The National Security Agency (NSA) and its British counterpart have successfully defeated encryption technologies used by a broad swath of online services, including those provided by Google, Facebook, Microsoft, and Yahoo, according to new reports published by The New York Times, Pro Publica, and The Guardian. The revelations, which include backdoors built into some technologies, raise troubling questions about the security that hundreds of millions of people rely on to keep their most intimate and business-sensitive secrets private in an increasingly networked world.

The reports, published simultaneously by the NYT, Pro Publica, and The Guardian, are based on newly disclosed documents provided by former NSA contractor Edward Snowden. They reveal a highly classified program codenamed Bullrun, which according to the reports relied on a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion" to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," the NYT reported, quoting a 2010 memo describing a briefing of NSA capabilities to employees of the Government Communications Headquarters, or GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."

When British analysts were briefed on the success, according to another memo, "those not already briefed were gobsmacked!" the NYT added.

The newly aired documents underscore the difficult balancing act that intelligence agencies must perform when monitoring terrorists and other state enemies. While officials say the ability to decode communications intercepted from suspects is crucial to national security, critics warn that the undermining of widely used encryption technologies could have an unintended boomerang effect that harms US companies and citizens.

"The risk is that when you build a backdoor into systems, you're not the only one to exploit it," Matt Green, a Johns Hopkins professor specializing in cryptography, told the NYT. "Those backdoors could work against US communications, too."

Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society, told The Guardian, "Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet."

Neither report made clear exactly how the intelligence agencies are bypassing VPNs, SSL, and TLS, which are all presumed to provide nearly impenetrable cryptographic assurance when used correctly. But the NYT specifically mentions all three—as well as an unspecified protection used in 4G smartphones—as being the focus of the NSA's most intensive efforts.

Similarly, for three years, the GCHQ looked into ways to decode encrypted traffic from Google, Facebook, Microsoft, and Yahoo. By 2012, the British agency developed "new access opportunities" into Google systems, the paper reported. By 2010, a GCHQ counterencryption program, dubbed Edgehill, aspired or was able—the NYT and The Guardian seem to disagree on this point—to decode VPN traffic for 30 targets and set a goal of an additional 300 by 2015.

The reports also discuss the intelligence agencies working to get Internet companies' help in decrypting traffic by eliciting their voluntary cooperation, forcing their cooperation through court orders, or hacking into their networks to steal encryption keys or surreptitiously alter their software or hardware. Documents provided by Snowden said the NSA spends $250 million per year on a Sigint Enabling Project that "actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them exploitable. Earlier this year, the program found ways inside "some of the encryption chips" used by businesses and governments, either by working with chipmakers to insert backdoors or by surreptitiously exploiting existing security flaws, the NYT said.

The paper went on to describe the covert hand NSA agents played in "deliberately weakening the international encryption standards adopted by developers." It cited a goal in a 2013 budget request to "influence policies, standards, and specifications for commercial public key technologies." The report—written by Nicole Perlroth, Jeff Larson, and Scott Shane—said, "Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members."