Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata
from the 'just-metadata'-strikes-again dept
The latest batch of Snowden docs published at The Intercept cover a lot of ground. The internal informational sheets from the Signals Intelligence Directorate include info on a host of surveillance programs that haven't been revealed by previous document dumps. Nor do they discuss the programs in full. As such, some of the information is limited.
One of those published last week mentions the NSA's targeting of internet cafes in Iraq and other Middle Eastern countries using a program called MASTERSHAKE. Using MASTERSHAKE, analysts were apparently able to drill down location info to which target was sitting in which chair at the cafes under surveillance.
Further down the page [PDF], past this brief mention of a program discussed more fully elsewhere, there's another interesting tidbit. Apparently, the NSA can suss out electronic dead drops using harvested metadata. (h/t Electrospaces)
[REDACTED] will be briefing on THERAPYCHEATER. This is a system that uses metadata analysis to detect and exploit the communication patterns of targets about whom the SIGINT system has no specific a priori knowledge. By identifying suspicious patterns in the access to draft folders of webmail accounts, THERAPYCHEATER will identify email addresses potentially being used in a form of covert communication known as a cyber dead drop. There are numerous examples in both SIGINT and collateral of terrorists using cyber dead drops to communicate operational information and plans.
Apparently, the tried-and-true surveillance workaround is no longer a secure option. One way to avoid surveillance of communications was to simply not communicate. Composing drafts in a shared email account was one to talk to others without risking interception.
As the paragraph states, this draft folder metadata is used to acquire new surveillance targets, based almost solely on the analyst's impression of account activity. Presumably from here, the NSA can move on to seeking access to the actual account to see what's hiding inside that's never been sent. Or, at the very least, keep an eye on traffic to and from the email account.
This was written in 2005 so access to email account metadata may be more limited, thanks to routine encryption. However, the metadata here refers to activity taking place within an account, suggesting the NSA does (or at least did) have access to certain types of account activity, rather than simply gathering metadata related to web-traversing communications.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dead drops, email, mastershake, metadata, nsa, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
Was it ever?
[ link to this | view in chronology ]
sounds familiar
I wonder if the NSA generated that piece of intel?
[ link to this | view in chronology ]
Technically ignorant?
Unless you mean an online file sharing network, by definition an offline file sharing network cannot be compromised using online methodologies.
It's an entirely different context.
You should specify would kind of dead drop you mean.
[ link to this | view in chronology ]
Re: Technically ignorant?
This is like suggesting the linked video is technically ignorant by saying the title implies only USB-connected devices or all devices with USB connectors can be used for a dead drop.
[ link to this | view in chronology ]
Re: Technically ignorant?
Compromising an online endpoint of an offline network could be said to compromise the network too. E.g., if you're moving files between 1 offline and 1 internet-connected computer via a USB stick, someone who compromises the internet-connected one has compromised the "network"; it no longer offers secrecy.
[ link to this | view in chronology ]
But...
[ link to this | view in chronology ]
Do you _really_ think for a millisecond that they don't have the master certificates to decrypt all SSL traffic? Really?
If it was a problem for them they'd be shutting it down; pronto.
[ link to this | view in chronology ]
Re:
Yes, because that's not how TLS works. If they had all the Certificate Authority private keys, they could forge any certificate, but decrypting a session requires knowing the private key of the certificate for that session, not the private key of the root CA certificate that signed the intermediate CA certificate that signed the endpoint certificate. Some stupidly implemented CAs know the private keys of the certificates that they endorse, but the better ones never receive the endpoint's private key, so they can't disclose it even under duress.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
...?
I'm in the UK. The last time I was unemployed for any length of time, a fair while ago now, I was sent to a place called Reed Employment in Partnership, a company contracted by the government to help the unemployed get back into work.
Due to past security issues, customers weren't allowed to attach their own storage devices to Reed's computers. Instead, we were all required to use the draft folders in webmail accounts for storing our CVs (or résumés, in American), etc, in similar fashion to the counter-surveillance method described in the article.
It's a certainty that at least some extremists were making use of Reed's services. Presumably, everyone using the same branch who subsequently accessed their email from another location would also be flagged up as a potential terrorist - particularly the ones who mainly spoke Arabic and weren't fluent in written English.
Did Reed unintentionally push hundreds of thousands of customers onto anti-terrorism watch-lists? I wonder how many other government service providers did the same thing...?
[ link to this | view in chronology ]
It's interesting that the feds were onto it and looking for ways to handle it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
WHAT HAPPENED TO MY FREAKIN’ SURVEILLANCE SYSTEM?!
[ link to this | view in chronology ]
Just wonderin'
[ link to this | view in chronology ]