NSA targets the privacy-conscious
by J. Appelbaum, A. Gibson, J. Goetz, V. Kabisch, L. Kampf, L. Ryge
NDR and WDR wanted to know from the NSA how it justified attacking a service funded by the U.S. government, under what legal authority Tor Network users are monitored, and whether the German government has any knowledge of the targeting of servers in Germany. Instead of addressing the questions repeatedly posed to them, the NSA provided the following statement: "In carrying out its mission, NSA collects only what it is authorized by law to collect for valid foreign intelligence purposes - regardless of the technical means used by foreign intelligence targets. The communications of people who are not foreign intelligence targets are of no use to the agency. In January, President Obama issued U.S. Presidential Policy Directive 28, which affirms that all persons - regardless of nationality - have legitimate privacy interests in the handling of their personal information, and that privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities. The president's directive also makes clear that the United States does not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion. XKeyscore is an analytic tool that is used as a part of NSA's lawful foreign signals intelligence collection system. Such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKeyscore allows the agency to help defend the nation and protect U.S. and allied troops abroad. All of NSA's operations are conducted in strict accordance with the rule of law, including the President's new directive."
However, the research contradicts the United States' promise to Germany that German citizens are not surveilled without suspicion. Using Tor in Germany does not justify targeting someone, the German attorney Thomas Stadler states: "Tor users do not breach any laws, it is absolutely legitimate to act anonymously on the internet. There are many good reasons to remain anonymous."
What is deep packet inspection?
Deep Packet Inspection, or DPI, refers to the class of technology which examines the content of data packets as they travel across a network. A packet is the fundamental unit of transfer in packet-switched networks like the internet. While DPI is commonly used by organizations to monitor their own networks, its use on public networks for censorship and surveillance has been widely condemned by privacy advocates and the United States government alike.
In 2012, the head of the U.S. Delegation to the World Conference on International Telecommunications, U.S. Ambassador Terry Kramer, said “some companies have used deep packet inspection technologies to not look at aggregate customer information, traffic information, et cetera, but to look at individual customer information. So looking at individuals and what sites they’re on and how much capacity they’re using, et cetera, as you can imagine, we’re very much opposed to that because we feel that’s a violation of people’s privacy and gets into, obviously, censorship, et cetera”.
Despite its public political condemnations of invasive DPI use, the United States "Intelligence Community" and its "Five Eyes" partners (Australia, Canada, New Zealand, and the United Kingdom) operate massive internet-scale DPI systems themselves, including XKeyscore. The use of XKeyscore is not limited to these partners, however. The software has been shared with the German BND and BfV, as well as the Swedish FRA, amongst others.
Active vs Passive
XKeyscore and the systems that feed it are considered "passive", meaning that they silently listen but do not transmit anything on the networks that they are targeting. However, through a process known as "tipping", data from these programs can trigger other systems which perform "active" attacks.
Quantum is a family of such programs, including Quantuminsert, Quantumhand, Quantumtheory, Quantumbot, and Quantumcopper, which are used for offensive computer intrusion. Turmoil, Quantum, and other components of the Turbulence architecture are running at so-called "defensive sites" including the Ramstein Air Force base in Germany, Yokota Air Force base in Japan, and numerous military and non-military locations within the United States.
Both Turmoil and XKeyscore feed selected data to real-time "tipping" programs, such as Trafficthief, which can both alert NSA analysts when their targets are communicating and trigger other software programs. Selected data is "promoted" from the local XKeyscore data store to the NSA's so-called "corporate repositories" for long term storage, analysis and exploitation.
More information about XKeyscore
In 2013, the British newspaper The Guardian revealed that by 2008 more than 150 internet surveillance facilities around the world were running the XKeyscore Deep Packet Inspection software. All of the internet traffic observed by XKeyscore, both metadata and full content, is analyzed and stored temporarily at the collection sites for periods ranging from days to weeks, while selected data is forwarded on to other locations for long-term storage.
The storage, indexing, and querying functions are performed at or near the collection sites because the volume of data being collected is too large to forward everything back to facilities in other countries. Analysts working from various locations around the world may search specific XKeyscore sites, or send their queries to a collection of sites.
XKeyscore provides a modular architecture in which tens of thousands of small computer programs, or rules, written in XKeyscore's specialized programming languages called Genesis and XKScript as well as general-purpose languages such as C++ and Python, are run against all traffic to categorize it and extract data. This indexing of the "full take" allows analysts to query the data held in temporary storage at the XKeyscore site, effectively sifting through already pilfered communications that took place before the analysts had deemed them interesting for a specific reason.
XKeyscore can be fed by several different programs, including Wealthycluster and Turmoil. These programs "sessionize" the data, which means that individual connections, such as a request for a web page, are reconstructed from the stream of intercepted packets.
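The sessionizing step described above, as an added example (not code from the article or from any system it names): a simplified TCP reassembler of the kind an organization's own network monitor relies on, run over constructed packets. It assumes packets are already parsed into tuples and ignores sequence-number wraparound and overlapping segments; all names are hypothetical.

```python
from collections import defaultdict

# Constructed sample packets (not real traffic): (src, sport, dst, dport, seq, payload).
# Two client-to-server flows, interleaved and out of order, with one retransmission.
FLOW_A = ("10.0.0.5", 40001, "192.0.2.10", 80)
FLOW_B = ("10.0.0.7", 40002, "192.0.2.20", 80)
PACKETS = [
    FLOW_A + (1016, b"Host: example.org\r\n\r\n"),
    FLOW_B + (5000, b"GET /a HTTP/1.1\r\nHost: exam"),
    FLOW_A + (1000, b"GET / HTTP/1.1\r\n"),
    FLOW_B + (5027, b"ple.net\r\n\r\n"),
    FLOW_A + (1000, b"GET / HTTP/1.1\r\n"),  # retransmitted segment
]

def sessionize(packets):
    """Group segments by 4-tuple and rebuild each byte stream in sequence order."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        # Keyed by sequence number, so a retransmission replaces itself.
        flows[(src, sport, dst, dport)][seq] = payload
    streams = {}
    for key, segs in flows.items():
        data, expected = b"", min(segs)  # assumption: lowest seq seen starts the stream
        for seq in sorted(segs):
            if seq != expected:  # gap: keep only the contiguous prefix
                break
            data += segs[seq]
            expected = seq + len(segs[seq])
        streams[key] = data
    return streams

def http_host(stream):
    """Return the Host header of a reassembled HTTP request, or None."""
    for line in stream.split(b"\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def hosts_by_flow(packets):
    """Sessionize, then extract one metadata field per reconstructed session."""
    return {key: http_host(s) for key, s in sessionize(packets).items()}

def per_packet_hits(packets, needle):
    """Count packets whose payload alone contains needle (no reassembly)."""
    return sum(needle in p[5] for p in packets)

if __name__ == "__main__":
    print(hosts_by_flow(PACKETS), per_packet_hits(PACKETS, b"Host: example.net"))
```

In the second flow the Host header is split across two segments, so it is visible only in the reconstructed session and in no single packet.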
Locations where the NSA runs XKeyscore include Special Source Operations (SSO) sites, typically found at or near major telecommunication providers' infrastructure; Special Collection Service (SCS) sites, usually located inside diplomatic facilities like embassies and consulates; and FORNSAT sites where satellite communications are intercepted. All of these types of sites are known to exist in Germany.
Other "Five Eyes" partners also operate XKeyscore installations. The United Kingdom's Tempora program runs the largest instance of XKeyscore. Both the software itself and limited access to NSA databases have been shared with so-called "3rd party" partners including Germany. The German foreign intelligence agency BND and the domestic intelligence agency BfV are testing the software.