The National Security Agency’s broad Internet monitoring program can do a whole lot more than provide a look inside a person's Internet life. According to documents on the X-Keyscore program published by The Guardian, the system can also be used to find computers that are vulnerable to attack, allowing the NSA’s Tailored Access Office to exploit them.

A training slide on the capabilities of X-Keyscore provided to The Guardian by Edward Snowden entitled “TAO” (for Tailored Access Operations, the organization within the NSA that hacks the networks of foreign governments and organizations) states that vulnerability profiles used by TAO to find targeted systems can be used to “show me all the exploitable machines in country X.” The “fingerprints” for vulnerabilities are added as a filtering criteria for X-Keyscore’s filtering application “engines”—a worldwide distributed cluster of Linux servers attached to the NSA’s Internet backbone tap points.

This capability essentially turns X-Keyscore into a sort of passive port scanner, watching for network behaviors from systems that match the profiles of systems for which the NSA’s TAO has exploits constructed, or for systems that have already been exploited by other malware that the TAO can leverage. This could allow the NSA to search broadly for systems within countries such as China or Iran by watching for the network traffic that comes from them through national firewalls, at which point the NSA could exploit those machines to have a presence within those networks.

Other slides in the set of documents explain how X-Keyscore could be used to track down VPN sessions and determine who they belong to from selected countries. The program could also be used to capture metadata on the use of PGP encryptions in e-mails and encrypted Word documents for later decryption. While X-Keyscore keeps a "buffer" of all the Internet traffic it traps at its tap locations for about three days, metadata on traffic can be kept for up to 30 days, allowing the NSA to trace and store information on who created documents passing across the Internet. "No other system performs this on raw unselected bulk traffic," the document states—implying that searches can be made across traffic that hasn't been specifically tagged for monitoring.