How to Get NSA's Attention (It's Art)

Many people, upon learning of the government's expansive programs to monitor electronic communications, probably thought to themselves, "Huh, I wonder if there are any steps I can take to make sure my emails do not end up in the pile that the NSA 'touches.'"

But not Ben Grosser. Grosser, an artist whose work explores the effects of software in society, had a different idea: How can I put my emails—the ones about my new cat, the invitations to meet up for coffee—under surveillance?

The result of this counterintuitive line of thinking is ScareMail, a new extension for Gmail that tacks text onto the bottoms of emails, algorithmically generated to capture the attention of the NSA's filtering mechanisms.

A bit of extra text tacked onto an email, full of NSA-alluring keywords. (Ben Grosser)

Grosser explains:

One of the strategies used by the US National Security Agency’s (NSA) email surveillance programs is the detection of predetermined keywords. These “selectors,” as they refer to them internally, are used to identify communications by presumed terrorists. Large collections of words have thus become codified as something to fear, as an indicator of intent. The result is a governmental surveillance machine run amok, algorithmically collecting and searching our digital communications in a futile effort to predict behaviors based on words in emails.

ScareMail proposes to disrupt the NSA’s surveillance efforts by making NSA search results useless. Searching is about finding the needles in haystacks. By filling all email with “scary” words, ScareMail thwarts NSA search algorithms by overwhelming them with too many results. If every email contains the word “plot,” or “facility,” for example, then searching for those words becomes a fruitless exercise. A search that returns everything is a search that returns nothing of use.

And he demonstrates in a quick video:

ScareMail from benjamin grosser on Vimeo.

As you can see from the examples, the results aren't exactly intelligible, and that's intended, says Grosser. Part of what he hopes to demonstrate with his project is that the mere inclusion of certain terms does not itself imply "intent"—that keywords will always generate some content that is innocuous.

Will ScareMail work as intended? The picture of how the NSA filters and handles email contents is still incredibly vague, and you'd have to know how that system works in order to game it, as ScareMail seeks to do. A recent report in The Wall Street Journal explained that of the 75 percent of all U.S. Internet traffic the system could conceivably reach, an unknown amount actually winds up stored within NSA databases, though "some" of what does is said to be communication between Americans (as opposed to between Americans and foreigners, or exclusively between foreigners). 

Just what terms and other clues go into filtering that firehose—a collaborative process on the part of several telecoms and the government—remain mysterious. Grosser says that "the 'scary' nouns and verbs" his program generates "are a best guess at probable NSA search keywords." He relies on a "Department of Homeland Security list of keywords used by their National Operations Center (NOC) for searching social media sites." As expected, Grosser says, that list contains terms such as "Al Qaeda," but, he adds, "it also contains a large number of multipurpose words, such as 'plot,' 'facility,' 'wave,' 'dock,' etc."

On their face, those words aren't scary in the least—which is precisely what's scary about their inclusion on that list.
