An investigation by the German broadcasters ARD and WDR has apparently demonstrated the targeting by the NSA of a German student called Sebastian Hahn, who runs a node on the anonymization network Tor.
Tor (“The Onion Router”) works by bouncing traffic off a series of servers so that it’s near-impossible to trace who’s browsing what. It’s partly funded by the U.S. Department of State because it’s handy for dissidents in repressive regimes, but Edward Snowden’s leaks already showed last year that the NSA has been targeting Tor because it believes terrorists also use it.
The German reports on Thursday were based on source code related to XKeyscore, believed to be the front-end system for searching data held by the NSA and its partners. This code includes the IP address for a server run by Hahn, who explained to me by email:
“I saw some source code which appears to belong to an XKeyscore plugin.The IP address was embedded in that source code. We’re not talking about the main tool, just a plugin.”
Hahn, who has been involved in the Tor project for around 6 years, runs one of the Tor “directory authorities”, which list all the roughly 5,000 Tor servers out there. These authorities keep users’ Tor clients up to date. Thursday’s reports say it’s not known whether Hahn’s server was monitored by the NSA as such, or by the agency’s German partners.
The source code includes the IP address of another German target too, according to the reports – the Chaos Computer Club. The CCC is Europe’s oldest and largest hacker collective, and it runs communications services for activists (which is why it’s one of several communications providers suing the British signals intelligence agency GCHQ over surveillance).
The XKeyscore plugin source code reportedly also includes a reference in a comment column to Tor users being “extremists” and, worryingly, it also suggests that people may be marked for surveillance by the NSA simply by visiting the Tor site or searching for the Tor-connected “incognito” operating system Tails, the reports claimed.
What’s more, the broadcasters reported – again based on this source code – that the actual contents of emails sent over the Tor network are extracted for scrutiny, not just the emails’ metadata about senders, recipients and timing.
Related research and analysis from Gigaom Research:
Subscriber content. Sign up for a free trial.