NSA Broke the Encryption on File-Sharing Apps Kazaa and eDonkey

The spy agency didn’t care about copyright violations; it was trying to determine if it could find valuable intelligence.

Photo: Schöning/ullstein bild/Getty Images

Before services like Spotify and Netflix proliferated, people who wanted to listen to music or watch movies online, on demand, had few legal options. Instead, they would download copies of pirated media using file-sharing technology. In early 2004, close to 8 million people in the U.S. alone were estimated to have downloaded music through so-called peer-to-peer apps like LimeWire, eDonkey, Kazaa, and BitTorrent. While it’s difficult to measure exactly how much of the world’s internet traffic consists of people swapping files, at the time some estimates said it was approaching 40 percent. (It was closer to 11 percent by 2016, according to another estimate.)

With this much file sharing occurring online, it’s no surprise that the National Security Agency took notice. According to documents provided by NSA whistleblower Edward Snowden, the spy agency formed a research group dedicated to studying peer-to-peer, or P2P, internet traffic. NSA didn’t care about violations of copyright law, according to a 2005 article on one of the agency’s internal news sites, SIDtoday. It was trying to determine if it could find valuable intelligence by monitoring such activity.

“By searching our collection databases, it is clear that many targets are using popular file sharing applications,” a researcher from NSA’s File-Sharing Analysis and Vulnerability Assessment Pod wrote in a SIDtoday article. “But if they are merely sharing the latest release of their favorite pop star, this traffic is of dubious value (no offense to Britney Spears intended).”

In order to monitor peer-to-peer networks, the NSA needed to both decode the protocols that various services used and, in some cases, break the encryption to see which files were being swapped. This last hurdle was cleared in at least two cases. “We have developed the capability to decrypt and decode both Kazaa and eDonkey traffic to determine which files are being shared, and what queries are being performed,” the researcher wrote.

The NSA developed ways to exploit Kazaa in order to extract information from registry entries stored on a computer, including “e-mail addresses, country codes, user names, location of the downloaded files, and a list of recent searches — encrypted of course,” according to the article. And, while the author doesn’t go into details, they claim that they “discovered that our targets are using P2P systems to search for and share files which are at the very least somewhat surprising — not simply harmless music and movie files.”

Kazaa is no longer in use and its website shut down in 2012.

The eDonkey network, however, is still active, although the system is not nearly as popular as it once was. EDonkey still uses the same vulnerable encryption it did in 2004. EMule, a popular program for connecting to the eDonkey network, hasn’t had an update in over seven years.

A representative of the eMule developer team told The Intercept that security was never a goal for eDonkey’s encryption. “EMule calls its protocol encryption ‘obfuscation’ rather than encryption,” the developer said. “It was a feature intended to stop ISPs and local routers from throttling the protocol by doing simple deep packet inspections, not one to mainly protect the communication against eavesdropping.”

“There is no doubt the NSA could spy on the traffic if they wanted to,” the developer added, “preventing this was not the aim of the protocol encryption (and not much of an issue back then in the old days when this feature was coded).”
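The developer's distinction between obfuscation and encryption, as an added toy model written for this article (not eMule's actual scheme or code): a stream keyed from a seed that travels in the clear hides the protocol's byte signature from a throttling middlebox, but any passive observer with the same wire bytes derives the same key. The plaintext, signature and seed below are constructed samples.

```python
"""Toy 'protocol obfuscation' layer (constructed illustration, not eMule's
code): the seed that keys the stream is sent in the clear, so DPI signature
matching fails while an eavesdropper recovers everything."""
import hashlib
import os

# Constructed sample: the kind of message a throttling DPI box would fingerprint.
PLAINTEXT = b"SEARCH: britney_spears_greatest_hits.mp3"
DPI_SIGNATURE = b"SEARCH:"


def keystream(seed: bytes, length: int) -> bytes:
    """Expand a seed into a keystream by chaining SHA-256 (toy construction)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def obfuscate(plaintext: bytes, seed: bytes) -> bytes:
    """Sender: prepend the 4-byte seed in the clear, then XOR with the keystream."""
    ks = keystream(seed, len(plaintext))
    return seed + bytes(p ^ k for p, k in zip(plaintext, ks))


def deobfuscate(wire: bytes) -> bytes:
    """Anyone holding the wire bytes, the peer or an eavesdropper, undoes the layer."""
    seed, body = wire[:4], wire[4:]
    ks = keystream(seed, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def dpi_matches(wire: bytes) -> bool:
    """A throttling middlebox only does a byte-pattern match on the stream."""
    return DPI_SIGNATURE in wire


def demo(seed: bytes = None) -> dict:
    """Show both properties at once: throttling is defeated, secrecy is not."""
    seed = seed or os.urandom(4)
    wire = obfuscate(PLAINTEXT, seed)
    return {
        "dpi_sees_signature": dpi_matches(wire),             # False
        "eavesdropper_recovers": deobfuscate(wire) == PLAINTEXT,  # True
    }
```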

Researchers from NSA’s FAVA Pod were not the only spooks interested in peer-to-peer technology. An NSA program called GRIMPLATE was developed to study how Department of Defense employees used BitTorrent, discover if this use was malicious, and potentially build a case for ending such use. According to a classified presentation from the 2012 iteration of the NSA’s annual SIGDEV conference, which aims to develop new sources of signals intelligence, “BitTorrent sessions are seen on a daily basis between NIPRnet hosts,” referring to computers on the DOD network for sensitive but unclassified information, “and [in] adversary space,” that is, outside networks run by U.S. targets like Russia and China.

By 2010, the British electronic eavesdropping agency Government Communications Headquarters was also interested in “active P2P exploitation research,” according to a page on an internal GCHQ wiki. The page describes DIRTY RAT, a GCHQ web application used by analysts that at the time had “the capability to identify users sharing/downloading files of interest on the eMule (Kademlia) and BitTorrent networks. … For example, we can report on who (IP address and user ID) is sharing files with ‘jihad’ in the filename on eMule. If there is a new publication of an extremist magazine then we can report who is sharing that unique file on the eMule and BitTorrent networks.”

The wiki article also hints at information sharing with law enforcement. “DIRTY RAT will soon be delivered to the [London] Metropolitan Police and we are in the early stages of relationships with [U.K. child protection agency] CEOP and the FBI,” it stated.

GCHQ also developed the technology to leverage its peer-to-peer monitoring for active attacks against users of file-sharing networks. A tool called PLAGUE RAT “has the capability to alter the search results of eMule and deliver tailored content to a target,” the wiki article states. “This capability has been tested successfully on the Internet against ourselves and testing against a real target is being pursued.”

NSA declined to comment. GCHQ did not address specific questions and sent a statement saying, “All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorized, necessary, and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Investigatory Powers Commissioner’s Office (IPCO), and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position. In addition, the U.K.’s interception regime is entirely compatible with the European Convention on Human Rights.”

Other stories and NSA documents released today by The Intercept are available on our SIDtoday home page.

Top photo: Kazaa’s website for music downloads.
