It’s been nearly three months since Edward Snowden started telling the world about the National Security Agency’s mass surveillance of global communications. But the latest disclosures, by the Guardian, the New York Times, and ProPublica, are perhaps the most profound yet: the N.S.A. and its partner agency in the United Kingdom, the Government Communications Headquarters, possess significant capabilities to circumvent widely used encryption software in order to access private data.

Encryption poses a problem for intelligence agencies by scrambling data with a secret code so that even if they, or any other third party, manage to capture it, they cannot read it—unless they possess the key to decrypt it or have the ability to crack the encryption scheme. Encryption has become only more pervasive in the decade since the N.S.A.’s “aggressive, multipronged effort to break widely used Internet encryption technologies” began in 2000. When you log into Gmail or Facebook, chat over iMessage, or check your bank account, the data is typically encrypted. This is because encryption is vital for everyday Web transactions; if, for instance, you were to log in to your Gmail account using a park’s open wireless network and your username and password were transmitted in plain form, without being encrypted, your credentials could potentially be captured by anyone using that same network.

Both the Times and the Guardian write that the N.S.A. and the G.C.H.Q. have “cracked much of the encryption” on the Web. But we don’t know precisely how much: the Times writes that the “full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand.” But it deploys “custom-built, superfast computers to break codes,” and it works with “technology companies in the United States and abroad to build entry points into their products.”

While the Times and the Guardian do not make clear precisely which encryption schemes the N.S.A. and its partners have rendered effectively useless—and which companies the agency has partnered with—there are some hints about what the N.S.A. has accomplished with Bullrun, its project to defeat network encryption.

The N.S.A. has apparently possessed “groundbreaking capabilities” against encrypted voice and text communication since 2010, which the Guardian says made “‘vast amounts’ of data collected through internet cable taps newly ‘exploitable.’” The N.S.A. appears to have found a way around some Internet-level encryption protocols that use outdated standards, but are nonetheless ubiquitous: the Guardian writes, “The agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer.” And the Times notes that the “most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or V.P.N.s; and the protection used on fourth-generation, or 4G, smartphones.” The hypertext transfer protocol (H.T.T.P.) is the basis for Web communication—it’s the “http” in your browser’s address bar. S.S.L. is one of the most common cryptographic protocols on the Web and is supported by nearly all Web sites. (It’s also used by instant-messaging and other programs to secure transmissions over the Internet.) H.T.T.P.S. is essentially the application of the S.S.L. protocol to H.T.T.P., making online services like e-mail and banking secure. A virtual private network enables a user to have a private connection on a public network in which their transmissions are protected. Under normal circumstances, the use of these protocols would shield data from the N.S.A.’s dragnet surveillance of communications.

Cryptographic and security experts have been able to piece together some ideas about the extent of the agency’s capabilities. Mike Janke, the C.E.O. of the encrypted-communications company Silent Circle—which shut down its encrypted e-mail service a few weeks ago—said over the phone that, based on information and literature he has seen, he believes the N.S.A. developed “a massive push-button scale” ability to defeat or circumvent S.S.L. encryption in virtually real time. He added, “the reality of it is that most of the security world has known that lower level encryption—S.S.L., H.T.T.P.S., V.P.N.s—are highly susceptible to being defeated because of their architecture.” Bruce Schneier, who has seen the Snowden documents, wrote that the N.S.A. has circumvented common Web encryption “primarily by cheating, not by mathematics.” Instead of busting the algorithms that power encryption schemes, Schneier is suggesting that the N.S.A. has found a way around them. Matthew Green, a prominent crypto researcher, suggests that the N.S.A. may have compromised the encryption software that implements the algorithms that determine how data is scrambled—in particular, software made by Microsoft and used by many Web servers for encryption. The Times writes that “the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages.” Intriguingly, it adds, “independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored.” If the agency possesses the keys, there is no need to crack the encryption algorithm.

Thomas Drake, an N.S.A. whistleblower who was profiled by Jane Mayer in the magazine, said over the phone that he believes the 2010 breakthrough was possibly more dramatic and may refer to the defeat of “some of the main-line encryption” algorithms in wide use, like the R.S.A. algorithm or the Advanced Encryption Standard at 256-bit level. (The length of the key used to encrypt and decrypt information, measured in bits, is one of many factors that determine how hard an encryption scheme is to crack: 128-bit encryption is now relatively easy; 2048-bit is much harder.) This kind of capability was hinted at in James Bamford’s piece a year ago about the N.S.A.’s massive new data center in Utah.

The most damning aspect of the new disclosures is that the N.S.A. has worked to make widely used technology less secure. The Times reports that in 2006, the N.S.A. intentionally introduced a vulnerability into an encryption standard adopted by both the National Institute of Standards and Technology and the International Organization for Standardization. This is deeply problematic, Green writes, because the cryptographic industry is “highly dependent on NIST standards.” The N.S.A. also uses its Commercial Solutions Center, which invites companies, including start-ups, to show their technology to the agency under the guise of improving security, in order to “leverage sensitive, cooperative relationships with specific industry partners” and covertly make those products more susceptible to the N.S.A.’s surveillance. Schneier, who has reviewed the documents, describes the process thusly: “Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on.” This is why the N.S.A. specifically asked the Times and the Guardian not to publish their articles, and why the documents detailing the program warn explicitly and repeatedly of the need for secrecy: “Do not ask about or speculate on sources or methods.”