Sign up to our newsletter
The latest security news direct to your inbox
Widespread Internet surveillance by America’s National Security Agency (NSA) has been further exposed by two new developments: the analysis of leaked NSA surveillance reports published by the Washington Post and the analysis of XKeyscore targeting code published by German public television. Coverage of these stories is unlikely to reassure the growing number of Internet users who say they are inclined to reduce their online engagement due to the activities of the NSA.
Reducing and/or modifying Internet activity in the wake of the NSA revelations instigated by Edward Snowden is a phenomenon we have documented on several occasions on We Live Security. In the Harris poll that we commissioned and earlier studies, we found that as many as 46% of people who were aware of the Snowden/NSA revelations had changed their online behavior in response to mass online surveillance. About a quarter of “NSA aware” people had reduced their online shopping and banking, as well as their use of email. I discussed these issues in a couple of podcasts, here and here.
That poll was conducted in February, and a lot of consumer-facing companies were probably hoping that this “Snowden effect” of online disengagement would wane in the ensuing months. However, in my opinion, the latest revelations are going to reinforce or sustain this trend.
Headlines like “90% of People the NSA Spies on Are Not Real Target” are not going to reassure anyone who has doubts about their online privacy. As the communication breakdown chart in the Washington Post indicates, 89% of accounts for which data was collected and stored belonged to “bystanders or non-targets”. And a lot of this data was personal communication, such as instant messages, emails, stored documents, Internet relay chats (IRC), social network messages (like Facebook status updates), and even real-time voice and video (such as Skype).
I think the Post does a good job of pointing out that there was also valuable anti-terrorist information within the sample of data they analyzed (data leaked to them by Edward Snowden). In fact, a majority of people we surveyed earlier this year thought surveillance was effective: 57% of Americans familiar with the NSA revelations believe that the government mass surveillance at the scale revealed by former CIA contractor Edward Snowden helps prevent terrorism. However, 43% disagreed, and in that same survey over 80% said there should be new laws implemented to better regulate government surveillance. In other words the majority opinion seems to be that some surveillance is acceptable but it really needs to be better controlled.
Even as the latest up-tick in violence in the Middle East has raised concerns about terrorist threats, which might cause more people to support surveillance, the fact that the U.S. government appears to have been taken by surprise by the emergence of ISIS may lead more people to question how the country spends it’s intelligence budget (which is somewhere in excess of $50 billion).
While the general public may be dismayed at reading Washington Post findings, one specific online constituency is outright upset. I’m talking about people who use and/or promote the Tor network. Named for The Onion Router, Tor is free software that enables a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet (but don’t Google Tor or visit the website just yet). The fact that America’s NSA and the UK’s GCHQ have been trying to defeat Tor was documented last year in The Guardian:
“The National Security Agency has made repeated attempts to develop attacks against people using Tor, a popular tool designed to protect online anonymity, despite the fact the software is primarily funded and promoted by the US government itself.”
I know it sounds a bit crazy, but read on, because what is newly revealed — in the analysis of programming code used by the NSA in its XKeyscore program — might sound even wilder:
“Merely searching the web for the privacy-enhancing software tools outlined in the XKeyscore rules causes the NSA to mark and track the IP address of the person doing the search.”
That’s according to German public broadcaster Norddeutscher Rundfunk, which actually published excerpts of the code. In other words, NSA may well track your IP address if you visit the Tor website (you were warned). Bear in mind that the site gets around 130,000 unique visitors a month (per compete.com). Presumably, the NSA has plenty of storage space and processing capacity to track all of those addresses, which may include several of mine, since I have gone to that site numerous times. And here’s what is both weird and infuriating about this NSA activity: only a very, very small percentage of the people who visit torproject.org are legitimate espionage targets.
(If you’ve forgotten what role Xkeyscore plays in the NSA’s Internet surveillance operations, here’s what Edward Snowden said you can do with it: “You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you’re tracking: you can follow it as it moves from place to place throughout the world. It’s a one-stop-shop for access to the NSA’s information.” From a TV interview with Norddeutscher Rundfunk.)
If you think that tracking people who merely express an interest in Tor is extreme, then maybe you’re one of those “Linux Extremists”. You might think headlines like “NSA targets Linux Journal as ‘extremist forum‘” are an exaggeration, but the reality is right there in the code of the NSA’s XKeyscore program, part of an attempt to spy on people who might be interested in, or trying to use — warning, think before you click — The Amnesic Incognito Live System. Just take a look:
// START_DEFINITION /* These variables define terms and websites relating to the TAILs (The Amnesic Incognito Live System) software program, a comsec mechanism advocated by extremists on extremist forums. */
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux' or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor '); $TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*'); // END_DEFINITION
That’s code defining one of the categories you can target with Xkeyscore. No wonder as many as 9 out of 10 people in the surveillance data sampled by the Washington Post were “bystanders.”
Whether or not consumer reluctance to engage online will make a visible dent on the 2014 earnings of online retailers, banks, and other players — like advertising-based services such as Facebook, Twitter, Google, and Yahoo — is hard to predict. But there have been some notable business hits directly attributable to the NSA revelations. Last month we learned that Verizon is not getting its German government contract renewed, largely because of the NSA/GCHQ connection seems to be the assumption. I couldn’t find an estimate of the value of that lost business but last year we saw Boeing lose a $4.5 billion fighter jet deal to Sweden’s Saab because the buyer, Brazil, was upset about the NSA. Cloud business losses in the wake of the NSA revelations were predicted to be tens of billions of dollars last year, but as this article in Gigaom suggests, it’s complicated. However, this chart of the share price of American networking equipment maker Cisco, plotted against the NASDAQ for the first 12 months after the first Snowden revelations, suggests that the news has not been good for their business.
Just because the NSA has been — in the eyes of many — doing electronic surveillance the wrong way doesn’t mean they should stop doing it. Clearly it makes no sense to ban online surveillance. As our survey revealed, people see its value. But people also question it’s proportionality to the threat. Is this the best use of funds, given how much terrorist activity such surveillance seems to have missed? Would more targeted, better supervised surveillance work better? And what about good old-fashioned human intelligence? Are we neglecting that in the hope that big data analysis will give better results with less risk? Personally, I’m skeptical on that front. Given that there are real economic costs to the way the NSA has been running its operations, the arguments for improvement and reform would appear to be compelling.
Author Stephen Cobb, ESET