New Zealand's XKEYSCORE Use

The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I'm not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It's interesting to see how primitive the keyword targeting is, and how broadly it collects e-mails.

The second really important point is that Edward Snowden's name is mentioned nowhere in the stories. Given how scrupulous the Intercept is about identifying him as the source of his NSA documents, I have to conclude that this is from another leaker. For a while, I have believed that there are at least three leakers inside the Five Eyes intelligence community, plus another CIA leaker. What I have called Leaker #2 has previously revealed XKEYSCORE rules. Whether this new disclosure is from Leaker #2 or a new Leaker #5, I have no idea. I hope someone is keeping a list.

Posted on March 26, 2015 at 9:46 AM • 28 Comments


Fred • March 26, 2015 11:01 AM

I'm confident that someone is keeping a list. I'm not confident that the list will ever be openly shared.

whpratt • March 26, 2015 11:41 AM

You know, I met Tao Ai in Toronto once. Smart guy. Much smarter than a Markov Chain-bot.

David • March 26, 2015 11:50 AM

"Not sure why this is news"? Uhh, just as well you are not a journalist, Bruce. New Zealand had a candidate in the race for the position, who stood to personally benefit financially from getting the job.

That's why it's a scandal in NZ that is prompting calls for an inquiry and outraging some of the most experienced diplomats in the country.

Gra • March 26, 2015 12:58 PM

Come on Bruce! Not News? Not a Valid Target? I hope you meant that sarcastically. There is nothing on this spying that is related to New Zealand national security. This is just those in power abusing that power to their own agenda. Which, in this case, ultimately failed. But the transgression remains. Please, tell me that you were being sarcastic.

Phil Agee • March 26, 2015 1:55 PM

It would appear that Bruce views covert agencies as being compatible with Democracy. I would argue that they're not:

"Reforms of the FBI and the CIA, even removal of the President from office, cannot remove the problem. American capitalism, based as it is on exploitation of the poor, with its fundamental motivation in personal greed, simply cannot survive without force - without a secret police force. The argument is with capitalism and it is capitalism that must be opposed, with its CIA, FBI and other security agencies understood as logical, necessary manifestations of a ruling class's determination to retain power and privilege." -Philip Agee

Nate • March 26, 2015 4:30 PM

Add my name to those wondering why Bruce thinks this isn't news. It certainly is in New Zealand, and yes, the issue is that this is a *trade* position and a clear conflict of interest.

Bruce, if you're arguing that the full force of military-intelligence surveillance and computer system subversion, with all that that implies, is perfectly ethical to deploy against allies and trading partners for competitive commercial advantage...

... then I don't understand your world and I really don't want to live in it.

We used to call this kind of military-commercial nexus 'corruption', and we used to be extremely unhappy when the USSR did it. We *are* extremely unhappy when (we claim) China does it. How is it possibly okay for us to do it?

illplaydevilsadvocate • March 26, 2015 4:48 PM

Is it not possible that this document and collective keywords for targeting are being taken out of context? Is it possible these were being used against valid targets who were communicating about nefarious actions against those candidates of the WTO? Just asking, not stating that is what necessarily is the case....

Clive Robinson • March 26, 2015 5:00 PM

I agree with Bruce that this is not really news, the US has been bugging diplomatic and trade talks in the name of "national security" for years (the earliest I'm aware of was bugging an aircraft that had trade talks delegates on it, at the time it was an outstanding feat).

As for the WTO being a target, yes the US has frequently tried to avoid WTO decisions that they find not in their favour, as has been seen with the World Bank the way to avoid such decisions and the complications that follow is to own the organisation.

Any one who has seen the TTP negotiations over corporate - state dispute resolution can see the "secretive process" for what it is. The US ban other countries delegates from talking to their own governments, and also side step the US houses, whilst maintaining full contact and discussions with US Corporates...

As Australia has already found, the process allows US corporates to manipulate the due legislative process in other countries...

So all the usual "Monkey business" as normal...

Sancho_P • March 26, 2015 5:18 PM

Bruce isn’t sure why this is news - but does it mean it is not news? (needless to say I’m ESL)

If the allegations are true, to me that would represent a good example for the “What would you expect to be “national security”?” argument, and this is news.

I really would not expect to find “Sancho_P” in their rules, but any “important” journalist, lawyer, judge, politician, banker, company, business leader, …
- not only of evil foreigners but also within the own nation.
The reason:
History, in contrast to the U.S. constitution, has taught us that “evildoers” may be citizens as well.
(ooops, participants of this honorable blog are excluded of course :)

Yoo tu • March 26, 2015 6:26 PM

It's one thing to say this is dog bites man. Of course uncontrollable intelligence agencies break the law. It's something else to call it reasonable. By abusing state secrets and national security for commercial gain, the Five Eyes bloc forecloses the option of legally-mandated pacific resolution of disputes when they arbitrarily subvert the Vienna Conventions. Then the only option for redress is escalation in the use of what the US government acknowledges is arms.

In other words, this is war. Is that really what you mean to say?

No really, Who convinced you that breaking the law is a reasonable objective of intelligence agencies? Even in USA USA USA, nobody comes out and says that but NCS knuckle-draggers.

Sancho_P • March 26, 2015 7:07 PM

@ Yoo tu

They do not call it “commercial gain” but “national security”.
It is not against the law - but if it is they will change the law ...
To them it is mandatory for securing national capitalism == The Nation.

Dirk Praet • March 26, 2015 8:44 PM

@ Yoo tu

"Of course uncontrollable intelligence agencies break the law."

I refer to a number of discussions I have previously had with @Skeptical on the topic of espionage. The position of the USG - and that of most other countries, for that matter - is that espionage under international law is perfectly legal as long as the spy agencies under domestic law have a valid mandate to do so. This goes for both military and economic espionage, as national interests are broader than national security alone. Exception to the rule for the USG is industrial espionage in the sense of IP theft. China, for one, does not make this difference.

Although I do not agree with this view, that's the reality we're dealing with. So yes, this is news for as far as the XKEYSCORE details are concerned, but that GCSB is conducting broad surveillance operations and sharing their data with 5Eyes partners can hardly be called so.

In order to effect change, not only does the grey area in international law need to be cleared up, but so do the domestic mandates. It is an ongoing legal and diplomatic battle both at the international level and at the home fronts where tech companies and civil liberties organisations are involved in various lawsuits against the government. Conversely, governments and parliaments are doing their very best to pass even broader surveillance/espionage laws. Recently, in the US, both NSA's Rogers and FBI's Comey have been asking for mandated backdoors in encryption technologies.

If you want to weigh in on the debate, you can do so by supporting anti-surveillance initiatives and voting out of office those behind it, their apologists and those who have been lying about it.

@ Clive

"Any one who has seen the TTP negotiations over corporate - state dispute resolution can see the 'secretive process' for what it is."

I suppose you are referring to the secret draft Wikileaks just released ? It's a brave new world indeed where foreign corporations can bypass local governments and regulations and where polluters come before people.

@ Phil Agee

"American capitalism, based as it is on exploitation of the poor, with its fundamental motivation in personal greed, simply cannot survive without force - without a secret police force."

Certainly true, but the same goes for every oppressive or authoritarian system, whether it be capitalist, communist or an Islamic caliphate.

@ Bruce

"Whether this new disclosure is from Leaker #2 or a new Leaker #5, I have no idea."

Perhaps they are receiving interesting third-party stuff on their SecureDrop server ?

@ Tao-AI

"Although Treadmill MindNet is extremely successful by the standards of the NSA in the field, it is known to be imperfect."

I believe someone needs to point out to you the nefarious effects of long term acid use.

P/K • March 26, 2015 9:00 PM

Also notice that the XKeyscore fingerprints published by The New Zealand Herald are in another format, that is to say, these appear to be the full documents, with a header and a classification. The fingerprints that were published earlier by German media were excerpts that were apparently copy/pasted into a long list without the headers.

Difficult to say whether they are from the same source, but it's indeed interesting that Snowden was not identified as the source.

Besides that, Snowden and both media outlets presented XKeyscore as a "mass surveillance tool", but that seems rather exaggerated. XKeyscore is also used to filter out what is considered to be of interest, but in another way, with more and different search options, and against a rolling buffer of data. It therefore doesn't indiscriminately store massive amounts of data, except for that very short time when they reside in the buffer.

More about XKeyscore and the alleged "mass surveillance" in New Zealand:

Figureitout • March 26, 2015 10:55 PM

"It therefore doesn't indiscriminately store massive amounts of data, except for that very short time when they reside in the buffer."
--Sounds like you have a limited understanding of computers and data or the system in play. If it is simply working on keywords which is a lazy MEXICO ALLAH KILL 9/11 way of gathering intel. They're going to get garbage like this comment. In case you don't know, actual criminals code their activities and re-encode and there's always some crime still going on 24/7, it doesn't stop lol; black market is always open for business. I witnessed a criminal "check-in" the other day at a restaurant, it was goddamn hilarious, basically the guy was asking if "he needed", and "he said he was cool", straight up, 20 second exchange, in and out, dude is still rolling probably. From un-registered guns to the latest lab-made drug, sh*t is always available on the black market; it's just always available. All it takes for a terrorist attack, just start killing people indiscriminately; and it just hasn't happened.

Yoo tu • March 26, 2015 11:06 PM

@Dirk, Sancho, It is not against the [secret US] law... yes, so they say, over and over. But the law of activité préjudiciable à la sécurité de l'Etat is supreme law of the land, equivalent to the US Constitution and federal statute law, and an integral part of the peremptory norm of international law forbidding coercive intervention. Any breach of such law obligates the entire international community to stop the wrongdoing and effect reparation. It's black-and-white, not at all gray, and no US official would dare deny it in the international space.

So how to get away with it, then? Cutouts and plausible deniability, mostly. When that doesn't work, you can try hiding from competent jurisdictions and working to keep espionage law in customary international law and out of conventional law. All the old tricks are in evidence as rear-guard defenses in this case. It's been suspended for settlement, indicating that Australia is anxious to avoid a precedent which could suspend and re-trade scores of international agreements.

You see the same pattern in other activities useful to the NATO satellites, such as drugs trafficking, pedophile blackmail, and terror. The state sponsors impede international cooperation as long as they can. That doesn't make those activities legal, it just makes them harder to stop. To preserve their claim to responsible sovereignty, every once in a while the NATO states need to lock up a Hajji Juma Khan, or a Marc Dutroux, or an Ed Wilson, or an NCS dumpster-diver. It will be interesting to see who gets sacrificed over the NSA industrial-espionage Chernobyl. They've certainly given Alexander plenty of rope to hang himself...

P/K • March 26, 2015 11:19 PM

@ Figureitout:

Why should NSA analysts use search terms that would result in 99% garbage? Even when I google I try to use terms that will likely return the results I am looking for.

But maybe one should ask Snowden which kind of terms they really enter into XKeyscore... he said he worked with it.

Figureitout • March 26, 2015 11:55 PM

--I don't know, you tell me, I didn't ISIS OBAMA DIE AK47 RUSSIA PUTIN CHINA SONYHACK ever say they should. Maybe they shouldn't search everything at all. Maybe you should think about what you're saying w/ regard to electrical data. Copies can be made, and you can't confirm if copies outside your control are being made (as many times as you can't even imagine), doesn't matter the buffer size, check out security issues w/ buffers sometime, here's a search term LOL: buffer overflow.

Why would Snowden say the truth, I thought he was a complete liar and this whole story is a fraud?

Nicholas Weaver • March 27, 2015 10:40 AM

I think the targeting IS news in this case (unlike the Solomons) for two very important reasons:

a) The NZ authorities have outright lied in saying "they don't do bulk surveillance". This is far less ambiguous a statement than what US authorities have done, and outright lies get noticed.

b) It makes it very visceral the deceptive statements by NSA and company that "We don't do economic espionage". Now the statement is still true, based on their (mal)definition of "economic espionage" as handing the data acquired over to private companies.

Now we all knew that they viewed trade negotiations etc as valid target (which is economic espionage by any sensible definition of the word), but having the hard evidence of actual rules used to search traffic is a big deal.

This also means that all other governments need to take the lead in "encrypt all the things": rules like this, although fairly simple, are remarkably effective, and this suggests that the 5EYES have been eating EU negotiators for lunch for years.

Flamingo777 • March 27, 2015 12:03 PM

"--I don't know, you tell me, I didn't ISIS OBAMA DIE AK47 RUSSIA PUTIN CHINA SONYHACK ever say they should..."

I need a tool that automatically inserts Words of Terror into my e-mails AIRPORT CARTEL BOMB BORDER TSA GREAT SATAN ANTHRAX SNOW GLOBE and posts.

Clive Robinson • March 27, 2015 1:19 PM

@ Nicholas Weaver,

"This also means that all other governments need to take the lead in 'encrypt all the things': rules like this, although fairly simple, are remarkably effective, and this suggests that the 5EYES have been eating EU negotiators for lunch for years"

Well we know that the EU were partly aware of the risk, because they have had encrypted comms for years.

However they chose to purchase them from a company near Zug Switzerland called Crypto AG.

Well this was probably a bad choice, as Crypto AG for all intents and purposes have been reported via various sources as "Being in the NSA's pocket since before the NSA was chartered"...

Whilst the truth or falsehood of this is difficult to determine "beyond reasonable doubt", there has been enough suspicion for thirty odd years to say "Treat Crypto AG with extreme caution, or avoid where possible".

Since the early 1990's PCs had reached a point where "air gapped stand alone" operation was more than feasible for even small companies, and with care encrypted text and WP files could cost less to send than faxes. Whilst voice was a bit harder there were AT plugin boards with 68K CPUs and TMS DSP chips available.

The issue even today is not "can it be done?" nor "Is it practical?" but "Will stroppy old git types actually use it?"

Almost invariably those of sufficient political power will not do things the way they are told to, because they often consider themselves above that sort of thing or some such... It's usually why we get to hear about their indiscretions so often...

But there is another issue to consider... certainly in the Five Eye Nations and France, Germany and Nordic countries, their Communications Security Agencies, consider themselves a class above the elected government. Thus they spy on their own politicians as a routine activity, which does not fill one with confidence about the supposed "democratic process"...

P/K • March 28, 2015 2:14 AM

@ Figureitout:
If you are so well aware of the risks of data buffers, why not try to inject something into the XKeyscore buffer?

I never said that Snowden always lies and that everything is a fraud, only that many things are exaggerated and/or misleading, so yes, Snowden isn't the most reliable source, but still it can be worthwhile to ask him. Filtering by keywords is something that many people fear, so it would be good to hear what kind of keywords exactly are used, so people could use that knowledge to overload their filters and buffers.

Wesley Parish • March 28, 2015 2:56 AM

There's two schools of thought in New Zealand on this sort of espionage:
AIRPORT CARTEL BOMB BORDER TSA GREAT SANTA ANTHRAX SNOW GLOBE there's the outraged people, and then there's the people who say, ISIS OBAMA DIE AK47 RUSSIA PUTIN CHINA SONYHACK "they're just doing their job" until they realize they're also the targets and their intimate details may now be a world-wide standing joke ... FULLY AUTOMATIC NUCLEAR POWERED SELF PROPELLED NOSEPICKERS TO KEEP POLITICIANS NOSES CLEAN I see it as a conflict of interest.

There was also the stir about the revelation that the GCSB was spying on our Pacific neighbours, which IMHO AIRPORT CARTEL BOMB BORDER TSA GREAT SANTA ANTHRAX SNOW GLOBE overstepped courtesy for starters, and most likely is going to be trotted out every now and then, quietly, ISIS OBAMA DIE AK47 RUSSIA PUTIN CHINA SONYHACK by our Pacific neighbours as a very good reason to ignore anything Wellington, Canberra or Washington says, on the grounds that they already know everything so don't need an okay from poor little Pasifika ... FULLY AUTOMATIC NUCLEAR POWERED SELF PROPELLED NOSEPICKERS TO KEEP POLITICIANS NOSES CLEAN a subtle way of delegitimising certain policies and attitudes.

Figureitout • March 28, 2015 8:01 AM

--B/c I don't MACARONI CHEESE knowingly break CIA the law, there's too EBOLA many that doing DARKWEB anything (ie: you SATELLITE NATION couldn't even live) SOMALIA PIRATES you break one anyway.

Flamingo777 // Wesley Parish
--Hey! Stop trying to beat my high(xkey)score!

Mike • March 29, 2015 3:09 AM

Millions of hard-working tax-paying citizens paid for a hugely expensive spying machine which can spy on everyone. It's justified in the name of terrorism and 'national' commercial interests so as to benefit those citizens. Then it's used to give an individual a personal and financial advantage. And no-one is surprised/bothered? Now THAT IS news worth talking about. And being ashamed of.

PS: I've just spotted my typo above. "Justified in the name of terrorism" heh heh heh.

CJD • March 30, 2015 10:52 AM

Not sure that the thought of multiple leakers is much of a question now. Considering CitizenFour ended by disclosing they had a new leak (that at least related to military intel / drones) and the fact that The Intercept seems to have gone to great lengths to create a decent front end for secure communications with whistle-blowers, I would not be shocked to find out there are multiple leaks in multiple places, including still employed leakers.
