Internet users who use online privacy tools or read certain websites may themselves become targets of NSA surveillance, according to a new investigation by public broadcasting outlets in Germany published on Thursday.
Citing documents that refer to "deep packet inspection" rules used by the NSA for its so-called "XKeyscore" program to determine what targets are selected for surveillance and how, the investigation (versions: German | English) reveals that people who seek out or use online privacy tools—including things like TOR, a network tool that provides digital anonymity and minimizes exposure to possible surveillance—may be targeted simply for making those efforts.
Other platforms targeted by the program include the LINUX open source operating system as well as privacy and encryption services such as HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion. According to the reporting, the NSA characterized those who would use such services as "extremists," which sparked spirited outrage on social media as the story broke.
As part of its investigation, the researchers examined a piece of computer code found on a server maintained by Sebastian Hahn, a German student of computer science who manages a node on the TOR network. The discovery showed not only that Hahn was a target of NSA surveillance, but also the previously unknown lengths the agency has gone in targeting users of such tools.
Examination of the XKeyscore rules contained in the code (now published for the first time) goes beyond previous reporting by the Guardian newspaper about the program and, according to the English version of the new reporting, "provides a window into the actual instructions given to NSA computers" conducting the surveillance.
"The top secretsource code published here," the report continues, "indicates that the NSA is making a concerted effort to combat any and all anonymous spaces that remain on the internet. Merely visiting privacy-related websites is enough for a user's IP address to be logged into an NSA database."
When asked for his reaction to the findings, Roger Dingledine, an MIT alumnus who spearheads the TOR project, told the investigative team:
"We've been thinking of state surveillance for years because of our work in places where journalists are threatened. Tor's anonymity is based on distributed trust, so observing traffic at one place in the Tor network, even a directory authority, isn't enough to break it. Tor has gone mainstream in the past few years, and its wide diversity of users - from civic-minded individuals and ordinary consumers to activists, law enforcement, and companies - is part of its security. Just learning that somebody visited the Tor or Tails website doesn't tell you whether that person is a journalist source, someone concerned that her Internet Service Provider will learn about her health conditions, or just someone irked that cat videos are blocked in her location. Trying to make a list of Tor's millions of daily users certainly counts as wide scale collection. Their attack on the bridge address distribution service shows their "collect all the things" mentality - it's worth emphasizing that we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country. Does reading the contents of those mails violate the wiretap act? Now I understand how the Google engineers felt when they learned about the attacks on their infrastructure.”
On Thursday, as news of the story spread around the world, Hahn himself answered questions about the new developments surrounding XKeyscore and his role in the investigation.
Asked how it felt to be in the company of German Chancellor Angela Merkel as a target of NSA surveillance, Hahn responded: "It is a different level of surveillance, thus I dislike this comparison. Every German citizen is subject of surveillance on a daily basis, without anyone mentioning it. My personal case might be good for headlines; the whole dimension and the missing protection measures, especially for less technical experienced people is the real scandal. I am shocked how easily innocent people can get into the focus of surveillance. Intelligence agency [sic] take that for granted."
As the German public broadcaster Das Erste summarizes, the investigation into the code and the NSA targeting it represents revealed: "Merely searching the web for the privacy-enhancing software tools outlined in the XKeyscore rules causes the NSA to mark and track the IP address of the person doing the search. Not only are German privacy software users tracked, but the source code shows that privacy software users worldwide are tracked by the NSA."
Cory Doctorow, writing for Boing Boing in a piece aptly titled, 'If you read Boing Boing, the NSA considers you a target for deep surveillance,' says the reporting contains several key revelations. He writes:
I have known that this story was coming for some time now, having learned about its broad contours under embargo from a trusted source. Since then, I've discussed it in confidence with some of the technical experts who have worked on the full set of Snowden docs, and they were as shocked as I was.
One expert suggested that the NSA's intention here was to separate the sheep from the goats -- to split the entire population of the Internet into "people who have the technical know-how to be private" and "people who don't" and then capture all the communications from the first group.
In addition, and not for the first time, the source of leak has the potential to be an explosive development all its own. According to Doctorow:
Another expert said that s/he believed that this leak may come from a second source, not Edward Snowden, as s/he had not seen this in the original Snowden docs; and had seen other revelations that also appeared independent of the Snowden materials. If that's true, it's big news, as Snowden was the first person to ever leak docs from the NSA. The existence of a potential second source means that Snowden may have inspired some of his former colleagues to take a long, hard look at the agency's cavalier attitude to the law and decency.
And technology expert and privacy advocate Bruce Shreier agreed, writing: "I do not believe that this came from the Snowden documents [...] I think there's a second leaker out there."