[Sporktacular]

Aren't there systems where a server does the browsing and/or page rendering but it's controlled by terminals using other protocols?

Just speculatively, if someone was managing the setup of a room full of NSA analysts browsing for OSINT, how would they cover their tracks? What would that traffic look like?

[sandworm101]

It would look much like any other institution full of people doing general web browsing. A university full of foreign students googling stuff in thier home languages. A hospital full of patients googling about random stuff. An airport full of international passengers surfing twitter feeds for war news.

[Sporktacular]

What they choose to investigate is itself revealing. CDNs and large hosting providers for example would be in a position to make inferences by observing and correlating traffic from that origin. I would be trying to obfuscate it using a VPN distributed over a range of countries and IP addresses. That could appear strange to a host, depending on how they implement it.

[sandworm101]

Except that most open source material is now encrypted. They could see lots of traffic towards Twitter/Facebook/YouTube/google and lots of overseas news sources but would have little insight into actual content.

[Sporktacular]

The NSA doesn't want any of the hundreds of thousands of Twitter/Facebook/YouTube/Google workers to have that insight either. And when the sites they're visiting aren't encrypted they can't browse to it because of OPSEC? That would all be at risk of side channel analysis. They aren't going to leave it chance. Count on them covering their tracks.