Just yesterday the federal Privacy and Civil Liberties Board released its report insisting that the National Security Agency (NSA) operates a perfectly legal operation collecting mass amounts of metadata on Internet users. At Forbes, Gregory McNeal was quick to call it "a big victory for the NSA, and a seeming rebuke to critics of the agency." Well, any good P.R. points the agency scored were likely undone today. A German publication got its hands on the top secret source code of XKeyscore, one of the mass surveillance systems exposed by whistleblower Edward Snowden last year, and suggests that the NSA is watching us a lot more closely than it admits.
Here are some major points from DasErste.de:
With the source code, it can be proven beyond reasonable doubt for the first time that the NSA is reading not only so-called metadata, that is, connection data. If emails are sent using the Tor network, then programming code shows that the contents – the so-called email-body – are evaluated and stored.
Two servers in Germany—in Berlin and Nuremberg—are under surveillance by the NSA.
Merely searching the web for the privacy-enhancing software tools outlined in the XKeyscore rules causes the NSA to mark and track the IP address of the person doing the search.
Not only are German privacy software users tracked, but the source code shows that privacy software users worldwide are tracked by the NSA.
Among the NSA's targets is the Tor network funded primarily by the US government to aid democracy advocates in authoritarian states.
The XKeyscore rules reveal that the NSA tracks all connections to a server that hosts part of an anonymous email service at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts.
It also records details about visits to a popular internet journal for Linux operating system users called "the Linux Journal—the Original Magazine of the Linux Community," and calls it an "extremist forum."
One of the most important takeaways, tech security expert Bruce Schneier highlights, is the "very disturbing" fact that "this isn't just metadata; this is 'full take' content that's stored forever."
Linux users aren't the only "extremists" in the NSA's eyes. The agency also engages in long-term surveillance of people who use – or even simply search for – anonymity-protecting tools like Tails and Tor.
One of the two German servers being spied on belongs to Sebastian Hahn, a computer science student at the University of Erlangen. He's an important figure in the Tor Project because
his server is not just a node, it is a so-called Directory Authority. There are nine of these worldwide, and they are central to the Tor Network, as they contain an index of all Tor nodes. A user's traffic is automatically directed to one of the directory authorities to download the newest list of Tor relays generated each hour.
What is XKeyscore?
Snowden succinctly explained the system earlier this year:
You could read anyone's email in the world, anybody you've got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you're tracking: you can follow it as it moves from place to place throughout the world. It's a one-stop-shop for access to the NSA's information. …
You can tag individuals… Let's say you work at a major German corporation and I want access to that network, I can track your username on a website on a form somewhere, I can track your real name, I can track associations with your friends and I can build what's called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.
An NSA representative responded to today's revelation, assuring, expectedly, that "such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKeyscore allows the agency to help defend the nation and protect U.S. and allied troops abroad."
Who leaked the information?
The most likely guess would be Snowden, but the writers of the report don't acknowledge any input from him. Schneier, who is very familiar with the Snowden documents, says it's not his work. "I think there's a second leaker out there," he writes.