NSA’s XKEYSCORE dissected: All Tor users marked as ‘extremists’

Anyone trying to protect themselves from the NSA’s surveillance might well be shooting themselves in the foot. An investigation by German researchers has stumbled upon a rule in the NSA’s XKEYSCORE program that allows it to monitor everything from web traffic to private emails. Apparently, anyone using Tor or proxy servers to access the web is automatically marked for extra surveillance – in less technical terms, it seems the NSA is targeting anyone wearing a bulletproof vest.

The rule was found in a leaked XKEYSCORE configuration file, which has been studied intensively by security specialists of the German broadcasters NDR and WDR, and also by members of the Tor Project. Their analysis shows the NSA is specifically targeting Tor’s directory servers, while logging the IPs of anyone searching for privacy-focused websites.

SiliconANGLE has noted the NSA’s disdain for Tor before – the agency has even tried to hack it, so far to no avail – and the leaked source code, which is written in an odd custom language, suggests the spooks are determined to find out what Tor users are up to, one way or another.

Users targeted by XKEYSCORE include anyone who visits the Linux Journal website, and anyone who visits the website of Linux Tails – which the NSA describes as a “comsec mechanism advocated by extremists on extremist forums.” Which means that if you’ve ever Googled anything about online privacy, or scanned a Linux Journal article to learn how to fix a broken package, you’re probably on the NSA’s hitlist for surveillance.

The researchers list other monitored sites, which include Centurian, FreeNet, FreeProxies.org, HotSpotShield, MixMinion, MegaProxy and Privacy.li. Anyone who visits them immediately has their IP address logged and stored on a server, and only the NSA gets to say how long it can keep it for.

XKEYSCORE’s code also contains plugins used to target Tor servers located at MIT in the USA, and also servers in Austria, Germany, the Netherlands and Sweden. These Tor servers are said to be under especially close NSA scrutiny; the stated goal is “to find potential Tor clients connecting to the Tor directory servers.”
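To make concrete what the two mechanisms above amount to, here is an added illustration in Python. It is not the XKEYSCORE rule itself (the leaked source is not reproduced on this page) but a minimal passive selector of the same shape: it tags a client IP purely because of the destination it contacted, whether that is one of the privacy-related sites named in the article or a Tor directory server. The domain names are inferred from the site names the researchers list, the directory-server addresses are TEST-NET placeholders, and every flow record is constructed for the example. The point for a defender is that a selector like this needs no content inspection at all: a single request to a watched host is enough to be logged.

```python
# Added illustration of a destination-keyed passive selector.
# Not the XKEYSCORE rule; hosts are inferred from the article's site names,
# Tor directory addresses are placeholders, and all flows are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Domains assumed for the sites named in the article (assumption, not from the leak).
WATCHED_HOSTS = {
    "linuxjournal.com",
    "tails.boum.org",
    "freeproxies.org",
    "hotspotshield.com",
    "megaproxy.com",
    "privacy.li",
}

# Placeholder addresses (RFC 5737 TEST-NET), standing in for Tor directory servers.
TOR_DIRECTORY_IPS = {"192.0.2.10", "192.0.2.11"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    client_ip: str
    dst_ip: str
    dst_host: Optional[str]  # hostname seen via DNS, Host header or SNI, if any


def classify(flow: Flow) -> List[str]:
    """Return the reasons a single flow would be selected (empty if none)."""
    reasons: List[str] = []
    host = (flow.dst_host or "").lower().rstrip(".")
    for watched in sorted(WATCHED_HOSTS):
        # Match the host itself and any subdomain of it.
        if host == watched or host.endswith("." + watched):
            reasons.append(f"visited {watched}")
    if flow.dst_ip in TOR_DIRECTORY_IPS:
        reasons.append("contacted Tor directory server")
    return reasons


def tag_flows(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Collect, per client IP, every reason any of its flows was selected."""
    tagged: Dict[str, Set[str]] = {}
    for flow in flows:
        for reason in classify(flow):
            tagged.setdefault(flow.client_ip, set()).add(reason)
    return tagged


def sample_flows() -> List[Flow]:
    """Constructed flow records for the demonstration."""
    t0 = datetime(2014, 7, 3, 12, 0, 0)
    return [
        Flow(t0, "10.0.0.5", "203.0.113.20", "linuxjournal.com"),
        Flow(t0, "10.0.0.5", "203.0.113.21", "example.org"),
        Flow(t0, "10.0.0.7", "192.0.2.10", None),  # bare TCP connection, no hostname seen
        Flow(t0, "10.0.0.9", "203.0.113.22", "www.tails.boum.org"),
        Flow(t0, "10.0.0.11", "203.0.113.23", "example.net"),
    ]


def demo() -> Dict[str, Set[str]]:
    return tag_flows(sample_flows())


if __name__ == "__main__":
    for ip, reasons in sorted(demo().items()):
        print(ip, "->", ", ".join(sorted(reasons)))
```

Note that 10.0.0.5 is tagged even though most of its traffic went elsewhere, and 10.0.0.7 is tagged without any hostname being observed at all, only the address it connected to. That is exactly why the article calls the rule indiscriminate: the selector has no notion of intent, only of destination.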

“This shows that Tor is working well enough that Tor has become a target for the intelligence services,” Sebastian Hahn, who runs one of the key Tor servers, notes in the report. “For me this means that I will definitely go ahead with the project.”

Surprisingly, the NSA gave a frank admission of XKEYSCORE’s capabilities when confronted with the evidence:

“In carrying out its mission, NSA collects only what it is authorized by law to collect for valid foreign intelligence purposes – regardless of the technical means used by foreign intelligence targets. The communications of people who are not foreign intelligence targets are of no use to the agency.”

“In January, President Obama issued U.S. Presidential Policy Directive 28, which affirms that all persons – regardless of nationality – have legitimate privacy interests in the handling of their personal information, and that privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities.”

“The president’s directive also makes clear that the United States does not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.”

“XKeyscore is an analytic tool that is used as a part of NSA’s lawful foreign signals intelligence collection system. Such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKeyscore allows the agency to help defend the nation and protect U.S. and allied troops abroad. All of NSA’s operations are conducted in strict accordance with the rule of law, including the President’s new directive.”

Interestingly, while the German researchers have made their investigation public and published part of the XKEYSCORE code, they didn’t reveal where they got the code from. Edward Snowden is the most obvious source, but well-known security expert Bruce Schneier isn’t sure it came from him.

“I do not believe that this came from the Snowden documents,” he wrote. “I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.”

photo credit: frederic.jacobs via photopin cc