
Use Tor, Get Targeted By the NSA

Posted by Soulskill
from the hop-online-and-disappoint-some-intelligence-agents dept.
An anonymous reader sends this news from Ars Technica: "Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for U.S.-based communications to be retained by the National Security Agency, even when they're collected inadvertently, according to a secret government document published Thursday. ...The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on U.S. citizens and residents. While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the U.S., they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—'will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person,' the secret document stated."
  • by nospam007 (722110) * on Friday June 21, 2013 @12:21PM (#44070963)

    So we just need to write a Spam Generator that sends out billions of encrypted stuff to US-citizens to create government jobs?

    Nice!

    • Re: (Score:2, Interesting)

      by roc97007 (608802)

      I'm thinking of torrenting NPR.

    • by AmiMoJo (196126) * <mojo@NOspaM.world3.net> on Friday June 21, 2013 @12:36PM (#44071147) Homepage

      Why does it matter if someone is a "us person"? Fuck off spying on me America.

  • Uhm, guys? (Score:5, Insightful)

    by waddgodd (34934) on Friday June 21, 2013 @12:26PM (#44071031) Homepage Journal

    Given the recent revelations about the NSA dragnets of literally every single email, call, text, and pretty much any other form of electronic communication, it's pretty much a given that the best way to attract the NSA's attention is to fog a mirror.

  • non-issue (Score:5, Informative)

    by TCM (130219) on Friday June 21, 2013 @12:26PM (#44071033)

    You are supposed to use HTTPS only over Tor anyway and transmit no identifying data in other cases, respectively. Tor already assumes the existence of such an adversary as the NSA, so what's the story here?

    • Re:non-issue (Score:5, Insightful)

      by Errol backfiring (1280012) on Friday June 21, 2013 @12:33PM (#44071119) Journal

      Tor already assumes the existence of such an adversary as the NSA, so what's the story here?

      That TOR is right. Even in countries that are not a far-from-my-bed dictatorship.

    • by Jartan (219704)

      The story here is that if you use Tor you might be flagging yourself as a "valid US target".

    • Re:non-issue (Score:5, Insightful)

      by flappinbooger (574405) on Friday June 21, 2013 @01:14PM (#44071563) Homepage

      You are supposed to use HTTPS only over Tor anyway and transmit no identifying data in other cases, respectively. Tor already assumes the existence of such an adversary as the NSA, so what's the story here?

      The way I see it, if you use the internet without TOR or VPN etc then everything is out in the open and the NSA logs everything and keeps everything IF OR UNTIL they determine you are a US citizen.

      Or, you can use TOR or VPN or whatever and the NSA will log everything and keep everything - and consider your actions suspicious.

      Moral of the story - If you use TOR or VPN for anything interesting you better make sure you do it right. If you don't use TOR or VPN then don't do anything interesting.

      • Yeah, I don't see this as surprising.

        If you're using TOR to try and conceal your country of origin, don't be surprised when a government agency which is allowed to spy on foreign communication might mistake your traffic for that of a foreign communication. The harder you make it to identify your communication as American, the less likely they are to legally 'ignore' your traffic.

    • You are supposed to use HTTPS only over Tor anyway and transmit no identifying data in other cases, respectively.

      Until the adversary starts issuing warrants for the private server certificate keys to the entities hosting the HTTPS services you accessed over Tor.

      Not only do you want to encrypt your Tor traffic, but you also want to only access services that are not under the jurisdiction of the adversary.

  • Aren't they violating the millennium act? I suppose that's only if they try to circumvent an encryption scheme....

    • by jamstar7 (694492) on Friday June 21, 2013 @12:39PM (#44071193)

      Aren't they violating the millennium act? I suppose that's only if they try to circumvent an encryption scheme....

      It's the government doing this. That makes it legal, sorta. At least it is sorta legal if you wanna bag them terrorrorrorrorrists.

      Personally, I think the terrorrorrorrorrists already won.

      • by Virtucon (127420)

        Shit, use the T-word now and you can get rid of all sorts of annoying problems. It's like that scene from "Cheech and Chong's Next Movie" where Paul Reubens (of Pee Wee Herman fame) is on the phone trying to get the police to come and arrest 'Los Guys' because they are doing a B&E to get the luggage.. (Funny Scene) anyway the cops are paying him lip service and he finally says "Look I think they're Iranians!" [youtube.com].. All of a sudden SWAT shows up with dozens of squad cars, megaphones blaring.... This was 198

      • by ducomputergeek (595742) on Friday June 21, 2013 @02:06PM (#44072173)

        After 9/11 there were things done that made sense, such as equipping airliners with armored cockpit doors and not allowing knives or axes or chainsaws in carry-on, but collectively we should have kept a stiff upper lip, rebuilt the damn towers 1 story higher and said "It's going to take more than that to change us". Instead we went whining and cowering to the corner, and those seeking more power seized the opportunity, telling us "they'd make us safe". I've read that line in enough history books to know whenever those in power start making that claim, bad things happen. Really bad things.

        If you want to live in a free and open society, the consequence of such is that sometimes people do bad things. That is the price of such a society. I think in my parents' and certainly my grandparents' generation they understood this. I put a lot of people off when I say this: but 3000 people die when bad guys crash planes into buildings. Well, maybe we should look at things like the cockpit doors and explore air marshal programs. But the Patriot Act? No thanks. If it means 3000 people have to die now and then compared to having to live in a surveillance state, then so be it. 3000 people have to die. It's the price of the very freedoms we claim we so desire. So when bad guys do bad things, let's as a society help those directly affected the best ways we can, but we're never going to be safe. It's a dangerous world. And we as a society in the US don't seem to want to wake up to that reality.

        Now I look around and wonder if Hobbes wasn't right: people are stupid and need to be ruled over by Kings. Because that's what it seems like people have been "wanting" these past 12 years...

  • by spacepimp (664856) on Friday June 21, 2013 @12:27PM (#44071041) Homepage
    They keep stretching the parameters and scope of what they can do. Of course that is only after they have been caught lying about the scope to begin with. Does anyone still believe them? I imagine quite soon they will start declaring that they need to have a back door to all encryption just in case you might do something wrong.
    • by OffTheLip (636691) on Friday June 21, 2013 @12:30PM (#44071083)
      Are you sure they "keep stretching the parameters and scope" or are we just learning the scope and depth of what they have already been doing?
      • by ganjadude (952775)
        Of course they are stretching it. I mean, they tell us what we can deal with, then we find out more, so they justify that, but down the road we find out even more, so they justify that. Where does it actually end is what I'd like to know.
        • "Where does it actually end is what I'd like to know"

          All your ass are belong to us! Set us up the BOMB!

      • by spacepimp (664856)
        A little of column A and a little of column B. Between changing the definitions to protect their lies, we are discovering the scope and the scope is being extended as well.
    • Unfortunately, apart from the ones that are anti-government all the time, yes...a great many people believe them. Hook, line, & sinker.
    • by dkleinsc (563838) on Friday June 21, 2013 @12:44PM (#44071265) Homepage

      Does anyone still believe them?

      Yes. And they're a part of the problem.

      • by ArcadeX (866171)
        They're only a problem if they vote or reproduce.... not much danger of the first one.
    • They keep stretching the parameters and scope of what they can do. Of course that is only after they have been caught lying about the scope to begin with. Does anyone still believe them? I imagine quite soon they will start declaring that they need to have a back door to all encryption just in case you might do something wrong.

      Are you new to the world, or is this sarcasm?

    • by Virtucon (127420)

      Does anyone still believe them?

      No.

  • by Anonymous Coward on Friday June 21, 2013 @12:28PM (#44071045)

    Combining the fragments of leaked information that are now public related to the NSA's programs and the legal authorities affirmed by the FISA courts and Attorney General Eric Holder, it's clear that the US government's surveillance apparatus has the potential to monitor a significant portion of US citizens' communications.

    Several reputable reports, including PBS' Frontline and NOW, have detailed the construction and operation of telecommunication interception facilities such as Room 641A. These types of facilities, which were deployed by 2003 and revealed to the general public by 2006, provide the NSA with the opportunity to access a large volume of telecommunications traffic. To use an analogy, imagine that several major mail sorting hubs in the US had "secret" rooms controlled by the NSA that all mail passed through.

    A significant portion of Internet traffic is encrypted. Online banking, Facebook, Twitter, Gmail, etc. utilize standard SSL encryption to provide security. To continue the analogy, while some internet traffic is unencrypted in much the same way that postcards are mailed all the time with their messages clearly visible, many "sensitive" online communications such as the aforementioned banking and social networking services encrypt communications, similar to the way that sensitive mail communications like bank statements are usually sent in envelopes and not on postcards.

    It is not politically palatable to suggest that US government agencies can and should surveil US citizens' telecommunications in any indiscriminate fashion, and there is no clear legal authority that would permit them to do so. In an interview with Charlie Rose that aired June 17, 2013, President Barack Obama said "...if you're a U.S. person then NSA is not listening to your phone calls and it's not targeting your e-mails unless it's getting an individualized court order."

    Under the original provisions of the 1978 Foreign Intelligence Surveillance Act (FISA), the US government does have authority to conduct surveillance of communications without a court order if the parties communicating are not United States persons. More recent amendments to FISA since September 11, 2001 have expanded the government's authority to conduct surveillance.

    It can be difficult to identify the geographic origin of telecommunications traffic. Tor, Virtual Private Networking, and Internet proxies provide ways for Internet users to "hide" their return addresses. There are all sorts of legal, legitimate uses for these technologies. For example, the 1996 Health Insurance Portability and Accountability Act (HIPAA) is widely interpreted to require hospitals to use encryption technologies such as Virtual Private Networks to protect confidential medical information if it is transmitted electronically between medical facilities.

    It is also incredibly difficult to determine the nationality of a user of a telecommunications network. For example, two non-US persons could be visiting the US and using a telecommunications network in the country or a US citizen could utilize a telecommunications network when traveling outside the US.

    There's an area where it helps to extend the envelopes vs. postcards analogy a bit: encryption is, in some ways, more like mailing a letter in a combination safe where only the sender, receiver, and safe company know the combination. The whole point of encryption is that it secures communications in such a way that even if someone intercepted an encrypted message, they couldn't read it unless they knew the secret combination to decode it.

    This leads to a couple of questions:

    1. If the US government is trying its best to restrict its surveillance to non-US persons, what does it do if it accidentally intercepts and reads communications from a US person?
    2. If a large volume of telecommunications traffic, particularly traffic that is of interest to the US government, is encrypted (e.g., in opaque envelopes/combination safes without return addresses), how is it possible for t
    • ... If the US government is trying its best to restrict its surveillance to non-US persons, what does it do if it accidentally intercepts and reads communications from a US person?

      Probably the same thing the Police and Federal Agencies do when they falsely arrest you. They say "Oops! So you didn't do anything wrong. But we are keeping all of your info in our database of criminals forever, just in case."

    • by TheNinjaroach (878876) on Friday June 21, 2013 @01:44PM (#44071887)

      Instead of cracking each encoded message they intercept, it would be much easier for the NSA to simply obtain the decryption codes directly from the central authorities like Symantec/VeriSign. This would greatly simplify the problem and would allow the NSA to instantly decode much of the encrypted communication it intercepts

      Symantec and VeriSign don't create the encryption keys. You do. The private key remains private. Their job is to simply add a trusted digital signature to the public key that you've produced.

  • Here's the catch, (Score:5, Informative)

    by Anonymous Coward on Friday June 21, 2013 @12:28PM (#44071053)
    " Where the NSA has no specific information on a person's location, analysts are free to presume they are overseas, the document continues."

    http://www.guardian.co.uk/world/2013/jun/20/fisa-court-nsa-without-warrant [guardian.co.uk]
    • " Where the NSA has no specific information on a person's location, analysts are free to presume they are overseas, the document continues." http://www.guardian.co.uk/world/2013/jun/20/fisa-court-nsa-without-warrant [guardian.co.uk]

      Great! so all they have to do is strip the locale info before handing the data to their analysts. One bounce through an offshore relay should do the trick.

    • by vettemph (540399)

      So ....guilty until proven innocent.

      It wouldn't work quite as well if everyone was considered a US citizen until proven otherwise, comrades.

      • It would work even better if non US citizens were not considered as subhuman.

        It's becoming a trend that every time the US government strips your rights they find a way to deny your citizenship (Anwar al-Awlaki & son) so that no one can complain.

        If you are American, you should stop excusing injustices if they don't seem to happen to "proper US citizens".

  • encryption (Score:5, Funny)

    by Anonymous Coward on Friday June 21, 2013 @12:31PM (#44071085)

    use TOR to send copies of 1984

  • by Hatta (162192) on Friday June 21, 2013 @12:32PM (#44071109) Journal

    Yes, using Tor is going to attract attention. That's why we need as many people as possible to use Tor, to decrease the signal to noise ratio. If you have nothing to hide, you should be using Tor to help protect those who do.

  • by DeathToBill (601486) on Friday June 21, 2013 @12:34PM (#44071123) Journal
    That's such a comfort to the rest of us.
  • by steelfood (895457) on Friday June 21, 2013 @12:34PM (#44071125)

    I think this is reasonable in the context of communications monitoring. TOR exit nodes are often not in the U.S., and it's reasonable to expect that traffic coming out of a TOR exit node may not originate from the U.S. I don't support this massive data collection in general, but I don't see why TOR traffic wouldn't be expected to raise red flags.

    That having been said, I'm not sure where the fire is. Unless you're stupid enough to log into your own accounts (which contain identifying information) via TOR, they can collect all they want, but they'll never tie it back to you.

    Now, could they theoretically track your traffic back to its origin if they have a complete picture of the network? It's possible, but they can only do a positive ID when there's not much TOR traffic, especially near your physical location, to begin with. That's where security by obscurity comes into play.

    • by joe_frisch (1366229) on Friday June 21, 2013 @12:48PM (#44071289)

      If the NSA is operating the majority of TOR nodes does that make it easier for them to identify your location? Remember that they have a rather large computer budget.

      • by tylikcat (1578365)

        Yes. My recollection is this is the canonical method of circumventing Tor - and the US government has always been the actor in the best position to do this.

        Running Tor is good. Running Tor exit nodes is even better, but you probably don't want to do that at home, at least at home in the US.

    • by plover (150551) on Friday June 21, 2013 @02:29PM (#44072427) Homepage Journal

      It doesn't take much of a slip-up to reveal your identity.

      Look at Panopticlick [eff.org] from the EFF. They can uniquely identify most computers just from the fingerprints in the browser - your collection of fonts, browser plug-ins, and other customizations are usually unique to one machine. So if you ever used Google and did anything that identifies yourself, such as purchased something online and had it shipped to your house, and you later use that same browser through Tor and surf to any site they are observing, or through any exit node under their scrutiny, or to any site loading javascripts from an NSA collaborator such as Google, they would be able to associate your anonymous activities with your identified session. (Ironically, an iPad or iPhone is usually very generic because Apple doesn't allow Safari to be modified. However, they still accept cookies and have no deliberate provisions for anonymity.)

      We also have evidence that the intelligence agencies already understand this, and are actively using such information. The Gauss malware installs a font named Palida Narrow, which enables any site you visit to surreptitiously check to see if you're infected with Gauss. It's the same idea and the same mechanism.

      To safely use Tor, you really need to be careful. You need a stock generic browser, launched from a clean OS image, and you should hope many other people are doing the same. A browser that returns randomly varying attributes to every request would be useful. Block flash, block cookies, and block javascript and all scripts entirely - you don't want Google Analytics or any of the thousand other profiling services to accidentally tag you. You need to connect from varying locations, none of which are your home. A wifi card that allows you to set a random MAC may help. And you likely need to do more - I certainly don't know everything they can observe.
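The linking risk described in the comment above, as an added example that is not part of the original thread: it groups browser sessions by the attributes a site can read and shows that a customized browser reused over Tor matches exactly one earlier identified session, while a stock browser stays in a larger anonymity set. All session records, attribute values and names such as `shopper-A` and `tor-1` are constructed for illustration.

```javascript
// Added illustration. All session records are constructed sample data.
// Attributes a site (or an embedded third-party script) can read from a browser.
const ATTRS = ["userAgent", "fonts", "plugins", "timezone", "screen"];

// Canonical fingerprint string; list-valued attributes are sorted so that
// enumeration order does not change the result.
function fingerprintKey(session) {
  return ATTRS.map((a) => {
    const v = session[a];
    return a + "=" + (Array.isArray(v) ? [...v].sort().join(",") : String(v));
  }).join("|");
}

// Group sessions into anonymity sets: all sessions sharing one fingerprint.
function anonymitySets(sessions) {
  const sets = new Map();
  for (const s of sessions) {
    const k = fingerprintKey(s);
    if (!sets.has(k)) sets.set(k, []);
    sets.get(k).push(s);
  }
  return sets;
}

// Identifying information in bits: log2(N / size of the anonymity set).
// A fingerprint never seen in the population has no finite value here.
function surprisalBits(session, population) {
  const set = anonymitySets(population).get(fingerprintKey(session)) || [];
  return set.length === 0 ? Infinity : Math.log2(population.length / set.length);
}

// For each anonymous session, list the identified users whose browser shows
// the same fingerprint. The link is unambiguous only with one candidate.
function linkSessions(identified, anonymous) {
  const sets = anonymitySets(identified);
  return anonymous.map((s) => {
    const matches = sets.get(fingerprintKey(s)) || [];
    const candidates = [...new Set(matches.map((m) => m.who))].sort();
    return { session: s.session, candidates, linked: candidates.length === 1 };
  });
}

// Constructed profiles: a stock browser and a heavily customized one.
const STOCK = {
  userAgent: "StockBrowser/1.0", fonts: ["Arial", "Times"],
  plugins: [], timezone: "UTC", screen: "1000x800",
};
const CUSTOM = {
  userAgent: "StockBrowser/1.0",
  fonts: ["Arial", "Times", "Comic Neue", "Fira Code"],
  plugins: ["pdf-viewer", "media-helper"], timezone: "UTC-5", screen: "1920x1080",
};

// Sessions where the user identified themselves (for example, a purchase).
const identified = [
  { who: "shopper-A", ...CUSTOM },
  ...["B", "C", "D", "E", "F", "G", "H"].map((x) => ({ who: "shopper-" + x, ...STOCK })),
];
// Later sessions seen arriving from a Tor exit, with no login at all.
const anonymous = [
  { session: "tor-1", ...CUSTOM, fonts: [...CUSTOM.fonts].reverse() },
  { session: "tor-2", ...STOCK },
];

for (const r of linkSessions(identified, anonymous)) {
  console.log(r.session, r.linked ? "-> " + r.candidates[0]
    : "-> one of " + r.candidates.length + " users");
}
console.log("custom:", surprisalBits(CUSTOM, identified).toFixed(2),
  "bits; stock:", surprisalBits(STOCK, identified).toFixed(2), "bits");
```

The network path plays no part in the match: only the browser attributes do, which is why the comment's advice centers on a stock browser that many other people also run.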

  • by arf_barf (639612) on Friday June 21, 2013 @12:35PM (#44071143)

    It's always true. Just send your communications directly to NSA and a bunch of other people (from a SPAM list) and ask to have it forwarded to the final recipient. It's unlikely that it will get flagged as a potential threat....

  • Technicalities (Score:5, Insightful)

    by organgtool (966989) on Friday June 21, 2013 @12:36PM (#44071151)
    In other words, since they don't know who you are and can't positively confirm that you are a U.S. citizen, then they claim they are not bound to uphold your Fourth Amendment rights despite the fact that they are likely able to confirm that you are currently located in the U.S. I'm not sure that logic would hold up in court and I hope they are challenged on this.
    • Does this technicality allow the U.S. government to open sealed First Class mail whenever it likes? Sure, it's a domestic delivery, but we haven't confirmed that both the sender and the intended recipient are U.S. citizens.

  • Attach an email sig line that is the ciphertext of some small paragraph from Google News.

  • by bill_mcgonigle (4333) * on Friday June 21, 2013 @12:45PM (#44071275) Homepage Journal

    yeah, the encrypted data bit is interesting (who doesn't use opportunistic TLS on SMTP these days?) but here's the bigger problem:

    Section 5 -- Domestic Communications (U)

    A communication identified as a domestic communication will be destroyed upon recognition unless the Director (or Acting Director) of NSA specifically determines, in writing, that: (S) ...

    (2) the communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed such communication may be disseminated (including United States person identities) to appropriate Federal law enforcement authorities, in accordance with 50 U.S.C. 1806(b) and 1825(c), Executive Order No. 12333, and, where applicable, the crimes reporting procedures set out in the August 1995 "Memorandum of Understanding: Reporting of Information Concerning Federal Crimes," or any successor document. Such communications may be retained by NSA for a reasonable period of time, not to exceed six months unless extended in writing by the Attorney General, to permit law enforcement agencies to determine whether access to original recordings of such is required for law enforcement purposes; (8)

    That's it, no questions left, the NSA is involved in domestic surveillance of US Citizens for law enforcement purposes. It's as if the Church Committee never existed.

    Considering the ease of writing those two required letters and the current state of law breaking in the United States [amazon.com], it's easy to see how bureaucrats could take the guidelines as written and 'reasonably determine' that all domestic communications need to be stored in perpetuity.

    Assuming anything else is to assume a level of generosity and restraint on the part of the intelligence agencies that each day we find ourselves more foolish to do.

    • Such communications may be retained by NSA for a reasonable period of time, not to exceed six months unless extended in writing by the Attorney General, to permit law enforcement agencies to determine whether access to original recordings of such is required for law enforcement purposes.

      "A simple question, Mr. Holder: how many of these extensions have you and your miserable predecessors rubber stamped? I'm putting the final touches on your Contempt of Congress while you ponder about lying. Again."

  • I don't see how with the current form of government that's been perverted and the people in power.

    Will it take 20M people marching on DC or a coup or ???.

    • I think you're underestimating how popular it is to have the NSA looking at encrypted communication. Most Americans are just fine with the NSA spying on foreigners.
      • by Nutria (679911)

        Have you forgotten that "spying on foreigners" is what countries *do*, and have done since civilizations got big enough to bump into one another?

  • by HalcyonBlue (596712) on Friday June 21, 2013 @12:57PM (#44071383)
    -----BEGIN PGP MESSAGE----- wYwDnjZmSa5jm10BA/9tq+tFZW7ZTwWorCU2PJ5RWkhiefDCt0GCxVlg1MPa zkj6bUvN99JdyZZtbsQ3xxz7ugvNPL3cydtnX6Hwn9I/BGqZDYB7ki6UBaY1 uT1T5ZQd28WhLd5Bs4JRr5kc9WCuQf5KdZa9WCO/9UItlsmCakYglJxmVSNy 0XHuJrl3k9JiAR8cYQurOOe3LWKMf8Ytewx4iZquuh0wLwrUs14Zy8G+dkcP C66rRlOIw8S0TqeLd8CoHcEaYPu9osnR5+V3Nz31AoOTgYV5FbkRsV6c6HIs 7byyAyg87jk9Hfu9Zbajfec= =MgO6 -----END PGP MESSAGE-----
  • by conspirator23 (207097) on Friday June 21, 2013 @12:59PM (#44071401)

    Many moons ago, people used to stuff all kinds of ridiculous claptrap in their Usenet .sig lines to "clog the NSA monitors." Keywords like nuclear, communist, peace, soviet, blah blah blah blah. It was a fairly useless exercise whether the underlying suspicions were true or not.

    The execution was amateurish, but today's news proves that the principle is worth exploring further. Software developers need to stop talking the talk and make a more concerted effort to transparently encrypt all the network communication conducted by their applications, their mail systems, their social media platforms, whatever. The cypherpunk community has long pooh-poohed allowing "weak" encryption to become entrenched and create a false sense of security. But this "security through purity" approach has resulted in the abject failure of the widespread adoption of encryption at all levels. Can we not find some sort of barely acceptable common standard and just start routinely implementing it and make the marketing people figure out how to describe it as a sexy feature?

  • "Inadvertent" (Score:5, Insightful)

    by Vainglorious Coward (267452) on Friday June 21, 2013 @12:59PM (#44071405) Journal
    NSA agents are not allowed to eat cookies. However, they may take items from the cookie jar and place them in their mouths to determine whether they are cookies. Any cookies which are inadvertently swallowed may be retained.
  • Extended to the physical mails, it is analogous to deeming all sealed letters and other private mail to be suspicious and in need of permanent archiving, and so creating Postal Bots that open each letter, photocopy its contents, then reseal it until the Government decides it wants to devote the resources to looking it up and reading it.

    In the email case the saving is easier, and the reading is harder than with physical mail but they both accomplish the same task (treating private mail as government proper

  • what about encrypted chat?

    And in the event that an intercepted communication is later deemed to be from a US person, the requirement to promptly destroy the material may be suspended in a variety of circumstances. Among the exceptions are "communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis."

  • by jfengel (409917) on Friday June 21, 2013 @03:09PM (#44072777) Homepage Journal

    A torrentor who Tor'd some torrent
    Tried to tutor two torrentors to Tor
    Said the two to the tutor
    Is it harder to Tor
    Than to torrent two torrents over Tor?

