XKeyscore: The NSA program that collects ‘nearly everything’ that you do on the internet
XKeyscore itself consists of 700 servers (running Linux!) situated at 150 different sites around the world, which are constantly scanning and indexing intelligence accrued by the NSA’s data gathering tools (which are separate from XKeyscore). As far as we can tell, the data gathering tools are themselves a massive network of servers located in data centers around the world. These servers intercept and analyze data that traverses the internet and other communications networks. The bulk of what a typical user does on the internet is transmitted via HTTP (hypertext transfer protocol), and it’s relatively trivial to scoop the interesting data out of an HTTP packet. When you send an IM on Facebook, XKeyscore will have no problem working out who the sender and recipient are and what the body of the message says. Likewise, when you use a webmail client like Gmail or Hotmail, the sender, recipient, CC, BCC, subject, and body are all easily accessible via HTTP packet sniffing.
As for where the NSA gets this data from, there are three sources: F6 (aka the Special Collection Service), FORNSAT (foreign satellite collection), and SSO (the Special Source Operations division). F6 places eavesdropping equipment in foreign embassies, data centers, and other important communications hubs; FORNSAT intercepts data from foreign satellite links; and SSO deals with everything else, such as cable and microwave taps.
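To show why the article calls this "relatively trivial", here is an added illustration (not part of the original article or of any NSA tooling) that parses a constructed, made-up webmail "send" request as it would appear on an unencrypted link and pulls out exactly the fields the article lists. The form field names, the host name and the message contents are all assumptions; the point is that with plain HTTP there is nothing to break, only text to read, which is the risk that HTTPS removes.

```python
from urllib.parse import parse_qs
from typing import Dict, Tuple

# Constructed sample: a plaintext HTTP POST from a fictional webmail client.
# Field names (from/to/cc/bcc/subject/body) and host are assumptions.
SAMPLE_BODY = (
    "from=alice%40example.invalid&to=bob%40example.invalid&cc=&"
    "bcc=carol%40example.invalid&subject=Lunch%3F&body=Noon+at+the+usual+place"
)
SAMPLE_REQUEST = (
    "POST /mail/send HTTP/1.1\r\n"
    "Host: webmail.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

def split_http_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def extract_mail_metadata(raw: str) -> Dict[str, str]:
    """Return the message fields a passive observer of plaintext HTTP can
    read directly. Only form-encoded bodies are handled; anything else
    (no body, other content types) yields an empty dict."""
    _, headers, body = split_http_request(raw)
    ctype = headers.get("content-type", "")
    if not body or not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body, keep_blank_values=True)
    wanted = ("from", "to", "cc", "bcc", "subject", "body")
    return {k: fields.get(k, [""])[0] for k in wanted}

if __name__ == "__main__":
    for key, value in extract_mail_metadata(SAMPLE_REQUEST).items():
        print(f"{key:8} {value!r}")
```

Run against a TLS-protected connection, the same observer sees only the destination host and encrypted records, so none of these fields can be recovered by simple parsing.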
How XKeyscore extracts information from HTTP sessions
Combined, these three sources harvest an almost-incomprehensible amount of data. According to the leaked slides, some sites produce so much data (20+ terabytes) that they only have space to store it for 24 hours. (Most of these slides are from 2008, though, so they may have upgraded their storage capacity since then.) As of 2012, there were 41 billion records available for analysis by XKeyscore within any given 30-day window.
To use the XKeyscore (XKS) system, an NSA analyst taps in a few search parameters and a “justification” (i.e. no formal warrant is required), and presses Enter. XKS can be queried by email or IP address, name, telephone number, keyword, language, or even the type of web browser. If the search returns an email or IM hit, the analyst can instantly view the contents of that message. Presumably there are other tools/viewers for other kinds of data. Because there’s so much data available, the NSA slides recommend that analysts narrow down their search results using the metadata first.
The slides say that, as of 2008, 300 terrorists had been caught with intelligence from XKS. The 2008 slides also list “future” capabilities including VoIP and EXIF parsing (EXIF being the metadata associated with images, which can contain geolocation data).
What about HTTPS?
To be entirely honest, it isn’t all that surprising that XKS exists. Given the way the internet and its protocols work, it’s relatively easy to eavesdrop on most internet-based communications, and eavesdropping is essentially what the NSA was created for. It is also highly likely that, as with Prism, other Western nations have access to XKS, or to their own XKS-like systems.
What is surprising is that the slides seem to suggest that VPNs and encrypted links may not be secure. “Show me all PGP usage in Iran” and “Show me all VPN startups in country X, and give me the data so I can decrypt and discover users” seem to be functions available to analysts using XKS. This isn’t a direct admission they’ve broken ciphers such as AES-256 and 3DES, but it would seem that they’ve found some exploitable weaknesses.
This leads us to another important question: Can the NSA eavesdrop on HTTPS traffic? In recent years, many web services have moved to HTTPS as standard (such as Gmail), and in theory the encryption should keep your data safe from prying eyes. As of 2012, though, despite the widespread adoption of HTTPS, XKS still seems to be working as intended. Has the NSA cracked HTTPS? Has the NSA somehow obtained the root SSL certificates from the likes of Symantec and Comodo, so that it can perform man-in-the-middle (MITM) attacks on any website that uses HTTPS?
If HTTPS, PGP, and VPNs have been compromised, and if the NSA really has its insidious tentacles hooked into fiber-optic cables, microwave links, and foreign satellite links, there is almost no way of using the internet or any other communications network without the American and other Western governments snooping on you.