Eighty years is a long time to keep a secret from the people you are supposed to protect. That, in essence, is the charge two US lawmakers are now levelling at their own government over a surveillance technique so old it predates the transistor.
Senator Ron Wyden and Representative Shontel Brown have released a letter they sent to the Government Accountability Office demanding an investigation into the vulnerability of modern computers to TEMPEST-style side-channel attacks, the monitoring and deciphering of accidental emanations from PCs, phones, and other computing devices to surveil their operations.
This category of spying techniques, originally codenamed TEMPEST by the National Security Agency but now encompassed in the more general term "side-channel attacks," has been a known problem in computer security for close to eight decades. The core idea is disarmingly simple: every electronic device leaks faint electromagnetic and acoustic signals as it operates, and a skilled listener with the right equipment can reconstruct what that device was processing, without ever touching it or connecting to it over a network.
The possibility of such attacks has been taken seriously by the US government since as early as the 1940s, when Bell Labs discovered that machines it sold to the US military for encrypting messages produced legible signals on an oscilloscope on the other side of the lab. The Bell Labs machines were transmitting clues about the inner workings of military cryptography in the radio waves created by their components' electromagnetic charge. A declassified NSA report from 1972 later described the problem of the agency's classified computers transmitting "radio frequency or acoustic energy," warning that such emissions could radiate through free space for distances of a half mile or more if conducted through nearby materials like power lines.
Much of TEMPEST is about leaking electromagnetic emanations, but it also encompasses sounds and mechanical vibrations. For example, it is possible to log a user's keystrokes using the motion sensor inside smartphones. In other words, your phone's accelerometer could betray your passwords, no network connection required.
More recent demonstrations have shown the threat is not purely theoretical. In 2015, Tel Aviv University researchers demonstrated a radio spying device that could steal information from a computer based on the electromagnetic emanations of its processor from just a couple of feet away. Separately, four researchers demonstrated a TEMPEST attack against a laptop, recovering its encryption keys by listening to its electrical emanations, with the attack hardware costing around $3,000.
Here's the thing: the US government has known about all of this for decades and has quietly protected its own systems while leaving everyone else in the dark. The government's own protective measures include the use of isolated, radio-shielded spaces for securely accessing secret information, known as a Sensitive Compartmented Information Facility, or SCIF. Meanwhile, the government has "neither warned the public about this threat, nor imposed requirements on the manufacturers of consumer electronics, such as smartphones, computers and computer accessories, to build technical countermeasures into their products," Wyden and Brown point out in their letter.
In the letter, Wyden and Brown write that these forms of spying "do not just pose a counterintelligence threat to the US government, but these methods can also be exploited by adversaries against the American public, including to steal strategically important technologies from US companies." Along with the letter, Wyden and Brown also commissioned a newly released Congressional Research Service report about the history of TEMPEST and the contemporary threat posed by similar side-channel attacks.
Wyden and Brown's letter ends by urging the GAO to review the scale of the modern privacy threat of side-channel attacks, the "cost and feasibility" of implementing protections against them in modern devices, and potential policy options, including mandating device manufacturers add countermeasures.
The case for scepticism is also worth taking seriously. In some ways, side-channel attacks are already harder to carry out than in years past: the push to preserve battery life in phones and laptops has already led to more efficient computer components that use less electricity and thus transmit less accidental radiation, according to Samy Kamkar, a well-known security researcher who has focused on side-channel attacks. The new Congressional Research Service report on side-channel attacks itself points out that more computing than ever takes place in the cloud, inside data centres where a would-be spy would likely have a harder time picking up and deciphering emanations. Just how practical side-channel attacks like TEMPEST are against modern computing devices, and how often they are actually used in the wild by hackers and spies, remains far from clear.
There is a legitimate tension here between the cost of mandating hardware changes across the entire consumer electronics industry and the actual, demonstrable risk to ordinary people. Regulatory mandates carry real costs, and those costs are ultimately passed on to consumers. Getting the threat assessment right matters before reaching for a legislative solution.
What the lawmakers' push does expose, regardless of where that assessment lands, is a structural accountability gap. The National Security Agency has spent decades refining classified standards to protect government hardware from exactly these attacks. The question Wyden and Brown are really asking is why that institutional knowledge has never been translated into guidance or requirements for the devices that billions of civilians carry in their pockets every day. That question deserves a straight answer, whatever the GAO ultimately finds.