Use privacy services? The NSA is probably tracking you (Wired UK)


If you use Tor or any of a number of other privacy services
online or even visit their web sites to read about the services,
there’s a good chance your IP address has been collected and stored
by the NSA, according to top-secret source code for a programme the
NSA uses to conduct internet surveillance. There’s also a good
chance you’ve been tagged for simply reading news articles about
these services published by Wired and other sites. This is
according to code, obtained and analysed by journalists and others
in Germany, which for the first time reveals the extent of some of
the widespread tracking the NSA conducts on people using or
interested in using privatising tools and services — a list that
includes journalists and their sources, human rights activists,
political dissidents living in oppressive countries and many
others who have various reasons for needing to shield their
identity and their online activity.

The source code, for the NSA system known as XKeyscore, is used
in the collection and analysis of internet traffic, and reveals
that simply searching the web for privacy tools online is enough to
get the NSA to label you an “extremist” and target your IP address
for inclusion in its database.

But the NSA’s analysis isn’t limited to tracking metadata like
IP addresses. The system also conducts deep-packet inspection of
emails that users exchange with the Tor anonymising service to
obtain information that Tor conveys to users of so-called Tor
“bridges.” Legal experts say the widespread targeting of people
engaged in constitutionally protected activity like visiting web
sites and reading articles raises questions about the legal
authority the NSA is using to track users in this way.

“Under [the Foreign Intelligence Surveillance Act] there are
numerous places where it says you shouldn’t be targeting people on
the basis of activities protected by the First Amendment,” says
Kurt Opsahl, deputy general counsel for the Electronic Frontier
Foundation. “I can’t see how this activity could have been properly
authorised under FISA. This is suggesting then that they have come
up with some other theory of authorizing this.” The findings also
contradict the NSA’s longstanding claims that its surveillance targets
only those suspected of engaging in activity that threatens
national security.

“They say ‘We’re not doing indiscriminate searches,’ but this is
indiscriminate,” Opsahl notes. “It’s saying that anyone who is
looking for those various [services] are suspicious persons.”

He notes that the NSA actions are at clear odds with statements
from former US Secretary of State Hillary Clinton and others in the
government about the importance of privacy services and tools to
protect First Amendment freedoms.

“One hand of the government is promoting tools for human rights
advocates and political dissidents to be able to communicate and is
championing that activity,” he says. “While another branch of the
government is determining that that activity is suspicious and
requires tracking. This may intimidate people from using these very
important tools and have a chilling effect that could undermine the
free expression of ideas throughout the world.”

The findings were uncovered and published by Norddeutscher
Rundfunk and Westdeutscher Rundfunk, two public radio and TV
broadcasting organisations in Germany. An English-language
analysis of the findings, along with parts of the source code
for the XKeyscore program, was also published by Jacob Appelbaum, a
well-known American developer employed by the Tor Project, and two
others in Germany who play significant roles in Tor.

Secrets Revealed in the Code

XKeyscore is the collection system the NSA uses to scoop up
internet data and analyse it. It has been described in NSA
documents leaked by Edward Snowden as a crucial tool that the NSA
can use to monitor “nearly everything a user does on the

Embedded in the code they found rules describing what XKeyscore
is focused on monitoring. The rules indicate that the NSA tracks
any IP address that connects to the Tor web site or any IP address
that contacts a server that is used for an anonymous email service
called MixMinion that is maintained by a server at MIT. XKeyscore
targets any traffic to or from an IP address for the server. The
NSA is also tracking anyone who visits the popular online Linux
publication, Linux Journal, which the NSA refers to as an
“extremist forum” in the source code.

Tor was originally developed and funded by the US Naval Research
Laboratory in the late ’90s to help government employees shield
their identity online, but it was later passed to the public sector
for use. Tor has since been completely rebuilt by developers, and
is now overseen by the Tor Project, a non-profit in Massachusetts,
though it is still primarily funded by government agencies.

Tor allows users to surf the internet as well as conduct chat
and send instant messages anonymously. It works by encrypting the
traffic and relaying it through a number of random servers, or
nodes, hosted by volunteers around the world to make it difficult
for anyone to trace the data back to its source. Each node in the
network can only see the previous node that sent it the traffic and
the next node to which it’s sending the traffic. In documents
released by Edward Snowden, NSA workers discussed their frustration
in spying on people who use Tor. “We will never be able to
de-anonymise all Tor users all the time,” one internal NSA document

But the XKeyscore source code reveals some of the ways the NSA
attempts to overcome this obstacle.

Tor isn’t the only target of XKeyscore, however. The system is
also targeting users of other privacy services: Tails,
HotSpotShield, FreeNet, Centurian,, and

Tails is an operating system
used by human rights activists, as well as many of the journalists
who have access to the Edward Snowden documents, to protect
sensitive computer activity. It runs from a USB stick or CD so that
it’s not stored on the system, and uses Tor and other privacy tools
to protect user activity. At the end of each session, when the user
reboots it, Tails erases any data pertaining to that session, such
as evidence of documents opened or chats, except for data the
user has specifically saved to an encrypted storage device. The NSA
clearly regards Tails as a sinister tool, however, referring to it
in one comment in the source code as “a comsec mechanism advocated
by extremists on extremist forums.”

The XKeyscore rule for monitoring Tails users indicates that it
is designed to identify users searching for the software program,
as well as anyone “viewing documents relating to TAILs, or viewing
websites that detail TAILs.”

How XKeyscore Works

The XKeyscore rules use features the NSA calls “appids,”
“fingerprints,” and “microplugins,” to identify and tag activity
online. Appids, the German publication notes, are unique
identifiers that help the system sort and categorize data and user
activity, such as an online search. The microplugins are possibly
used to extract and store specific types of data.

The rules indicate that the NSA is specifically targeting the IP
address of nine servers operated by key Tor volunteers in Germany,
Sweden, Austria, the Netherlands and even the US. These servers are
used by the Tor network as directory authorities. They generate, on
an hourly basis, a directory of all the Tor nodes or relays on the
Tor network, which change constantly as new servers are added by
volunteers or taken out of the network. The Tor software consults
these lists to direct traffic to the nodes. The XKeyscore system
uses a fingerprint called “anonymiser/tor/node/authority” that
targets any IP address that connects to the nine servers.

One of the servers is maintained by Sebastian Hahn, a
28-year-old Tor volunteer and computer science student at the
University of Erlangen. A German attorney told the media outlets
that the targeting of Tor volunteers in Germany may violate
restrictions against the US conducting secret intelligence activity
against German citizens in Germany.

Another server is operated at MIT by Tor Project leader Roger
Dingledine, an MIT alumnus. But in addition to serving as one of
the Tor directory authorities, the server is also used to operate
the MixMinion mail service and host a number of other web sites,
including ones for online gaming libraries, which means the NSA may
be collecting IP addresses for those users as well.

The XKeyscore rules indicate that in addition to tracking
activity to these Tor directory servers, the NSA also records and
stores any IP address that connects to the thousands of Tor relays
on the network. These addresses are all publicly known, as they are
listed in the directory distributed by the nine servers. But in
addition to these, there are non-public “bridges” that volunteers
in the Tor network maintain. These can be used by human rights
activists and others in repressive regimes like Iran and China that
censor internet traffic and block their citizens from using known
Tor relays.

To obtain the non-public address of one of these bridges, users
send an email to the Tor Project or request an address via the Tor
web site. To unmask these private bridges, however, XKeyscore
records any connections to the server and
uses a microplugin to then read the contents of the email that the
Tor Project sends to requesters in order to obtain the address of
the bridge.

The NSA also tracks the IP address of anyone who simply visits
the Tor web site, though it specifically avoids fingerprinting
users believed to be located in Five Eyes countries, the spying
partnership that includes Australia, Canada, New Zealand, the UK
and the US, from others. This appears to be the only distinction
made for Five Eyes users, however. The rules for fingerprinting
visitors to the Tails web site or the web site for the Linux
Journal do not include such exceptions in the version of source
code the media outlets examined.

The EFF’s Opsahl says the exception made for these users with IP
addresses in these countries is odd since the constitution protects
US citizens from NSA surveillance no matter which country they’re
in, and people using or interested in using privacy services are
likely to shield their real IP address when they visit these sites,
making it difficult for the NSA to know exactly where they’re
really located.

XKeyscore additionally tracks the addresses for web sites that
use Tor Hidden Services to hide their location on the internet.
Sites that use Tor Hidden Services, part of the so-called Dark
Web, have a special Tor URL that can only be accessed by those using
the Tor browser and who know the specific address. Tor Hidden
Services is used by activists to host forums discussing their
activity, though it is also used by sites selling illegal drugs and
other illicit goods. XKeyscore catalogues every one of these URLs
it can discover by culling through what it calls “raw traffic” and
storing the address in a database.

This article first appeared on
