Alleged leaked documents about the NSA's XKeyscore snooping software appear to show the paranoid agency is targeting Tor and Tails users, Linux Journal readers – and anyone else interested in online privacy.

At the heart of the claims is this sample configuration file for the XKeyscore system.

The top-secret documents were apparently obtained and studied by members of the Tor project and security specialists for German broadcasters NDR and WDR. In their analysis of the divulged data, the team accuses the NSA of, among other things:

Specifically targeting Tor directory servers

Reading email contents for mentions of Tor bridges

Logging IP addresses of people who search for privacy-focused websites and software

And possibly breaking international law in doing so.

We already know from leaked Snowden documents that Western intelligence agents hate Tor for its anonymizing abilities. But what the aforementioned leaked source code, written in a rather strange custom language, shows is that not only is the NSA targeting the anonymizing network Tor specifically, it is also taking digital fingerprints of any netizens who are remotely interested in privacy.

These include readers of the Linux Journal site, anyone visiting the website for the Tor-powered Linux operating system Tails – described by the NSA as "a comsec mechanism advocated by extremists on extremist forums" – and anyone looking into combining Tails with the encryption tool Truecrypt.

If something as innocuous as Linux Journal is on the NSA's hit list, it's a distinct possibility that El Reg is too, particularly in light of our recent exclusive report on GCHQ – which led to a Ministry of Defence advisor coming round our London office for a chat.

If you take even the slightest interest in online privacy or have Googled a Linux Journal article about a broken package, you are earmarked in an NSA database for further surveillance, according to these latest leaks.

This is assuming the leaked file is genuine, of course.

Other monitored sites, we're told, include HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion. The IP address of computer users even looking at these sites is recorded and stored on the NSA's servers for further analysis, and it's up to the agency how long it keeps that data.

The XKeyscore code, we're told, includes microplugins that target Tor servers in Germany, at MIT in the United States, in Sweden, in Austria, and in the Netherlands. In doing so it may not only fall foul of German law but also the US's Fourth Amendment.

"The fact that a German citizen is specifically traced by the NSA, in my opinion, justifies the reasonable suspicion of the NSA carrying out secret service activities in Germany," said German IT attorney Thomas Stadler. "For this reason, the German Federal Public Prosecutor should look into this matter and initiate preliminary proceedings."

The nine Tor directory servers receive especially close monitoring from the NSA's spying software, which states the "goal is to find potential Tor clients connecting to the Tor directory servers." Tor clients linking into the directory servers are also logged.

"This shows that Tor is working well enough that Tor has become a target for the intelligence services," said Sebastian Hahn, who runs one of the key Tor servers. "For me this means that I will definitely go ahead with the project.”

When questioned about the code analysis the NSA issued the following statement. Make of it what you will:

In carrying out its mission, NSA collects only what it is authorized by law to collect for valid foreign intelligence purposes - regardless of the technical means used by foreign intelligence targets. The communications of people who are not foreign intelligence targets are of no use to the agency. In January, President Obama issued U.S. Presidential Policy Directive 28, which affirms that all persons - regardless of nationality - have legitimate privacy interests in the handling of their personal information, and that privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities. The president's directive also makes clear that the United States does not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion. XKeyscore is an analytic tool that is used as a part of NSA's lawful foreign signals intelligence collection system. Such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKeyscore allows the agency to help defend the nation and protect U.S. and allied troops abroad. All of NSA's operations are conducted in strict accordance with the rule of law, including the President's new directive.

While the German reporting team has published part of the XKeyscore scripting code, it doesn't say where it comes from. NSA whistleblower Edward Snowden would be a logical pick, but security experts are not so sure.

"I do not believe that this came from the Snowden documents," said security guru Bruce Schneier. "I also don't believe the TAO catalog came from the Snowden documents. I think there's a second leaker out there."

If so, the NSA is in for much more scrutiny than it ever expected. ®

Bootnote

Robert Graham of Errata Security has dissected the configuration code leaked today, concluding: "The source definitely seems like something the NSA would use to monitor network traffic, but at the same time, seems fairly limited in scope."

He does attempt to tackle various peculiarities in the file's language, from the clumsy comments about extremists to the way it suggests Uncle Sam performs deep packet inspection. While some believe the config document is fake, Graham suggests it could be part of prototype technology – although the file refers to version 5 of the scripting language, hinting that it could be operational by now.