How the NSA Targets Tor Users
And one researcher's suggestion of how we might be able to stop it.
In the latest NSA leak, published on the German site Tagesschau yesterday, we're able to glean more about how one of the intelligence agency's surveillance systems actually works.
The "XKeyscore" system, first revealed by the Guardian in July 2013, allows NSA analysts an overview of millions of people's data: emails, browsing history and social media activity, all stored in databases and accessible without prior authorisation. Conceptually, that's a very powerful tool.
Now an investigation led by Jacob Appelbaum, a security researcher and a member of the team behind the anonymous Tor browser, looks at portions of the source code that dictate what else the system is capable of.
The full details, published on German site Das Erste, are dense and well worth reading if you want a better understanding of the code behind the NSA's surveillance. But in sum, XKeyscore records who visits the Tor Project website (as long as the visitor appears to be outside of the Five Eyes countries), and logs the IP addresses of people searching for various other privacy and encryption software.
According to the report, it also monitors visitors to a server that hosts a part of an anonymous email service at MIT, and two other servers in Germany used by the Tor network, and targets a part of the Tor network used by journalists and activists in heavily censored countries.
When Tor routes your internet traffic, it does so by passing it through different "relays". These are nodes of the network run by volunteers, and their IP addresses are publicly known. This makes it easy for your computer to connect to one quickly to get you up and running on the network. But when governments of countries such as China or Iran want to stop people using Tor, they block connections to these public relays.
To circumvent this, the Tor Project uses a special type of relay called "bridges". These are also run by volunteers, but their addresses are not public, so when someone wants to connect to one they need to specifically request the address via email or on the web.
But it seems the guys behind XKeyscore know this, and have designed their system to track Tor bridge users. According to the source code revealed by the researchers, XKeyscore records connections to the bridges.torproject.org server. Then, to actually get hold of the bridge addresses in order to track connections to them, another piece of code extracts data from the body of emails that the Tor Project sends to those who request a bridge.
"This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections," the authors wrote.
According to them, this means that Tor bridges, an essential tool for journalists and activists in oppressed countries, are being monitored, and that XKeyscore "attempts to track" their users.
In response to all of this, security researcher Robert Graham has suggested that it may be possible to flood the NSA's system with disinformation about Tor's bridges. In his blog post, "Jamming XKeyscore", he says that we could "jam the system with more information than it can handle."
Graham suggests simply sending emails from the address "firstname.lastname@example.org" (remember: the email address used to notify someone of a bridge), and including a load of bridge-related stuff that would interest the NSA's system. If done with "megabytes" worth of data, he says, "it'll totally mess up XKeyscore."
"It has no defense against getting flooded with information like this, as far as I can see," Graham writes.
Another method could be to pretend that your site is the one dishing out the bridge addresses. Without getting too technical, it is possible to make a server appear to be "bridges.torproject.org" when it's not. Doing this, and assuming that "at least search engines will follow that link and generate traffic", could contribute to sending false information to the NSA.
According to Graham, this will "cause the NSA database of bridges to fill up with bad information – assuming it's not already full from people screwing with the emails as noted above :)."
Regardless of whether or how well those techniques would actually work, it's an interesting thought experiment on how citizens could take a practical stand against surveillance, and make the targeting of anti-censorship software users even more of a pain than it already is.