Not Even the NSA Can Crack the State Dept’s Favorite Anonymous Network

A far-flung group of geeks, supported by the U.S. State Department, has built a tool for anonymous communication that’s so secure that even the world’s most sophisticated electronic spies haven’t figured out how to crack it.

That’s the takeaway from the latest revelations from National Security Agency leaker Edward Snowden. The NSA has used aggressive computer attack techniques to monitor people using the Tor network, a service that’s funded by the U.S. government and allows users to remain anonymous when they’re connected to the Internet. But the agency has not been able to undermine the core of the Tor system, which was developed by the U.S. Naval Research Laboratory in 2002. It remains a viable means for people to connect to the Internet anonymously. Although Tor’s complete reliability has been called into question in light of the NSA’s efforts — which may have begun as early as 2006, according to the Washington Post — for now it’s State Department 1, NSA 0, in the anonymity wars.

Which highlights another important point in the latest Snowden papers. In them, we see the NSA, an agency of the Defense Department, taking actions that are directly at odds with those of the State Department, which for the past few years has spent millions of dollars to develop Tor and other technologies and then distribute them overseas to political dissidents and democracy activists.

The NSA’s anti-anonymization campaign, detailed in the Guardian, underscores a fundamental conflict at the heart of U.S. government policy toward the Internet. The NSA sees Tor as a tool for terrorists and spies. The State Department sees it as a platform for activists trying to evade the very kinds of surveillance systems that the NSA has built.

"There is a lack of coherence," said Tim Maurer, a policy analyst at the New America Foundation’s Open Technology Institute, which has received funding from the State Department and supports the development of technologies that circumvent surveillance. "If the political goal is to secure fundamental freedoms, privacy, and free flow of information online as well as offline for people in the U.S. and abroad, all policies must flow from that, including those guiding the NSA."

The spy agency does not try to disable Tor, but rather infects or "tags" individual computers using the anonymous service as they come in and out of it. The agency has only managed to install a few "nodes," or individual machines, inside the Tor system in order to identify users.

In February 2012, as part of what appears to have been an experiment at defeating Tor’s anonymity, the NSA’s British counterpart, the Government Communications Headquarters, set up 11 relays in the Tor system, according to an analysis conducted for The Cable by Runa A. Sandvik, a Tor Project developer, and Collin Anderson, an independent researcher. A relay, also known as a router or a node, receives and then directs traffic in the Tor network. The relays were collectively dubbed Freedomnet, and the experiment went by the name REMATION II, according to the analysis. The experiment lasted from Feb. 22 to 28, 2012.

This gives some idea of the resilience of the Tor system in the face of the NSA’s hacking attempts. The agency found it easier to go after weaknesses in Tor users’ computers, specifically a version of the Internet browser Firefox, than to try to defeat the extensive procedures Tor uses to keep its users anonymous.

"The good news is that they went for a browser exploit, meaning there’s no indication they can break the Tor protocol or do traffic analysis on the Tor network," Roger Dingledine, the president of the Tor Project, told the Guardian. "Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard."

National security analysts agreed that in general, Tor seemed to have held up to the NSA’s attempted intrusions. "What caught me here was how little success they [NSA] seemed to have. If I were in the State Department, I’d consider this news an overall win," Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, told The Cable. Healey said the department should be more concerned about how its statements of principle and strategy for a free and open Internet "are being undone by far less coordinated intelligence and covert operations" by the NSA.

"It doesn’t matter what cyber policies get agreed upon in the interagency [process]. Ft. Meade [NSA’s headquarters] de facto makes U.S. cyber policy by changing the facts on the ground, in the network itself," Healey said.

For years, the U.S. government has offered tools and training to help foreign dissidents and journalists circumvent detection by repressive governments. In particular, the Broadcasting Board of Governors (BBG), though its Internet Anti-Censorship (IAC) Division, has provided "anti-censorship, pro-privacy software to users worldwide who are subject to foreign government-sponsored Internet censorship," according to the BBG’s website.

In some cases, that has meant partnering with companies to improve the security of their software. The board also has worked with the Tor Solutions Group to develop "several enhancements" to its usability and performance for users subject to censorship. The BBG’s budget for Internet anti-censorship issues runs a little over $10 million a year.

However, contrary to the Guardian‘s report, the BBG stopped directly supporting Tor last October. At that time, the Tor portfolio was moved to Radio Free Asia, a private nonprofit that receives an annual grant from the BBG for its Internet anti-censorship work, including about $400,000 for a Tor project that monitors Internet surveillance by governments.

While he was careful not to criticize the NSA, Dan Meredith, director of Radio Free Asia’s Open Technology Fund, said the spy agency’s exploitation of services like Tor doesn’t make his job any easier. "The United States government is incredibly large with lots of diverse programs from the Census Bureau to Medicare to Radio Free Asia’s Internet Freedom program — and the employees shouldn’t all get lumped together as aligned with the NSA’s view of the world," he told The Cable. "You’ll try to explain that to activists in Sudan, but they don’t always take it that way. Sometimes I’ll spend 15 minutes with people trying to convince them that I’m not CIA."

The Obama administration is pouring money into new efforts to fund anti-surveillance technology. The U.S. Agency for International Development’s fiscal 2014 budget requests include $7 million to support cutting-edge tools and requisite training that allow secure communications. The agency’s Human Rights and Democracy fund, which has requested $64 million, has a mandate to "support independent media and Internet Freedom." There are other pools of millions of dollars throughout the foreign affairs budgets that go toward supporting tools like Tor.

That has piqued the ire of some intelligence officials. Anonymity is a persistent obstacle to NSA’s surveillance and intelligence-gathering operations. And to the extent that the State Department is a big backer of anonymizing technologies like Tor, it’s butting heads with the spies at the NSA.

"The Secretary of State is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government," former NSA Director Michael Hayden said this year in remarks at The Atlantic Council. "So on the one hand we’re fighting anonymity, on the other hand we’re chucking products out there to protect anonymity on the net."

In a statement released Friday afternoon, Director of National Intelligence James Clapper said that the intelligence community’s interest in "online anonymity services and other online communication and networking tools is based on the undeniable fact that these are the tools our adversaries use to communicate and coordinate attacks against the United States and our allies."

Clapper added, "In the modern telecommunications era, our adversaries have the ability to hide their messages and discussions among those of innocent people around the world. They use the very same social networking sites, encryption tools and other security features that protect our daily online activities."

The Washington Post reported that the NSA has successfully unmasked at least one al-Qaeda member in the Arabian Peninsula, described as a propagandist, who was using the Tor network and posting information on the terrorist group’s Web site.

Tor has also become popular with drug dealers, criminal hackers, and peddlers of child pornography. The online drug market Silk Road, which was shut down by federal authorities this week, relied on Tor.

The NSA cannot know when attacking Tor users’ computers if they belong to foreigners or U.S. citizens. Given the popularity of Tor in the United States, the spy agency is almost certainly infecting the computers of Americans. Tor estimates that nearly 400,000 users are connecting directly to the system in the United States.

The NSA is using the same methods to infect computers that U.S. officials say are deployed by China, Iran, and other regimes against the United States. Cyber spies in those countries have stolen secrets from U.S. corporations, disabled bank Web sites, and mapped out the computer systems that run the electrical power grid, U.S. officials say. Those countries also use some of the same techniques the NSA reportedly uses to infect Tor, in order to keep their own citizens from reading censored material on the Internet.

The documents provided by Snowden reveal that the NSA tricks computers into connecting to a server that tags the machine so the NSA can track it. The spy agency also sends so-called spear-phishing emails to its targets. These messages, which are designed to look as if they came from someone the recipient knows or has a reason to trust, may contain a link or an attachment that unleashes spyware inside the host computer. Spear-phishing is a common technique of Chinese spies trying to infiltrate the computers of U.S. government officials. One spear phishing campaign two years ago targeted senior State Department officials who were working on then-Secretary Hillary Clinton’s Internet Freedom agenda, according to a current and a former department official.

If the upshot of NSA’s anti-Tor campaign is that it cannot easily defeat anonymity there, it doesn’t appear to be giving up on doing so elsewhere. The agency’s Tailored Access Operations group, a den of super hackers that houses vulnerabilities in software programs, Web applications, and browsers is constantly developing techniques for penetrating computers and unmasking their users.

So rack up a win for Tor – and its Foggy Bottom sponsors — in the anonymity war. But it’s far from over.