Future Tense

NSA Even Spied on Google Maps Searches, Documents Suggest

Even Google Maps searches might not be safe from the NSA.

Photo by Justin Sullivan/Getty Images

With its PRISM Internet surveillance program, the National Security Agency can reportedly monitor targets’ emails and do live surveillance of Google searches and other data. Now, the latest batch of revealed secret documents suggests the agency may have the ability to spy on Google Maps use, too.

In recent days, Brazilian newspaper O Globo has been publishing details about the NSA’s monitoring of email and phone call metadata across Latin America. O Globo, working in partnership with the Guardian’s Glenn Greenwald, has been revealing information gleaned from secret NSA documents disclosed by former NSA contractor Edward Snowden. The same trove of documents has been the source of a series of explosive scoops that have put the spotlight on the extent of the NSA’s ability to monitor Internet and phone communications in the United States and internationally.

Over the weekend, O Globo published a handful of new top-secret NSA PowerPoint slides. One of the slides disclosed the existence of an NSA program called “XKEYSCORE,” which appears to involve the mass storage of international Internet metadata—including information about emails, phone calls, log-ins, and other user activity—that can later be mined, or “queried,” by an NSA analyst from a computer.

One of the PowerPoint slides published by O Globo

Screengrab via O Globo.

Notably, another of the XKEYSCORE slides suggests that the NSA can monitor a person’s Google Maps activity—and use this as a basis to follow up any activity deemed suspicious with further investigation. The slide notes: “My target uses Google maps to scope target locations—can I use this information to determine his email address? What about the Web searches—do any look suspicious?” It adds: “XKEYSCORE extracts and databases these events, including all web-based searches, which can be retrospectively queried.”

It’s unclear how up to date the XKEYSCORE PowerPoints are and whether this program is still active. Either way, the slides are highly revealing. It is possible that they date from pre-2011, before Google made the decision to give all users the ability to encrypt Google Maps sessions using the SSL protocol. Without SSL encryption turned on, which shows in Internet browsers as HTTPS unlike unencrypted HTTP, the information you are sending over the Internet can be intercepted easily by anyone who has access to the data as it is being communicated over a network.

It seems likely that prior to Google adopting SSL for its maps sessions, the NSA was taking advantage of this by mining data about users’ Google activity directly from U.S. and international networks. Information published by the Guardian last month showed that the NSA appears to be collecting billions of what it calls “digital network intelligence” records from Internet infrastructure across the world. Separately, the Associated Press recently reported that the agency is operating a large surveillance program that “snatches data as it passes through the fiber optic cables that make up the Internet’s backbone.”

Although Google Maps sessions are now automatically encrypted, which may have stifled the NSA’s snooping somewhat, it is also possible that the agency can still get access to Google Maps data by demanding that the company turn it over as part of orders issued under the Foreign Intelligence and Surveillance Act. In addition, not all Google searches are encrypted—unless you are logged in to a Google account or direct your browser to https://encrypted.google.com—meaning that the NSA is still likely collecting huge troves of users’ searches by siphoning data off of networks it is tapping in to.

I asked Google whether it was able to hand over Google Maps sessions in real-time under a FISA order, but the company said it could not comment. “At some point we may expand our transparency report to cover this topic in more depth, but until then I’m not able to provide additional information for you,” spokesman Chris Gaither told me. I also asked Gaither why the Google does not automatically encrypt all of its searches in order to thwart spies mining the data directly off of networks. He said that Google had “worked hard over the past few years to increase our services’ use of SSL encryption” and was “committed to adding more support for SSL.”

But you don’t have to wait on Google to take action. If you are concerned about the NSA snooping on searches and maps sessions, there are a range of tools available to browse the Internet more securely. You can use Tor browser or a Virtual Private Network to conceal your IP address, both of which can help anonymize your Internet sessions. Alternatively, you can switch to using privacy friendly search engines like Ixquick and DuckDuckGo, which are committed to not storing data about users’ searches and have enjoyed a boom in popularity in recent weeks following the revelations about the scope of the NSA’s surveillance programs.