The NSA Is Targeting Users of Privacy Services, Leaked Code Shows
By Kim Zetter, Wired, July 3, 2014
If you use Tor or any of a number of other privacy services online or even visit their web sites to read about the services, there’s a good chance your IP address has been collected and stored by the NSA, according to top-secret source code for a program the NSA uses to conduct internet surveillance.
There’s also a good chance you’ve been tagged for simply reading news articles about these services published by Wired and other sites.
This is according to code, obtained and analyzed by journalists and others in Germany, which for the first time reveals the extent of some of the wide-spread tracking the NSA conducts on people using or interested in using privatizing tools and services--a list that includes journalists and their sources, human rights activists, political dissidents living under oppressive countries and many others who have various reasons for needing to shield their identity and their online activity.
The source code, for the NSA system known as XKeyscore, is used in the collection and analysis of internet traffic, and reveals that simply searching the web for privacy tools online is enough to get the NSA to label you an “extremist” and target your IP address for inclusion in its database.
But the NSA’s analysis isn’t limited to tracking metadata like IP addresses. The system also conducts deep-packet inspection of emails that users exchange with the Tor anonymizing service to obtain information that Tor conveys to users of so-called Tor “bridges.”
Legal experts say the widespread targeting of people engaged in constitutionally protected activity like visiting web sites and reading articles, raises questions about the legal authority the NSA is using to track users in this way.
“Under [the Foreign Intelligence Surveillance Act] there are numerous places where it says you shouldn’t be targeting people on the basis of activities protected by the First Amendment,” says Kurt Opsahl, deputy general counsel for the Electronic Frontier Foundation. “I can’t see how this activity could have been properly authorized under FISA. This is suggesting then that they have come up with some other theory of authorizing this.”
The findings also contradict NSA longstanding claims that its surveillance targets only those suspected of engaging in activity that threatens national security.
“They say ‘We’re not doing indiscriminate searches,’ but this is indiscriminate,” Opsahl notes. “It’s saying that anyone who is looking for those various [services] are suspicious persons.”
He notes that the NSA actions are at clear odds with statements from former U.S. Secretary of State Hilary Clinton and others in the government about the importance of privacy services and tools to protect First Amendment freedoms.
“One hand of the government is promoting tools for human rights advocates and political dissidents to be able to communicate and is championing that activity,” he says. “While another branch of the government is determining that that activity is suspicious and requires tracking.”
The findings were uncovered and published by Norddeutscher Rundfunk and Westdeutscher Rundfunk--two public radio and TV broadcasting organizations in Germany. An English-language analysis of the findings, along with parts of the source code for the XKeyscore program--was also published by Jacob Appelbaum, a well-known American developer employed by the Tor Project, and two others in Germany who play significant roles in Tor.
XKeyscore is the collection system the NSA uses to scoop up internet data and analyze it. It has been described in NSA documents leaked by Edward Snowden as a crucial tool that the NSA can use to monitor “nearly everything a user does on the internet.”
Embedded in the code they found rules describing what XKeyscore is focused on monitoring. The rules indicate that the NSA tracks any IP address that connects to the Tor web site or any IP address that contacts a server that is used for an anonymous email service called MixMinion that is maintained by a server at MIT. XKeyscore targets any traffic to or from an IP address for the server. The NSA is also tracking anyone who visits the popular online Linux publication, Linux Journal, which the NSA refers to as an “extremist forum” in the source code.
Tor was originally developed and funded by the U.S. Naval Research Laboratory in the late ‘90s to help government employees shield their identity online, but it was later passed to the public sector for use. Tor has since been completely rebuilt by developers, and is now overseen by the Tor Project, a non-profit in Massachusetts, though it is still primarily funded by government agencies.
Tor allows users to surf the internet as well as conduct chat and send instant messages anonymously. It works by encrypting the traffic and relaying it through a number of random servers, or nodes, hosted by volunteers around the world to make it difficult for anyone to trace the data back to its source. Each node in the network can only see the previous node that sent it the traffic and the next node to which it’s sending the traffic.
In documents released by Edward Snowden, NSA workers discussed their frustration in spying on people who use Tor. “We will never be able to de-anonymize all Tor users all the time,” one internal NSA document noted.
But the XKeyscore source code reveals some of the ways the NSA attempts to overcome this obstacle.
Tor isn’t the only target of XKeyscore, however. The system is also targeting users of other privacy services: Tails, HotSpotShield, FreeNet, Centurian, FreeProxies.org, and MegaProxy.
XKeyscore additionally tracks the addresses for web sites that use Tor Hidden Services to hide their location on the internet. Sites that use Tor Hidden Services--part of the so-called Dark Web--have a special Tor URL that can only be accessed by those using the Tor browser and who know the specific address. Tor Hidden Services is used by activists to host forums discussing their activity, though it is also used by sites selling illegal drugs and other illicit goods. XKeyscore catalogs every one of these URLs it can discover by culling through what it calls “raw traffic” and storing the address in a database.