Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata

from the 'just-metadata'-strikes-again dept

The latest batch of Snowden docs published at The Intercept cover a lot of ground. The internal informational sheets from the Signals Intelligence Directorate include info on a host of surveillance programs that haven't been revealed by previous document dumps. Nor do they discuss the programs in full. As such, some of the information is limited.

One of those published last week mentions the NSA's targeting of internet cafes in Iraq and other Middle Eastern countries using a program called MASTERSHAKE. Using MASTERSHAKE, analysts were apparently able to drill down location info to which target was sitting in which chair at the cafes under surveillance.

Further down the page [PDF], past this brief mention of a program discussed more fully elsewhere, there's another interesting tidbit. Apparently, the NSA can suss out electronic dead drops using harvested metadata. (h/t Electrospaces)

[REDACTED] will be briefing on THERAPYCHEATER. This is a system that uses metadata analysis to detect and exploit the communication patterns of targets about whom the SIGINT system has no specific a priori knowledge. By identifying suspicious patterns in the access to draft folders of webmail accounts, THERAPYCHEATER will identify email addresses potentially being used in a form of covert communication known as a cyber dead drop. There are numerous examples in both SIGINT and collateral of terrorists using cyber dead drops to communicate operational information and plans.

Apparently, the tried-and-true surveillance workaround is no longer a secure option. One way to avoid surveillance of communications was to simply not communicate. Composing drafts in a shared email account was one to talk to others without risking interception.

As the paragraph states, this draft folder metadata is used to acquire new surveillance targets, based almost solely on the analyst's impression of account activity. Presumably from here, the NSA can move on to seeking access to the actual account to see what's hiding inside that's never been sent. Or, at the very least, keep an eye on traffic to and from the email account.

This was written in 2005 so access to email account metadata may be more limited, thanks to routine encryption. However, the metadata here refers to activity taking place within an account, suggesting the NSA does (or at least did) have access to certain types of account activity, rather than simply gathering metadata related to web-traversing communications.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dead drops, email, mastershake, metadata, nsa, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 21 Sep 2017 @ 2:24pm

    "the tried-and-true surveillance workaround is no longer a secure option."

    Was it ever?

    link to this | view in chronology ]

  • identicon
    stine, 21 Sep 2017 @ 2:28pm

    sounds familiar

    Isn't this how U.S. General Petraeus and Paula Broadwell traded messages...(yep, checked wikipedia)

    I wonder if the NSA generated that piece of intel?

    link to this | view in chronology ]

  • identicon
    Sarah, 21 Sep 2017 @ 2:51pm

    Technically ignorant?

    https://www.youtube.com/watch?v=PG6Z27KL6PE

    Unless you mean an online file sharing network, by definition an offline file sharing network cannot be compromised using online methodologies.

    It's an entirely different context.

    You should specify would kind of dead drop you mean.

    link to this | view in chronology ]

    • icon
      orbitalinsertion (profile), 21 Sep 2017 @ 3:32pm

      Re: Technically ignorant?

      I thought the definition given in the leaked document was pretty clear with the quote and expanded commentary.

      This is like suggesting the linked video is technically ignorant by saying the title implies only USB-connected devices or all devices with USB connectors can be used for a dead drop.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Sep 2017 @ 11:51am

      Re: Technically ignorant?

      by definition an offline file sharing network cannot be compromised using online methodologies

      Compromising an online endpoint of an offline network could be said to compromise the network too. E.g., if you're moving files between 1 offline and 1 internet-connected computer via a USB stick, someone who compromises the internet-connected one has compromised the "network"; it no longer offers secrecy.

      link to this | view in chronology ]

  • identicon
    ANON, 21 Sep 2017 @ 3:04pm

    But...

    Wasn't it the case that in 2005 and earlier, using plain text SMTP commands or HTTP web browsing was how much of the mail traffic operated?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2017 @ 3:37pm

    "metadata may be more limited, thanks to routine encryption"

    Do you _really_ think for a millisecond that they don't have the master certificates to decrypt all SSL traffic? Really?

    If it was a problem for them they'd be shutting it down; pronto.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Sep 2017 @ 6:23pm

      Re:

      Do you really think for a millisecond that they don't have the master certificates to decrypt all SSL traffic? Really?

      Yes, because that's not how TLS works. If they had all the Certificate Authority private keys, they could forge any certificate, but decrypting a session requires knowing the private key of the certificate for that session, not the private key of the root CA certificate that signed the intermediate CA certificate that signed the endpoint certificate. Some stupidly implemented CAs know the private keys of the certificates that they endorse, but the better ones never receive the endpoint's private key, so they can't disclose it even under duress.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2017 @ 6:34pm

    Remember when MyNameHere/Whatever was loudly claiming that metadata wasn't significant so we didn't have to worry about the NSA vacuuming it all up? Bah! Humbug!

    link to this | view in chronology ]

  • icon
    DocGerbil100 (profile), 21 Sep 2017 @ 8:05pm

    ...?

    Well, isn't that interesting!

    I'm in the UK. The last time I was unemployed for any length of time, a fair while ago now, I was sent to a place called Reed Employment in Partnership, a company contracted by the government to help the unemployed get back into work.

    Due to past security issues, customers weren't allowed to attach their own storage devices to Reed's computers. Instead, we were all required to use the draft folders in webmail accounts for storing our CVs (or résumés, in American), etc, in similar fashion to the counter-surveillance method described in the article.

    It's a certainty that at least some extremists were making use of Reed's services. Presumably, everyone using the same branch who subsequently accessed their email from another location would also be flagged up as a potential terrorist - particularly the ones who mainly spoke Arabic and weren't fluent in written English.

    Did Reed unintentionally push hundreds of thousands of customers onto anti-terrorism watch-lists? I wonder how many other government service providers did the same thing...?

    link to this | view in chronology ]

  • icon
    MyNameHere (profile), 22 Sep 2017 @ 12:38am

    Dead drops were a very common concept a number of years ago, as it was a very simple way to pass a message without actually sending anything. That was back before anyone realized that pretty much everything you every do in a free mail account (like hotmail) is backed up and kept for a long time.

    It's interesting that the feds were onto it and looking for ways to handle it.

    link to this | view in chronology ]

  • icon
    Ninja (profile), 22 Sep 2017 @ 5:54am

    The names they choose... MASTERSHAKE sounds like those body-building products and THERAPYCHEATER.. And people say they don't have a sense of humor.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Sep 2017 @ 9:18am

    Is it just me, or does anyone else have that spooky feeling that all these Snowden data drips are only released 'after' the 3 letter agency has either abandoned the program or replaced it with something better.

    Just wonderin'

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.