Technology – Digital Citizenship and Surveillance Society
https://dcssproject.net
UK State-Media-Citizen Relations after the Snowden Leaks
Wed, 28 Nov 2018 12:14:34 +0000

KARMA POLICE
https://dcssproject.net/karma-police/
Fri, 04 Mar 2016 09:09:57 +0000

KARMA POLICE, The Intercept

Purpose:

KARMA POLICE is a mass surveillance programme that collects web-browsing habits from “every visible user on the Internet”. It is used to build profiles of the web browsing histories of people whose traffic is unencrypted (e.g. who are not using a Virtual Private Network or a service such as Tor). The programme keeps a record of all websites visited, including social media and news websites, search engines, chat forums, and blogs (INT01). It requires the interception of data from the fibre-optic cables that carry Internet data and communications around the globe. The system then analyses metadata that reveals people's behaviour and activities online.

Capabilities (INT01):

  • Creates profiles of web-browsing habits
  • Analyses instant messenger communications, emails, Skype calls, text messages, cell phone locations, and social media interactions.
  • Watches for “suspicious” Google searches and use of Google Maps.

Exploitation of:

  • Metadata

Data extraction sources:

  • Unencrypted Internet traffic, principally HyperText Transfer Protocol (HTTP) activity. HTTP carries requests and responses in the clear, so a passive observer on the path sees the hostname, the full URL (including search terms), cookies and any submitted form content.
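As an added example (not from the original page or from The Intercept's reporting), the following Python script shows what a passive tap on unencrypted HTTP can extract: it parses a constructed capture of request headers and builds a per-client profile of hosts visited, site categories, search terms, cookies and any credentials posted in the clear. The sample requests, hostnames and the category table are all constructed for the illustration; a real collector would first reassemble TCP streams from packets.

```python
"""Per-client browsing profiles from plaintext HTTP requests seen on the wire.

Added illustration of what a passive observer can extract without touching
the endpoints. The capture below is constructed; hostnames are invented.
"""
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample capture: (client address, raw HTTP/1.1 request as text).
CAPTURED_REQUESTS = [
    ("203.0.113.7", "GET /news/world HTTP/1.1\r\nHost: www.example-news.org\r\n"
                    "User-Agent: Mozilla/5.0\r\nCookie: uid=abc123\r\n\r\n"),
    ("203.0.113.7", "GET /search?q=how+to+use+tor HTTP/1.1\r\nHost: search.example.com\r\n"
                    "Cookie: sid=zzz9; uid=abc123\r\n\r\n"),
    ("203.0.113.7", "GET /forum/thread/42 HTTP/1.1\r\nHost: chat.example-forum.net\r\n\r\n"),
    ("198.51.100.23", "POST /login HTTP/1.1\r\nHost: social.example.com\r\n"
                      "Content-Type: application/x-www-form-urlencoded\r\n"
                      "Content-Length: 21\r\n\r\nuser=bob&pass=hunter2"),
    ("198.51.100.23", "GET /maps?q=Cardiff HTTP/1.1\r\nHost: maps.example.com\r\n\r\n"),
]

# Assumed category table (hypothetical hostnames); a real system would use a large one.
CATEGORIES = {
    "www.example-news.org": "news",
    "search.example.com": "search engine",
    "chat.example-forum.net": "chat forum",
    "social.example.com": "social media",
    "maps.example.com": "maps",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def query_terms(path):
    """Search terms travel in the URL in the clear; return the 'q' parameter if present."""
    _, _, query = path.partition("?")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "q":
            return unquote_plus(value)
    return None


def build_profiles(captured):
    """Group what each client address did: hosts, categories, searches, cookies, credentials."""
    profiles = defaultdict(lambda: {
        "hosts": Counter(), "categories": Counter(),
        "searches": [], "cookies": set(), "plaintext_credentials": []})
    for client_ip, raw in captured:
        method, path, headers, body = parse_request(raw)
        host = headers.get("host", "?")
        profile = profiles[client_ip]
        profile["hosts"][host] += 1
        profile["categories"][CATEGORIES.get(host, "other")] += 1
        term = query_terms(path)
        if term is not None:
            profile["searches"].append(term)
        # Cookie values persist across visits, so they tie requests together
        # even when the client address changes.
        if "cookie" in headers:
            profile["cookies"].update(c.strip() for c in headers["cookie"].split(";"))
        # A form POST over HTTP exposes content (here a password), not only metadata.
        if method == "POST" and "pass=" in body:
            profile["plaintext_credentials"].append(body)
    return dict(profiles)


if __name__ == "__main__":
    for ip, profile in build_profiles(CAPTURED_REQUESTS).items():
        print(ip, dict(profile["hosts"]), dict(profile["categories"]),
              profile["searches"], sorted(profile["cookies"]))
```

With HTTPS the same tap would see only the server name in the TLS handshake plus packet sizes and timing; the URL path, query string, cookies and form fields in this profile are all lost to it, which is why the page restricts KARMA POLICE's profiling to unencrypted browsing.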

Combined with other state surveillance tools:

TEMPORA – fibre-optic cable tapping

Layers of operation:

  • Application layer
  • Social Layer

Background:

KARMA POLICE was created by Government Communications Headquarters (GCHQ) approximately seven years before The Intercept reported on it in 2015 (INT01). The programme collects data in bulk and is not targeted at specific individuals. The metadata is stored in a repository called Black Hole for between 30 days and six months.

Sources:

The Intercept (INT)
1) PROFILED: From Radio to Porn, British Spies Track Web Users’ Online Identities
https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/

Anonymous Remailers
https://dcssproject.net/anonymous-remailers/
Fri, 04 Mar 2016 09:08:48 +0000

Purpose:

www.crypto.is – remailers explained <https://crypto.is/blog/what_is_a_remailer>.

Anonymous remailers can be used to hide information about the sender of email by re-sending the email through a series of nodes that are connected in a chain thus hiding the originating location. The aim of remailers is to protect the anonymity of people who may find themselves in a variety of situations such as [CRP01]:

  • Individuals who don’t trust their Internet Service Provider or Network Administrator
  • Consumers, who want to send feedback on a product or service
  • Activists, protesting against political issues and local concerns
  • Journalists, who want to correspond with a source without exposing the source, or being tracked down themselves.
  • Whistleblowers, who want to report illegal activity of a co-worker, government or company
  • Law Enforcement, who want to communicate with confidential sources or undercover agents without risking their operational security
  • Researchers and Survey Participants, who don’t want to expose their opinions on sensitive topics

Capabilities:

There are four types of remailers [VAN01].

  • Type I (Cypherpunk) – removes identifying information from the header, such as the sender address, and originating IP address of an email that is either encrypted or plain text. Messages can be sent through several different servers in a chain so that each remailer will not know who is sending a message to whom. Type I remailers do not keep logs of transactions. In addition, messages cannot be answered.
  • Type II (Mixmaster) – requires a client program, used at the command line or through a minimal third-party graphical user interface, to compose emails that are then sent to a remailer server. Type II remailers can only send email one way. They use a mix network: a chain of relay servers called ‘mixes’, each of which collects messages from many sources into a batch and sends them on in a random order to the next mix, so that the link between a message’s source and its destination is broken. Messages are relayed between nodes at the application layer using the Simple Mail Transfer Protocol (SMTP).
  • Type III (Mixminion) – can be used both to send and to receive anonymous email and was designed to address some of the limitations of Type II. Like Type II it uses a mix network, but the links between Mixminion nodes are encrypted with Transport Layer Security (TLS) rather than relying on plain SMTP relaying, so an observer on the wire cannot read or match packets between hops (final delivery to the recipient still uses ordinary email). The design [Danezis et al., 2003] also adds replay prevention (a mix remembers packets it has already processed and drops duplicates), periodic rotation of mix keys to limit the damage of a compromised key, and single-use reply blocks that let a recipient answer without learning the sender’s address.
  • Pseudonymous remailers – strip the sender’s email address, assign a pseudonym in its place and pass the message to the intended recipient, who can reply to the pseudonym via the remailer. The remailer keeps a database mapping each pseudonym to instructions for returning messages to the real user. Popular websites such as Gumtree use the same idea as email masking [GUM01], replacing real addresses with pseudonyms so that users can communicate back and forth through the site. This commercial use differs from a nym server (pseudonym server), which provides untraceable email addresses where neither the nym server operator nor the operators of the remailers involved can discover which nym corresponds to which real identity.
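The Type II/III mechanism described above, as an added example that is not part of the original page or of the Mixmaster or Mixminion code: a sender wraps a message in one encryption layer per mix, and each mix removes only its own layer, batches what it has received, shuffles the batch and forwards it. The script records what each mix learns, which is just the previous hop and the next hop. Assumptions for the illustration: mixes share a symmetric key with senders (real mixes publish public keys in a directory), the cipher is a SHAKE-256 pad (a toy, not a production cipher), and mix names, the recipient address and the messages are constructed.

```python
"""Onion-wrapped messages through a chain of batching, shuffling mixes.

Added illustration of the mix-network idea behind Type II/III remailers.
Each mix holds a key with which the sender seals one layer; the mix can
remove only that layer, so it sees just the previous hop and the next hop.
"""
import hashlib
import json
import secrets
from collections import defaultdict


def xor_pad(key, nonce, data):
    """Toy encryption: XOR with a SHAKE-256 stream derived from key and nonce."""
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + xor_pad(key, nonce, plaintext)


def unseal(key, sealed):
    return xor_pad(key, sealed[:16], sealed[16:])


def build_onion(route, recipient, body, mix_keys):
    """Wrap body so each mix in route peels one layer; returns (first hop, sealed packet)."""
    layer = {"next": recipient, "payload": body.hex()}      # what the last mix sees
    sealed = b""
    for mix in reversed(route):
        sealed = seal(mix_keys[mix], json.dumps(layer).encode())
        layer = {"next": mix, "payload": sealed.hex()}        # what the mix before it sees
    return route[0], sealed


class Mix:
    def __init__(self, name, key, batch_size):
        self.name, self.key, self.batch_size = name, key, batch_size
        self.pool = []   # messages waiting for the batch to fill
        self.log = []    # (previous hop, next hop): all this mix ever learns

    def receive(self, prev_hop, sealed):
        layer = json.loads(unseal(self.key, sealed))
        self.pool.append((prev_hop, layer["next"], bytes.fromhex(layer["payload"])))
        return self.flush() if len(self.pool) >= self.batch_size else []

    def flush(self):
        batch, self.pool = self.pool, []
        secrets.SystemRandom().shuffle(batch)   # output order is unrelated to arrival order
        self.log.extend((prev, nxt) for prev, nxt, _ in batch)
        return [(nxt, payload) for _, nxt, payload in batch]


def run_network(mixes, submissions):
    """Deliver (sender, first mix, packet) submissions; returns recipient -> list of bodies."""
    delivered, queue = defaultdict(list), list(submissions)
    while True:
        while queue:
            prev_hop, dest, data = queue.pop(0)
            if dest in mixes:
                queue.extend((dest, nxt, p) for nxt, p in mixes[dest].receive(prev_hop, data))
            else:
                delivered[dest].append(data)
        pending = [m for m in mixes.values() if m.pool]   # timed flush of partial batches
        if not pending:
            return dict(delivered)
        for m in pending:
            queue.extend((m.name, nxt, p) for nxt, p in m.flush())


def demo(n_messages=3, batch_size=3):
    """Send n constructed messages from distinct senders through the same three-mix chain."""
    mix_keys = {name: secrets.token_bytes(32) for name in ("mixA", "mixB", "mixC")}
    mixes = {name: Mix(name, key, batch_size) for name, key in mix_keys.items()}
    route = ["mixA", "mixB", "mixC"]
    submissions = []
    for i in range(n_messages):
        body = f"message {i} from sender{i}".encode()
        first_hop, packet = build_onion(route, "recipient@example.org", body, mix_keys)
        submissions.append((f"sender{i}", first_hop, packet))
    return run_network(mixes, submissions), mixes


if __name__ == "__main__":
    delivered, mixes = demo()
    print(delivered)
    for m in mixes.values():
        print(m.name, "saw only:", m.log)
```

Only the first mix ever sees a sender name and only the last mix ever sees the recipient; the middle mix sees nothing but mixA on one side and mixC on the other, and its shuffled output order prevents matching its inputs to its outputs by position. The batch size is the trade-off the page's threat-modelling bullet refers to: larger batches hide more but delay delivery.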

Surveillance mitigation:

  • Anonymity – mix routing and nym servers strip identifying information replacing it with either a pseudonymous or anonymous name along with a proxy server IP address.

Vulnerabilities:

  • Usability – There is a learning curve to using anonymous remailers [LBT01] because the clients are command-line tools. QuickSilver Lite provides a graphical user interface [QSL01], but it is quite basic. A web interface is also available [PRW01], but it is less secure: the website operator, or anyone watching the website, can see the originating IP address unless the person is using Tor [PRW02]. It is more secure to install the client directly on the machine used to send the email, but that takes a level of technical skill and confidence that ordinary users may not possess: someone who wants to use Mixmaster needs to know how to install and configure the software on a UNIX-like operating system.
  • Threat modelling – Users of anonymous remailers have to decide for themselves the level of technical security they require, expressed as the number of ‘chain’ hops (relay servers) an email passes through before reaching its destination. They also need to specify how many redundant copies of the email are sent to ensure that at least one makes it through the mix network.
  • Data loss – Emails can get lost in the mix network and as a result may never reach their intended destination.

Layer of interaction:

  • Application layer: Simple Mail Transfer Protocol (SMTP) – Type II remailers.
  • Transport layer: Transport layer security (TLS) – Type III remailers.

Background:

The first anonymous remailer appeared in the early 1990s as the Penet remailer, at anon.penet.fi [LEN01]. It was widely used, but the service had a number of weaknesses, including storing the real email addresses that were mapped to anonymous ones. The remailer was also compromised through several technical attacks. Additionally, it was required to reveal information about a user who posted copyrighted documents from the Church of Scientology to a newsgroup in 1995. The operator eventually shut down the service due to legal concerns and privacy issues [IAC01].

Since the Snowden revelations, and with the emergence of the ‘real-name paradigm’ in which online identity mirrors the real world, as on Facebook, Twitter and other social media [INF01], people have become increasingly interested in technical resources that provide anonymity, and the remailer provides this capability.

Sources:

Crypto.is (CRP)

1) https://crypto.is/blog/what_is_a_remailer

Danezis, G., Dingledine, R., Mathewson, N. (2003) Mixminion: Design of a Type III Anonymous Remailer Protocol. In IEEE Symposium on Security and Privacy, Berkeley, CA, 11-14 May 2003.
http://www.mixminion.net/minion-design.pdf

Gumtree

1) http://gumtree.force.com/Help/articles/General_Information/Anonymised-emails

The Information (INF)

1) https://www.theinformation.com/History-Holds-Tough-Lessons-for-Anonymous-Services

InfoAnarchy (IAC)

1) http://www.infoanarchy.org/en/Anonymous_remailer


Leavitt, N. (LEN)
Anonymization Technology Takes a High Profile. 2009. IEEE Computer.
1) http://leavcom.com/articles/ieee_nov09.php

Light Blue Touchpaper (LBT)

1) https://www.lightbluetouchpaper.org/2014/04/03/current-state-of-anonymous-email-usability/

Mixmaster (MIX)

1) http://mixmaster.sourceforge.net/faq.shtml

Mixminion (MIM)

1) http://mixminion.net

Paranoia remailer web interface (PRW)

1) https://webmixmaster.paranoici.org/mixemail-user.cgi

2) https://webmixmaster.paranoici.org/webinfo.txt

QuickSilver Lite (QSL)

1) https://www.quicksilvermail.net

Vanish (VAN)

1) http://www.vanish.org/anonymity/remailers.htm

Glossary (GLO)

1) http://whatismyipaddress.com/email-header

2) http://techterms.com/definition/command_line_interface

Public Key Encryption
https://dcssproject.net/public-key-encryption/
Fri, 04 Mar 2016 09:08:48 +0000

Purpose:

The GNU Privacy Guard (GPG) logo.

Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) are both public-key cryptographic software packages used to authenticate the identity of people sending messages and to encrypt and decrypt email messages and documents. The key difference between the two is licensing: PGP is paid-licence software owned by Symantec, whereas GPG is released under the GNU General Public License, meaning that the code can be modified, used and distributed free of charge. PGP and GPG are both OpenPGP compliant [OPP01], implementing the Internet Engineering Task Force (IETF) standard for the message format and algorithms (RFC 4880) [IET01], which ensures that they are interoperable: a message sent by one can be read by the other.

Another implementation for email encryption is S/MIME (Secure/Multipurpose Internet Mail Extensions). It is an alternative to PGP/GPG used mostly by businesses with large corporate computing infrastructures, and is built into the email packages and web browser software offered by IBM, Microsoft and other vendors. It differs from PGP/GPG in that correspondents do not exchange personal keys directly; instead each holds a certificate issued by a certificate authority that both sides trust [DFB01].

The aim of all of these is to enhance privacy by enabling people to sign, encrypt and decrypt electronic data, protecting the content of emails to ensure that third parties cannot read email communications.

Software applications

Software that uses public-key encryption, or is commonly used alongside it, includes:

  • TrueCrypt – a discontinued freeware utility used to create a hidden encrypted virtual disk within an operating system such as Windows, Mac OS, and Linux. It is not a protocol for sending secure email over the network but a method for encrypting documents on a computer, which may then stay there or be sent as attachments. It uses on-the-fly encryption (OTFE), where data is automatically encrypted as it is saved to the hard drive. Note that TrueCrypt itself does not use public-key cryptography: volumes are protected with symmetric ciphers (AES, Serpent, Twofish) under a key derived from a password and optional keyfiles.
  • LEAP – a free, open source email encryption system that works by providing a local proxy that a standard email client connects to [FPF01]. Rather than people maintaining their own encryption keys, a proxy service provider automatically encrypts email sent through it. In addition, if people do have their own public keys these will automatically be discovered and validated so that only that person will be able to read the email [LAP01]. It is less secure than holding one’s own key, as the service provider has access to both the metadata and forwarding information [FPF01]. The system is meant to be usable, and with usability comes a certain amount of insecurity, in this case by providing encryption in a ‘user-friendly’ manner through the Bitmask application [LAP01]. It has created new protocols [LAP02]: Soledad (server daemon), Bonafide (secure user registration, authentication, and provider discovery), and Key Management (new rules for validation) [LAP03].
  • Mailpile – a front-end email client that uses a webmail interface to provide encryption by default [MPE01]. It downloads all email from an email server onto the computer with an option to run it on a cloud service. Even if the email server used is a commercial product like Gmail or Yahoo the contents of emails would still be stored there, however, it would be encrypted [MPE01].
  • Enigmail – an extension used in the email client Mozilla Thunderbird and SeaMonkey that uses OpenPGP public key e-mail encryption and digital signatures. It requires users to first set up their own GPG or PGP keys. After installation Enigmail integrates digital signing and encryption of email directly from the Thunderbird email client in a user-friendly manner.

Capabilities:

  • Public-key cryptography – used in PGP/GPG and S/MIME. It is an asymmetric scheme with two mathematically linked keys per person: a public key, which anyone may hold and which is used to encrypt messages to the owner and to verify the owner’s signatures, and a private key, kept secret, which is the only key able to decrypt those messages and the only key able to produce those signatures.
  • Digital certificate – used by S/MIME; these are issued to organisations and individuals by trusted certificate authorities and bind a public key to a name or email address. They are downloaded and then added to an email client, which uses them to encrypt to and verify the other party [TRP01].
  • Digital signature – used by PGP/GPG; a value computed over the message with the signer’s private key that anyone holding the matching public key can check, so it authenticates the signer as the holder of that key and detects any change to the message [GLO01].

Surveillance mitigation:

  • Privacy – enables private digital communications so that messages cannot be read by third parties. The difference between plaintext and ciphertext has been compared to the postcard and the letter, where plaintext is more like a postcard that anyone can read and ciphertext is akin to placing a message in a sealed envelope. This has been called the ‘analog gap’ [MPE02].

Vulnerabilities:

  • Usability – PGP/GPG has been criticised for its lack of general usability [CEB01]; however, there are tools currently available and under development (described above) that seek to address this issue.
  • Security – a private key that is stolen, or a key or implementation weak enough to be broken, exposes every message ever encrypted to it, because PGP/GPG uses the same long-term key for all messages. The GCHQ/NSA programme BULLRUN, which aims to break or undermine encryption tools, is an example of this threat.
  • Attribution – a digital signature provides proof of authorship, which may be used to provide legal proof of a person’s communications and activities.

Layer of interaction:

  • Application layer: Simple Mail Transfer Protocol (SMTP)
  • Transport layer: Transport layer security (TLS)

Background:

Cryptography in its early days was managed and researched within governments’ departments of defence in order to protect state secrets and to ensure secure communication across international borders. A technique known as ‘non-secret’ or public-key encryption appeared in the 1970s with RSA [CAC01] and resulted in the emergence of the CryptoWars, an attempt by the U.S. government to limit the public and foreign countries from accessing cryptography strong enough to resist decryption by U.S. national intelligence agencies [OPN01].

The Snowden revelations have shown that the CryptoWars are not over [OPN01] in particular with the BULLRUN programme, which seeks to break encryption tools [EFF01].

Sources:

Codes and Ciphers (CAC)
1) http://www.codesandciphers.org.uk/heritage/ModSec.htm

Cryptographic Engineering blog (CEB)
1) http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html

Differencebetween (DFB)
1) http://www.differencebetween.net/technology/software-technology/difference-between-pgp-and-smime

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/document/crypto-wars-governments-working-undermine-encryption

Freedom of the Press Foundation (FPF)
1) https://freedom.press/organization/leap-encryption-access-project

The Internet Engineering Task Force (IET)
1) http://www.ietf.org/rfc/rfc4880.txt

GPG Tools
1) https://gpgtools.org

LEAP (LAP)
1)  https://leap.se/en/services/email
2)  https://leap.se/en/docs/design
3)  https://leap.se/slides/#/

Mailpile (MPE)
1)  https://www.mailpile.is/faq/
2)  https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security

OpenPGP (OPP)
1) http://www.openpgp.org/about_openpgp/

Open Rights Group (OPN)
1) https://wiki.openrightsgroup.org/wiki/Crypto_Wars

Tech Republic (TRP)
1) http://www.techrepublic.com/blog/it-security/email-encryption-using-pgp-and-s-mime

TrueCrypt
1) http://truecrypt.sourceforge.net/

Off-the-Record Messaging
https://dcssproject.net/off-the-record-messaging/
Fri, 04 Mar 2016 09:08:48 +0000

Purpose:

The Off-the-Record Messaging webpage.

Off-the-Record Messaging (OTR) is an encryption protocol making it possible to engage in private conversations using specific instant messaging software. Its aim is to provide a platform that enables both encrypted and ‘deniable’ instant messaging conversations [CPU02]. ‘Deniable authentication’ allows participants in an instant messaging conversation to verify each other without the need for digital signatures which are attributed to a specific person and that can potentially be seen by a third party [CPU01].

OTR is an alternative to PGP and S/MIME public-key encryption that addresses some of their vulnerabilities. These include [Borisov et al., 2004]:

  • the use of encryption keys that endure for a long period of time making them subject to compromise
  • the need for digital signatures that provide proof of authorship, which may be used to provide legal proof of a person’s communications and activities.

Specifically, OTR ensures that [Borisov et al., 2004]:

  • Only the two parties involved are allowed access to the contents of a conversation
  • After a conversation is over, no one (not even the parties involved) can produce a transcript
  • While participants are assured of each other’s identities, neither they nor anyone else can prove this information to a third party.

Software applications

Two of the main established software applications using OTR include:

  • Pidgin – a multi-protocol instant messaging client for Windows, Linux and other UNIX systems, to which OTR is added as a plugin. It allows users to log in to multiple accounts on different networks, such as MSN, Google Talk, and Yahoo chat, at the same time [PID01], and supports chat, file transfers, away messages, and buddy lists. A key criticism of the application is that it stores account passwords as plaintext [PID02]. This means the password file is readable by anyone who gains access to the computer, whether physically or remotely, under the user’s account or an administrative one.
  • Adium – an instant messaging client for Apple operating systems with OTR support built in. Like Pidgin, it lets users connect to any number of instant messaging accounts, and it allows multiple simultaneous chats, address book integration and file transfer [ADI01].

Capabilities:

  • Confidentiality and forward secrecy – the two parties agree a fresh shared secret with a Diffie-Hellman exchange, derive short-lived encryption and MAC keys from it, re-key as the conversation proceeds and discard old keys; once a key has been deleted, a later compromise of either party’s long-term key cannot recover past messages [Borisov et al., 2004]. Message authenticity relies on Message Authentication Codes (MACs) keyed with that shared secret rather than on digital signatures: the receiver, who holds the same key, knows the message came from the other party, but cannot prove this to a third party, since the receiver could have produced the MAC too. (An optional shared secret, such as a password agreed in person without revealing it to anyone else, is used only to confirm that the other party’s key is genuine.)
  • Plausible deniability – participants can disclaim authorship of any content. OTR deliberately uses a malleable stream cipher (AES in counter mode) and publishes each MAC key once it is no longer needed, so after the fact anyone can produce a transcript with valid MACs and altered content. This does not weaken the conversation while it is in progress, because the MAC keys are revealed only afterwards; it means that a captured transcript is not evidence of what was said, giving repudiation of the contents of any communication.

Surveillance mitigation:

  • Privacy – enables private digital communications so that messages cannot be read by third parties. The difference between plaintext and ciphertext has been compared to the postcard and the letter, where plaintext is more like a postcard that anyone can read and ciphertext is akin to placing a message in a sealed envelope. This has been called the ‘analog gap’ [MPE02].

Vulnerabilities:

  • Authentication – OTR provides two ways to authenticate. One uses the parties’ long-term keys, but these are identified only by fingerprint and are not bound to a name or email address as PGP keys are, so the only way to authenticate a communication partner with them is to compare fingerprints over another channel such as face-to-face, telephone, or a different digital channel [BNB01]. The other is for the two parties to agree a shared secret, but they must ensure that no third party eavesdrops, whether it is agreed in person or online. If the secret is shared online using PGP there is a trace that links the parties, which could be revealed later. This authentication process leaves room for human error, and if a fingerprint or secret is not properly checked the OTR session could be compromised by a man-in-the-middle attack [BNB01].
  • Human – Even though conversations are not saved in OTR, any communication partner could take screenshots of the conversation [HUFF01].

Layer of interaction:

Background:

Off-the-Record Messaging was released in 2004 [CPU03] to enable encrypted real-time chat while also addressing some of the weaknesses of public-key encryption for that use. The OTR-capable clients Pidgin and Adium are built on the libpurple library [ADI02, PID03], which provides the network connectivity for a variety of instant messaging protocols and so lets users log in to multiple IM accounts; OTR itself, however, does not support group chat. The Electronic Frontier Foundation provides a helpful messaging scorecard [EFF01] that assesses the level of security provided by a variety of communication tools, including instant messaging.

Sources:

Adium (ADI)

1) https://adium.im/about

2) https://trac.adium.im/wiki/LibPurple

Bitcoin Not Bombs (BNB)

1) http://www.bitcoinnotbombs.com/beginners-guide-to-off-the-record-messaging

Borisov, N., Goldberg, I., Brewer, E. (2004) Off-the-Record Communication, or, Why Not To Use PGP. In WPES, 2004.
https://otr.cypherpunks.ca/otr-wpes.pdf

Cypherpunks (CPU)

1) https://otr.cypherpunks.ca/index.php

2) https://otr.cypherpunks.ca/press/news.com.com/Making+your+IM+secure–and+deniable/2100-7355_3-5576246.html

3) https://otr.cypherpunks.ca/news.php

Electronic Frontier Foundation (EFF)

1) https://www.eff.org/secure-messaging-scorecard

Huffington Post (HUFF)

1) http://www.huffingtonpost.com/2014/10/10/google-off-the-record_n_5959188.html

Mailpile (MPE)

1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security

Pidgin (PID)

1) https://pidgin.im/about/

2) https://developer.pidgin.im/wiki/PlainTextPasswords

3) https://developer.pidgin.im/wiki/Using%20Libpurple

Emerging encryption software
https://dcssproject.net/emerging-encryption-software/
Fri, 04 Mar 2016 09:08:47 +0000

Purpose:

The Open Whisper Systems logo.

New types of encryption software are being developed that aim to address the vulnerabilities associated with traditional forms of encryption such as Public Key Encryption. At issue with traditional methods are traceability of authorship through the use of digital signatures (no true anonymity) and the decryption of messages and files that may be stored by third parties by either breaking the encryption or by legal means requiring the handing over of encryption keys (no true privacy).

Software applications

The most recent cryptographic software includes:

  • Cryptocat – a web browser plugin that uses JavaScript cryptography [W3C01] to implement the Off-the-Record (OTR) protocol. Its key feature is usability, as it only requires installing a browser plugin to begin using it, and it also supports encrypted group chat. However, many security experts have criticised in-browser JavaScript encryption [SOG01; SCH01; TAR01]: the browser runs whatever code the server, or anyone able to tamper with the connection, delivers, so the cryptographic code itself can be silently replaced, and the browser’s large attack surface for remote code execution [TAR01] puts keys at risk. Security experts have suggested that the media hyped the software as a human-interest story rather than examining its actual robustness [SOG01], for example [WIR01]. Even so, Glenn Greenwald is reported to have used Cryptocat to communicate with Edward Snowden in Hong Kong to arrange their meeting [WIR01].
  • ChatSecure – a phone app, for both iPhone and Android, that enables secure chat through OTR encryption. It can be used with multiple accounts such as Facebook Chat, Google Talk, Google Hangouts, and Jabber [EFF01]. Used with the Orbot app it can get around most firewalls, network restrictions and blacklists [GPR01], and the Tor support this provides also lets users hide their network activity [GPR01].
  • Open Whisper Systems – an open source community of contributors who work on a variety of free privacy software tools [OWH01] including:

– TextSecure – an encrypted mobile instant messaging app for Android that provides forward secrecy for communications with other users of the app. It can send and receive both encrypted and unencrypted text (SMS) and media (MMS) messages and attachments. Encrypted messaging is compatible with Signal, the iOS counterpart [TSR01].

– Signal – an encrypted mobile instant messaging and voice-calling app for iOS that provides forward secrecy for communications with other users of the app [SIL01]. Messaging is compatible with TextSecure, the Android version.

– RedPhone – an encrypted voice-calling app for Android that uses Wi-Fi or mobile data rather than the carrier’s voice service [RPH01].

  • Silent Circle – a private company that offers encryption tools similar to Open Whisper Systems’. Its voice apps use the same encryption protocol (ZRTP), but users are charged a subscription fee. The company also specialises in ‘enterprise solutions’ for organisations [SCR01]. Software includes:

– Silent Phone – encrypted voice and video calls on mobile devices for iOS and Android. The app can be used with Wi-Fi, EDGE, 3G or 4G cellular anywhere in the world.

– Silent Text – encrypted text messaging for iOS and Android with ‘burn functionality’ feature that destroys selected messages.

– Silent Contacts – encrypted address book for mobile phones.

– Blackphone – is an Android adapted phone using PrivatOS that focuses on enhancing privacy and security. It has a subscription-based service that enables users to make both encrypted and unencrypted voice calls. It also includes encrypted chat, browsing, file sharing, texting and conference calls.

  • Pond – a forward-secure, asynchronous messaging system that aims to address the lack of forward secrecy in PGP-style asynchronous messaging [PND01]. Pond messages expire automatically a week after they are received. The author stresses that people use it at their own risk, as the code has not been reviewed and is incomplete [PND02]. It relies on home servers that accept messages while the user is offline; users choose a server, e.g. [PND03], or run their own. Connections to servers go over an overlay network through intermediary nodes, which hides from observers which servers a person is contacting to collect messages. Users exchange either PGP or OTR keys with the Pond server, e.g. [PND03].

Capabilities:

  • Forward secrecy – ensures that every new connection uses unique and ephemeral key information, this ensures that if long-term keys (e.g. PGP/GPG) are compromised that the content of messages cannot be decrypted [EFF02].
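The forward-secrecy property described above, as an added example that is not part of the original page and is not code from TextSecure, Signal or any other named project: two schemes are run side by side, one that encrypts to a recipient's long-term key for every message (the PGP-style design) and one that uses fresh exponents per session and discards them, and then an attacker who recorded the traffic is handed the recipient's long-term private key. Assumptions: a toy Diffie-Hellman group (p = 2^127 - 1, g = 5) and a SHAKE-256 pad as the cipher, both for illustration only; in a real protocol the long-term key would sign the ephemeral values to authenticate them, which is omitted here.

```python
"""Forward secrecy versus a static recipient key under later key compromise.

Added illustration. The attacker holds a recording of everything sent on
the wire plus, later, the recipient's long-term private key.
"""
import hashlib
import secrets

P, G = 2**127 - 1, 5   # toy group parameters, illustration only


def dh_keypair():
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def session_key(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_pad(key, nonce, data):
    """Toy cipher: XOR with a SHAKE-256 stream derived from key and nonce."""
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))


# Scheme 1 (PGP-like): the recipient's long-term public key is used for every message.
def static_encrypt(recipient_pub, plaintext):
    a, A = dh_keypair()
    nonce = secrets.token_bytes(16)
    key = session_key(pow(recipient_pub, a, P))
    return {"A": A, "nonce": nonce, "ct": xor_pad(key, nonce, plaintext)}


def static_decrypt(recipient_priv, msg):
    key = session_key(pow(msg["A"], recipient_priv, P))
    return xor_pad(key, msg["nonce"], msg["ct"])


# Scheme 2 (OTR/Signal-like): fresh exponents per session; long-term keys only identify parties.
def ephemeral_exchange(plaintext):
    """Return what an observer records; the ephemeral exponents are dropped on return."""
    a_e, A_e = dh_keypair()
    b_e, B_e = dh_keypair()
    key = session_key(pow(B_e, a_e, P))
    assert key == session_key(pow(A_e, b_e, P))
    nonce = secrets.token_bytes(16)
    return {"A_e": A_e, "B_e": B_e, "nonce": nonce, "ct": xor_pad(key, nonce, plaintext)}


def attacker_with_leaked_key(long_term_priv, recorded, peer_public_field):
    """Apply the static-scheme decryption with the leaked long-term key to a recording."""
    guess = session_key(pow(recorded[peer_public_field], long_term_priv, P))
    return xor_pad(guess, recorded["nonce"], recorded["ct"])


def compare_schemes(secret=b"old message"):
    """Same secret, same leaked key: only the static scheme gives the attacker the plaintext."""
    b_lt, B_lt = dh_keypair()                          # Bob's long-term key, later leaked
    recorded_static = static_encrypt(B_lt, secret)
    recorded_ephemeral = ephemeral_exchange(secret)    # B_lt would only sign B_e here
    return {
        "static": attacker_with_leaked_key(b_lt, recorded_static, "A"),
        "ephemeral": attacker_with_leaked_key(b_lt, recorded_ephemeral, "A_e"),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

In the ephemeral scheme the recording contains only g^a and g^b, and the long-term key never enters the key derivation, so the leak yields garbage; the session key existed only in memory and was dropped. The limitation listed under Vulnerabilities below holds for both schemes: if the cipher (here the SHAKE pad) were itself broken, the attacker would not need any key at all, and forward secrecy would not help.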

Surveillance mitigation:

  • Privacy – enables private digital communications so that messages cannot be read by third parties. The difference between plaintext and ciphertext has been compared to the postcard and the letter, where plaintext is more like a postcard that anyone can read and ciphertext is akin to placing a message in a sealed envelope. This has been called the ‘analog gap’ [MPE02].

Vulnerabilities:

  • Decryption – forward secrecy does not defend against successful cryptanalysis of the underlying ciphers. Cryptanalysis recovers plaintext from ciphertext without the key, whereas forward secrecy only limits what a compromised key reveals; it does not strengthen the cipher algorithms used to perform the encryption [ZUR01].

Layer of interaction:

  • Transport layer

Background:

Privacy and security of business and personal digital communication has received increased interest since the Snowden revelations of June 2013. In addition, the vulnerabilities associated with Public Key Encryption have been a catalyst for developers to provide more secure encryption to users.

Sources:

CryptoCat (CCA)

1) https://crypto.cat

Electronic Frontier Foundation (EFF)

1) https://ssd.eff.org/en/module/how-install-and-use-chatsecure

2) https://www.eff.org/deeplinks/2014/07/forward-secrecy-brings-better-long-term-privacy-wikipedia

Guardian Project (GPR)

1) https://guardianproject.info/apps/chatsecure

2) https://chatsecure.org/blog

Mailpile (MPE)

1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security

Open Whisper Systems (OWH)

1) https://whispersystems.org/about/

TextSecure (TSR)

1) https://whispersystems.org/

Signal (SIL)

1) https://whispersystems.org/blog/signal/

2)   https://ssd.eff.org/en/module/how-use-signal-%E2%80%93-private-messenger

3)  http://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the-iphone/

Red Phone (RPH)

1) https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en

Pond (PND)

1) https://pond.imperialviolet.org/

2) https://pond.imperialviolet.org/tech.html

3) https://pondgw.hoi-polloi.org/usage

Schneier on Security (SCH)
1) https://www.schneier.com/blog/archives/2012/08/cryptocat.html

Silent Circle (SCR)

1) https://silentcircle.com/services

Soghoian, Christopher (SOG)
1) http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html

Tony Arcieri (TAR)

1) http://tonyarcieri.com/whats-wrong-with-webcrypto

W3C, Web Cryptography API (W3C)

1) http://www.w3.org/TR/WebCryptoAPI/

Wired (WIR)

1) http://www.wired.com/2012/07/crypto-cat-encryption-for-all/

Zur:linux (ZUR)
1) http://zurlinux.com/?p=1772

Low Tech or Non-Cryptographic Techniques
https://dcssproject.net/low-tech-or-non-cryptographic-techniques/
Fri, 04 Mar 2016 09:08:47 +0000

Purpose:

A Verizon pre-paid (aka burner) phone.

There are options for preserving privacy and security that do not rely upon cryptographic technologies. Rather some people choose a selection of workarounds for communicating sensitive information.

Techniques

The most well known techniques include:

  • Pseudonyms – a fictitious name used in place of a person’s real name to mask their identity [GLO01]. Online, pseudonyms take the form of usernames, social media profiles, web-service accounts (e.g. Dropbox) and email addresses. A pseudonym can be used to send email, exchange files and post comments on social media. Pseudonyms can be discarded on a regular basis (daily, weekly) or reserved for one activity (e.g. commenting on social media). They do not stop third parties from identifying the user’s IP address, location, email content or web browsing behaviour.
  • Code words – similar to the shared secrets used for authentication in Off-the-Record messaging. A code word can be used in face-to-face meetings where each party knows the word or phrase. Once the code word is given, the parties have the option to reveal information they would not otherwise have shared. Governments, journalists and other organisations use code words and phrases when engaged in secretive operations.
  • Burner phones (pre-paid phones) – a pre-paid mobile phone bought with cash and not associated with a real person, as no identification is required to purchase it [EFF01]. Burner phones are thrown away and replaced often. They are said to be the most secure option for phone communication [CIJ01], although they can still be tracked and monitored. Other phones that travel with a burner can be linked to it, so it is recommended that all other phones be placed in a metal container (Faraday cage) so that they emit no signals. Calls can still be tapped and recorded, so sensitive information should not be exchanged over a burner [ARS01].
  • Drafts folder – an email drafts folder used to communicate through a shared email account created under a pseudonym. Messages are written, read and replied to as drafts without ever being sent across a network. Participants share the username and login details, which lets them use a web-based email service as an electronic dead drop [WAS01]. However, the IP address used to log in can be traced to the person, as happened in the Petraeus scandal [ACU01].

Capabilities:

  • Alternatives to cryptographic software – these techniques serve as workarounds for secure communication, digital or face-to-face, that need no cryptographic software on either side.

Surveillance mitigation:

  • Privacy – limits who is party to a message: a code word means nothing to an eavesdropper who does not know it, and a drafts-folder message is never sent across the network as an email. Unlike encryption, however, none of these techniques makes the content unreadable to whoever can see it. The difference between plaintext and ciphertext has been compared to the postcard and the letter: plaintext is a postcard anyone can read, while ciphertext is a message in a sealed envelope; this has been called the ‘analog gap’ [MPE01]. Messages exchanged with these techniques remain postcards.
  • Anonymity – real identities can be concealed, but there is no guarantee that a user of any of these methods cannot be traced by other means such as an IP address. Anonymity does not make one’s actions private; an action may be taken in full public view but without being attributed to the person’s actual identity (real name, address, age, etc.). A pseudonym serves this purpose by preventing online activity from being linked to a specific person. People act anonymously online for a variety of reasons, including citizen activism (petition signing, discussion forums), social interaction, web browsing, online purchases and whistleblowing (exposing misconduct, fraud or illegal activity within an organisation).

Vulnerabilities:

  • Human error – these techniques may not fully hide identity or ensure privacy, because other ways of tracing and monitoring communication remain: a face-to-face meeting can be overheard; long-term use of a single burner phone builds up a traceable pattern; and logging in to a shared account over a direct network connection exposes the user’s IP address and location.

Layer of interaction:

  • Social layer

Sources:

American Civil Liberties Union (ACU)

1) https://www.aclu.org/blog/free-future/surveillance-and-security-lessons-petraeus-scandal

Ars Technica (ARS)

1) http://arstechnica.com/security/2013/10/how-the-nsa-breakthrough-may-allow-tracking-of-burner-cell-phones/

Electronic Frontier Foundation (EFF)

1) https://ssd.eff.org/en/glossary/burner-phone

The Centre for Investigative Journalism (CIJ)

1) http://www.tcij.org/resources/handbooks/infosec/chapter-7-phones-voicevideo-calls-over-internet

Mailpile (MPE)

1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security

Washington Post (WAS)

1) http://www.washingtonpost.com/blogs/worldviews/wp/2012/11/12/heres-the-e-mail-trick-petraeus-and-broadwell-used-to-communicate/

Virtual Private Networks https://dcssproject.net/virtual-private-networks/ Fri, 04 Mar 2016 09:03:50 +0000 http://sites.cardiff.ac.uk/dcssproject/?p=1261

Graphic of a VPN, www.legacytec.com/Pages/VPN.html

Purpose:

A Virtual Private Network (VPN) provides secure access to online data by creating a private network over which to reach both the public Internet and internal organisational networks. A VPN uses tunnelling protocols: data is encrypted at the sending end of the tunnel and decrypted at the receiving end.

VPNs allow for greater privacy because data packets are encrypted as they move across the Internet between the user and the VPN endpoint, so an observer on that path (the local network or the ISP) cannot read their content or see their real destination. Additionally, VPNs let users reach private networks run by organisations such as universities and companies, and so access content that would not otherwise be available.

Protocols include the following; each has its own technical strengths and weaknesses [BPN01]:

  • Layer 2 Tunneling Protocol (L2TP, and L2TP/IPsec when paired with IPsec for encryption)
  • Secure Socket Tunneling Protocol (SSTP)
  • Internet Key Exchange version 2 (IKEv2)
  • OpenVPN

Capabilities:

  • Tunnelling – Encapsulates each packet for the private network inside a packet carried across the public Internet between the two tunnel endpoints, so the inner packet’s real source and destination are never exposed on the path.
  • Encryption – The encapsulated data is sealed in a protected envelope, providing protection from packet sniffing on the path between the endpoints [SCO01].
  • IP cloaking – Masks the user’s originating IP address: to the sites visited, traffic appears to come from the VPN server’s address, so the user seems to be accessing the Internet from another country or organisation.

Surveillance mitigation:

  • Privacy – A secure way to access content or conduct activities (e.g. online banking) over an untrusted network. A VPN is not anonymous with respect to the provider, however: the VPN server sees the user’s real IP address and every destination.

Vulnerabilities:

  • VPN provider – The VPN server is the one point that sees both the user’s real IP address and the destination of every connection, so a customer should ensure that the provider does not keep logs that could be seized or compelled.
  • Decryption – Spiegel [SPI01] has reported that the NSA runs a number of programmes aimed at compromising VPN security by decrypting intercepted tunnel traffic.
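
To make the privacy model above concrete, here is an added example (not from the page, and not code from any VPN implementation) of a toy tunnel in Python. It shows the three capabilities and the provider vulnerability together: the client encapsulates a packet addressed to its real destination inside an encrypted outer packet addressed only to the VPN server; an on-path observer sees the outer header and ciphertext; the VPN server decrypts, can log the client and the real destination, and forwards the inner packet with its own address as source. The packet layout, the key handling, the HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, and the addresses (RFC 5737 documentation ranges) are all assumptions chosen so that it runs with the Python standard library only; they stand in for the real protocols listed above.

```python
"""Toy VPN tunnel: what an on-path observer sees versus what the VPN provider sees.
Added example with a hypothetical packet layout and a toy cipher; not a real VPN protocol."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

TUNNEL_PORT = 1194            # OpenVPN's default port, reused here for the outer packet
NONCE_LEN, TAG_LEN = 12, 32


def pack_packet(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Minimal packet: 4-byte source, 4-byte destination, 2-byte port, then payload."""
    return struct.pack("!4s4sH", IPv4Address(src).packed, IPv4Address(dst).packed, dport) + payload


def parse_packet(raw: bytes) -> dict:
    src, dst, dport = struct.unpack("!4s4sH", raw[:10])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "dport": dport, "payload": raw[10:]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (toy stand-in for a real cipher)."""
    blocks = [hmac.new(key, nonce + struct.pack("!Q", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag. Fresh random nonce unless given."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):        # forged or corrupted packet: drop it
        raise ValueError("tunnel packet failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_send(inner: bytes, client_ip: str, vpn_ip: str, keys: tuple, nonce=None) -> bytes:
    """Tunnelling: the whole inner packet, real destination included, becomes the
    encrypted payload of an outer packet addressed only to the VPN server."""
    enc_key, mac_key = keys
    return pack_packet(client_ip, vpn_ip, TUNNEL_PORT, seal(enc_key, mac_key, inner, nonce))


def observer_view(outer: bytes, inner_dst: str) -> dict:
    """What an on-path observer (ISP, Wi-Fi operator) can read: the outer header only."""
    p = parse_packet(outer)
    return {"src": p["src"], "dst": p["dst"], "dport": p["dport"], "bytes": len(p["payload"]),
            "real_destination_visible": IPv4Address(inner_dst).packed in p["payload"]}


def vpn_server_receive(outer: bytes, keys: tuple, vpn_public_ip: str) -> tuple:
    """The provider decrypts, learns client and real destination, and forwards the inner
    packet with its own source address (IP cloaking). Returns (forwarded, loggable)."""
    enc_key, mac_key = keys
    p = parse_packet(outer)
    inner = parse_packet(unseal(enc_key, mac_key, p["payload"]))
    loggable = {"client": p["src"], "destination": inner["dst"], "dport": inner["dport"]}
    forwarded = pack_packet(vpn_public_ip, inner["dst"], inner["dport"], inner["payload"])
    return forwarded, loggable


if __name__ == "__main__":
    keys = (os.urandom(32), os.urandom(32))
    inner = pack_packet("192.0.2.10", "198.51.100.7", 443, b"GET / HTTP/1.1")
    outer = client_send(inner, "192.0.2.10", "203.0.113.1", keys)
    print("observer sees:", observer_view(outer, "198.51.100.7"))
    forwarded, loggable = vpn_server_receive(outer, keys, "203.0.113.1")
    print("provider can log:", loggable)
    print("destination sees source:", parse_packet(forwarded)["src"])
```

Changing any byte of the outer payload fails the MAC check and raises ValueError, which is the property that stops a middlebox from modifying tunnelled packets undetected. The dictionary returned as `loggable` is exactly what a logging provider retains, which is why the no-logs question above matters.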

Layers of operation:

  • Transport layer

Sources:

Best VPN (BPN)
1) https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/

Spiegel (SPI)
1) http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html

Scott, C., Wolfe, P., Erwin, M (SCO), Virtual Private Networks. O’Reilly, 1999.
1) http://shop.oreilly.com/product/9781565925298.do

Invisible Internet Project (I2P) https://dcssproject.net/i2p/ Thu, 19 Nov 2015 22:53:00 +0000 http://sites.cardiff.ac.uk/dcssproject/?p=666

Purpose:

The Invisible Internet Project (I2P) is an anonymous peer-to-peer communication layer, an offshoot of Freenet (GIZ01) designed to run any Internet service (email, IRC, file sharing, HTTP, Telnet) as well as distributed applications. Its aim is to “protect communication from dragnet surveillance and monitoring by third parties such as ISPs” (I2P01). A computer running the I2P software is called an I2P node.

All communication in I2P is encrypted end-to-end and forwarded through a network of nodes to conceal the source and destination of the traffic. The communication endpoints are identified by cryptographic keys (I2P01).

I2P can be used to host services that are only accessible via the anonymising network. Websites published via I2P, known as “eepsites”, use domain names ending with the ‘.i2p’ suffix.

Capabilities:

  • Garlic routing – A variant of onion routing in which several messages (‘cloves’) are bundled and encrypted together into a single ‘garlic’ message, which makes traffic analysis harder because an observer sees one message rather than several. The bundling, rather than the layered encryption itself, is what distinguishes garlic routing from the onion routing used by Tor and other networks, where each message is encrypted multiple times but carried on its own.
  • Peer-to-peer – The I2P network is decentralised. All users run the same software, which by default takes part in relaying data for other users. Unlike Tor, traffic by default stays inside the anonymising network rather than entering and leaving it through exit nodes, which may make traffic confirmation more difficult.
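
As an added illustration of garlic routing (example code, not I2P’s own implementation), the following Python script bundles several cloves into one encrypted garlic message, wraps it in one encryption layer per hop of a three-hop path, and then simulates delivery, recording what each hop can learn. The message layouts, the hop identifiers and keys, and the hash-keystream cipher are hypothetical stand-ins chosen so that it runs offline with the standard library; I2P’s real session and tunnel formats are more complex and are not reproduced here.

```python
"""Garlic routing modelled as bundling plus layered encryption.
Added example with hypothetical layouts and a toy cipher; not I2P's real code."""
import hashlib
import json


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Hash-derived keystream XOR; symmetric, so the same call encrypts and decrypts.
    Toy stand-in for I2P's ElGamal/AES: here every key is used for one message only."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def build_garlic(cloves: list, endpoint_key: bytes) -> bytes:
    """Bundle several (delivery instruction, payload) pairs into ONE encrypted message.
    Only the endpoint can read the cloves, or even learn how many there are."""
    body = json.dumps([{"deliver": d, "payload": p.hex()} for d, p in cloves])
    return xor_crypt(endpoint_key, body.encode())


def wrap_layers(garlic: bytes, path: list) -> bytes:
    """Onion-style layering over path = [(hop_id, hop_key), ...], built from the inside
    out so that the outermost layer belongs to the first hop."""
    blob = garlic
    for i in range(len(path) - 1, -1, -1):
        _, hop_key = path[i]
        next_hop = path[i + 1][0] if i + 1 < len(path) else None   # None: last hop
        blob = xor_crypt(hop_key, json.dumps({"next": next_hop, "inner": blob.hex()}).encode())
    return blob


def peel(blob: bytes, hop_key: bytes) -> tuple:
    """A hop strips its own layer and learns only the next hop's identifier."""
    layer = json.loads(xor_crypt(hop_key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def route(blob: bytes, path: list, endpoint_key: bytes) -> tuple:
    """Simulate delivery. Returns (what each hop saw, cloves recovered at the endpoint)."""
    views = []
    for hop_id, hop_key in path:
        next_hop, blob = peel(blob, hop_key)
        views.append({"hop": hop_id, "next": next_hop, "opaque_bytes": len(blob)})
    cloves = json.loads(xor_crypt(endpoint_key, blob))
    return views, [(c["deliver"], bytes.fromhex(c["payload"])) for c in cloves]


if __name__ == "__main__":
    endpoint_key = b"endpoint-key"
    path = [("router-A", b"key-A"), ("router-B", b"key-B"), ("router-C", b"key-C")]
    cloves = [("local", b"request for an eepsite page"),
              ("router:router-D", b"delivery status"),
              ("tunnel:7", b"reply block")]
    views, delivered = route(wrap_layers(build_garlic(cloves, endpoint_key), path), path, endpoint_key)
    for v in views:
        print(v)
    print(delivered)
```

Each hop’s view contains only the identifier of the next hop; none of them learns how many cloves the message carries or what they contain, and peeling with the wrong key yields bytes that do not even parse. This is the bundling-plus-layering combination the Capabilities entry describes.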

Surveillance mitigation:

  • Traffic analysis – Can be used to infer who is talking to whom over a public network. Knowing the source and destination of a person’s Internet traffic makes it possible to track their behaviour and interests.
  • Decentralization – Having no central servers, I2P is not controlled by any one individual or organization, including the designers of the platform. There is no single point where content can be removed or access to the network can be blocked.
  • Anonymity – Endpoints are identified by cryptographic keys rather than network addresses, separating identification from routing so that information can be published and accessed anonymously.

Vulnerabilities:

  • Harvesting – It is easy to compile a list of I2P nodes because every node is continually attempting to find other nodes and connect to them.
  • Sybil attacks – Peer-to-peer networks are vulnerable to ‘sybil attacks’ in which an attacker creates multiple identities in order to have a disproportionate influence on the operation of the network.
  • Full list: https://geti2p.net/en/docs/how/threat-model.

Layers of operation:

  • Transport layer: I2P provides an anonymous transport layer that can be used by other applications.
  • Application layer: I2P nodes communicate across the Internet at the application layer.

Background:

I2P has been called a “super anonymous network” (GIZ01) in which users can reach content that is not available outside the network. Unlike Tor, the I2P software is not intended for browsing the public Internet; its purpose is to reach services inside the network.

People using I2P can control the trade-offs they make between anonymity, reliability, bandwidth usage, and latency by choosing the number of nodes their data passes through (I2P01).

Sources:

Gizmodo (GIZ)
1) http://gizmodo.com/i2p-the-super-anonymous-network-that-silk-road-calls-h-1680940282

Invisible Internet Project (I2P)
1) https://geti2p.net/en
2) https://geti2p.net/en/docs/how/threat-model

PRISM https://dcssproject.net/prism/ Wed, 22 Jul 2015 11:25:10 +0000 http://sites.cardiff.ac.uk/dcssproject/?p=676

PRISM, The Guardian, slide #2.

Purpose:

PRISM is an NSA programme that exploits data collected by the FBI’s Data Intercept Technology Unit (DITU) from nine major US corporations including Facebook, Google and Apple. There is no single PRISM database. Rather, when the data arrives at the NSA, it is sorted and distributed to the following systems:

  • MARINA: Internet metadata
  • MAINWAY: telephone metadata
  • NUCLEON: voice content
  • PINWALE: selected email and other content

MARINA is the counterpart of PRISM, where MARINA stores metadata and PRISM provides access to content. The telephone counterparts are MAINWAY (metadata) and NUCLEON (content) (MOJ01).

Mother Jones Magazine, Four programmes.

According to the leaked slides, PRISM is the biggest single contributor to the NSA’s intelligence reporting (GUA01).

Capabilities:

  • Access to content and metadata from service providers via the FBI

Data sources:

  • Content and metadata from nine major US companies:
    • Google
    • Skype
    • Facebook
    • Yahoo
    • Microsoft
    • Apple
    • YouTube
    • AOL
    • PalTalk

Related programmes:

MARINA – NSA repository for Internet metadata.

PINWALE – NSA content repository.

Layers of operation:

  • Application layer: Collection of content and metadata through interfaces created by service providers.
  • Social layer: Aggregation of content and metadata from multiple applications.

Background:

PRISM is considered a downstream programme as it collects information from service providers. It is used in conjunction with upstream programmes that collect communications from fibre-optic cables and other infrastructure.

Although PRISM is an NSA programme, GCHQ is a key partner and has full access to the database (GUA02). In 2013, a UK parliamentary committee deemed GCHQ’s activity legal (BBC01). However, in 2015 the Investigatory Powers Tribunal deemed the activity unlawful (GUA03).

Company partners:

  • Google
  • Skype
  • Facebook
  • Yahoo
  • Microsoft
  • Apple
  • YouTube
  • AOL
  • PalTalk

Sources:

BBC News (BBC)
1) http://www.bbc.co.uk/news/uk-23341597

Guardian (GUA)
1) http://www.theguardian.com/world/interactive/2013/nov/01/prism-slides-nsa-document
2) http://www.theguardian.com/technology/2013/jun/07/uk-gathering-secret-intelligence-nsa-prism
3) http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa

Mother Jones Magazine (MOJ)
1) http://www.motherjones.com/kevin-drum/2013/06/washington-post-provides-new-history-nsa-surveillance-programs

XKEYSCORE https://dcssproject.net/xkeyscore/ Wed, 22 Jul 2015 11:24:35 +0000 http://sites.cardiff.ac.uk/dcssproject/?p=683

XKEYSCORE, ACLU document archive, slide #11.

Purpose:

XKEYSCORE is an NSA search and analysis system for data collected by other surveillance programmes. The system is described by Snowden as a search engine that provides a “one-stop shop” for access to content, metadata and real-time tracking and monitoring of user activities (COU01). Access to XKEYSCORE is shared with a number of other intelligence agencies including GCHQ (COU01, GUA01). In 2012, GCHQ’s TEMPORA programme was the largest source of XKEYSCORE data (EFF01).

The system incorporates user interfaces, databases and algorithms to select specific types of content and metadata that have already been collected by other surveillance programmes. Data can be retrieved using “strong selectors” such as email addresses and “soft selectors” such as keywords (ACU01). Rules for identifying particular kinds of data can be created and stored in the system. For example, analysts can target Tor users through rules that select web searches related to Tor and connections to the Tor network (NDR01). XKEYSCORE also has the ability to alert analysts to the activities of specific email and IP addresses (GUA02).

In 2008, the system included over 700 servers at approximately 150 locations around the world (ACU01). Content remains in the XKEYSCORE environment for three to five days, while metadata is stored for 30 days.

Capabilities (ACU01, EFF01):

  • Ingestion of “full take” from NSA and partner agency bulk collection programmes.
  • Federated query mechanism allows analysts to search multiple databases with a single query.
  • Content and metadata can be searched using “strong selectors” and “soft selectors”.
  • Rules for matching particular kinds of data can be created and stored in the system.
  • Computer systems that are vulnerable to attack can be identified by monitoring network traffic.
  • Documents can be traced back to their authors.
  • Pattern-of-life analysis can develop profiles of individuals or find individuals matching a profile.
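
The following added example (an illustration only, not XKEYSCORE’s rule language or schema, which this page does not show) models in Python the selector and rule mechanism described above: strong selectors match an exact identifier such as an email or IP address, soft selectors match a keyword in free text, and a stored rule fires when any of its selectors matches. It runs over a handful of constructed metadata records (RFC 5737 addresses, example.org names) and includes a Tor-style rule of the shape the page describes, combining a search-term keyword with a hypothetical directory address list, plus a watch rule that alerts on one email address.

```python
"""Toy selector/rule engine over constructed metadata records.
Added example illustrating strong selectors, soft selectors and stored rules;
not XKEYSCORE's own rule language or schema, which this page does not show."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, one per intercepted session (RFC 5737 addresses, not real data).
RECORDS = [
    {"type": "http",  "src_ip": "192.0.2.10",   "host": "www.example.org",    "query": "monitor settings"},
    {"type": "http",  "src_ip": "192.0.2.10",   "host": "search.example.org", "query": "how to install tor browser"},
    {"type": "email", "src_ip": "198.51.100.7", "from": "alice@example.org",  "to": "bob@example.net"},
    {"type": "tcp",   "src_ip": "192.0.2.10",   "dst_ip": "203.0.113.5",      "dst_port": 9001},
    {"type": "tcp",   "src_ip": "198.51.100.7", "dst_ip": "203.0.113.9",      "dst_port": 443},
]

# Hypothetical address list standing in for the Tor directory authorities.
TOR_DIRECTORY_IPS = {"203.0.113.5"}


@dataclass
class Selector:
    key: str             # record field to inspect
    value: str
    strong: bool = True  # strong: exact identifier match; soft: keyword in free text

    def matches(self, rec: dict) -> bool:
        v = rec.get(self.key)
        if v is None:
            return False
        if self.strong:
            return str(v) == self.value
        # Word-bounded so a soft selector 'tor' does not fire on 'monitor' or 'history'.
        return re.search(r"\b" + re.escape(self.value) + r"\b", str(v), re.IGNORECASE) is not None


@dataclass
class Rule:
    name: str
    any_of: list         # the rule fires when any one of its selectors matches

    def fires(self, rec: dict) -> bool:
        return any(s.matches(rec) for s in self.any_of)


RULES = [
    # A search-term keyword plus connections to known Tor addresses: the shape of
    # rule the page describes for finding Tor users.
    Rule("tor_user", [Selector("query", "tor", strong=False)]
         + [Selector("dst_ip", ip) for ip in sorted(TOR_DIRECTORY_IPS)]),
    # A strong selector on one address: the 'alert me about this target' use.
    Rule("watch_alice", [Selector("from", "alice@example.org"), Selector("to", "alice@example.org")]),
]


def evaluate(records: list, rules: list) -> dict:
    """Run every stored rule over every record; returns {rule name: [matching record indices]}."""
    return {r.name: [i for i, rec in enumerate(records) if r.fires(rec)] for r in rules}


def hits_by_source(records: list, indices: list) -> dict:
    """Aggregate rule hits per source address: the first step of a pattern-of-life view."""
    return dict(Counter(records[i]["src_ip"] for i in indices))


if __name__ == "__main__":
    for name, idx in evaluate(RECORDS, RULES).items():
        print(name, idx, hits_by_source(RECORDS, idx))
```

The soft selector is word-bounded on purpose: a bare substring match on ‘tor’ would also fire on ‘monitor’ or ‘history’, which is the false-positive problem keyword selectors carry. `hits_by_source` aggregates the hits per source address, the first step towards the pattern-of-life profiling listed under Capabilities.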

Data sources (ACU01, ELE01, SES01, WEE01):

  • CIA/NSA Special Collection Service (F6).
  • NSA Special Source Operations (such as PRISM, MUSCULAR and INCENSER).
  • Foreign satellite data (FORNSAT).
  • MARINA metadata repository.
  • TRAFFICTHIEF metadata repository.

Related programmes (ACU01, EFF01, ELE01, SES01):

PRISM – NSA programme for content and metadata collection from service providers via the FBI.

MUSCULAR – GCHQ programme for bulk data collection from service provider data centres.

INCENSER – GCHQ programme for bulk data collection from fibre-optic cables.

TEMPORA – GCHQ programme for bulk data collection and buffering.

TRAFFICTHIEF – NSA repository for metadata about selected targets.

MARINA – NSA repository for bulk Internet metadata.

PINWALE – NSA repository for selected content.

Layers of operation:

  • Network layer, transport layer and application layer: Matching content and metadata against rules defined by analysts.
  • Social layer: Aggregation of content and metadata from multiple sources, pattern-of-life analysis.

Background:

XKEYSCORE training materials detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search (GUA02). Requests are not reviewed by a court or any NSA personnel before being processed. The programme covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata (GUA02). The programme also allows for on-going “real-time” interception of an individual’s Internet activity (GUA02).

Data storage is an issue. According to leaked documents, “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours” (GUA02). In response, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named PINWALE, which can store material for up to five years (GUA02).

Sources:

American Civil Liberties Union (ACU)
1) https://www.aclu.org/files/natsec/nsa/NSA%20XKeyscore%20Powerpoint.pdf

Courage Foundation (COU)
1) https://edwardsnowden.com/2014/01/27/video-ard-interview-with-edward-snowden

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/files/2014/06/23/report_on_the_nsas_access_to_tempora.pdf

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection
2) http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

NDR Panorama (NDR)
1) http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html

Robert Sesek (SES)
1) https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html

The Week (WEE)
1) http://theweek.com/articles/461482/4-nsa-terms-should-know
