Let me tell you a story about how the CIA and BND for decades completely backdoored the crypto machines used by many of the world’s governments for top secret messages. And not only that, they also made good money doing it!

Welcome to The Private Citizen, episode 14! As you can see, I have redesigned the website a bit, including some new subscribe buttons. The podcast is now available on Apple Podcasts, Google Podcasts and Spotify. You can always use the RSS feed directly, of course, and there’s a handy Pocket Casts button, because that’s my favourite podcatcher.

And, as promised in episode 4, the website is now available over TLS. Including the audio files, of course, which are streamed from a thoroughly revamped CDN server.

Anyway, let’s get into the main topic of this episode, which was suggested by has in some earlier feedback on the show.

Taking Their Money and Stealing Their Secrets

In February, The Washington Post, together with German and Swiss public broadcasters ZDF and SRF, broke a spy story that reads like its right out of a Tom Clancy novel. The Post calls the subject matter as being “among the most closely guarded secrets of the Cold War”.

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.

The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican. But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

This file the Post and the ZDF they obtained seems to be quite something.

This story is based on the CIA history and a parallel BND account, also obtained by The Post and ZDF, and interviews with current and former Western intelligence officials as well as Crypto employees. Many spoke on the condition of anonymity, citing the sensitivity of the subject. It is hard to overstate how extraordinary the CIA and BND histories are. Sensitive intelligence files are periodically declassified and released to the public. But it is exceedingly rare, if not unprecedented, to glimpse authoritative internal histories of an entire covert operation. The Post was able to read all of the documents, but the source of the material insisted that only excerpts be published.

The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets. The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.

“It was the intelligence coup of the century,” the CIA report concludes. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”

The implications are huge.

From 1970 on, the CIA and its code-breaking sibling, the National Security Agency, controlled nearly every aspect of Crypto’s operations – presiding with their German partners over hiring decisions, designing its technology, sabotaging its algorithms and directing its sales targets.

Then, the U.S. and West German spies sat back and listened. They monitored Iran’s mullahs during the 1979 hostage crisis, fed intelligence about Argentina’s military to Britain during the Falklands War, tracked the assassination campaigns of South American dictators and caught Libyan officials congratulating themselves on the 1986 bombing of a Berlin disco.

Well, monitoring the mullahs didn’t help with Operation Eagle Claw much, but what they could do is impressive.

A year later, after Iranian militants stormed the U.S. Embassy and took 52 American hostages, the Carter administration sought their release in back-channel communications through Algeria. Inman, who served as NSA director at the time, said he routinely got calls from President Jimmy Carter asking how the Ayatollah Khomeini regime was reacting to the latest messages. “We were able to respond to his questions about 85 percent of the time,” Inman said. That was because the Iranians and Algerians were using Crypto devices.

It didn’t all go according to plan, though.

The program had limits. America’s main adversaries, including the Soviet Union and China, were never Crypto customers. Their well-founded suspicions of the company’s ties to the West shielded them from exposure, although the CIA history suggests that U.S. spies learned a great deal by monitoring other countries’ interactions with Moscow and Beijing.

There were also security breaches that put Crypto under clouds of suspicion. Documents released in the 1970s showed extensive – and incriminating – correspondence between an NSA pioneer and Crypto’s founder. Foreign targets were tipped off by the careless statements of public officials including President Ronald Reagan. And the 1992 arrest of a Crypto salesman in Iran, who did not realize he was selling rigged equipment, triggered a devastating “storm of publicity,” according to the CIA history.

Side note: The founder of Crypto AG, Boris Hagelin (* 1892, † 1983) was a Swede born in Azerbaijan. His father Karl Wilhelm Hagelin worked for Nobel in Baku, but the family returned to Sweden after the Russian Revolution. He took over a Swedish rotor machine firm and outsold his competitor Enigma. At the beginning of World War II, Hagelin moved to Switzerland, taking the design documents for his latest machine with him on his way through Berlin and across Germany. This was the machine later adopted by the US military that made him rich. The thing was much less secure than Enigma and only used for tactical messages, because it was assumed the Germans could break the cipher in a few hours time. After living in the US for a while, Hagelin returned to Sweden and later Switzerland, maintaining a life-long loyalty to the US and good memories of his time there. Hagelin is the great-grandfather of NHL left winger Carl Hagelin who won the Stanley Cup in 2016 and 2017 with the Pittsburgh Penguins.

The German spy agency, the BND, came to believe the risk of exposure was too great and left the operation in the early 1990s. But the CIA bought the Germans' stake and simply kept going, wringing Crypto for all its espionage worth until 2018, when the agency sold off the company’s assets, according to current and former officials. The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.

Even so, the Crypto operation is relevant to modern espionage. Its reach and duration help to explain how the United States developed an insatiable appetite for global surveillance that was exposed in 2013 by Edward Snowden. There are also echoes of Crypto in the suspicions swirling around modern companies with alleged links to foreign governments, including the Russian anti-virus firm Kaspersky, a texting app tied to the United Arab Emirates and the Chinese telecommunications giant Huawei.

Curious that the Post doesn’t mention the RSA and NIST at this point.

See also: The Strange Story of Dual_EC_DRBG (Schneier on Security)

The CIA and the BND declined to comment, though U.S. and German officials did not dispute the authenticity of the documents. The first is a 96-page account of the operation completed in 2004 by the CIA’s Center for the Study of Intelligence, an internal historical branch. The second is an oral history compiled by German intelligence officials in 2008.

The overlapping accounts expose frictions between the two partners over money, control and ethical limits, with the West Germans frequently aghast at the enthusiasm with which U.S. spies often targeted allies.

Behaviour that’s never stopped, as the Snowden revelations have made clear. If anything, the Germans are now profiting from this by swapping data with US intelligence services (see Operation Eikonal and XKeyscore). If you’re not allowed to spy on your own citizens, you just swap the data you are allowed to collect with the other country and vice versa.

But both sides describe the operation as successful beyond their wildest projections. At times, including in the 1980s, Crypto accounted for roughly 40 percent of the diplomatic cables and other transmissions by foreign governments that cryptanalysts at the NSA decoded and mined for intelligence, according to the documents. All the while, Crypto generated millions of dollars in profits that the CIA and BND split and plowed into other operations.

That’s just absolutely wild. Genius, too. In an evil sort of way.

The deal called for Hagelin, who had moved his company to Switzerland, to restrict sales of his most sophisticated models to countries approved by the United States. Nations not on that list would get older, weaker systems. Hagelin would be compensated for his lost sales, as much as $700,000 up front.

In 1960, the CIA and Hagelin entered into a “licensing agreement” that paid him $855,000 to renew his commitment to the handshake deal. The agency paid him $70,000 a year in retainer and started giving his company cash infusions of $10,000 for “marketing” expenses to ensure that Crypto – and not other upstarts in the encryption business – locked down contracts with most of the world’s governments.

To protect its market position, Crypto and its secret owners engaged in subtle smear campaigns against rival companies, according to the documents, and plied government officials with bribes. Crypto sent an executive to Riyadh, Saudi Arabia, with 10 Rolex watches in his luggage, the BND history says, and later arranged a training program for the Saudis in Switzerland where the participants' “favorite pastime was to visit the brothels, which the company also financed."

It was a classic “denial operation” in the parlance of intelligence, a scheme designed to prevent adversaries from acquiring weapons or technology that would give them an advantage. But it was only the beginning of Crypto’s collaboration with U.S. intelligence. Within a decade, the whole operation belonged to the CIA and BND.

Let’s Buy the Whole Thing

U.S. officials had toyed since the outset with the idea of asking Hagelin whether he would be willing to let U.S. cryptologists doctor his machines. But Friedman overruled them, convinced that Hagelin would see that as a step too far.

c.f.: William Friedman, “the father of American cryptology”

The CIA and NSA saw a new opening in the mid-1960s, as the spread of electronic circuits forced Hagelin to accept outside help adapting to the new technology, or face extinction clinging to the manufacturing of mechanical machines.

NSA cryptologists were equally concerned about the potential impact of integrated circuits, which seemed poised to enable a new era of unbreakable encryption. But one of the agency’s senior analysts, Peter Jenks, identified a potential vulnerability. If “carefully designed by a clever crypto-mathematician,” he said, a circuit-based system could be made to appear that it was producing endless streams of randomly generated characters, while in reality it would repeat itself at short enough intervals for NSA experts – and their powerful computers – to crack the pattern.

Amazingly, they are still kinda using the same type of backdoors today (see Dual_EC_DRBG).

Two years later, in 1967, Crypto rolled out a new, all-electronic model, the H-460, whose inner workings were completely designed by the NSA. The CIA history all but gloats about crossing this threshold. “Imagine the idea of the American government convincing a foreign manufacturer to jimmy equipment in its favor,” the history says. “Talk about a brave new world.”

The company always made at least two versions of its products – secure models that would be sold to friendly governments, and rigged systems for the rest of the world.

Crypto’s shift to electronic products buoyed business so much that it became addicted to its dependence on the NSA. Foreign governments clamored for systems that seemed clearly superior to the old clunky mechanical devices but in fact were easier for U.S. spies to read.

By the end of the 1960s, Hagelin was nearing 80 and anxious to secure the future for his company, which had grown to more than 180 employees. CIA officials were similarly anxious about what would happen to the operation if Hagelin were to suddenly sell or die. Hagelin had once hoped to turn control over to his son, Bo. But U.S. intelligence officials regarded him as a “wild card” and worked to conceal the partnership from him. Bo Hagelin was killed in a car crash on Washington’s Beltway in 1970. There were no indications of foul play.

Ha ha. Yeah. Sure.

U.S. intelligence officials discussed the idea of buying Crypto for years, but squabbling between the CIA and NSA prevented them from acting until two other spy agencies entered the fray.

The French, West German and other European intelligence services had either been told about the United States’ arrangement with Crypto or figured it out on their own. Some were understandably jealous and probed for ways to secure a similar deal for themselves. In 1967, Hagelin was approached by the French intelligence service with an offer to buy the company in partnership with German intelligence. Hagelin rebuffed the offer and reported it to his CIA handlers. But two years later, the Germans came back seeking to make a follow-up bid with the blessing of the United States.

They cut out the French for some reason.

The two agencies agreed to chip in equally to buy out Hagelin for approximately $5.75 million, but the CIA left it largely to the Germans to figure out how to prevent any trace of the transaction from ever becoming public. A Liechtenstein law firm, Marxer and Goop, helped hide the identities of the new owners of Crypto through a series of shells and “bearer” shares that required no names in registration documents. The firm was paid an annual salary “less for the extensive work but more for their silence and acceptance,” the BND history says. The firm, now named Marxer and Partner, did not respond to a request for comment.

A new board of directors was set up to oversee the company. Only one member of the board, Sture Nyberg, to whom Hagelin had turned over day-to-day management, knew of CIA involvement. “It was through this mechanism,” the CIA history notes, “that BND and CIA controlled the activities” of Crypto. Nyberg left the company in 1976. The Post and ZDF could not locate him or determine whether he is still alive.

Probably not.

Each year, the CIA and BND split any profits Crypto had made, according to the German history, which says the BND handled the accounting and delivered the cash owed to the CIA in an underground parking garage.

This reads like a bad spy movie.

From the outset, the partnership was beset by petty disagreements and tensions. To CIA operatives, the BND often seemed preoccupied with turning a profit, and the Americans “constantly reminded the Germans that this was an intelligence operation, not a money-making enterprise.”

Sounds about right.

Of course, other companies got in on it too.

Mindful of the limitations to their abilities to run a high-tech company, the two agencies brought in corporate outsiders. The Germans enlisted Siemens, a Munich-based conglomerate, to advise Crypto on business and technical issues in exchange for 5 percent of the company’s sales. The United States later brought in Motorola to fix balky products, making it clear to the company’s CEO this was being done for U.S. intelligence.

In light of all this, it seems a bit rich to complain about Huawei spying on telecoms infrastructure, don’t you think?

To its frustration, Germany was never admitted to the vaunted “Five Eyes,” a long-standing intelligence pact involving the United States, Britain, Australia, New Zealand and Canada. But with the Crypto partnership, Germany moved closer into the American espionage fold than might have seemed possible in World War II’s aftermath. With the secret backing of two of the world’s premier intelligence agencies and the support of two of the world’s largest corporations, Crypto’s business flourished. A table in the CIA history shows that sales surged from 15 million Swiss francs in 1970 to more than 51 million in 1975, or $19 million. The company’s payroll expanded to more than 250 employees.

Things Start to Crumble

So how did this amazing operation meet its end?

The NSA’s eavesdropping empire was for many years organized around three main geographic targets, each with its own alphabetic code: A for the Soviets, B for Asia and G for virtually everywhere else. By the early 1980s, more than half of the intelligence gathered by G group was flowing through Crypto machines, a capability that U.S. officials relied on in crisis after crisis.

Reagan puts his foot right in it, the old cowpoke:

Reagan appears to have jeopardized the Crypto operation after Libya was implicated in the 1986 bombing of a West Berlin disco popular with American troops stationed in West Germany. Two U.S. soldiers and a Turkish woman were killed as a result of the attack. Reagan ordered retaliatory strikes against Libya 10 days later. Among the reported victims was one of Gaddafi’s daughters. In an address to the country announcing the strikes, Reagan said the United States had evidence of Libya’s complicity that “is direct, it is precise, it is irrefutable.” The evidence, Reagan said, showed that Libya’s embassy in East Berlin received orders to carry out the attack a week before it happened. Then, the day after the bombing, “they reported back to Tripoli on the great success of their mission.”

Reagan’s words made clear that Tripoli’s communications with its station in East Berlin had been intercepted and decrypted. But Libya wasn’t the only government that took note of the clues Reagan had provided. Iran, which knew that Libya also used Crypto machines, became increasingly concerned about the security of its equipment. Tehran didn’t act on those suspicions until six years later.

The employees become suspicious:

After the CIA and BND acquisition, one of the most vexing problems for the secret partners was ensuring that Crypto’s workforce remained compliant and unsuspecting. Even while hidden from view, the agencies went to significant lengths to maintain Hagelin’s benevolent approach to ownership. Employees were well paid and had abundant perks including access to a small sailboat on Lake Zug near company headquarters.

And yet, those who worked most closely with the encryption designs seemed constantly to be getting closer to uncovering the operation’s core secret. The engineers and designers responsible for developing prototype models often questioned the algorithms being foisted on them by a mysterious external entity. Crypto executives often led employees to believe that the designs were being provided as part of the consulting arrangement with Siemens. But even if that were so, why were encryption flaws so easy to spot, and why were Crypto’s engineers so routinely blocked from fixing them?

In 1977, Heinz Wagner, the chief executive at Crypto who knew the true role of the CIA and BND, abruptly fired a wayward engineer after the NSA complained that diplomatic traffic coming out of Syria had suddenly became unreadable. The engineer, Peter Frutiger, had long suspected Crypto was collaborating with German intelligence. He had made multiple trips to Damascus to address complaints about their Crypto products and apparently, without authority from headquarters, had fixed their vulnerabilities.

Frutiger “had figured out the Minerva secret and it was not safe with him,” according to the CIA history. Even so, the agency was livid with Wagner for firing Frutiger rather than finding a way to keep him quiet on the company payroll. Frutiger declined to comment for this story.

U.S. officials were even more alarmed when Wagner hired a gifted electrical engineer in 1978 named Mengia Caflisch. She had spent several years in the United States working as a radio-astronomy researcher for the University of Maryland before returning to her native Switzerland and applying for a job at Crypto. Wagner jumped at the chance to hire her. But NSA officials immediately raised concerns that she was “too bright to remain unwitting.”

Whatever you do, don’t hire the bright people! They might find out things.

The warning proved prescient as Caflisch soon began probing the vulnerabilities of the company’s products. She and Spoerndli, a colleague in the research department, ran various tests and “plaintext attacks” on devices including a teletype model, the HC-570, that was built using Motorola technology, Spoerndli said in an interview. “We looked at the internal operations, and the dependencies with each step,” Spoerndli said, and became convinced they could crack the code by comparing only 100 characters of enciphered text to an underlying, unencrypted message. It was an astonishingly low level of security, Spoerndli said in an interview last month, but far from unusual. “The algorithms,” he said, “always looked fishy.”

Didn’t these customer governments ever put their own specialists on figuring out if this tech was actually secure? Did they just trust Crypto AG so completely? Maybe because everyone thought a coup as the Americans had pulled off to be impossible?

In the ensuing years, Caflisch continued to pose problems. At one point, she designed an algorithm so strong that NSA officials worried it would be unreadable. The design made its way into 50 HC-740 machines rolling off the factory floor before company executives discovered the development and stopped it. “I just had an idea that something might be strange,” Caflisch said in an interview last month, about the origin of her suspicions. But it became clear that her probing wasn’t appreciated, she said. “Not all questions appeared to be welcome.” The company restored the rigged algorithm to the rest of the production run and sold the 50 secure models to banks to keep them out of the hands of foreign governments.

Because these and other developments were so hard to defend, Wagner at one point told a select group of members of the research and development unit that Crypto “was not entirely free to do what it wanted”. The acknowledgment seemed to subdue the engineers, who interpreted it as confirmation that the company’s technology faced constraints imposed by the German government. But the CIA and BND became increasingly convinced that their routine, disembodied interference was unsustainable.

Enter the new Hagelin.

Crypto had become an Oz-like operation with employees probing to see what was behind the curtain. As the 1970s came to a close, the secret partners decided to find a wizard figure who could help devise more advanced – and less detectable – weaknesses in the algorithms, someone with enough cryptological clout to tame the research department. The two agencies turned to other spy services for potential candidates before settling on an individual put forward by Sweden’s intelligence service. Because of Hagelin’s ties to the country, Sweden had been kept apprised of the operation since its outset.

Kjell-Ove Widman, a mathematics professor in Stockholm, had made a name for himself in European academic circles with his research on cryptology. Widman was also a military reservist who had worked closely with Swedish intelligence officials. To the CIA, Widman had an even more important attribute: an affinity for the United States that he had formed while spending a year in Washington state as an exchange student.

Officials involved in Widman’s recruitment described it as almost effortless. After being groomed by Swedish intelligence officials, he was brought to Munich in 1979 for what purported to be a round of interviews with executives from Crypto and Siemens. The fiction was maintained as Widman faced questions from a half-dozen men seated around a table in a hotel conference room. As the group broke for lunch, two men asked Widman to stay behind for a private conversation.

“Do you know what ZfCh is?” asked Jelto Burmeister, a BND case officer, using the acronym for the German cipher service. When Widman replied that he did, Burmeister said, “Now, do you understand who really owns Crypto AG?” At that point, Widman was introduced to Richard Schroeder, a CIA officer stationed in Munich to manage the agency’s involvement in Crypto. Widman would later claim to agency historians that his “world fell apart completely” in that moment. If so, he did not hesitate to enlist in the operation. Without even leaving the room, Widman sealed his recruitment with a handshake. As the three men joined the rest of the group at lunch, a “thumbs up” signal transformed the gathering into a celebration.

Years after his recruitment, he told U.S. officials that he saw himself as “engaged in a critical struggle for the benefit of Western intelligence,” according to the CIA document. “It was, he said, the moment in which he felt at home. This was his mission in life.”

Crypto installed Widman as a “scientific advisor” reporting directly to Wagner. He became the spies' hidden inside agent, departing Zug every six weeks for clandestine meetings with representatives of the NSA and ZfCh. Schroeder, the CIA officer, would attend but tune out their technical babble. They would agree on modifications and work up new encryption schemes. Then Widman would deliver the blueprints to Crypto engineers. The CIA history calls him the “irreplaceable man,” and the “most important recruitment in the history of the Minerva program.” His stature cowed subordinates, investing him “with a technical prominence that no one in CAG could challenge.”

Side note: ZfCh (Zentralstelle für das Chiffrierwesen) became the Bundesamt für Sicherheit in der Informationstechnik (BSI) in 1991. The BSI now runs the country’s CERT, among other things.

As Widman settled in, the secret partners adopted a set of principles for rigged algorithms, according to the BND history. They had to be “undetectable by usual statistical tests” and, if discovered, be “easily masked as implementation or human errors." In other words, when cornered, Crypto executives would blame sloppy employees or clueless users.

That’s probably exactly how they’re still doing it today.

Now Argentinia becomes suspicious:

In 1982, when Argentina became convinced that its Crypto equipment had betrayed secret messages and helped British forces in the Falklands War, Widman was dispatched to Buenos Aires. Widman told them the NSA had probably cracked an outdated speech-scrambling device that Argentina was using, but that the main product they bought from Crypto, the CAG 500, remained “unbreakable.”

“The bluff worked,” the CIA history says. “The Argentines swallowed hard, but kept buying CAG equipment.”

They need to pull some of Hagelin’s papers:

Hagelin, then 90 years old, became ill on a trip to Sweden and was hospitalized. He recovered well enough to return to Switzerland, but CIA officials became worried about Hagelin’s extensive collection of business records and personal papers at his office in Zug. Schroeder, with Hagelin’s permission, arrived with a briefcase and spent several days going through the files. To visitors, he was introduced as a historian interested in tracing Hagelin’s life. Schroeder pulled out the documents “that were incriminating,” according to the history, and shipped them back to CIA headquarters, “where they reside to this day.”

And then shit gets real.

Crypto endured several money-losing years in the 1980s, but the intelligence flowed in torrents. U.S. spy agencies intercepted more than 19,000 Iranian communications sent via Crypto machines during that nation’s decade-long war with Iraq, mining them for reports on subjects such as Tehran’s terrorist links and attempts to target dissidents.

In 1992, however, the Crypto operation faced its first major crisis: Iran, belatedly acting on its long-standing suspicions, detained a company salesman. Hans Buehler, then 51, was considered one of the company’s best salesmen. Iran was one of the company’s largest contracts, and Buehler had traveled in and out of Tehran for years. There were tense moments, including when he was questioned extensively in 1986 by Iranian officials after the disco bombing and U.S. missile strikes on Libya.

Six years later, he boarded a Swissair flight to Tehran but failed to return on schedule. When he didn’t show, Crypto turned for help to Swiss authorities and were told he had been arrested by the Iranians. Swiss consular officials allowed to visit Buehler reported that he was in “bad shape mentally,” according to the CIA history.

Buehler was finally released nine months later after Crypto agreed to pay the Iranians $1 million, a sum that was secretly provided by the BND, according to the documents. The CIA refused to chip in, citing the U.S. policy against succumbing to ransom demands for hostages.

LOL. How the fuck does that policy apply to secret hush money paid by the CIA or other intelligence services? And the German’s bought that? Jamokes.

Buehler knew nothing about Crypto’s relationship to the CIA and BND or the vulnerabilities in its devices. But he returned traumatized and suspicious that Iran knew more about the company he worked for than he did. Buehler began speaking to Swiss news organizations about his ordeal and mounting suspicions. The publicity brought new attention to long-forgotten clues, including references to a “Boris project” in Friedman’s massive collection of personal papers, which were donated to Virginia Military Institute when he died in 1969. Among the 72 boxes delivered to Lexington, Va., were copies of his lifelong correspondence with Hagelin.

In 1994, the crisis deepened when Buehler appeared on Swiss television in a report that also featured Frutiger, whose identity was concealed from viewers. Michael Grupe, who had succeeded Wagner as chief executive, agreed to appear on Swiss television and disputed what he knew to be factual charges. “Grupe’s performance was credible, and may have saved the program,” the CIA history says. Even so, it took several years for the controversy to die down.

In 1995, the Baltimore Sun ran a series of investigative stories about the NSA, including one called “Rigging the Game” that exposed aspects of the agency’s relationship with Crypto. The article reported NSA officials had traveled to Zug in the mid-1970s for secret meetings with Crypto executives. The officials were posing as consultants for a front company called “Intercomm Associates” but then proceeded to introduce themselves by their real names – which were recorded on notes of the meeting kept by a company employee. Amid the publicity onslaught, some employees began to look elsewhere for work. And at least a half-dozen countries – including Argentina, Italy, Saudi Arabia, Egypt and Indonesia – either canceled or suspended their Crypto contracts. Astonishingly, Iran was not among them, according to the CIA file, and “resumed its purchase of CAG equipment almost immediately.”

I mean, at this point, you must have been able to put one and one together if you worked at the place for some time.

In interviews in Switzerland last month, several former Crypto workers mentioned in the documents described feelings of unease about their involvement in the company. They were never informed of its true relationship to intelligence services. But they had well-founded suspicions and still wrestle with the ethical implications of their decisions to remain at a firm they believed to be engaged in deception.

The BND Wants Out

The main casualty of the “Hydra” crisis, the code name given to the Buehler case, was the CIA-BND partnership. For years, BND officials had recoiled at their American counterpart’s refusal to distinguish adversaries from allies. The two partners often fought over which countries deserved to receive the secure versions of Crypto’s products, with U.S. officials frequently insisting that the rigged equipment be sent to almost anyone – ally or not – who could be deceived into buying it.

In the German history, Wolbert Smidt, the former director of the BND, complained that the United States “wanted to deal with the allies just like they dealt with the countries of the Third World.” The Cold War had ended, the Berlin Wall was down and the reunified Germany had different sensitivities and priorities. They saw themselves as far more directly exposed to the risks of the Crypto operation. Hydra had rattled the Germans, who feared the disclosure of their involvement would trigger European outrage and lead to enormous political and economic fallout.

In 1993, Konrad Porzner, the chief of the BND, made clear to CIA Director James Woolsey that support in the upper ranks of the German government was waning and that the Germans might want out of the Crypto partnership. On Sept. 9, the CIA station chief in Germany, Milton Bearden, reached an agreement with BND officials for the CIA to purchase Germany’s shares for $17 million, according to the CIA history.

German intelligence officials rued the departure from an operation they had largely conceived. In the German history, senior intelligence officials blame political leaders for ending one of the most successful espionage programs the BND had ever been a part of.

With their departure, the Germans were soon cut off from the intelligence that the United States continued to gather. Burmeister is quoted in the German history wondering whether Germany still belonged “to this small number of nations who are not read by the Americans.” The Snowden documents provided what must have been an unsettling answer, showing that U.S. intelligence agencies not only regarded Germany as a target but monitored German Chancellor Angela Merkel’s cellphone.

Now the whole thing falls apart:

In reality, the operation appears to have entered a protracted period of decline. By the mid-1990s, “the days of profit were long past,” and Crypto “would have gone out of business but for infusions from the U.S. government.” As a result, the CIA appears to have spent years propping up an operation that was more viable as an intelligence platform than a business enterprise. Its product line dwindled and its revenue and customer base shrank.

But the intelligence kept coming, current and former officials said, in part because of bureaucratic inertia. Many governments just never got around to switching to newer encryption systems proliferating in the 1990s and beyond – and unplugging their Crypto devices. This was particularly true of less developed nations, according to the documents.

After the BND’s departure, the CIA expanded its clandestine collection of companies in the encryption sector, according to former Western intelligence officials. Using cash amassed from the Crypto operation, the agency secretly acquired a second firm and propped up a third. The documents do not disclose any details about these entities. But the BND history notes that one of Crypto’s longtime rivals – Gretag AG, also based in Switzerland – was “taken over by an ‘American’ and, after a change of names in 2004, was liquidated."

We’re now concentrating on software.

Crypto itself hobbled along. It had survived the transitions from metal boxes to electronic circuits, going from teletype machines to enciphered voice systems. But it struggled to maintain its footing as the encryption market moved from hardware to software. U.S. intelligence agencies appear to have been content to let the Crypto operation play out, even as the NSA’s attention shifted to finding ways to exploit the global reach of Google, Microsoft, Verizon and other U.S. tech powers.

In 2017, Crypto’s longtime headquarters building near Zug was sold to a commercial real estate company. In 2018, the company’s remaining assets – the core pieces of the encryption business started nearly a century earlier – were split and sold. The transactions seemed designed to provide cover for a CIA exit.

The Legacy of Crypto AG

Crypto’s products are still in use in more than a dozen countries around the world, and its orange-and-white sign still looms atop the company’s longtime headquarters building near Zug, Switzerland. But the company was dismembered in 2018, liquidated by shareholders whose identities have been permanently shielded by the byzantine laws of Liechtenstein, a tiny European nation with a Cayman Islands-like reputation for financial secrecy.

Two companies purchased most of Crypto’s assets. The first, CyOne Security, was created as part of a management buyout and now sells security systems exclusively to the Swiss government. The other, Crypto International, took over the former company’s brand and international business. Each insisted that it has no ongoing connection to any intelligence service, but only one claimed to be unaware of CIA ownership. Their statements were in response to questions from The Post, ZDF and Swiss broadcaster SRF, which also had access to the documents.

CyOne has more substantial links to the now-dissolved Crypto, including that the new company’s chief executive held the same position at Crypto for nearly two decades of CIA ownership. A CyOne spokesman declined to address any aspect of Crypto AG’s history but said the new firm has “no ties to any foreign intelligence services.” The Swiss government, which was always sold secure versions of Crypto’s systems, is now CyOne’s only customer.

Andreas Linde, the chairman of the company that now holds the rights to Crypto’s international products and business, said he had no knowledge of the company’s relationship to the CIA and BND before being confronted with the facts in this article.

“We at Crypto International have never had any relationship with the CIA or BND – and please quote me,” he said in an interview. “If what you are saying is true, then absolutely I feel betrayed, and my family feels betrayed, and I feel there will be a lot of employees who will feel betrayed as well as customers.”

The Swiss government probably knew.

The Swiss government announced on Tuesday that it was launching an investigation of Crypto AG’s ties to the CIA and BND. Earlier this month, Swiss officials revoked Crypto International’s export license. The timing of the Swiss moves was curious. The CIA and BND documents indicate that Swiss officials must have known for decades about Crypto’s ties to the U.S. and German spy services, but intervened only after learning that news organizations were about to expose the arrangement.

The histories, which do not address when or whether the CIA ended its involvement, carry the inevitable biases of documents written from the perspectives of the operation’s architects. They depict Rubicon as a triumph of espionage, one that helped the United States prevail in the Cold War, keep tabs on dozens of authoritarian regimes and protect the interests of the United States and its allies. The papers largely avoid more unsettling questions, including what the United States knew – and what it did or didn’t do – about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.

Nor do the files deal with obvious ethical issues at the core of the operation: the deception and exploitation of adversaries, allies and hundreds of unwitting Crypto employees. Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety. In recent interviews, deceived employees – even ones who came to suspect during their time at Crypto that the company was cooperating with Western intelligence – said the revelations in the documents have deepened a sense of betrayal, of themselves and customers.

What Can We Learn from this Story?

Now that we know all this, there are several things we have to remember from now on.

  • We need to assume that this kind of thing is still going on. Except the battleground is all software now. There are probably several crypto and security companies being controlled by the NSA and CIA right now.
  • How crazy is it, that a country who’s pulled a stunt like this is now railing against the Huawei involvement in 5G infrastructure? Anytime anyone from the US government ever says anything about Huawei not being trustworthy, we need to ask them what software and hardware they have backdoored in the wake of moving on from the Crypto AG operation.
  • We need to watch for these kinds of backdoors in crypto algorithms. Especially open source ones. And we can’t buy the “this was probably an accident” excuse anymore.
  • I’ve said for years that just because a product is from Switzerland doesn’t mean it is somehow more trustworthy than products from other countries. In fact, I would assume the opposite now. The secrecy of their financial institutions obviously helps with these kind of schemes.

Feedback

As usual, I’ve gotten quite a few messages from producers since the last episode. It looks like listenership is picking up nicely. I seem to have over a thousand regular listeners now, which is quite good after two months and hardly any outside advertising, I feel. Anyway, here’s what some of you have been saying:

Steve Hoos writes:

Love the work you’re doing. As for ideas about what can be added to the podcast, I think it would be cool to add a solution to the problem. Maybe an episode about an alternative software or device that can be used to replace a problem software or device. For example, Jitsi or Jami to replace Zoom. Or Wyze cameras recording to a local server to replace Ring doorbells.

Thanks for the hard work!

Fadi Mansour replies to me replying to his feedback on episode 12:

I’m humbled by what you said in the episode, I hope that my feedback is helpful. I believe in sharing experiences, although I keep repeating that I come from (to use a euphemism) “a less democratic country”. But I have to say, regardless of my personal opinion about the state of affairs in Syria, I consider myself relatively lucky as I didn’t suffer any direct troubles. But that’s where my comments about privacy assumptions and how they can be limiting comes from: You are OK as long as you avoid getting into any controversial topics. And this is exactly what you hope would not be the case in a democracy.

He also referenced a vlog I recorded and said that he hopes I’m not too depressed. Many people misunderstood the reference to depression, which I used in regards to the economic phenomenon, not my mental state. This is why I clarified that in a second vlog. So don’t worry about me!

A listener who I will keep anonymous, because they sent me an encrypted email, asked why I don’t use Liberapay. It basically comes down to their weird requirement to be only used for “donations” and some confusion about tax law on their part.

If you also have thoughts on the things discussed here, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money to via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Kai Siers, Eric gPodder Test, Rasheed Alhimianee, Butterbeans, Mark Holland, Steve Hoos, Shelby Cruver, Fadi Mansour, Matt Jelliman, Joe Poser, Vlad, ikn, Dave Umrysh, 1i11g, Vytautas Sadauskas, RikyM, drivezero, Dirk Dede, David Potter, Jackie Plage, Jonathan Edwards and Barry Williams.