great USA appetite for information. Increasingly over time, espionage was not limited to adversaries, but also to close allies such as members of the North Atlantic Treaty Organization (NATO), for instance Spain, Greece, Turkey, and Italy. On the other hand, Germany never achieved the privilege of joining the Five Eyes alliance. In the 1990s, Germany assessed that the risks of the operation were not worth it and sold its share to CIA, which, in turn, used the company’s profits to expand its influence on companies in the cryptography sector. With the pervasiveness and ubiquity of computing and smartphones, Crypto AG’s relevance declined and it was eventually sold and dismantled in 2018. The loss of this operation would not have bothered the US due to the growing global influence of US technology companies on the Internet.
It is worth remembering the revelations by Mark Klein and Edward Snowden about several massive NSA surveillance operations, including direct monitoring of data traveling through terrestrial and submarine cables that connect regions and continents (Ogasawara, 2021). If Crypto AG became obsolete with the expansion and massification of the Internet, the United States intelligence sector was able to adapt and, perhaps, even increase its global surveillance capacity, including the communications of Angela Merkel, then Chancellor of Germany, its former partner in Crypto AG.
Technological Dependence, National Sovereignty and the case of Cryptography
These dynamics in the intelligence sector show how technology is central to state sovereignty and security in the international order. While countries most openly adversarial to the US, such as Russia, China and North Korea, have never used Crypto AG’s services, several nations have had their communications collected, decoded and analyzed for decades, including Iran, Brazil, Argentina, Libya, among many others. . A critical example of this vulnerability exploitation occurred during the Falklands War, when Argentina tried to take the Falkland Islands from the United Kingdom, suffering a stunning defeat. Our South American neighbor was also a client of Crypto AG and, as a member of the Five Eyes alliance, the UK intelligence services received information from classified communications from Argentine authorities.
After the Washington Post revelations, researchers Vitelio Brustolin (UFF), Dennison de Oliveira (UFPR) and Alcides Peron (USP) investigated implications of the case for Brazil (Brustolin et al, 2020) and discovered contracts that lasted until December 2019 , starting in the 1950s. Even after partial revelations of the company’s relationship with the NSA and the huge loss of customers, in the 80s, Brazil continued to buy from Crypto AG. Brazilian purchases also aimed to distribute this equipment to partner countries in Operation Condor, a plan that involved kidnappings, torture and murders by the dictatorships of Argentina, Chile, Bolivia, Paraguay and Uruguay, which “proves that American government officials were aware” of the crimes committed by dictatorships.
The problem goes even further. Dennison de Oliveira, one of the authors, in an article from O Globo, points out how this espionage was used to harm Brazil at the time of the nuclear agreement with Germany: “there was collusion between the two countries, alongside everything that was happening on the Brazilian side, to push a terrible agreement”. The researcher points out how the United States’ criticism of China’s advances in the 5G sector in Brazil, arguing that China would weaken the technology for espionage purposes, is problematic. In fact, such practices are proven to be carried out precisely by the United States.
This USA suspicion also applies to the treatment they give to companies like the Russian Kaspersky, which provides cybersecurity solutions such as antivirus, and the Chinese companies Huawei and TikTok, which have been facing strong sanctions and threats from the USA government. In the case of these two Chinese companies, there is intense momentum in the USA against their operation in the national territory. TikTok, for example, faces great pressure from the American federal government for the company to be sold and become controlled by companies from this country, under accusations that TikTok conducts espionage for the Chinese government. Meanwhile, data sharing between USA companies and its government is public, notorious and uncontrolled.
In addition to economic disputes, the Crypto AG case highlights how technological dependence can weaken the national sovereignty of countries, especially developing ones. Dennison de Oliveira, in an interview on the UFPR website, points out the need to “ launch an extensive and in-depth debate about what will happen to Brazil if we continue to import, for use by the government and the Armed Forces, equipment and coding and decoding systems messages developed abroad”.
Digital sovereignty and cryptography
Crypto AG’s example highlights how technology is central for sovereignty and national security. While countries in the Global North develop and sell these technologies, countries like Brazil are usually left to serve as consumers, vulnerable to foreign priorities and interests. With the spread of the Internet, the scenario of national sovereignty has been transformed, as the network does not easily follow national commands or limits. Between China, India, Russia and the European Union, there are several initiatives to deal with threats to sovereignty that arise from technological dependence, which forms data colonialism (Avelino, 2023).
In a connected world, risks to sovereignty also involve the extraterritorial effects of foreign policies. At IGF 2023 in Kyoto, we organized, in partnership with the Internet Society, a workshop on the extraterritorial effects on the Global South of anti-encryption policies from the Global North. In a scenario of the economy and public services increasing dependency on private messaging, such as Whatsapp in the Brazilian case, the risks to countries and citizens are enormous if the security and privacy guaranteed by strong encryption are weakened by foreign legislations, such as UK’s Online UK Safety Act.
On the other hand, it is also worth paying attention to the case of using First Mile, a tool provided by Cognyte to the Brazilian Intelligence Agency, used to track the location of cell phones based on data sent to telecommunications towers. The case is being investigated by the Federal Police on suspicion of espionage by enemies and political opponents of former President Bolsonaro during the administration of current federal deputy Alexandre Ramagem (PL) at Abin. What is even more worrying is the fact that this data was exposed on the company’s server in Israel . In addition to technological dependence to illegally monitor people in Brazil, the data was still vulnerable to access by foreigners.
We know that information and communication technologies are increasingly central to most contemporary societies, their economies and everyday lives, from the most public to the most private dimensions. Privacy, as a quality of information control in social interactions, is a central aspect for maintaining trust in exchanges between people, groups, organizations and institutions (Waldmann, 2018). In the context of so many interactions mediated by technologies, strong encryption is a central element to guarantee privacy, security and trust, but also, ultimately, the digital sovereignty of a country and its people.
Cryptography can be understood as an infrastructure that makes “certain things possible and other things impossible” (Easterling, 2014). This digital infrastructure organizes the mobility of information and communication (Amicelle and Grondin, 2021). Strong encryption makes secure and private communication possible and makes unauthorized access to information impossible or very difficult, depending on the algorithms and protocols employed and other elements of this “opaque socio-technical assemblage”. (Kitchin, 2016)
In this sense, it is necessary to develop and adopt infrastructures that strengthen security and privacy, which are not only rights that empower citizens, but requirements, needs, for a fair society. This involves abandoning infrastructural insecurity, as conceptualized by Niels ten Oever and Christoph Becker (2024) in a recent paper. The authors point out how the standardization of telecommunications networks has been used to maintain infrastructural insecurity, which generally benefits private actors, especially state-owned ones. One of the cases analyzed by the authors is precisely the Signaling System No. 7 , even explored by FirstMile, mentioned above.
As discussions about public digital infrastructure advance, it is important to pay attention to what these infrastructures facilitate and hinder (Easterling, op.cit), including privacy and security or surveillance and insecurity. It seems to me that state agents should promote the former in debate and public policies. This involves abandoning anti-cryptography narratives and policies, which can have a counterproductive effect on good digital and popular sovereignty, as well as stimulating the development of knowledge and technological solutions for and by the people who need them, including cryptography.
References
AMICELLE, Anthony; GRONDIN, David. Algorithms as suspecting machines: Financial surveillance for security intelligence. In: Lyon, David; Wood, David Murakami (Ed.). Big data surveillance and security intelligence: The Canadian case. UBC Press, 2020.
AMOORE, Louise; Raley, Raley. Securing with Algorithms: Knowledge, Decision, Sovereignty. Security Dialogue, v48, 2016.
AVELINO, Rodolfo da Silva. Colonialismo Digital: Tecnologias de rastreamento online e a economia informacional. Alameda, 2023.
CEPIK, Marco. Espionagem e democracia. FGV Editora, 2003.
EASTERLING, Keller. Extrastatecraft: The power of infrastructure space. Verso Books, 2014.
KITCHIN, Rob. Thinking critically about and researching algorithms. In: The Social Power of Algorithms. Routledge, 2019. p. 14-29.
OGASAWARA, Midori. Collaborative surveillance with big data corporations: Interviews with Edward Snowden and Mark Klein. In: LYON, David; WOOD, David Murakami. Big data surveillance and security intelligence: The Canadian case, p. 21-42, 2021.
TEN OEVER, Niels; BECKER, Christoph. (2024). Infrastructural insecurity: Geopolitics in the standardization of telecommunications networks. Media International Australia, 0(0). https://doi.org/10.1177/1329878X231225748
WALDMAN, Ari Ezra. Privacy as trust: Information privacy for an information age. Cambridge University Press, 2018.
O Observatório da Criptografia
– ou ObCrypto – é um portal de referência para o monitoramento de decisões, legislações e estudos relacionados à criptografia e seus reflexos.
obcrypto@ip.rec.br