The NSA's interest in breaking the Tor encryption system is well known. A presentation leaked in 2013 recounted the agency's largely failed attempts to reveal the identities of users and degrade the quality of the network itself; using anonymizing software has been treated as a red flag. And according to a report published by security researcher Jacob Appelbaum and others, the agency is treating even the Tor website as a place to check for terrorists. The authors, three of whom work on the Tor project, say they've obtained new details on NSA internet database XKeyscore, specifically a piece of source code with rules for automatically capturing information about people who used Tor and privacy-focused operating system Tails.
As explained on the site of German broadcasters WDR and NDR, the rules monitor servers in Germany and elsewhere that host Tor directory authorities, which contain a list of all the service's relays; a comment explains that the "goal is to find potential Tor clients connecting to the Tor directory servers." They also monitor the email address used to send out details of non-public relays, which are used in countries where major Tor servers are blocked. Some of these rules are set up to explicitly avoid people believed to be in "Five Eyes" countries, the small group of places where the US has formally agreed to heavily limit spying. But the system apparently goes beyond trying to compromise Tor. One rule seems to "fingerprint" people who even visit the Tor website, as well as people who search for information about Tails or visit places known to have information on it. That apparently includes the Linux Journal, where anything in the "Linux" category of articles is flagged.
Fingerprints, as explained by Edward Snowden earlier this year, are flags that allow NSA agents to identify and track users across the web. He suggested that their use was widespread. "Fingerprints are used to identify people who have had the bad luck to follow the wrong link on an Internet site, on an Internet forum, or even to download the wrong file. They've been used to identify people who simply visit an Internet sex forum," he said, adding that they had also been used to monitor French citizens who logged into networks that the NSA considered suspicious. The new report appears to add a few more parameters to this list, specifically aimed at people who use encryption tools. As usual, the NSA takes a dim view of such tools. It's previously dismissed the "pseudo-legitimate" uses of Tor — which include protecting journalists' sources and evading abusive partners. Here, it calls Tails "a comsec [communications security] mechanism advocated by extremists on extremist forums."
Where is this information coming from? The report says it's the result of "months of investigation by the German public television broadcasters NDR and WDR, drawing on exclusive access to top secret NSA source code, interviews with former NSA employees, and the review of secret documents of the German government." The exact source of these secret documents is unspecified. Appelbaum has previously feuded with The Guardian over surveillance leaks, accusing it of delaying a story about Tor and criticizing its willingness to redact information at the behest of the White House and Britain's GCHQ.