NSA uses Windows error reports to spy on civilians

Every Windows user knows that irritating post-crash message: "The system has recovered from a serious error. A log of this error has been created. Please tell Microsoft about this problem." Below the message, the options: "Send Error Report" or "Don't Send".

Many users click "Send" without thinking any more about it. "Sure," they think. "Why not help Microsoft fix this bug?"

Here's why not: new reports leaked by Edward Snowden suggest that the American National Security Agency (NSA) has even been spying on our Windows error reports in order to gain information about our systems.

And the worst thing? It isn't even that hard. For error dumps that contain any potentially personal information, Microsoft encrypts its reports, but for the more mundane kind, the messages are transmitted unencrypted and out in the open.

That isn't to say there's not still a hoard of useful information being passed in these reports. Information on your operating system, what software you run, when it crashes, and which programs aren't working properly is gift-wrapped in this smorgasbord of valuable system information. The reports even contain information on when a USB or PCI device is plugged in. All of this could prove extremely useful when tailoring a specific attack against a system, or designing a trojan to infect it.

The operation appears to be conducted by Tailored Access Operations (TAO), the NSA's top operative unit, and the one most often used to infiltrate the computers of enemies of the United States.

The inventive spying techniques are giving the NSA something to laugh about, at least.

In one internal graphic, they replaced the text of Microsoft's original error message with one of their own. "Sigint" stands for "signals intelligence."

An internal presentation suggests that the NSA's powerful XKeyscore spying tool is used to filter Microsoft's unencrypted crash reports from the enormous ocean of Internet traffic.

According to the presentation, the reports are a "neat way" to gain "passive access" to a machine. Passive access is a term used to describe access to all data that a computer sends out to the Internet, without any internal malware compromising the system.

Microsoft has denied close links to the NSA from the start of the PRISM spying scandal that engulfed the second half of 2013.

Update: When approached by ITProPortal, Microsoft spokespeople issued the following statement:

"Microsoft does not provide any Government with direct or unfettered access to our customer's data. We would have significant concerns if the allegations about Government actions are true. Regardless, we continue to review our encryption technologies and practices."

The company also directed concerned users to their "Microsoft on the Issues" blog, where they discussed government surveillance in early December.

Paul Cooper

Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine, and he was previously Staff Writer and Journalist at ITProPortal.