An investigation by the German broadcasters ARD and WDR has apparently demonstrated that the NSA targeted a German student called Sebastian Hahn, who runs a node on the anonymization network Tor. It has also shown that anyone searching for “privacy-enhancing software tools” online may be marked for surveillance.
Tor (“The Onion Router”) works by bouncing traffic off a series of servers so that it’s near-impossible to trace who’s browsing what. It’s partly funded by the U.S. Department of State because it’s handy for dissidents in repressive regimes, but Edward Snowden’s leaks already showed last year that the NSA has been targeting Tor because it believes terrorists also use it.
The German reports on Thursday were based on source code related to XKeyscore, believed to be the front-end system for searching data held by the NSA and its partners. This code includes the IP address for a server run by Hahn, who explained to me by email:
“I saw some source code which appears to belong to an XKeyscore plugin. The IP address was embedded in that source code. We’re not talking about the main tool, just a plugin.”
Hahn, who has been involved in the Tor project for around 6 years, runs one of the Tor “directory authorities”, which list all the roughly 5,000 Tor servers out there. These authorities keep users’ Tor clients up to date. Thursday’s reports say it’s not known whether Hahn’s server was monitored by the NSA as such, or by the agency’s German partners.
The source code includes the IP address of another German target too, according to the reports – the Chaos Computer Club. The CCC is Europe’s oldest and largest hacker collective, and it runs communications services for activists (which is why it’s one of several communications providers suing the British signals intelligence agency GCHQ over surveillance).
Meanwhile, according to an English-language ARD article published later on Thursday — and partly written by members of the Tor project — the NSA “tracks all connections to a server that hosts part of an anonymous email service at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts.”
The XKeyscore plugin source code reportedly also includes a reference in a comment column to Tor users being “extremists”. More worryingly, the reports claimed, it suggests that people may be marked for surveillance by the NSA simply by visiting the Tor site or searching for the Tor-connected “incognito” operating system Tails. The website LinuxJournal is also targeted and referred to as an “extremist forum.”
What’s more, the broadcasters reported – again based on this source code – that the actual contents of emails sent over the Tor network are extracted for scrutiny, not just the emails’ metadata about senders, recipients and timing.
This article was updated at 8.30am PT to reflect the additional information in the English-language ARD article that was published late Thursday.
NOTE (5 July): As Robert Graham and other security researchers have pointed out, it is not clear from the rules code that formed the basis of Thursday’s reports that people interested in Tor and Tails are labelled as extremists. The comments merely say that Tails is “a comsec [communications security] mechanism advocated by extremists on extremist forums,” which is apparently true. The comments do still say people are targeted for searching for Tails information or viewing documents or websites that detail the system. Graham also alleges that the code on that page may have been partially doctored, writing that it is “weird, as if they are snippets combined from training manuals rather than operational code.”