NSA spies need jobs, too. And that is why many covert programs could be hiding in plain sight. Job websites such as LinkedIn and Indeed.com contain hundreds of profiles that reference classified NSA efforts, posted by everyone from career government employees to low-level IT workers who served in Iraq or Afghanistan. They offer a rare glimpse into the intelligence community's projects and how they operate. Now some researchers are using the same kinds of big-data tools employed by the NSA to scrape public LinkedIn profiles for classified programs. But the presence of so much classified information in public view raises serious concerns about security — and about the intelligence industry as a whole. “I’ve spent the past couple of years searching LinkedIn profiles for NSA programs,” said Christopher Soghoian, the principal technologist with the American Civil Liberties Union’s Speech, Privacy and Technology Project. After The Washington Post revealed details about the NSA’s Marina, Mainway and Nucleon databases on June 15, 2013, Soghoian tweeted out the results of one such LinkedIn search.

Linkedin profiles of people in Maryland that mention MARINA & NUCLEON have some fun other codenames like TRAFFICTHIEF http://t.co/7DQ5uaJ1BP — Christopher Soghoian (@csoghoian) June 16, 2013

Many responses linked to profiles that listed ever more NSA programs. Soghoian’s tweet also prompted short posts at TechDirt, Gizmodo and Slashdot. On Aug. 3, The Wall Street Journal published a story about the FBI’s growing use of hacking to monitor suspects, based on information Soghoian provided. The next day, Soghoian spoke at the Defcon hacking conference about how he uncovered the existence of the FBI’s hacking team, known as the Remote Operations Unit (ROU), using the LinkedIn profiles of two employees at James Bimen Associates, with which the FBI contracts for hacking operations. “Had it not been for the sloppy actions of a few contractors updating their LinkedIn profiles, we would have never known about this,” Soghoian said in his Defcon talk. Those two contractors were not the only ones being sloppy. The LinkedIn profile cited by Soghoian’s initial tweet mentions classified NSA programs like Nucleon, Dishfire, Octave, Pinwale, Mainway, Banyan and Marina. These were mentioned alongside one program that was revealed in the press only a month later: Trafficthief, a database for storing metadata from specific surveillance targets. Another profile, from Indeed.com, mentions Cultweave, XKeyscore and other previously unidentified programs. And there are many more. A quick search of Indeed.com using three code names unlikely to return false positives — Dishfire, XKeyscore and Pinwale — turned up 323 résumés. The same search on LinkedIn turned up 48 profiles mentioning Dishfire, 18 mentioning XKeyscore and 74 mentioning Pinwale. Almost all these people appear to work in the intelligence industry.

Network-mapping the data

Fabio Pietrosanti of the Hermes Center for Transparency and Digital Human Rights noticed all the code names on LinkedIn last December. While sitting with M.C. McGrath at the Chaos Communication Congress in Hamburg, Germany, Pietrosanti began searching the website for classified program names — and getting serious results. McGrath was already developing Transparency Toolkit, a Web application for investigative research, and knew he could improve on Pietrosanti’s off-the-cuff methods. “I was, like, huh, maybe there’s more we can do with this — actually get a list of all these profiles that have these results and use that to analyze the structure of which companies are helping with which programs, which people are helping with which programs, try to figure out in what capacity, and learn more about things that we might not know about,” McGrath said. He set up a computer program called a scraper to search LinkedIn for public profiles that mention known NSA programs, contractors or jargon — such as SIGINT, the agency’s term for “signals intelligence” gleaned from intercepted communications. Once the scraper found the name of an NSA program, it searched nearby for other words in all caps. That allowed McGrath to find the names of unknown programs, too. Once McGrath had the raw data — thousands of profiles in all, with 70 to 80 different program names — he created a network graph that showed the relationships between specific government agencies, contractors and intelligence programs. Of course, the data are limited to what people are posting on their LinkedIn profiles. Still, the network graph gives a sense of which contractors work on several NSA programs, which ones work on just one or two, and even which programs military units in Iraq and Afghanistan are using. And that is just the beginning.

Click on the image to view an interactive network illustration of the relationships between specific national security surveillance programs in red, and government organizations or private contractors in blue.

“People mention the level of security clearance they have, so it’s possible to learn the security clearance you need for some of these programs based on this data,” McGrath said. “You can also uncover new program names. Someone found [a program] called Blackmagik … even if you just have a [program] name, you could use it to determine information about the content — where they're based, what language skills they have, just generally to better understand these things that we have very little information about.” Intelligence contractors and military personnel have been referencing classified programs on sites like LinkedIn and Indeed for years, but the obscure code names — like Mainway, Dishfire and Pinwale — did not mean much outside of the intelligence community. What little the public did know tended to circulate among a small, wonky group of national security journalists, researchers and privacy advocates. Edward Snowden changed all that, leaking documents that revealed dozens of previously unknown programs in great detail. “Before, they were just these code names, and we really didn't know what any of them were,” McGrath said. “Now that we know how they operate, we can start to figure things out a little bit more.” NSA personnel often make that easier by grouping similar programs together, Soghoian said. “They’ll have all the telephone metadata programs in one place, all the geo-location programs in another,” he said. “So if you know what one thing is, you can figure the others out.”

Before, they were just these code names, and we really didn’t know what any of them were. Now that we know how they operate, we can start to figure things out a little bit more. M.C. McGrath Transparency Toolkit

It is hard to say how worrisome this is for the intelligence community. NSA spokeswoman Marci Green Miller said the agency requires all current and former personnel — including contractors and military members — to submit for prepublication review “any information intended for public disclosure which is or may be based on protected information while associated with NSA/CSS [Central Security Service].” But Miller did not respond to a question about whether the NSA has reviewed or cleared any of the numerous LinkedIn and Indeed profiles that reference classified programs. She also did not respond to questions about whether the NSA monitors these sites for violations of its policies, or whether it has ever contacted individuals about profiles that reference classified information. LinkedIn and Indeed both declined to comment on the specific issue.

Contractors’ self-interest

Still, even some privacy advocates are surprised at how much information intelligence contractors are willing to publicly reveal. “Defense Department and intelligence agency contractors say probably more than they should about what they’re doing on LinkedIn because they want to get a job,” Soghoian said. “It’s the self-interest of these contractors versus the national security interest of the state.” According to Tim Shorrock, author of “Spies for Hire: The Secret World of Intelligence Outsourcing,” websites like LinkedIn and Indeed are not even the worst offenders. Contractors regularly post public job announcements that mention details of classified programs. They even disclose classified information to potential investors. “There’s no control over what the contractors list in their job applications. They should have some oversight and some better rules about it, but you find this stuff all the time,” Shorrock said. “When I was researching my book, I went to numerous dog-and-pony shows for investors … They'll say, ‘This program was developed by the National Security Agency.’ Then you’ll look it up and see that in the past it’s never been associated with the National Security Agency. Basically, it's bravado, hubris.”

There’s no control over what the contractors list in their job applications. They should have some oversight and some better rules about it, but you find this stuff all the time. Tim Shorrock Intelligence commentator