[tor-talk] Questions about NSA monitoring of Tor users.

Roger Dingledine arma at mit.edu
Mon Jul 14 10:56:19 UTC 2014

On Sat, Jul 12, 2014 at 11:14:30PM +0000, simonsnake at openmailbox.org wrote:
> I would like to hear from those with personal knowledge and
> experience such as Jacob, Roger, Mike, etc.

You might want to read many of my answers on

> AIUI, from the stories in the German media
> (http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html) and
> Wired (http://www.wired.com/2014/07/nsa-targets-users-of-privacy-services/),
> the NSA has logged the IP of everyone who ever accessed:
> a) a directory server.

Directory authority, yes.

> b) an entry node.

No, I haven't seen any rules that tag flows based on whether they are
accessing one of the 5000ish Tor relay IP addresses. I just skimmed over
the Wired article and it appears they do say that but I think they're
misreading or misunderstanding the rules.

That said, I believe xkeyscore does have rules that DPI on a flow to
see if it looks like a Tor handshake has just happened. But nobody has
published (and I don't know) specifics of exactly what data they run
any of these rules over:

> c) bridges.torproject.org
> d) requested an email of bridges.
> e) the tor website itself (except from five eyes countries).


> This is viable as the NSA runs the Quantum network which allows it
> to intercept traffic to whichever sites it desires before that
> traffic arrives at its destination.

I've lost track of their codenames for things, but I think Quantum is
probably different than their general surveillance infrastructure.

In any case, it is still unclear whether the surveillance happens closer
to the website, closer to the user, or both. It depends on which website
and which user you're thinking about.

And this point leads to speculation about how maybe if you're in Germany
and you access a German Tor directory authority, NSA's surveillance
infrastructure doesn't see you because your request doesn't go over a
big enough backbone Internet link.

...which leads to speculation that the BND and NSA team up to share data,
so they can together cover more of the Internet. And round and round
we go.

> Two questions:
> 1.	What would be the purpose of collecting a vast trove of IP
> addresses? In my case, my IP could be tied to my real name since I
> send emails via SMTP which will contain my IP, email address, real
> name, etc. That said, IP addresses are dynamic. I don't know how
> easy it would be to identify most people via an IP. Of course, one
> way would be to ask the ISP directly. But, whether tied to a real
> identity or not, what's the point?  What does it achieve? They also
> gather the IP address for those who access any number of proxy
> services such as MegaProxy and FreeProxies.org. Would they not just
> end up with a massive database of (mostly dynamic) IPs?

Yes. But I assume they get IPs and also timestamps. And now if they
see something else going on that involves that IP address, they can
ask their database what else that IP address has done.

This is exactly the sort of thing that should scare ordinary people,
because I assume they hand all this data to a human analyst who tries
to make a guess about whether to send a drone. And if that human analyst
thinks Tor is only used by a tiny number of people, all of whom are bad,
then she could easily come to wrong conclusions.

And if some programmer tries to automate the job of that analyst, because
they have too much data coming in and they want to automatically determine
the right places to send drones... things can go wrong in a hurry.

> 2.	What is the attitude that encourages the gathering of this
> information? Is it: because they can? Or do they truly believe that
> anyone who uses Tor is dangerous?

I think it isn't either of these. I'm sure some of them think Tor is
only used by bad people (all the press about Tor and drugs, etc lately
sure hasn't helped).

But I think the general idea is to collect as much information about as
many things as possible, and then "surely" when you put it all together
it'll point you to the bad guys.

In particular, once they find something suspicious, they want to be able
to go back and see what else that person / computer / network was doing
in the past. And to do that, they need to collect as much as they can
about as many things as they can.

This is also the logic that leads them to redefine "collect" to be the
point where they actually *use* the information, not the point where
they, ehm, collect it. Because they know the various committees that
try to oversee them haven't given them permission to gather it all,
but they have also convinced themselves that they can't do a good job
at fighting bad guys if they don't gather it all.

And finally, don't put too much weight on these particular DPI rules.
The news here is not "we finally learned what the NSA are spying on,
and it's Tor connections and people looking at the Mixminion website."
They very likely spy on way way more than this. But these are the ones
that some journalists decided to write about (which in turn means that
they're the ones some whistleblower decided to leak).


More information about the tor-talk mailing list