Online privacy tools like Tor have become incredibly popular in the wake of Edward Snowden’s surveillance revelations. But according to an analysis of leaked source code from the National Security Agency, using or merely searching for information about those tools is enough to label someone an “extremist” in the eyes of the National Security Agency.

A series of articles published in German news outlets NDR and WDR seems to show that exhibiting any interest in tools used to hide one’s identity is interpreted as suspicious and marked for extra surveillance under the agency’s XKeyscore system—unless that activity comes from one of the nations of the “Five Eyes” surveillance alliance (the United States, Canada, the United Kingdom, Australia, and New Zealand). The code, which is believed to still be in use by the NSA today, contains rules which monitors anyone communicating with services and email addresses associated with the Tor anonymity network, as well as websites such as the Linux Journal, a popular and long-running computing resource which Xkeyscore chillingly labels an “extremist forum.”

While shocking in its inclusiveness, the focus on privacy tools is not at all surprising to security experts. A previously published top-secret NSA document called “Tor Stinks” illustrated the agency’s ongoing frustration with trying to break the anonymity software. Ironically, Tor was originally developed by the U.S. Navy, and includes among its major financial benefactors the U.S. State Department, which touts its ability to help foreign dissidents circumvent government censorship. U.S. law enforcement including the Drug Enforcement Agency makes use of the tool for investigations, and the Federal Bureau of Investigation has even admitted that it has “known legitimate uses.”

Instead of connecting directly to websites, Tor, also known as The Onion Router, redirects a user’s web traffic through a zig-zagging network of relay computers run by volunteers around the world. By wrapping the communications inside “layers” of encryption, the relays obscure the true IP address of the user, both from the site’s owners and anyone else who happens to be monitoring the network. The NSA source code shows rules for specifically targeting volunteer-run Tor “directory servers” located in Germany, the U.S., Sweden, Austria and the Netherlands.

The report also names the administrator of one such targeted directory, a German computer science student named Sebastian Hahn. “Millions of people use it to stay safe online, and by watching the server and collecting metadata about its users, those people are put at risk.” he told German TV network Das Erste.

Another tool specifically named in the NSA’s code is Tails, a Linux-based operating system specially designed for privacy and security which filters all of its Internet traffic through Tor and can be run from a CD-ROM or USB stick. Law enforcement often complains that these tools create a haven for child traffickers, terrorists and other serious criminals, but they are also routinely used by security researchers, journalists, human rights activists, private companies, and regular folks who just want some online privacy.

The Xkeyscore code shows that the NSA also targets other privacy tools such as HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy and MixMinion. The rules contain filters that provide exceptions for servers in countries that are members of Five Eyes. But some appear to be written broadly enough to allow targeting inside those countries. For example, one rule targeting MixMinion includes all traffic sent to or from a server located on the campus of MIT, the report says.

There are a few ways Tor users can still be identified if they are not practicing good operational security, but the good news is that Tor itself has been so far proven secure—even from the NSA. The agency’s “Tor Stinks” presentation says that there are no practical ways of consistently identifying Tor users, concluding that “We will never be able to de-anonymize all Tor users all the time.”

But if that’s the case, why bother targeting privacy-conscious users at all?

A likely answer is that the NSA is waiting for them to slip up. While Tor encrypts traffic as it bounces around its anonymizing network, it will still be transmitted in plain text at the beginning and end of the network if the site is not secured with transport encryption known as SSL/TLS, commonly seen as a “lock” icon inside the browser’s address bar. That means there is still an opportunity to collect the contents of emails sent over the Tor network, if the connection isn’t secured and a criminal or spy agency is listening in the right places. Indeed, the report shows that the NSA does collect and store the contents of emails sent over Tor, whether or not they can read them.

When questioned about the surveillance of people interested in privacy, the NSA would only offer a statement saying that agency “collects only what it is authorized by law to collect for valid foreign intelligence purposes—regardless of the technical means used by foreign intelligence targets.”

It’s unclear whether or not the source code came from the material leaked by Snowden. But cryptography expert Bruce Schneier, who has worked with Glenn Greenwald on the Snowden documents, seems to think that both this story and a previous report in Der Spiegel about the NSA’s hacking tools are the result of a “second leaker.”

“It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link—with the embedded torproject.org URL above—is currently being monitored by the NSA,” he writes.

“Whatever the case, this is very disturbing.”