Privacy SOS

Did this Tor developer become the first known victim of the NSA’s laptop interception program?

UPDATE (1/27/14): Shepard says she reached out to the seller and was told they entered the wrong tracking number. She hasn't received the package yet. She also says the new tracking details show that it has now been sent to Seattle, but to the wrong zip code, and "didn't ship until after [she] got the original notification email." That's left her unsure of "what to make of it and feeling paranoid," she told me via Twitter.

Last night Andrea Shepard, a core Tor developer living in Seattle, posted this message to Twitter:

The image she linked to shows the shipment tracking details for a keyboard Shepard ordered from Amazon, the global internet superstore and cloud computing giant that in late 2013 secured a $600 million contract with the CIA. Here's the image; click to enlarge it.

As you can see, the tracking details are highly unusual. Instead of shipping the keyboard directly from the Amazon storage facility in Santa Ana, California, to Shepard in Seattle, the package was first dispatched to Dulles, Virginia. From Dulles, it moved another four times around the military and intelligence belt in suburban Washington DC, finally landing in Alexandria at 11:03 am on January 23.

Contrary to Amazon's shipment tracking summary, Virginia is not the package's final destination. Shepard does not live in Alexandria and told Amazon to ship the keyboard to a Seattle, Washington address. You can see this for yourself in the top right hand corner of the image.

At the end of December 2013, journalists working for the German newspaper Der Spiegel published information about a top-secret arm of the NSA, called the Tailored Access Operations division. TAO does highly targeted surveillance, a world apart from the indiscriminate, mass surveillance that happens under other NSA and FBI programs. One of the more alarming things we learned in the TAO story is that the NSA intercepts computers ordered online and installs malware on them, before sending them on to their final destination.

Could this be what happened to Shepard's keyboard, ordered on Amazon and delivered to Alexandria, instead of to Seattle? Could Amazon have made a mistake in notifying Shepard about this extra journey, which was likely meant to stay a secret? If this really is an example of the TAO laptop-interception program in action, does this mean that companies like Amazon are made aware of the government's intention to "look after" consumer products ordered by their customers? Or did Shepard receive this weird notice only after some sort of glitch in the NSA's surveillance matrix?

If this indeed is evidence of the NSA intercepting a laptop to install spyware on it, it's yet more proof that, even when the spying is highly targeted and precise, the NSA isn't necessarily using its powers to only go after terrorists or dangerous criminals. Shepard is neither a criminal nor a terrorist. She's a developer, an activist, and a free speech supporter.

Is that all it takes to become a victim of the NSA's targeted spying? Someone should ask Amazon and the NSA what happened here, so we can get to the bottom of this bizarre situation. If in fact the NSA is installing malware on the computers of activists and coders working to protect internet anonymity, the government has a lot of explaining to do. If this is the case, it shows that even highly-targeted surveillance can be wildly abused, if agencies are left to fester in the dark to do whatever they want.

© 2021 ACLU of Massachusetts.