
National Security Agency, SID Today: The Answer Is... Peer to Peer File Sharing, June 22, 2005. Top Secret.


National Security Archive

May 25, 2026

A 2005 NSA memo reveals how the agency turned the torrent of peer‑to‑peer traffic into a covert intelligence‑gathering tool.

Source: National Security Agency, SID Today: The Answer Is... Peer to Peer File Sharing, June 22, 2005. Top Secret.
Date: Jun 22, 2005
Archive: The Intercept
Collection: Cyber Vault: Costs of a NYC Blackout Oct 18, 2017


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

The NSA’s P2P Wake‑Up Call, June 2005

The declassified “SID Today: The Answer Is… Peer to Peer File Sharing” memo is a routine internal briefing from the NSA’s File‑sharing Analysis and Vulnerability Assessment (FAVA) pod, dated 22 June 2005. It was produced in the Technical Advocate Office’s S3T1 pod, a small unit tasked with turning emerging network phenomena into intelligence collection opportunities. The memo’s purpose was two‑fold: first, to catalog the explosive growth of peer‑to‑peer (P2P) traffic; second, to demonstrate that the agency had already built the technical chops to identify, decrypt and parse that traffic for operational value.

Context: The P2P Explosion and the Intelligence Community’s Response

In the early 2000s, file‑sharing applications moved from the novelty of Napster to a diversified ecosystem—BitTorrent, eDonkey, KaZaA, Gnutella, among others—each generating massive bandwidth. Commercial studies cited in the memo (e.g., CacheLogic’s 2004‑2005 traffic analysis) showed that a single P2P protocol, BitTorrent, accounted for more than a third of all Internet traffic, outpacing web browsing, email and even emerging VoIP services. This surge coincided with the NSA’s broader shift toward “network‑centric” collection, epitomized by the post‑9/11 expansion of bulk data programs such as FAIRVIEW and MAINWAY. The agency’s analysts recognized that the torrent of user‑generated files and metadata could serve as a new “data exhaust” source, potentially revealing the habits, contacts and even the identities of foreign intelligence targets.

Who Was Talking, and What Their Words Reveal

The memo is signed only with the pod’s designation (FAVA Pod, S3T1) and a “Run Date,” underscoring its internal, operational nature. The language oscillates between dry statistics (“over one‑third of all Internet traffic”) and almost tongue‑in‑cheek remarks (“no offense to Britney Spears intended”), suggesting a culture comfortable with technical jargon yet aware of the absurdity of hunting intelligence value in pop‑culture file shares. The most revealing passage notes that the pod had “developed the capability to decrypt and decode both KaZaA and eDonkey traffic to determine which files are being shared, and what queries are being performed.” This admission confirms that, by mid‑2005, the NSA possessed the cryptanalytic tools to pierce the modest encryption employed by popular P2P clients—a capability that would later be referenced in debates over the agency’s ability to break more robust encryption.

The memo also highlights a shift from pure traffic‑volume measurement to content‑level exploitation: “Using these tools, we have discovered that our targets are using P2P systems to search for and share files which are at the very least somewhat surprising.” The phrasing hints at early intelligence finds—perhaps manuals, software exploits, or politically sensitive media—though the document stops short of specifying them, a typical precaution to avoid disclosing sources or methods.

What the Document Tells Us Beyond the Text

Reading between the lines, the memo betrays a strategic mindset: the NSA was not merely cataloguing a nuisance traffic class but actively integrating P2P monitoring into its SIGINT pipelines. The mention of “registry entries… e‑mail addresses, country codes, user names” indicates that the agency was correlating P2P metadata with other data stores to build richer target profiles. Moreover, the invitation to “contact us” if any unit encounters P2P usage signals an organizational push to disseminate the pod’s capabilities across the broader intelligence community, effectively turning P2P monitoring into a service bureau.

The classification markings (TOP SECRET // SI/TK, REL TO USA AUS CAN GBR NZL) reveal the document’s sensitivity and the expectation that allied signals‑intelligence partners would share interest—reflecting the Five‑Eyes’ collaborative approach to emerging cyber‑threats. The later declassification date (2032‑01‑08) underscores how the agency anticipated the information would remain sensitive for decades, likely due to the underlying collection methods rather than the content itself.

Legacy and Contemporary Relevance

The memo foreshadows several later controversies. First, it predates the 2013 Snowden disclosures that revealed the NSA’s bulk collection of internet metadata; the FAVA pod’s work shows that the agency was already harvesting non‑traditional data sources well before the public debate. Second, the technical capability to break P2P encryption anticipates current concerns about the agency’s ability to undermine modern end‑to‑end encryption used in messaging apps. Finally, the document illustrates an early acknowledgment that “non‑state” traffic—files shared by ordinary citizens—could be a trove of intelligence, a notion that now underpins discussions about privacy, surveillance, and the collateral impact of mass data collection.

In sum, this 2005 briefing is a microcosm of the NSA’s adaptation to the evolving architecture of the internet: turning a cultural phenomenon—peer‑to‑peer file sharing—into a systematic intelligence collection vector, and embedding that capability within a network of allied partners. Its declassification offers a rare glimpse into the agency’s internal calculus at a moment when the digital landscape was beginning to outpace existing surveillance frameworks, a moment that still resonates in today’s debates over cyber‑surveillance and privacy.



DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL

(U) The Answer Is... Peer to Peer File Sharing
FROM: FAVA Pod (S3T1)
Run Date: 06/22/2005

(U) One corresponding question might be: What technology is responsible for nearly two-thirds of all Internet traffic? In fact, CacheLogic conducted a study (available at www.cachelogic.com) examining traffic from January 2004 through June 2004 which showed that over one-third of all Internet traffic is due to a single Peer to Peer (P2P) application: BitTorrent. Let's take a moment to ponder this. Think of all of the non-P2P traffic out on the net: web, email, voice over IP (voip), etc. It turns out that BitTorrent is responsible for more traffic than all of these -- combined!

(U) This is due in large part to the types of files typically shared using BitTorrent, namely movies and TV shows (many in High Definition!). What is even more amazing is that BitTorrent isn't even the most popular file-sharing application. The P2P-focused website Slyck.com publishes the number of users currently connected to many of the popular P2P networks, and the two file-sharing applications with the most users as of June 2005 are eDonkey and KaZaA with approximately 5 million and 2.5 million users respectively.

(U) If you're asking yourself what is a Peer to Peer application, you are not alone. Peer to Peer file-sharing is a relatively recent addition to Internet communication methods. In its most basic sense, P2P applications provide a way for two users to share files directly, without having to put the files on a central computer. The first P2P system to gain notoriety was Napster. That system became the target of the Recording Industry Association of America (RIAA), since many users were illegally sharing copyrighted music files. Many of the popular P2P networks today continue to be targeted by the RIAA for the same reason.

(S//SI) This is the backdrop against which the File-sharing Analysis and Vulnerability Assessment (FAVA) Pod began its research**. The first task was to find ways to efficiently identify P2P traffic to allow further processing. eDonkey has been a particular success story in this regard as we can identify most eDonkey traffic now by examining only a few bytes in a packet.

(S//SI) One question that naturally arises after identifying file-sharing traffic is whether or not there is anything of intelligence value in this traffic. By searching our collection databases, it is clear that many targets are using popular file sharing applications; but if they are merely sharing the latest release of their favorite pop star, this traffic is of dubious value (no offense to Britney Spears intended). Hence the next task was to decode the traffic of these P2P applications. As many of these applications, such as KaZaA for example, encrypt their traffic, we first had to decrypt the traffic before we could begin to parse the messages. We have developed the capability to decrypt and decode both KaZaA and eDonkey traffic to determine which files are being shared, and what queries are being performed.

(TS) The latest success on the KaZaA project was developing the ability to parse out the registry entries on a hard drive. Stored in the registry are e-mail addresses, country codes, user names, location of the downloaded files, and a list of recent searches -- encrypted of course.

(S) Using these tools, we have discovered that our targets are using P2P systems to search for and share files which are at the very least somewhat surprising -- not simply harmless music and movie files. With more widespread adoption, these tools will allow us to regularly assimilate data which previously had been passed over; giving us a more complete picture of our targets and their activities.

(S) The file-sharing applications the FAVA Pod has examined are: BitTorrent, DirectConnect, eDonkey, FastTrack (KaZaA), Freenet, Gnutella, Gnutella2, JoltID, MSN Messenger, Windows Messenger, and Yahoo Briefcase. If you have a target using any of these applications or using some other application which might fall into the P2P category, please contact us -- we would be more than happy to help.

** Note: (S) The Pod Research Program, S3T1, resides in the Technical Advocate Office. For more information, type "go pods" in your favorite browser.

(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL_sid_comms).

DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007
DECLASSIFY ON: 20320108
