Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata

from the 'just-metadata'-strikes-again dept

The latest batch of Snowden docs published at The Intercept cover a lot of ground. The internal informational sheets from the Signals Intelligence Directorate include info on a host of surveillance programs that haven’t been revealed by previous document dumps. Nor do they discuss the programs in full. As such, some of the information is limited.

One of those published last week mentions the NSA’s targeting of internet cafes in Iraq and other Middle Eastern countries using a program called MASTERSHAKE. Using MASTERSHAKE, analysts were apparently able to drill down location info to which target was sitting in which chair at the cafes under surveillance.

Further down the page [PDF], past this brief mention of a program discussed more fully elsewhere, there’s another interesting tidbit. Apparently, the NSA can suss out electronic dead drops using harvested metadata. (h/t Electrospaces)

[REDACTED] will be briefing on THERAPYCHEATER. This is a system that uses metadata analysis to detect and exploit the communication patterns of targets about whom the SIGINT system has no specific a priori knowledge. By identifying suspicious patterns in the access to draft folders of webmail accounts, THERAPYCHEATER will identify email addresses potentially being used in a form of covert communication known as a cyber dead drop. There are numerous examples in both SIGINT and collateral of terrorists using cyber dead drops to communicate operational information and plans.

Apparently, the tried-and-true surveillance workaround is no longer a secure option. One way to avoid surveillance of communications was to simply not communicate. Composing drafts in a shared email account was one to talk to others without risking interception.

As the paragraph states, this draft folder metadata is used to acquire new surveillance targets, based almost solely on the analyst’s impression of account activity. Presumably from here, the NSA can move on to seeking access to the actual account to see what’s hiding inside that’s never been sent. Or, at the very least, keep an eye on traffic to and from the email account.

This was written in 2005 so access to email account metadata may be more limited, thanks to routine encryption. However, the metadata here refers to activity taking place within an account, suggesting the NSA does (or at least did) have access to certain types of account activity, rather than simply gathering metadata related to web-traversing communications.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Technically ignorant?

by definition an offline file sharing network cannot be compromised using online methodologies

Compromising an online endpoint of an offline network could be said to compromise the network too. E.g., if you’re moving files between 1 offline and 1 internet-connected computer via a USB stick, someone who compromises the internet-connected one has compromised the "network"; it no longer offers secrecy.

Anonymous Coward says:

Re: Re:

Do you really think for a millisecond that they don’t have the master certificates to decrypt all SSL traffic? Really?

Yes, because that’s not how TLS works. If they had all the Certificate Authority private keys, they could forge any certificate, but decrypting a session requires knowing the private key of the certificate for that session, not the private key of the root CA certificate that signed the intermediate CA certificate that signed the endpoint certificate. Some stupidly implemented CAs know the private keys of the certificates that they endorse, but the better ones never receive the endpoint’s private key, so they can’t disclose it even under duress.

DocGerbil100 (profile) says:


Well, isn’t that interesting!

I’m in the UK. The last time I was unemployed for any length of time, a fair while ago now, I was sent to a place called Reed Employment in Partnership, a company contracted by the government to help the unemployed get back into work.

Due to past security issues, customers weren’t allowed to attach their own storage devices to Reed’s computers. Instead, we were all required to use the draft folders in webmail accounts for storing our CVs (or résumés, in American), etc, in similar fashion to the counter-surveillance method described in the article.

It’s a certainty that at least some extremists were making use of Reed’s services. Presumably, everyone using the same branch who subsequently accessed their email from another location would also be flagged up as a potential terrorist – particularly the ones who mainly spoke Arabic and weren’t fluent in written English.

Did Reed unintentionally push hundreds of thousands of customers onto anti-terrorism watch-lists? I wonder how many other government service providers did the same thing…?

MyNameHere (profile) says:

Dead drops were a very common concept a number of years ago, as it was a very simple way to pass a message without actually sending anything. That was back before anyone realized that pretty much everything you every do in a free mail account (like hotmail) is backed up and kept for a long time.

It’s interesting that the feds were onto it and looking for ways to handle it.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...