Is the NSA Reading Your E-Mail?
Richard M Smith has some interesting ideas on how to test if the NSA is eavesdropping on your e-mail.
With all of the controversy about the news that the NSA has been monitoring, since 9/11, telephone calls and email messages of Americans, some folks might now be wondering if they are being snooped on. Here’s a quick and easy method to see if one’s email messages are being read by someone else.
The steps are:
- Set up a Hotmail account.
- Set up a second email account with a non-U.S. provider. (eg. Rediffmail.com)
- Send messages between the two accounts which might be interesting to the NSA.
- In each message, include a unique URL to a Web server that you have access to its server logs. This URL should only be known by you and not linked to from any other Web page. The text of the message should encourage an NSA monitor to visit the URL.
- If the server log file ever shows this URL being accessed, then you know that you are being snooped on. The IP address of the access can also provide clues about who is doing the snooping.
The trick is to make the link enticing enough for someone or something to want to click on it. As part of a large-scale research project, I would suggest sending out a few hundred thousand messages using various tricks to find one that might work. Here are some possible ideas:
- Include a variety of terrorist related trigger words
- Include other links in a message to known AQ message boards
- Include a fake CC: to Mohamed Atta’s old email address (el-amir@tu-harburg.de)
- Send the message from an SMTP server in Iraq, Afghanistan, etc.
- Use a fake return address from a known terrorist organization
- Use a ziplip or hushmail account.
Besides monitoring the NSA, this same technique can be used if you suspect your email account password has been stolen or if a family member or coworker is reading your email on your computer of the sly.
The only problem is that you might get a knock on your door by some random investigative agency. Or get searched every time you try to get on an airplane.
But I think that risk is pretty low, actually. If people actually do this, please report back. I’m very curious.
Michael Ash • December 26, 2005 12:56 PM
Nice idea.
If anyone tries this, keep in mind how extremely insecure e-mail actually is. If you get a ping and you’re absolutely positive that nobody has the password, it doesn’t mean it’s the NSA. It could simply be a person on your local network with a sniffer, a bored mail server admin, etc. It could even be some sort of ultra-sophisticated virus scanner or spam checker that loads URLs mentioned in the message.
If positive hits are obtained, it would be interesting to repeat with increasing layers of crypto. If it’s casual snoopers, even a pass of ROT-13 should stop them. Then again, if the NSA is doing wholesale e-mail surveillance, they may not be able to afford to break everybody’s crypto even if it’s something dumb.
I would love to see the results if someone tries this.