Saturday, 5 October 2019

What exactly is an NSA “about collection” and MCT (“multiple communications transactions”)?
(originally posted 02.05.2017 on Google+)


Recently the NSA stopped “about collection” under its Upstream program. But what exactly is this kind of collection? I will explain. But first, a few technical basics (SPOILER: “about collection” is most likely collection of email forwards).

Email basically consists of two parts: the email message itself and its transport protocol (SMTP). When you write an email, it is first converted into the email message format and then transmitted over the internet with SMTP. Both email and SMTP consist of two parts, the headers (“metadata”) and the body (or content). And it is important to understand that the complete email message (header plus content) is the content of the SMTP data stream. This may all sound confusing, so let me simply explain with examples:

This is a typical email message (of course all of the following emails are fictional and fabricated by me -- so fake that I let my Russians speak English :-):

From: <bortnikow@FAKEfsb.ru>
To: <putin@FAKEkremlin.ru>
Date: Mon, 20 Mar 2016, 23:08:01 - 0500
Subject: Mission completed

Hi Vlad, we successfully accessed the email account of an high-ranking Democrat. Amazing stuff.

With SMTP, this email is transmitted this way:

-> SMTP starts
HELO anyway
MAIL FROM: <bortnikow@FAKEfsb.ru>
RCPT TO: <putin@FAKEkremlin.ru>
DATA
-> Email starts
From: <bortnikow@FAKEfsb.ru>
To: <putin@FAKEkremlin.ru>
Date: Mon, 20 Mar 2016, 23:08:01 - 0500
Subject: Mission completed

Hi Vlad, we successfully accessed the email account of an high-ranking Democrat. Amazing stuff.
-> End of Email message, the following single point signals this:
.

First, please note that this is the most trivial example. The email “From:” entry is the same as “MAIL FROM:” in SMTP (that’s basically always the case), and “To:” equals “RCPT TO:” (that’s not always the case, as I’ll explain later).

Please also note that both <bortnikow@FAKEfsb.ru> and <putin@FAKEkremlin.ru> are most likely in every well-maintained NSA selector list. Both are valid foreign targets, and the NSA would be highly interested in this email. However, it is virtually impossible that they could collect a domestic Russian email.

Let’s go on with our imaginary emails and consider a possible reply:

From: <putin@FAKEkremlin.ru>
To: <bortnikow@FAKEfsb.ru>
CC: <oleg.sixpack@FAKEkremlin-staff.ru>
Date: Mon, 21 Mar 2016, 06:08:33 - 0500
Subject: Mission completed

Great news. Oleg, do the next steps.

On Mon, 20 Mar 2016, 23:08:01 - 0500, <bortnikow@FAKEfsb.ru> wrote:
>
> Hi Vlad, we successfully accessed the email account of an high-ranking Democrat. Amazing stuff.


This is also a purely domestic Russian email, thus also likely inaccessible to the NSA. But please note there is a new recipient in the "CC:", so now we have two SMTP sessions:

MAIL FROM: <putin@FAKEkremlin.ru>
RCPT TO: <bortnikow@FAKEfsb.ru>
DATA
From: <putin@FAKEkremlin.ru>
To: <bortnikow@FAKEfsb.ru>
CC: <oleg.sixpack@FAKEkremlin-staff.ru>
Date: Mon, 21 Mar 2016, 06:08:33 - 0500
Subject: Mission completed

Great news. Oleg, do the next steps.

On Mon, 20 Mar 2016, 23:08:01 - 0500, <bortnikow@FAKEfsb.ru> wrote:
>
> Hi Vlad, we successfully accessed the email account of an high-ranking Democrat. Amazing stuff.
.

And:

MAIL FROM: <putin@FAKEkremlin.ru>
RCPT TO: <oleg.sixpack@FAKEkremlin-staff.ru>
DATA
[same email]
.

And now let’s imagine <putin@FAKEkremlin.ru> had sent a "BCC:" (BCC is the same as CC, save that with BCC nothing is added to the email headers) to <assange@FAKEjail.se>. Then there would have been another SMTP session like this:

MAIL FROM: <putin@FAKEkremlin.ru>
RCPT TO: <assange@FAKEjail.se>
DATA
From: <putin@FAKEkremlin.ru>
To: <bortnikow@FAKEfsb.ru>
CC: <oleg.sixpack@FAKEkremlin-staff.ru>
Date: Mon, 21 Mar 2016, 06:08:33 - 0500
Subject: Mission completed

Great news. Oleg, do the next steps.

On Mon, 20 Mar 2016, 23:08:01 - 0500, <bortnikow@FAKEfsb.ru> wrote:
>
> Hi Vlad, we successfully accessed the email account of an high-ranking Democrat. Amazing stuff.
.

What should this tell us? The NSA can only tap single SMTP messages, not an email as such. And it is possible that an email address (“selector”) is in the SMTP “RCPT TO:” header, but not in the email “To:” header -- and vice versa. So we can safely assume that the NSA will look in both headers for their targets, in SMTP and the email.

The good news here is that both headers are unambiguously defined. There is no room for interpretation; the syntax of these header fields is strictly defined in RFCs. The NSA can clearly detect emails from and to their known targets.

This changes with “about collection” of MCTs (“multi communication transactions”), as the NSA calls them. Let me explain with an example. Let’s imagine <oleg.sixpack@FAKEkremlin-staff.ru> forwarded the email to <bannon@FAKEbreitarsch.com>:

From: <oleg.sixpack@FAKEkremlin-staff.ru>
To: <bannon@FAKEbreitarsch.com>
Date: Mon, 21 Mar 2016, 15:22:13 - 0500
Subject: Fwd: Mission completed

As promised, we got them. Get back to me, if you wanna win the election.

----- Forwarded message from <putin@FAKEkremlin.ru> -----

From: <putin@FAKEkremlin.ru>
To: <bortnikow@FAKEfsb.ru>
CC: <oleg.sixpack@FAKEkremlin-staff.ru>
Date: Mon, 21 Mar 2016, 06:08:33 - 0500
Subject: Mission completed

Great news. Oleg, do the next steps.

On Mon, 20 Mar 2016, 23:08:01 - 0500, <bortnikow@FAKEfsb.ru> wrote:
>
> Hi Vlad, we successfully accessed the email account of an high-ranking Democrat. Amazing stuff.

--- End forwarded message ---

Funny, isn’t it? This email enters the NSA's realm, because the @FAKEbreitarsch.com domain is in the U.S. But if the NSA only targeted traditional From/To, they would never have collected this email, because <oleg.sixpack@FAKEkremlin-staff.ru> is not a known target, and <bannon@FAKEbreitarsch.com> must not be targeted because he is a U.S. citizen. But using “about collection”, the email will be collected, because both <putin@FAKEkremlin.ru> and <bortnikow@FAKEfsb.ru> are in their selector list.

So far the NSA hasn’t publicly explained the exact meaning of “about collection” and MCT, so what I say here is still a bit speculative, but I’m pretty sure that email forwards are the main reason the NSA “invented” MCT and “about collection”. But let’s discuss it in a bit more detail.

From the NSA's point of view, it's understandable that they consider this message a "multiple communications transaction", because it consists of two independent emails (which is -- strictly technically -- of course not correct, because the forwarded email is just content; see below). The forwarded email was, if not faked, a real email, a real communication of valid targets. Everything the PCLOB and NSA said about MCT and "about collection" makes sense if you look at it from this point of view.

However, there are of course many problems with this approach. 

First, as already mentioned, the forwarded email is free text. There are no strictly defined headers. In my example above "From:" is used to specify the sender. But this need not be the case, and in non-English countries it usually isn't. For example, German email clients will likely write "Von:" instead of "From:". Some email clients will add quote characters (like ">") to the beginning of each line. Some may add line feeds. And consider that an email can "grow" with many more forwards and replies than in my example.

So this means the NSA is likely incapable of detecting a forwarded email that was from or to a known target. They likely have to search the complete content, which means that a domestic U.S. email (which is, for whatever reason, routed over international lines) that contains a joke like "Dude, tell this nonsense <putin@FAKEkremlin.ru>!" is possibly ("possibly" because I highly doubt claims that Upstream would cover all U.S. international uplinks) collected and available to analysts for search. This clearly conflicts with privacy rights of citizens.
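Added example (not part of the original post): a short Python sketch of the distinction drawn above, separating selector hits in the SMTP envelope and in the top-level From/To/Cc headers from hits that occur only in free-text content. The selector set, the function names and the sample forward are constructed for illustration and assume nothing about how a real collection system works.

```python
import re
from email import message_from_string
from email.utils import getaddresses

SELECTORS = {"putin@fakekremlin.ru", "bortnikow@fakefsb.ru"}  # constructed, page's fictional addresses
ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def find_addrs(text):
    return {a.lower() for a in ADDR.findall(text)}

def parse_session(transcript):
    """Split the client side of an SMTP session into envelope addresses and message."""
    envelope, data, in_data = set(), [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":  # a lone dot ends the DATA section
                break
            data.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
        elif line.upper().startswith(("MAIL FROM:", "RCPT TO:")):
            envelope |= find_addrs(line)
        elif line.upper() == "DATA":
            in_data = True
    return envelope, message_from_string("\n".join(data))

def locate(transcript, selectors=SELECTORS):
    """Map each selector found in the session to the places it occurs."""
    envelope, msg = parse_session(transcript)
    fields = [v for h in ("From", "To", "Cc") for v in msg.get_all(h, [])]
    places = {"envelope": envelope,
              "header": {a.lower() for _, a in getaddresses(fields)},
              "body": find_addrs(msg.get_payload())}
    hits = {s: [p for p, found in places.items() if s in found] for s in selectors}
    return {s: p for s, p in hits.items() if p}

def about_only(transcript, selectors=SELECTORS):
    """Selectors seen only in free-text content: an "about" match, not to/from."""
    return {s for s, p in locate(transcript, selectors).items() if p == ["body"]}

# Constructed sample: a forward written by a German-language client, ">"-quoted.
FORWARD = """MAIL FROM: <oleg.sixpack@FAKEkremlin-staff.ru>
RCPT TO: <bannon@FAKEbreitarsch.com>
DATA
From: <oleg.sixpack@FAKEkremlin-staff.ru>
To: <bannon@FAKEbreitarsch.com>

> Von: <putin@FAKEkremlin.ru>
> An: <bortnikow@FAKEfsb.ru>
.
"""
print(sorted(about_only(FORWARD)))
```

The envelope and header matches rest on RFC-defined fields, while the body match is a plain address search: it cannot tell a forwarded "Von:" line from a passing mention of the address in a joke.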

But even if the NSA were capable of detecting from/to in forwarded emails, consider that each email is a new one, and new things may be discussed. When an email is forwarded 10 times by 10 different people, the last email (which is collected) may be a communication between two U.S. citizens who speak about things that have nothing to do with the target. Another clear conflict with privacy rights.

Maybe this is the reason the NSA stopped the "about collection"; at least their statement sounds this way: too many incidental collections, or as activists would call it, "too many privacy violations". However, I think there is another factor: one of the (very few) good Snowden effects was the wide spread of STARTTLS since 2013. Nowadays you can safely assume that the vast majority of emails are transmitted encrypted, and thus unreadable for passive eavesdroppers (keep in mind that at least Upstream is passive, because the NSA has no direct access to the cables). Maybe the NSA can still read some, be it because some mail servers still don't support STARTTLS or because bad encryption is used, but this is very likely the rare exception. I really think that eavesdropping on emails is pretty much worthless nowadays. The same goes for other services: most providers (Facebook, Google, webmail services, and so on) have switched to mandatory HTTPS. So I think that today Upstream is by far not as important as it was in 2013 (and even back then, according to PCLOB and other sources, PRISM was much more important than Upstream; and PRISM still is). Maybe Upstream “about collection” is just not worth a dispute with the FISC for the NSA anymore.


[1] https://www.nsa.gov/news-features/press-room/statements/2017-04-28-702-statement.shtml 
