NSA headquarters in Fort Meade, Maryland. Photo: NSA
If you use Tor or any of a number of other privacy services online or even visit their web sites to read about the services, there’s a good chance your IP address has been collected and stored by the NSA, according to top-secret source code for a program the NSA uses to conduct internet surveillance.
There’s also a good chance you’ve been tagged for simply reading news articles about these services published by Wired and other sites.
This is according to code, obtained and analyzed by journalists and others in Germany, which for the first time reveals the extent of some of the wide-spread tracking the NSA conducts on people using or interested in using privatizing tools and services—a list that includes journalists and their sources, human rights activists, political dissidents living under oppressive countries and many others who have various reasons for needing to shield their identity and their online activity.
The source code, for the NSA system known as XKeyscore, is used in the collection and analysis of internet traffic, and reveals that simply searching the web for privacy tools online is enough to get the NSA to label you an “extremist” and target your IP address for inclusion in its database.
But the NSA’s analysis isn’t limited to tracking metadata like IP addresses. The system also conducts deep-packet inspection of emails that users exchange with the Tor anonymizing service to obtain information that Tor conveys to users of so-called Tor “bridges.”
Legal experts say the widespread targeting of people engaged in constitutionally protected activity like visiting web sites and reading articles, raises questions about the legal authority the NSA is using to track users in this way.
“Under [the Foreign Intelligence Surveillance Act] there are numerous places where it says you shouldn’t be targeting people on the basis of activities protected by the First Amendment,” says Kurt Opsahl, deputy general counsel for the Electronic Frontier Foundation. “I can’t see how this activity could have been properly authorized under FISA. This is suggesting then that they have come up with some other theory of authorizing this.”
The findings also contradict NSA longstanding claims that its surveillance targets only those suspected of engaging in activity that threatens national security.
“They say ‘We’re not doing indiscriminate searches,’ but this is indiscriminate,” Opsahl notes. “It’s saying that anyone who is looking for those various [services] are suspicious persons.”
He notes that the NSA actions are at clear odds with statements from former U.S. Secretary of State Hilary Clinton and others in the government about the importance of privacy services and tools to protect First Amendment freedoms.
“One hand of the government is promoting tools for human rights advocates and political dissidents to be able to communicate and is championing that activity,” he says. “While another branch of the government is determining that that activity is suspicious and requires tracking. This may intimidate people from using these very important tools and have a chilling effect that could undermine the free expression of ideas throughout the world.”
The findings were uncovered and published by Norddeutscher Rundfunk and Westdeutscher Rundfunk—two public radio and TV broadcasting organizations in Germany. An English-language analysis of the findings, along with parts of the source code for the XKeyscore program—was also published by Jacob Appelbaum, a well-known American developer employed by the Tor Project, and two others in Germany who play significant roles in Tor.
Secrets Revealed in the Code
XKeyscore is the collection system the NSA uses to scoop up internet data and analyze it. It has been described in NSA documents leaked by Edward Snowden as a crucial tool that the NSA can use to monitor “nearly everything a user does on the internet.”
Embedded in the code they found rules describing what XKeyscore is focused on monitoring. The rules indicate that the NSA tracks any IP address that connects to the Tor web site or any IP address that contacts a server that is used for an anonymous email service called MixMinion that is maintained by a server at MIT. XKeyscore targets any traffic to or from an IP address for the server. The NSA is also tracking anyone who visits the popular online Linux publication, Linux Journal, which the NSA refers to as an “extremist forum” in the source code.
Tor was originally developed and funded by the U.S. Naval Research Laboratory in the late ’90s to help government employees shield their identity online, but it was later passed to the public sector for use. Tor has since been completely rebuilt by developers, and is now overseen by the Tor Project, a non-profit in Massachusetts, though it is still primarily funded by government agencies.
Tor allows users to surf the internet as well as conduct chat and send instant messages anonymously. It works by encrypting the traffic and relaying it through a number of random servers, or nodes, hosted by volunteers around the world to make it difficult for anyone to trace the data back to its source. Each node in the network can only see the previous node that sent it the traffic and the next node to which it’s sending the traffic.
In documents released by Edward Snowden, NSA workers discussed their frustration in spying on people who use Tor. “We will never be able to de-anonymize all Tor users all the time,” one internal NSA document noted.
But the XKeyscore source code reveals some of the ways the NSA attempts to overcome this obstacle.
Tor isn’t the only target of XKeyscore, however. The system is also targeting users of other privacy services: Tails, HotSpotShield, FreeNet, Centurian, FreeProxies.org, and MegaProxy.
Tails is an operating system used by human rights activists, as well as many of the journalists who have access to the Edward Snowden documents, to protect sensitive computer activity. It runs from a USB stick or CD so that it’s not stored on the system, and uses Tor and other privacy tools to protect user activity. At the end of each session, when the user reboots it, Tails erases any data pertaining to that session—such as evidence of documents opened or chats—except for data the user has specifically saved to an encrypted storage device. The NSA clearly regards Tails as a sinister tool, however, referring to it in one comment in the source code as “a comsec mechanism advocated by extremists on extremist forums.”
The XKeyscore rule for monitoring Tails users indicates that it is designed to identify users searching for the software program, as well as anyone “viewing documents relating to TAILs, or viewing websites that detail TAILs.”
Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by theNational Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post.
Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.
Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S.residents.
The surveillance files highlight a policy dilemma that has been aired only abstractly in public. There are discoveries of considerable intelligence value in the intercepted messages — and collateral harm to privacy on a scale that the Obama administration has not been willing to address.
Among the most valuable contents — which The Post will not describe in detail, to avoid interfering with ongoing operations — are fresh revelations about a secret overseas nuclear project, double-dealing by an ostensible ally, a military calamity that befell an unfriendly power, and the identities of aggressive intruders into U.S. computer networks.
Months of tracking communications across more than 50 alias accounts, the files show, led directly to the 2011 capture in Abbottabad of Muhammad Tahir Shahzad, a Pakistan-based bomb builder, and Umar Patek, a suspect in a 2002 terrorist bombing on the Indonesian island of Bali. At the request of CIA officials, The Post is withholding other examples that officials said would compromise ongoing operations.
Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.
In order to allow time for analysis and outside reporting, neither Snowden nor The Post has disclosed until now that he obtained and shared the content of intercepted communications. The cache Snowden provided came from domestic NSA operations under the broad authority granted by Congress in 2008 with amendments to the Foreign Intelligence Surveillance Act. FISA content is generally stored in closely controlled data repositories, and for more than a year, senior government officials have depicted it as beyond Snowden’s reach.
The Post reviewed roughly 160,000 intercepted e-mail and instant-message conversations, some of them hundreds of pages long, and 7,900 documents taken from more than 11,000 online accounts.
The material spans President Obama’s first term, from 2009 to 2012, a period of exponential growth for the NSA’s domestic collection.
Taken together, the files offer an unprecedented vantage point on the changes wrought by Section 702 of the FISA amendments, which enabled the NSA to make freer use of methods that for 30 years had required probable cause and a warrant from a judge. One program, code-named PRISM, extracts content stored in user accounts at Yahoo, Microsoft, Facebook, Google and five other leading Internet companies. Another, known inside the NSA as Upstream, intercepts data on the move as it crosses the U.S. junctions of global voice and data networks.
No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects — not only from its targets but also from people who may cross a target’s path.
Among the latter are medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.
Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.
“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst. Another makes fun of a suspected kidnapper, newly arrived in Syria before the current civil war, who begs for employment as a janitor and makes wide-eyed observations about the state of undress displayed by women on local beaches.
By law, the NSA may “target” only foreign nationals located overseas unless it obtains a warrant based on probable cause from a special surveillance court. For collection under PRISM and Upstream rules, analysts must state a reasonable belief that the target has information of value about a foreign government, a terrorist organization or the spread of nonconventional weapons.
Most of the people caught up in those programs are not the targets and would not lawfully qualify as such. “Incidental collection” of third-party communications is inevitable in many forms of surveillance, but in other contexts the U.S. government works harder to limit and discard irrelevant data. In criminal wiretaps, for example, the FBI is supposed to stop listening to a call if a suspect’s wife or child is using the phone.
There are many ways to be swept up incidentally in surveillance aimed at a valid foreign target. Some of those in the Snowden archive were monitored because they interacted directly with a target, but others had more-tenuous links.