Tor allows users to surf the internet as well as conduct chat and send instant messages anonymously. It works by encrypting the traffic and relaying it through a number of random servers, or nodes, hosted by volunteers around the world to make it difficult for anyone to trace the data back to its source. Each node in the network can only see the previous node that sent it the traffic and the next node to which it's sending the traffic. In documents released by Edward Snowden, NSA workers discussed their frustration in spying on people who use Tor. "We will never be able to de-anonymise all Tor users all the time," one internal NSA document noted.
But the XKeyscore source code reveals some of the ways the NSA attempts to overcome this obstacle.
Tor isn't the only target of XKeyscore, however. The system is also targeting users of other privacy services: Tails, HotSpotShield, FreeNet, Centurian, FreeProxies.org, and MegaProxy.
Tails is an operating system used by human rights activists, as well as many of the journalists who have access to the Edward Snowden documents, to protect sensitive computer activity. It runs from a USB stick or CD so that it's not stored on the system, and uses Tor and other privacy tools to protect user activity. At the end of each session, when the user reboots it, Tails erases any data pertaining to that session -- such as evidence of documents opened or chats -- except for data the user has specifically saved to an encrypted storage device. The NSA clearly regards Tails as a sinister tool, however, referring to it in one comment in the source code as "a comsec mechanism advocated by extremists on extremist forums."
The XKeyscore rule for monitoring Tails users indicates that it is designed to identify users searching for the software program, as well as anyone "viewing documents relating to TAILs, or viewing websites that detail TAILs."
How XKeyscore Works
The XKeyscore rules use features the NSA calls "appids," "fingerprints," and "microplugins" to identify and tag activity online. Appids, the German publication notes, are unique identifiers that help the system sort and categorize data and user activity, such as an online search. The microplugins are possibly used to extract and store specific types of data.
The rules indicate that the NSA is specifically targeting the IP addresses of nine servers operated by key Tor volunteers in Germany, Sweden, Austria, the Netherlands and even the US. These servers are used by the Tor network as directory authorities. They generate, on an hourly basis, a directory of all the Tor nodes or relays on the Tor network, which change constantly as new servers are added by volunteers or taken out of the network. The Tor software consults these lists to direct traffic to the nodes. The XKeyscore system uses a fingerprint called "anonymiser/tor/node/authority" that targets any IP address that connects to the nine servers.
One of the servers is maintained by Sebastian Hahn, a 28-year-old Tor volunteer and computer science student at the University of Erlangen. A German attorney told the media outlets that the targeting of Tor volunteers in Germany may violate restrictions against the US conducting secret intelligence activity against German citizens in Germany.