What an XKeyscore Fingerprint Looks Like

As part of its cooperation with New Zealand’s best journalist on that country’s SIGINT activities, Nicky Hager, the Intercept has published a story on the targets of a particular XKeyscore query (note: these stories say the outlets obtained this document; they don’t actually say they obtained it from Edward Snowden): top officials in the Solomon Islands and an anti-corruption activist there.

Aside from the targets, which I’ll get to, the story is interesting because it shows in greater detail than we’ve seen what an XKS query looks like. It’s a fairly standard computer query, though initiated by the word “fingerprint.” Some of it is consistent with what Snowden has described fingerprints to include: all the correlated identities that might be associated with a search. The query searches on jremobatu — presumably an email unique name — and James Remobatu, for example. As I have noted, if they wanted to target all the online activities of one particularly person — say, me! — they would add on all the known identifiers, so emptywheel, @emptywheel, Marcy Wheeler, and all the cookies they knew to be associated with me.

What’s interesting, though, is this query is not seeking email or other Internet communication per se. It appears to be seeking documents, right out of a file labeled Solomon government documents. Those may have been pulled and stored as attachments on emails. But the query highlights the degree to which XKS sucks up everything, including documents.

Finally, consider the target of the query. As both articles admit, the reason behind some of the surveillance is understandable, if sustained. Australia and New Zealand had peacekeepers in the Solomons to deal with ethnic tensions there, though were withdrawing by January 2013 when the query was done. The query included related keywords.

In the late 1990s and early 2000s the islands suffered from ethnic violence known as “The Tensions.” This led to the 2003 deployment to the Solomons of New Zealand, Australian and Pacific Island police and military peacekeepers. By January 2013, the date of the target list, both New Zealand and Australia were focused on withdrawing their forces from the island country and by the end of that year they were gone.

The XKEYSCORE list shows New Zealand was carrying out surveillance of several terms associated with militant groups on the island, such as “former tension militants,” and “malaita eagle force.” But with the security situation stabilized by 2013, it is unclear why New Zealand spies appear to have continued an expansive surveillance operation across the government, even tailoring XKEYSCORE to intercept information about an anti-corruption campaigner.

More specifically, however, the query was targeting not the militants, but the Truth and Reconciliation process in the wake of the violence.

I would go further than these articles, however, and say I’m not surprised the Five Eyes spied on a Truth and Reconciliation process. I would fully expect NSA’s “customer” CIA to ask it to track the South African and Colombian Truth and Reconciliation processes, because the CIA collaborated in the suppression of the opposition in both cases (going so far as providing the intelligence behind Nelson Mandela’s arrest in the former case). While I have no reason to expect CIA was involved in the Solomons, I would expect one or more of the myriad intelligence agencies in the Five Eyes country was, particularly given the presence of Aussie and Kiwi peacekeepers there. And they would want to know how their role were being exposed as part of the Truth and Reconciliation process. This query would likely show that.

Which brings me to the point the activist in question, Benjamin Afuga (who sometimes publishes leaked documents) made: this spying, which would definitely detail all cooperation between him and the government, might also reveal his sources.

Benjamin Afuga, the anti-corruption campaigner, said he was concerned the surveillance may have exposed some of the sources of the leaks he publishes online.

“I’m an open person – just like an open book,” Afuga said. “I don’t have anything else other than what I’m doing as a whistleblower and someone who exposes corruption. I don’t really understand what they are looking for. I have nothing to hide.”

Ah, but Afuga does have things to hide: his sources. And again, if one or another Five Eyes country had intelligence operatives involved both during the tensions and in the peace keeping process, they would definitely want to know them.

Again, this is all standard spying stuff. I expect CIA (or any other HUMINT agency) would want to know if they’re being talked about and if so by whom — I even expect CIA does a more crude version of this within the US about some of its most sensitive topics, not least because of the way they went after the SSCI Torture investigators.

But this query does provide a sense of just how powerful this spying is in a world when our communications aren’t encrypted.

10 replies
  1. bloopie2 says:

    Thank you for this post. It is quietly fascinating and disturbing. First and foremost, the fact that they are using these electronic systems for other than the “terrorism” purposes that are always cited – it gives the lie to so much of what they say. Second, the fact that when they do deploy these systems, the ease with which they can go after anyone or any topic they choose. And third, the need for us to encrypt, on the assumption that we will be observed. (But still, that’s standard anti-spy stuff, of course – codes and code names, secret meetings in garage basements, disappearing ink, tapes that self-destruct, MAD magazine).
    And it calls to mind, yet again, the fact that no significant terrorist activity has been stopped by this electronic spying. They got bin Laden with humint, of course, during the very time period that this Solomon Islands electronic spying was going on. Well done, New Zealand; you are just like all the other lazy people in the world, who learn not by original research and study but by surfing the Internet.

    • emptywheel says:

      It’s true at the beginning they always talked abt terrorism, but mostly about the phone dragnet, which is the only part of NSA spying that is limited to terrorism. There was never any reason to doubt it.

      Also, FAA HAS stopped terrorist plots, though mostly in other countries (in part bc not that many people try to attack the US as they do Europe). Just the phone dragnet hasn’t.

      • bloopie2 says:

        That’s good to know, thank you; I didn’t realize that. Perhaps that is because I am still looking for that “summary of all programs they use”: What they are, how they work, what they have accomplished, how they are (allegedly) authorized, etc. But on your point, is the FAA program you reference, the one that intercepts US/foreign phone? Or Internet? Is it clearly okay under the fourth amendment? And, how much are we paying to stop terrorist attacks abroad? (Still unhappy here, you can see.)

  2. galljdaj says:

    My computer regularly and irregularly gets hacked, searched, and blocked accesses. That’s ‘new life’ in this nasty criminal country. So why not everywhere , just because ‘we can’!

    We allow the chennys rumsfelds lil bushes lil obamas etc to run wild, why not spies?

  3. emptywheel says:

    FAA includes anything that counts as an “electronic communication” (think content communication across wires) collected in the US with the help of a provider. So both telephone, Internet (PRISM), and Internet collected off telecom backbones (upstream).


    Overseas — with XKeyscore — they’re basically sucking everything off a switch, then sorting through what they want to keep.

  4. galljdaj says:

    You bet there’s lots more! Like crimes committed, and Failure of ‘Responsible’ peoples refusing to allow Citizen access to address those crimes! Those participating: Inspector Generals, the entire DOJ beginning at the top Holder, Senators, FBI, and Federal Officers.

    There is no legal way for the US Govt to be blocking Internet sites, yet it done regularly, when the Govt, get bad press or lies get presented timely to there happenings. The Govt has no right to prevent its lies or crimes from being made known to the US Citizens! Yet it does…

  5. Saul Tannenbaum says:

    There’s already a much more detailed XKEYSCORE file out in the world, the one targetting TOR, TOR users, TAILS, and a variety of other anonymity providers:


    The XKEYSCORE definition for TOR suggests that “documents” can come from just viewing them on the web.

    This fingerprint identifies users searching for the TAILs (The Amnesic
    Incognito Live System) software program, viewing documents relating to TAILs,
    or viewing websites that detail TAILs.
    fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
    url($TAILS_websites) or html_title($TAILS_websites);

  6. wallace says:

    So, we can safely assume we’ve reached the bottom of the abyss. What will you tell your grandchildren? We failed? We were dumb? We ignored Senator Church’s warning? Now what? Further analysis? Personally, I think we have passed the threshold of analysis. Let’s just hope our grandchildren won’t spit on our graves.

Comments are closed.