NSA Targets the Privacy-Conscious for Surveillance

Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users -- and people who just visit the websites of -- Tor, Tails, and other sites. This isn't just metadata; this is "full take" content that's stored forever.
This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the "email_address" function to see if the message is to or from "[email protected]". Next, if the address matched, it uses the "email_body" function to search the full content of the email for a particular piece of text - in this case, "https://bridges.torproject.org/". If the "email_body" function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.
[...]
It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.
[...]
There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 128.31.0.34, a server located on the MIT campus.
It's hard to tell how extensive this is. It's possible that anyone who clicked on this link -- with the embedded torproject.org URL above -- is currently being monitored by the NSA. It's possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don't know what else the NSA harvests about people who it selects in this manner.
Whatever the case, this is very disturbing.
EDITED TO ADD (7/3): The BoingBoing story says that this was first published on Tagesschau. Can someone who can read German please figure out where this originated?
And, since Cory said it, I do not believe that this came from the Snowden documents. I also don't believe the TAO catalog came from the Snowden documents. I think there's a second leaker out there.
EDITED TO ADD (7/3): More news stories. Thread on Reddit. I don't expect this to get much coverage in the US mainstream media.
EDITED TO ADD (7/3): Here is the code. In part:
// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.
*/
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION
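To see how broadly the quoted fingerprint matches, here is an added Python example (not part of the leaked rule or of the reporting) that evaluates its web_search and url clauses over constructed events. The matching semantics of word() and url(), the function names, and the sample events are assumptions; the html_title and nested fingerprint clauses are not modelled because the page does not show their inputs.

```python
import re
from fnmatch import fnmatchcase

# Term lists and URL patterns copied from the rule quoted above.
NAME_TERMS = ["tails", "Amnesiac Incognito Live System"]
CONTEXT_TERMS = ["linux", " USB ", " CD ", "secure desktop", " IRC ",
                 "truecrypt", " tor "]
TAILS_WEBSITES = ["tails.boum.org/", "linuxjournal.com/content/linux*"]

def has_word(text, term):
    """ASSUMPTION: word() is a case-insensitive whole-word/phrase match."""
    pattern = r"(?<!\w)" + re.escape(term.strip().lower()) + r"(?!\w)"
    return re.search(pattern, text.lower()) is not None

def tails_terms(query):
    """$TAILS_terms: (any name term) AND (any context term)."""
    return (any(has_word(query, t) for t in NAME_TERMS)
            and any(has_word(query, t) for t in CONTEXT_TERMS))

def tails_websites(url):
    """ASSUMPTION: patterns are prefix matches on host+path; '*' is a wildcard."""
    bare = re.sub(r"^https?://(www\.)?", "", url.lower())
    return any(fnmatchcase(bare, p if p.endswith("*") else p + "*")
               for p in TAILS_WEBSITES)

def matched_clause(event):
    """Return the modelled clause of fingerprint('ct_mo/TAILS') that fires, or None."""
    if event["kind"] == "search" and tails_terms(event["value"]):
        return "web_search"
    if event["kind"] == "url" and tails_websites(event["value"]):
        return "url"
    return None

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"kind": "search", "value": "tails linux download"},
    {"kind": "search", "value": "fox tails linux wallpaper"},
    {"kind": "search", "value": "truecrypt alternatives"},
    {"kind": "url", "value": "https://tails.boum.org/download/"},
    {"kind": "url", "value": "http://www.linuxjournal.com/content/linux-kernel-news"},
    {"kind": "url", "value": "http://www.linuxjournal.com/about"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{matched_clause(ev) or 'no match':<11} {ev['kind']:<7} {ev['value']}")
```

Under these assumptions, an unrelated search that happens to contain "tails" and "linux", and any Linux Journal article whose path begins with /content/linux, are selected the same way as a visit to the Tails download page.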
Hacker News and Slashdot threads. ArsTechnica and Wired articles.