The NSA Uses the Same Chat Protocol as Hackers and Activists
Jabber is the great equalizer of messaging.
Screenshot from NSA docs obtained by Der Spiegel
NSA documents obtained by Edward Snowden and reported on by Der Spiegel on Sunday reveal that the agency communicates internally with Jabber, an open source messaging service used by hackers and activists trying to skirt the NSA's internet surveillance dragnet.
A document outlining the NSA's Scarletfever program—a "message driven cryptologic exploitation service" designed as part of the larger Longhaul initiative, a program that collects data and finds ways to break its encryption—contains a curious point buried near the end: "Jabber Chat Room: TBD."
But what is Jabber, exactly?
"Jabber" is a nebulous term, and it could refer to the original Jabber.org messaging service that was started by volunteers in 1999, or the Extensible Messaging and Presence Protocol (XMPP)— a widely-used open messaging protocol that emerged from Jabber's development—or Cisco's commercial Jabber XPC platform that was designed with the US government in mind. All are considered implementations of XMPP.
XMPP is an open protocol, which makes XMPP chat services popular among activists and hackers who view open source chat platforms as more secure and resistant to surveillance attempts than messaging services that run on a central server. The latter group includes Google Hangouts, which was criticized after Google announced its move from XMPP last year.
Encryption can be built into XMPP-based services, making them the go-to for many privacy-conscious internet users. Off-the-Record Messaging (OTR) is an encryption protocol used by many XMPP-based messaging clients, and provides plausible deniability to conversants in addition to encrypting messages themselves.
However, as some security experts have noted, if encryption is merely offered as a plugin for XMPP-based services instead of being baked in, the chat code will remain fundamentally insecure and messages could be compromised if users forget to turn the plugin on.
The XMPP community as a whole has been moving towards mandatory encryption for clients, and this year Peter Saint-Andre—who runs jabber.org—published an online manifesto urging developers to build encryption into their systems and to refuse unencrypted connections. The manifesto has garnered the support of high-profile XMPP advocates including Jabber's original author, Jeremie Miller.
The NSA documents posted by Der Spiegel, most of which date back to 2012, highlight how some relatively old encryption tools are still giving the agency major headaches. PGP, a key-based encryption standard for email originally written in 1991, still confounds the agency, for example. Emails encrypted using the service simply read, "No decrypt available for this PGP encrypted message."
Jabber/XMPP, a protocol of a similar vintage to PGP, seems to be holding up just as well. So well, in fact, that the NSA uses it, along with the people it's trying to track online.