NSA’s Xkeyscore program targeted visitors to MIT server, Tor Project for enhanced scrutiny




A new report from noted security researchers — first published in conjunction with German news program Tagesschau — states that the NSA’s Xkeyscore program, which determines who is flagged for enhanced tracking and monitoring, targeted every visitor to a particular MIT server, visitors seeking information on the privacy-focused Tor Project, which is based in Cambridge, and those who simply searched for information on the privacy-enhanced TAILS operating system.

The report was co-authored by Lena Kampf, Jacob Appelbaum, and John Goetz, and included what the researchers claimed were source code configuration files from the NSA’s secretive tracking program — reportedly leaked by a source other than Edward Snowden.

The code focused on the MIT server, which hosts an anonymizing email tool, was particularly broad. It was unclear whether or not it included exceptions screening out U.S. persons and other visitors from the so-called “Five Eyes” nations (Australia, Canada, New Zealand, United Kingdom, United States) that have a joint signals intelligence partnership: Some parts of the configuration file targeting other activity seemed to definitely exclude those visitors, but this exclusion code was absent in the MIT server’s parameters.

Instead, the code appears to simply look for all visitors to a certain IP address, which hosts not only MixMinion, the anonymous email tool, but also gaming libraries and privacy-focused web site materials, according to the researchers.

appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
http_host('mixminion') or

The segment of the code that screens for individuals interested in Tor is slightly more narrow, explicitly excluding Five Eyes-originating visitors:

The fingerprint identifies sessions visiting the Tor Project website from
non-fvey countries.
and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));

But the TAILS parameters were broader, singling out Internet users who simply searched for terms related to the privacy-focused operating system that was used by Edward Snowden:

This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);

As BetaBoston reported earlier this year, the Tor browser is often used by individuals in abusive relationships to help protect their privacy and physical safety, and was originally developed by the U.S. Navy to overcome censorship and spying by other countries.

The NSA has admitted previously that some of its own analysts have used its surveillance tools to spy on romantic interests or former partners.

How much extra scrutiny triggering these newly disclosed filters incurs was unclear from the report.

Well-known technology author Cory Doctorow wrote that he was given the materials under embargo, and was shocked by what he read:

Tor and Tails have been part of the mainstream discussion of online security, surveillance and privacy for years. It’s nothing short of bizarre to place people under suspicion for searching for these terms.

More importantly, this shows that the NSA uses “targeted surveillance” in a way that beggars common sense. It’s a dead certainty that people who heard the NSA’s reassurances about “targeting” its surveillance on people who were doing something suspicious didn’t understand that the NSA meant people who’d looked up technical details about systems that are routinely discussed on the front page of every newspaper in the world.

One expert suggested that the NSA’s intention here was to separate the sheep from the goats — to split the entire population of the Internet into “people who have the technical know-how to be private” and “people who don’t” and then capture all the communications from the first group.

He said his source indicated that the leaker of the source code was not Snowden, but a second source with access to NSA materials. Bruce Schneier, a security expert with access to the Snowden files and a fellow at Harvard’s Berkman Center, also said he believed there was a second NSA leaker.

The NSA responded to questions from BetaBoston with the following statement:

In carrying out its mission, NSA collects only what it is authorized by law to collect for valid foreign intelligence purposes – regardless of the technical means used by foreign intelligence targets. The communications of people who are not foreign intelligence targets are of no use to the agency.

In January, President Obama issued U.S. Presidential Policy Directive 28, which affirms that all persons – regardless of nationality – have legitimate privacy interests in the handling of their personal information, and that privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities. The President’s directive also makes clear that the United States does not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.

XKEYSCORE is an analytic tool that is used as a part of NSA’s lawful foreign signals intelligence collection system. Such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKEYSCORE allows the agency to help defend the nation and protect U.S. and allied troops abroad.

All of NSA’s operations are conducted in strict accordance with the rule of law, including the President’s new directive.

Emails to representatives at the Tor Project and MIT were not returned prior to publication.

Michael Morisy is the founder and former editor of BetaBoston. Follow him on Twitter at @Morisy or email him at [email protected].