Channel: Electrospaces.net

US military and intelligence computer networks



From the Snowden revelations we learned not only about NSA data collection projects, but also about the many software tools that are used to analyze and search the collected data. These programs run on secure computer networks, isolated from the public internet. Here we provide an overview of the networks used by the US military and US intelligence agencies.

Besides computer networks, they also use a number of dedicated telephone networks, but these are gradually being moved from traditional circuit-switched networks to Voice over IP (VoIP). That makes it possible to run both computer and phone services over a single IP packet-switched network. NSA's NSTS phone system, for example, now seems to be fully IP-based.



An old NSTS telephone and a KVM-switch which enables switching between physically
separated networks, in this case two Unclassified (green labels), one Secret
(red label) and one Top Secret/SCI (orange and yellow label) network
(National Security Operations Center, 2006)


US national networks

The main US military and intelligence computer networks are (of course) only accessible to authorized personnel from the United States. Special security measures are in place to prevent interception by foreign intelligence agencies. Most of the tools and programs used by NSA run on JWICS and NSANet, but here we only mention them when this is confirmed by documents.


DNI-U (Director of National Intelligence - Unclassified)
- Until 2006: Open Source Information System (OSIS)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Access: US intelligence users
- Controlled by: DNI-CIO Intelligence Community Enterprise Services office (ICES)
- Purpose: Providing open source information; consists of a group of secure intranets used by the US Intelligence Community (IC)
- Computer applications: Intelink-U, Intellipedia, etc.



Page of the Unclassified version of Intellipedia
This one from the CIA's AIN network


NIPRNet (Non-secure Internet Protocol Router Network)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Secured by: Network traffic monitored by the TUTELAGE program and QUANTUM-DNS at gateways
- Address format: http://subdomains.domain.mil
- Access: US military users, via Common Access Card smart card *
- Number of users: ca. 4,000,000
- Purpose: Combat support applications for the US Department of Defense (DoD), Joint Chiefs of Staff (JCS), Military Departments (MILDEPS), Combatant Commands (COCOM), and senior leadership; composed of the unclassified networks of the DoD; provides protected access to the public internet.
- Computer applications: E-mail, file transfer and web services like the Joint Deployable Intelligence Support System (JDISS)
- Video Teleconferencing (VTC)



Cyber security officers in an operations center room at Barksdale Air Force Base
There are screens connected to NIPRNet (green background/border)
and SIPRNet (red background/border)
(Photo: U.S. Air Force/Tech. Sgt. Cecilio Ricardo)
More about this photo on SecurityCritics.org



SIPRNet (Secret Internet Protocol Router Network)
- Classification level: SECRET (color code: red)
- Secured by: TACLANE (KG-175A/D) network encryptors
- Address format: http://subdomains.domain.smil.mil
- Access: US (and some foreign partners)* military and intelligence users, via SIPRNet Token smart card
- Number of users: ca. 500,000 *
- Controlled by: JCS, NSA, DIA and DISA *
- Purpose: Supporting the Global Command and Control System (GCCS), the Defense Message System (DMS), collaborative planning and numerous other classified warfighter applications, and as such DoD's largest interoperable command and control data network.
- Computer applications: Intelink-S, Intellipedia, TREASUREMAP, Joint Deployable Intelligence Support System (JDISS), Defense Knowledge Online, Army Knowledge Online, etc.
- Phone service: VoSIP (Voice over Secure IP) as an adjunct to the DRSN for users that do not require the full command and control and conferencing capabilities.
- Secure Video Teleconferencing (VTC)



Computers in the White House Situation Room, with a yellow screensaver,
indicating they are connected to a TOP SECRET/SCI computer network
(Screenshot from a White House video)


JWICS (Joint Worldwide Intelligence Communications System)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE (KG-175A/D) network encryptors *
- Address format: http://subdomains.domain.ic.gov
- Access: US intelligence users
- Controlled by: DIA, with management delegated to AFISR
- Purpose: Collaboration and sharing of intelligence data within the US Intelligence Community (IC)
- Computer applications: ICE-mail, Intelink-TS, Intellipedia, GHOSTMACHINE, ROYALNET, TREASUREMAP, ICREACH, Joint Deployable Intelligence Support System (JDISS), etc.
- Phone Service: DoD Intelligence Information System (DoDIIS) VoIP telephone system
- Secure Video Teleconferencing (VTC)



Web-browser with a JWICS address for the ROYALNET tool


These various military and intelligence networks run on a world-wide physical infrastructure called the Defense Information Systems Network (DISN), which is maintained by the Defense Information Systems Agency (DISA) and consists of landline, mobile, radio and satellite communication links.

Most of these communication links are not connected to the public internet, but because radio and satellite transmissions can easily be intercepted by foreign countries, the security of these networks is assured by encryption. This encryption can also be used to run higher classified traffic over communication links with a lower classification level through Virtual Private Network (VPN) tunnels.

Classified communications have to be protected by NSA-certified Type 1 cryptography. For the most sensitive traffic this means Suite A, a set of classified, unpublished encryption algorithms (Suite B, built from public algorithms, is also approved for classified traffic). On most of these networks this is implemented with Type 1 certified TACLANE (KG-175A/D) in-line network encryptors made by General Dynamics:



(Diagram: General Dynamics)


As long as there is appropriately strong link encryption, only the endpoints with the computer terminals (where data are processed before they are encrypted) need strict physical and digital security in order to prevent eavesdropping or interception by foreign adversaries. One caveat: link encryption hides the content, but not the volume and timing of traffic, which an observer of the encrypted link can still measure; this is why in-line encryptors of this kind also offer traffic flow security modes that pad or fix the output rate to mask such patterns.

Most American military bases are connected to the SIPRNet backbone, but for tactical users in the field, the SIPRNet and JWICS networks can be extended to mobile sites through Satellite Communications (SATCOM) links, for example TROJAN SPIRIT and TROJAN SPIRIT LITE, which consist of a satellite terminal that can be mounted on a pallet, in a shelter, on a trailer or even connected to a transit case.


Other US government departments and intelligence agencies also have their own computer networks at different classification levels:

FBI
- LEO (Law Enforcement Online; Unclassified, for law enforcement communications)
- FBINet (Federal Bureau of Investigation Network; Secret)
- SCION (Sensitive Compartmented Information Operational Network; Top Secret/SCI)


DHS
- HSIN (Homeland Security Information Network; Unclassified)
- HSDN (Homeland Secure Data Network; Secret)


State Department
- OpenNet (Unclassified)
- ClassNet (Secret; address format: http://subdomain.state.sgov.gov)
- INRISS (INR Intelligence Support System; Top Secret/SCI)


CIA
- AIN (Agency InterNet; Unclassified)
- ADN (Agency Data Network?; Top Secret/SCI)


NRO
- GWAN (Government Wide Area Network, also known as NRO Management Information System (NMIS); Top Secret)
- CWAN (Contractor Wide Area Network; Top Secret)


NGA
- NGANet (National Geospatial-Intelligence Agency Network; Top Secret/SCI)


Finally, there's the Capitol Network (CapNet, formerly known as Intelink-P), which provides Congressional intelligence consumers with connectivity to Intelink-TS and CIASource, the latter being the CIA's primary dissemination vehicle for both finished and unfinished intelligence reports.



US multinational networks

Besides the aforementioned networks, which are only accessible to authorized military and intelligence personnel from the United States, there are also computer networks set up by the US for multinational coalitions, which can therefore also be used by officials from partner countries.

The group of countries that have access to such coalition networks is often denoted by a number of "Eyes" corresponding with the number of countries that participate.


NSANet (National Security Agency Network)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE network encryptors *
- Address format: http://subdomain.domain.nsa
- Access: US, UK, CAN, AUS, NZL signals intelligence users
- Controlled by: NSA, with management delegated to CSS Texas
- Purpose: Sharing intelligence data among the 5 Eyes partners
- Computer applications: SIDToday (newsletter), TREASUREMAP, MAILORDER, MARINA, TURBINE, PRESSUREWAVE, INTERQUAKE, World Cellular Information Service (WCIS), GATC Opportunity Volume Analytic, etc.
- Phone service: NSTS (National Secure Telephone System)



Web-browser with NSANet address for the INTERQUAKE tool, used by NSA's
Special Collection Service (SCS, organizational code: F6) units


Besides NSANet as its general purpose intranet, NSA also operates several other computer networks, for example for hacking operations conducted by the TAO division. Some of these networks can be seen in the following diagram, which shows how data go (counter-clockwise) from a bot on a victim's computer on the internet, through a network codenamed WAITAUTO to TAONet, and from there through a TAONet/NSANet DeMilitarized Zone (DMZ) to the data repositories and analysis tools on NSANet:



Diagram showing the data flow for TAO botnet hacking operations
(Source: NSA presentation)


PEGASUS
- Until 2010: GRIFFIN (Globally Reaching Interconnected Fully Functional Information Network)
- Classification level: SECRET//REL FVEY
- Access: US, UK, CAN, AUS, NZL military users
- Controlled by: DIA(?)
- Purpose: Information sharing and supporting command and control systems
- Applications: Secure e-mail, chat and VoSIP communications


STONEGHOST (Quad-Link or Q-Lat)
- Classification level: TOP SECRET//SCI
- Access: US, UK, CAN, AUS, NZL(?) military intelligence users
- Controlled by: DIA
- Purpose: Sharing of military intelligence information
- Applications: Intelink-C, etc.


CFBLNet (Combined Federated Battle Laboratories Network)
- Classification level: Unclassified and SECRET
- Access: research and development institutions of the US, UK, CAN, AUS, NZL and at least nine European countries
- Controlled by: MultiNational Information Sharing (MNIS) Program Management Office
- Purpose: Supporting research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.
- Applications: Communications, analytic tools, and other applications



The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)


For communications among the members of multinational coalitions, the United States provides computer networks called Combined Enterprise Regional Information eXchange System (CENTRIXS). These are secure wide area network (WAN) architectures which are established according to the specific demands of a particular coalition exercise or operation.

CENTRIXS enables the secure sharing of intelligence and operational information at the level of SECRET REL TO [country/coalition designator] and also provides selected centralized services, like Active Directory/DNS Roots, VoIP, WSUS and Anti-Virus Definitions.

There are more than 40 CENTRIXS networks and communities of interest (COIs) in which the 28 NATO members and some 80 other countries participate. The best-known CENTRIXS networks are:


CENTRIXS Four Eyes (CFE or X-Net)
- Classification level: TOP SECRET//ACGU
- Address format: http://subdomains.domain.xnet.mnf
- Access: US, UK, CAN, AUS military users
- Controlled by: DIA
- Purpose: Operational coordination through sharing and exchange of intelligence products
- Applications: Various services


CENTRIXS-ISAF (CX-I)
- Classification level: TOP SECRET//ISAF
- Access: ca. 50 coalition partners
- Controlled by: ?
- Purpose: Sharing critical battlefield information; US component of the Afghan Mission Network (AMN).
- Computer applications: Web services, instant messaging, Common Operational Picture (COP), etc.
- Voice over IP


CENTRIXS-M (Maritime)
- Classification level: TOP SECRET ?
- Purpose: Supporting multinational information exchange among the ships of coalition partners of the US Navy to provide access to critical, time-sensitive planning and support data necessary to carry out the mission
- Computer applications: E-mail, Chat messaging, Webpages, etc.


Some other CENTRIXS networks are:

CENTRIXS-GCTF
- For the ca. 80 Troop Contributing Nations of the Global Counter-Terrorism Force (GCTF)

CENTRIXS-CMFC
- For the Combined Maritime Forces, Central Command (CMFC)

CENTRIXS-CMFP
- For the Combined Maritime Forces, Pacific (CMFP)

CENTRIXS-J
- For the United States and Japan

CENTRIXS-K
- For the United States and South-Korea



Links and Sources
- US National Intelligence: A Consumer's Guide (pdf) (2009)
- Paper about How to Use FASTLANEs to Protect IP Networks (pdf) (2006)


New Zealand and XKEYSCORE: not much evidence for mass surveillance



Since March 5, The New Zealand Herald and the website The Intercept published a number of stories based on top secret documents regarding New Zealand. These stories followed last year's claims by Edward Snowden saying that the New Zealand signals intelligence agency GCSB is involved in indiscriminate and illegal mass surveillance of ordinary citizens.

Here we will take a close look at the original documents that accompanied these reports and put them in a broader context in order to see whether they support these claims or not. Attention will also be paid to the notorious XKEYSCORE system.




The listening station at Waihopai (SIGAD: NZC-333) in New Zealand
after activists deflated one of the kevlar radomes in April 2008
(Source: GCSB presentation)
 

GCSB satellite collection

In the first story from March 5, it was claimed that New Zealand's signals intelligence agency GCSB conducted "mass spying on friendly nations" in the South Pacific on behalf of the Five Eyes partnership, which consists of the United States, the United Kingdom, Canada, Australia and New Zealand.

The allegation of "mass spying" seems to be based upon an excerpt from a GCHQ wiki page from about 2011, which talks about "full-take collection" at New Zealand's satellite intercept station in Waihopai (codenamed IRONSAND):



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND


A GCSB report from July 2009 says that GCSB users were trained by NSA XKEYSCORE trainers "in anticipation of full-take collection and 2nd party sharing" with the full-take collection expected to be running by October 2009.


"Full-take" collection

The New Zealand Herald explained that "full-take collection means the base now collects and retains everything it intercepts: both the content of all the messages and the metadata". If that were true, one could probably speak of "mass surveillance".

But later on, the report quotes the German magazine Der Spiegel, which had already reported in 2013 that XKEYSCORE "enables 'full-take' of all unfiltered data over a period of several days". The latter is an important detail, but neither The New Zealand Herald nor The Intercept paid any further attention to it.

When New Zealand's prime minister John Key was asked about the "full-take" at a press conference, he told a reporter: "With the greatest of respect, I don't actually think you understand the technical term and it's not my job to explain it to you". This is the standard response governments give in these matters, preferring to let citizens think they are under massive surveillance rather than explaining what really happens.
 

XKEYSCORE

In the GCHQ wiki entry we also see two check boxes with next to them the Waihopai station mentioned as "GCSB_IRONSAND_WC2_FULL_TAKE". The abbreviation WC2 stands for WEALTHYCLUSTER 2, which is apparently the second generation of a system that is used to process low data rate signals: it sessionizes all of them and then forwards them to XKEYSCORE.

XKEYSCORE fed by WEALTHYCLUSTER processing is called the traditional version, which is used for satellite and terrestrial radio signals. For higher data rates, like on fiber-optic cables, it was/is not possible to forward all data to XKEYSCORE.

These still unfiltered internet communication sessions forwarded to XKEYSCORE are called the 'full-take'. They are only stored for a short period of time: content is buffered for 3 to 5 days (sometimes shorter or longer, depending on the amount of traffic) and metadata for up to 30 days. In other words, XKEYSCORE maintains a rolling buffer that is continually being overwritten:



Slide with some main characteristics of the XKEYSCORE system
See also another, similar NSA presentation about XKEYSCORE


This buffering enables analysts to perform federated queries using so-called "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents, spreadsheets in English, as well as in Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful for tracing a target's internet activities that are performed anonymously and therefore cannot be found by just filtering on the known e-mail addresses of a target. When such content has been found, the analyst may find new intelligence or new "strong selectors", which can then be used to start a traditional search.


XKEYSCORE Fingerprints

To use XKEYSCORE more efficiently, analysts can create so-called 'fingerprints': rules containing search terms (especially all the correlated identities of a certain target) that are automatically executed by the system. Some examples of XKEYSCORE fingerprints were disclosed by German regional television on July 3, 2014, which presented them as excerpts of XKEYSCORE's source code.

Until now, The New Zealand Herald has published two XKEYSCORE fingerprints that define GCSB targets: one related to candidates for the job of director-general of the World Trade Organisation (WTO), and another one related to the Solomon Islands, for which the fingerprints show that GCSB (and/or NSA) was interested in documents from the government of this island state, as well as in the Truth and Reconciliation Commission and former militia groups.


GCSB targets

Another document disclosed by The New Zealand Herald and The Intercept shows that GCSB also spies on China, Pakistan, India, Iran, South Pacific Island nations (like Tuvalu, Nauru, Kiribati and Samoa, Vanuatu, New Caledonia, Fiji, Tonga and French Polynesia), the diplomatic communications of Japan, North Korea, Vietnam, and South America, as well as French police and nuclear testing activities in New Caledonia, and even on Antarctica.

A number of these targets, and some others, were already listed in a 1985-86 annual report of GCSB (classified as TOP SECRET UMBRA), which was accidentally released in 2006. So although it might be embarrassing for the New Zealand government that the spying on nearby friendly island states was exposed, it is nothing new and nothing that falls far outside the range of what intelligence agencies usually do.


"Collect it All"

In a GCSB presentation (pdf) about the Waihopai satellite station from April 2010 we read: "To brief IS on the MHS ‘Collect It All’ initiative" - with IS being the abbreviation for IRONSAND, the codename for Waihopai; and MHS for Menwith Hill Station, NSA's large satellite facility in England.

This seems to confirm that "Collect It All" was initially a project for the Menwith Hill Station, maybe meant to be extended to other satellite collection facilities, but not the primary aspiration for NSA's collection efforts in general, as Glenn Greenwald claimed in his book No Place To Hide.*

As evidence, Greenwald presented a slide from a 2011 presentation for the annual Five Eyes conference, but that shows that "Collect it All" actually refers to just one particular stage of the collection process for satellite traffic:




- On top of the diagram, the process starts with receiving the satellite signals ("Sniff it All") and this is followed by "Know it All", which is about detecting (survey) what kind of traffic certain communication channels contain.

- The stage for which they aim "Collect it All" is when signals are processed into usable data by conversion, demodulation and demultiplexing. This is done through systems codenamed ASPHALT and ASPHALT PLUS, but no further information on these systems has been published. Apparently "Collect it All" is about increasing the capability to process signals.

- The next stage is "Process it All" where, after a Massive Volume Reduction (MVR) to get rid of useless data, XKEYSCORE (XKS) is used to search for things that are of interest. The last two stages are about analysing data at large scale and sharing them with GCHQ and NSA's satellite intercept station in Misawa, Japan.



Photo of what might be XKEYSCORE equipment at the NSA's
European Cryptologic Center (ECC) in Griesheim, Germany
(Source: ECC presentation (pdf))


Targeted collection

Combining the earlier disclosed information about XKEYSCORE shows that neither "full-take", nor "Collect it All" means that "everything" ends up in some NSA database (typically PINWALE for content and MARINA for metadata). This only happens with data that is extracted based upon 'strong selectors', 'fingerprints', or manual searches by analysts when they think it contains valuable foreign intelligence information.

A 2012 NSA document about a training course for XKEYSCORE, published by Der Spiegel in June 2014, says that this system helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

This suggests that XKEYSCORE is able to sort out data in a way that is even more targeted than the traditional method, in which communications are filtered out by internet addresses. This would make XKEYSCORE even less the "mass surveillance tool" as it is called by Snowden.
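The behaviour described in the XKEYSCORE, fingerprint, "Collect it All" and targeted-collection sections above (a rolling buffer with separate content and metadata windows, a Massive Volume Reduction step in front of it, fingerprint rules that run automatically and copy only the sessions they hit into long-term stores, and the NZSID7 training check with audit logging for queries against New Zealand data) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not code from the original article or from any agency system. The retention windows are taken from the article; the MVR rule, the session and fingerprint classes, the site name used for the training check and all sample sessions are constructed assumptions made for illustration.

```python
from dataclasses import dataclass

CONTENT_RETENTION_DAYS = 4       # article: content is buffered for "3 to 5 days"
METADATA_RETENTION_DAYS = 30     # article: metadata is kept "for up to 30 days"
MVR_MAX_CONTENT_BYTES = 10_000   # assumed threshold for the volume-reduction stage


@dataclass
class Session:
    sid: int
    day: int          # collection day on a simplified integer clock
    site: str         # collection site, e.g. "IRONSAND" (Waihopai)
    src: str          # metadata: source identifier (e-mail address, IP address, ...)
    dst: str
    proto: str        # "smtp", "http", "tls", "tor", "video", ...
    content: str      # unfiltered body text; blanked when the content window expires


@dataclass
class Fingerprint:
    """A rule the system runs automatically against every session entering the buffer."""
    name: str
    selectors: tuple = ()   # strong selectors: exact identifiers of a target
    keywords: tuple = ()    # soft selectors: terms searched for in body text
    protos: tuple = ()      # traffic characteristics, e.g. ("tor",) for anonymised use

    def matches(self, s: Session) -> bool:
        if s.src in self.selectors or s.dst in self.selectors or s.proto in self.protos:
            return True
        text = s.content.lower()
        return any(k.lower() in text for k in self.keywords)


def mvr_discard(s: Session) -> bool:
    """Massive Volume Reduction: drop bulk traffic before it reaches the buffer.
    Assumed rule: streaming video and oversized sessions are not worth buffering."""
    return s.proto == "video" or len(s.content) > MVR_MAX_CONTENT_BYTES


class RollingBuffer:
    def __init__(self, fingerprints):
        self.fingerprints = list(fingerprints)
        self.sessions = {}   # sid -> Session: the rolling buffer itself
        self.promoted = {}   # sid -> (reason, metadata, content): the long-term store
        self.audit = []      # one record per analyst query

    def ingest(self, s: Session, today: int) -> bool:
        """Return False if MVR dropped the session, True if it entered the buffer."""
        if mvr_discard(s):
            return False
        self.sessions[s.sid] = s
        for fp in self.fingerprints:
            if fp.matches(s):   # a hit copies the session out; the copy survives expiry
                self.promoted[s.sid] = (fp.name, (s.src, s.dst, s.proto, s.day), s.content)
        self.expire(today)
        return True

    def expire(self, today: int) -> None:
        """Roll the buffer forward: blank old content, then drop old metadata."""
        for s in list(self.sessions.values()):
            age = today - s.day
            if age >= METADATA_RETENTION_DAYS:
                del self.sessions[s.sid]
            elif age >= CONTENT_RETENTION_DAYS:
                s.content = ""   # body text is overwritten, the metadata record remains

    def query(self, analyst: str, keyword: str, site: str, nzsid7_trained: bool = False):
        """Manual soft-selector search over one site's buffered content. Queries against
        New Zealand-sourced data are refused without NZSID7 training, and every query
        is recorded so that it can be audited afterwards."""
        if site == "IRONSAND" and not nzsid7_trained:
            self.audit.append((analyst, site, keyword, "refused: NZSID7 training required"))
            return []
        hits = [s.sid for s in self.sessions.values()
                if s.site == site and keyword.lower() in s.content.lower()]
        self.audit.append((analyst, site, keyword, f"{len(hits)} hit(s)"))
        return hits


def demo():
    """Run one constructed day of IRONSAND traffic through the model."""
    fingerprints = [
        Fingerprint("wto_candidates", keywords=("Director-General", "WTO")),
        Fingerprint("target_mailbox", selectors=("target@example.org",)),
        Fingerprint("anonymised_use", protos=("tor",)),
    ]
    buf = RollingBuffer(fingerprints)
    constructed_sessions = [   # sample data made up for this example, not real intercepts
        Session(1, 0, "IRONSAND", "alice@example.org", "bob@example.org", "smtp", "lunch on friday?"),
        Session(2, 0, "IRONSAND", "cand@example.org", "press@example.org", "smtp",
                "announcing my candidacy for WTO Director-General"),
        Session(3, 1, "IRONSAND", "10.0.0.9", "198.51.100.7", "video", "x" * 20_000),
        Session(4, 1, "IRONSAND", "203.0.113.5", "198.51.100.8", "tor", ""),
    ]
    for s in constructed_sessions:
        buf.ingest(s, today=1)
    refused = buf.query("analyst1", "wto", "IRONSAND")                     # -> []
    hits = buf.query("analyst1", "wto", "IRONSAND", nzsid7_trained=True)  # -> [2]
    buf.expire(today=6)    # content window passed: bodies gone, metadata kept
    buf.expire(today=40)   # metadata window passed: the buffer is empty
    return buf, refused, hits
```

Running `demo()` shows the point the article makes: after 40 days the buffer is empty, and the only sessions that survive are the two that a fingerprint hit (the WTO keyword and the Tor session), while the untargeted lunch e-mail is gone and the video stream never entered the buffer at all. The untrained analyst's query returns nothing and leaves an audit record, the trained one finds session 2.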
 


GCSB cable access

Besides the satellite station in Waihopai and the High-Frequency radio intercept facility near Tangimoana, some snippets disclosed in September 2014 show that GCSB also started a cable access program codenamed SPEARGUN, for which the first metadata probe was expected mid-2013. According to The Intercept, this program might be about tapping the Southern Cross cable, which carries "the vast majority of internet traffic between New Zealand and the rest of the world".

A bit confusing is that in a 2012 GCSB presentation (pdf), project SPEARGUN is listed among topics related to the "IRONSAND Mission", but maybe this means that the mission of this satellite intercept station in Waihopai was extended to include cable operations too.

IRONSAND is in the north east of the South Island of New Zealand, while the landing points for the Southern Cross cable are in the north of the North Island, a distance of more than 500 kilometers. It's possible that from the Waihopai station the actual cable intercept facilities are remotely controlled, maybe through a secure Virtual Private Network (VPN) connection over the domestic Aqualink cable:




The access points to the Southern Cross cable could then be identical with the "NSA facilities" in Auckland and "in the north" of the country, which Edward Snowden hinted to in his speech on the "Moment of Truth" meeting in Auckland on September 15, 2014.


Snowden's claims

The Intercept presented this cable access as a "mass metadata surveillance system" capable of "illegal domestic spying" on the communications of New Zealanders. These claims seem to be based upon a rather pathetic statement from Edward Snowden himself:

"If you live in New Zealand, you are being watched. At the NSA I routinely came across the communications of New Zealanders in my work with a mass surveillance tool we share with GCSB, called “XKEYSCORE.” It allows total, granular access to the database of communications collected in the course of mass surveillance. It is not limited to or even used largely for the purposes of cybersecurity, as has been claimed, but is instead used primarily for reading individuals’ private email, text messages, and internet traffic".

Snowden pretends that XKEYSCORE is primarily used to snoop on the communications of private citizens, as if GCSB, NSA and the other partner agencies don't have way too many other targets (see for example the long list of countries targeted by GCSB) and waste their time on ordinary civilians. Snowden however continues:

"The GCSB provides mass surveillance data into XKEYSCORE. They also provide access to the communications of millions of New Zealanders to the NSA at facilities such as the GCSB station at Waihopai."
"It means they have the ability to see every website you visit, every text message you send, every call you make, every ticket you purchase, every donation you make, and every book you order online."

This is also misleading, because, as we have already seen, GCSB isn't very much interested in "your" private communications. In his "Moment of Truth" speech, Snowden claimed that he would have been able to enter for example the e-mail address of prime minister John Key in XKEYSCORE to get access to all content and metadata of his internet activities.

What Snowden briefly acknowledged in this speech, but left out of his statement for The Intercept, is that such searches are constrained by policy restrictions. Indeed, every analyst who works with XKEYSCORE and wants to query data collected in New Zealand has to complete training on the New Zealand Signals Intelligence Directive 7 (NZSID7), which contains the rules about what GCSB is allowed to do.

As GCSB is not allowed to collect communications of New Zealanders (except for when there's a warrant to assist domestic agencies), this means that the other Five Eyes agencies aren't allowed to do that either. Snowden would therefore not have been allowed to look at the communications of prime minister Key.


Not only must all queries against data from New Zealand sources be compliant with both the NZSID7 and the Human Rights Act (HRA), they will also be audited by GCSB:



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND

Snowden however considers these policy restrictions not sufficient because analysts "aren't really overseen". For GCSB, a 2013 review report found that there were indeed problems with oversight, but the new GCSB law, which is opposed by many people because it would supposedly enable "mass surveillance", actually also strengthens oversight. NSA noticed this too.


The government's response

New Zealand's prime minister John Key rejected the reporting by The New Zealand Herald, saying that "Some of the information was incorrect, some of the information was out of date, some of the assumptions made were just plain wrong". He strongly denied that GCSB collects mass metadata on New Zealanders, but he acknowledged that the agency had tapped into the cable, only for the purposes of a cybersecurity program codenamed CORTEX.

As proof, several secret government documents were declassified, but from them it does not become clear whether CORTEX really is the same program as the cable access codenamed SPEARGUN in the NSA and GCSB documents. According to Key, the CORTEX cybersecurity system was eventually scaled back and now only protects specific entities in the public sector and some private companies.

A snippet from an NSA document says that the implementation of the cable access project SPEARGUN was awaiting the new 2013 GCSB Act. It was said this was because the new law would enable "mass surveillance", but the proposed law also authorizes GCSB to ensure cybersecurity, which would support the statement of the government.

 

Conclusion

As the disclosed documents contain only a few lines and no further details about the cable access codenamed SPEARGUN, it is not possible to say for sure whether this is about intercepting communications from the Southern Cross cable, as the Snowden-related media claim, or whether it is actually a cybersecurity program, as the government says.

What did become clear is that XKEYSCORE isn't really a "mass surveillance tool", but is actually used to collect data in a way that is at least just as targeted as traditional methods. Many of GCSB's targets came out as legitimate, some are more questionable, but none of them included the bulk collection of communications from ordinary citizens, whether domestic or abroad.

Snowden also said that there are "large amounts of indiscriminate metadata about the communication and other online events of citizens" from all Five Eyes countries. But apart from the domestic phone records collected by the NSA, no evidence has yet been presented for such collection in the other countries.



Links and Sources
- EmptyWheel.net: What an XKeyscore Fingerprint Looks Like
- The New Zealand Herald: Bryce Edwards: The ramifications of the spying scandal
- The Press: We're snooping on the Pacific...so what?
- Report: Review of Compliance at the Government Communications Security Bureau (pdf) (2013)
- ArsTechnica.com: Building a panopticon: The evolution of the NSA’s XKeyscore

The National Security Agency in 2002



During the past year, a number of slides from a 2002 NSA presentation titled "National Security Agency: Overview Briefing" were disclosed as part of the Snowden-leaks.

This presentation as a whole would have given a comprehensive overview of the structure and mission of NSA at the start of this millennium, but until now only six slides have been made public, widely scattered over a period of almost a year and across media on three continents, almost as if to prevent people from seeing the whole picture.

All slides from this presentation can be recognized by their rather overloaded blue background, combining the seals of NSA and CSS, a globe, numerous ones and zeros representing digital communications, and a fancy photoshopped lens flare. In a number of slides, the font type of the classification marking looks different, which could indicate that the presentation was altered and/or re-used several times.




This slide was published by Brazilian media in July 2013. A somewhat distorted version (pdf) was published by Der Spiegel on June 18, 2014. It shows a world map with all the locations of satellite intercept stations, which are used for the collection of foreign satellite (FORNSAT) communications.

Nine stations are operated by NSA, including two as part of an SCS unit (see below), and seven stations are operated by 2nd Party partners, in this case Great Britain, Australia and New Zealand:

US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)

2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, Waihopai (New Zealand)

All these satellite intercept stations were interconnected, and it was this network that became publicly known as ECHELON. Revelations about this eavesdropping system in the late 1990s led to public and political outrage and subsequent investigations very similar to what happened since the start of the Snowden-leaks.

Until the new millennium, international communications travelled via satellite links, which made ECHELON one of NSA's most important collection systems. But since then, international traffic has shifted almost entirely to fiber-optic cables, making this the agency's current number one source.

We have no slide about NSA's cable tapping capabilities in 2002, but from other sources we know that there were at least three programs operational outside the US:
- RAMPART-M for access to undersea cables
- RAMPART-T for land-based cables, in cooperation with CIA
- RAMPART-A for cable access in cooperation with 3rd Party partner agencies




This slide was published by the Italian paper L'Espresso on December 6, 2013. It once again shows a world map, this time with the names of over 80 cities where there's a joint NSA-CIA Special Collection Service (SCS) unit. These units operate covertly from inside a US embassy or consulate to get access to targets that are difficult to reach otherwise. The names of cities in countries that are hostile to the US are redacted by the paper.

There are also four "Survey Sites" and seven "Future Survey Sites", but at present it is not clear what that means. Finally, there are two Technical Support sites: PSA in Bangkok, Thailand, and RESC (Regional Exploitation Support Center?) at the US Air Force base in Croughton, UK. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.




This slide was published by Der Spiegel on June 18, 2014. It shows a world map with the locations where there's a Cryptologic Support Group (CSG). These CSGs are part of the signals intelligence and cryptologic branches of the five US Armed Services (Army, Navy, Air Force, Marines, Coast Guard), which together form the Central Security Service (CSS) - the tactical part of NSA.

Cryptologic Support Groups provide advice and assistance on SIGINT reporting and dissemination and are located at all major US military command headquarters, both inside and outside the United States. The locations of Cryptologic Support Groups in 2002 were:
- STRATCOM: United States Strategic Command, Omaha
- TRANSCOM: United States Transportation Command, Belleville
- USSPACECOM: United States Space Command, Colorado Springs
- JSOC: Joint Special Operations Command, Spring Lake
- State Department, Washington
- NMJIC: National Military Joint Intelligence Center, Washington
- CIA: Central Intelligence Agency, Langley
- ONI: Office of Naval Intelligence, Suitland
- San Francisco
- FORSCOM: United States Army Forces Command, Fort Bragg
- JFCOM: United States Joint Forces Command, Norfolk
- SOCOM: United States Special Operations Command, MacDill AFB
- CENTCOM: United States Central Command, MacDill AFB
- Key West (Naval Air Station)
- SOUTHCOM: United States Southern Command, Doral
- EUCOM: European Command, Molesworth
- NAVEUR: United States Naval Forces Europe, London
- USAREUR: United States Army Europe, Wiesbaden
- USAFE: United States Air Forces in Europe, Ramstein
- EUCOM: European Command, Stuttgart
- USFK: United States Forces Korea, Seoul
- Japan
- Hawaii (United States Pacific Command)

This large number of CSG locations is one of the things that reflects the importance of NSA's military mission, which is almost completely ignored in the Snowden reporting (the slide was published rather unnoticed as part of a batch of 53 NSA documents).




This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It shows what NSA saw as current threats in 2002, with an overlay that seems to have been added later and which lists a range of communication techniques. Greenwald says this slide shows that NSA also counts these technologies, including the Internet, as threats to the US, proving that the US government sees this global network and other types of communications technology as threats that undermine American power.*

This interpretation is rather far-fetched because in that case, pagers and fax machines would also be a threat to the US. It's obvious the list shows the means by which individuals and organisations that threaten the US can communicate - which of course is important to know for a signals intelligence agency like NSA.

The actual threats listed in the slide are:
- Hackers
- Insiders
- Traditional Foreign Intelligence
- Foreign [...]
- Terrorists
- Criminal elements
- Developing nations



This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It says that NSA has alliances with over 80 major global corporations supporting both missions (i.e. Signals Intelligence and Information Assurance) and presents the names of a number of big American telecommunications and internet companies, along with pictures of some old-fashioned communication devices.

Greenwald's book says that in the original presentation, this slide follows some unpublished ones that are about "Defense (Protect U.S. Telecommunications and Computer Systems Against Exploitation)" and "Offense (Intercept and Exploit Foreign Signals)".*



This slide was also published in Greenwald's book on May 13, 2014. It shows the three main categories of "customers" of NSA, which are government and military organizations that can request and receive intelligence reports. Besides other major US intelligence agencies, we see that NSA works for civilian policy makers as well as for military commanders, from the Joint Chiefs of Staff (JCS) and the Commanders-in-Chief (CINCs) down to tactical commanders.

Greenwald uses this slide to point to the Departments of Agriculture, Justice, Treasury and Commerce, the mentioning of which he sees as proof of an economic motive behind NSA's spying operations.* Although almost all countries (try to) spy in order to get information that can be useful for their national economic interests, Greenwald acts as if this kind of intelligence is somehow off limits, and thereby discredits NSA.


> See also: NSA's global interception network in 2012



Links and Sources
- National Security Agency: Transition 2001 (pdf)
- Declassified interview with NSA Director Michael Hayden (pdf) (2000)

Torus: the antenna to significantly increase satellite interception
(Updated: April 15, 2015)

At three satellite facilities, in Britain, Cyprus and New Zealand, there's a special antenna that allows NSA's partner agencies a significant increase in their capability to collect satellite communications.

This antenna is called Torus, and while conventional parabolic dish antennas can only view one satellite at a time, one single Torus antenna is able to receive the signals from up to 35 communications satellites.

These rare and expensive Torus antennas are used by some television networks, but a close look at photos of the Five Eyes satellite stations has now revealed the locations where Torus antennas are also used for gathering signals intelligence.



A General Dynamics Satcom Technologies Torus antenna
with the array of receiver heads clearly visible



The Torus antenna is rectangular, instead of circular like conventional satellite dishes. Its quasi-parabolic shape is actually a section of the geometrical shape called a torus, which gave it its name. Where a conventional satellite antenna has only one receiving head, called a Low-Noise Block (LNB) downconverter, a Torus antenna has many of them, placed in an array.



How one Torus antenna (brand name Simulsat) is able
to receive the signals of up to 35 satellites
(Source: Evertz.com - Click to enlarge)


With a focal arc instead of a single focal point, the Torus antenna can pick up the signals from a range of satellites which are in a GeoStationary Orbit (GSO), a fixed position above the equator. This is the case for most of the more than 100 communications satellites. Because a Torus antenna has to be aligned with the positions of multiple satellites, it has to be adjusted to a specific position and therefore cannot be turned or spun around like circular satellite dishes.


Satellite collection

The usage of Torus antennas for signals intelligence first became clear from a slide that was part of a 2011 presentation for the annual Five Eyes conference. It was published in May 2014 in Glenn Greenwald's book No Place To Hide.

The slide is titled "New Collection Posture" and contains a diagram showing the various steps in the process of satellite collection. Greenwald saw this as evidence that NSA wants to "Collect it All", although the diagram clearly shows this refers to just one particular stage:




For the first step of this process the slide says that "Torus increases physical access" - a clear description of the fact that one such antenna can receive the signals from many satellites. With one satellite having between 24 and 32 transponders to relay a signal, one Torus antenna, under the right circumstances, could in theory receive nearly 1,000 communications channels simultaneously.

This doesn't necessarily mean that with Torus antennas, the Five Eyes agencies are now "collecting everything". The new antenna gives them access to many more satellites, but in the next stage (dubbed "Know it All") they look for and pick out the channels that have the best chances of containing useful information.


More access also means the need for more capacity to process these incoming signals, because they have to be converted, demodulated and demultiplexed before anything can be done with them. And for internet communications, more XKEYSCORE (XKS) servers would also be needed for buffering, so analysts can sort out data of interest.

Torus antennas are useful to "increase the haystack", which doesn't mean that the whole haystack is stored - only those tufts that are likely to contain "needles".



Torus interception antennas

Now knowing what to look for, it was quite easy to "spy back" on the satellite intercept stations through the aerial images of Google Maps. By doing so, we can recognize Torus antennas in Britain, Cyprus and New Zealand.


Waihopai, New Zealand

Most information about the use of a Torus antenna for signals intelligence is available for the one at the Waihopai satellite intercept station in New Zealand, which is codenamed IRONSAND.

According to an article that was originally published in The Marlborough Express in July 2007, the Torus at Waihopai was built the month before and was expected to be operational later that year. Then GCSB director Bruce Ferguson said that this new dish would enable satellites to be tracked more efficiently, and with a cost of under 1 million dollars, it was very good value for money, he said.



The Waihopai station in 2012, with the Torus antenna at the far left
(Photo: Gilbert van Reenen/Vital Images - Click to enlarge)


The new Torus antenna joined the existing satellite dishes, the first of which was built in 1989, and the second in 1998. These dishes are covered by domes, which make them look like giant golf balls. According to the GCSB director this was to ward off the weather, but it is generally considered that it is actually to prevent seeing which direction the dishes face.

The Torus didn't get such a covering, maybe because it only has limited ability to manoeuvre on a fixed pad. But had the Torus antenna been covered like the old dishes, we wouldn't have known about this new and increased satellite interception capability.



The GCSB satellite station Waihopai, before (2005) and
after (2008) the Torus antenna was installed


The Torus at Waihopai is also mentioned in a recently disclosed GCSB presentation from April 2010, which says: "TORUS now enabling an increase of COMSAT/FORNSAT collection". This suggests that the antenna became operational not long before, although it was already installed in 2007. Maybe it took a few years before the necessary processing capacity became fully functional.


Bude, United Kingdom

A second Torus antenna used for satellite interception is at GCHQ Bude, in the west of Cornwall, in the United Kingdom. Bude, codenamed CARBOY, is a large station where GCHQ and NSA cooperate in the interception of both satellite and submarine cable communications.

Here, satellite interception started in the late 1960s with two giant dishes with a diameter of 27 meters. Nowadays there are 21 satellite antennas of various sizes that can cover all the main frequency bands and seem generally orientated towards the INTELSAT, Intersputnik and INMARSAT communication satellites.

The Torus antenna at GCHQ Bude must have been installed somewhere between January 2011 and June 2013: on the current Google Maps image, which is from December 30, 2010, the Torus antenna isn't yet present, but in the picture below, which is from June 23, 2013, the distinctively shaped antenna is clearly visible:



Satellite dishes at GCHQ Bude in Cornwall, with the Torus
antenna just right of the big radome in the center
(Photo: Reuters/Kieran Doherty - Click to enlarge)



Ayios Nikolaos, Cyprus

A third Torus antenna is installed at the GCHQ listening station Ayios Nikolaos, which is part of the British Sovereign Base Area of Dhekelia in Cyprus, where British signals intelligence has already been present since the late 1940s.

This listening station is codenamed SOUNDER and is part of the Five Eyes satellite interception network that became known as ECHELON. A Google Maps satellite photo shows that there are several large and small satellite dishes, including one that can be recognized as a Torus antenna:



Satellite dishes at GCHQ Ayios Nikolaos in Cyprus with
the one at the left recognizable as a Torus antenna
(Photo: Google Maps - Click to enlarge)


This satellite image is from April 12, 2014, but because no earlier images are available for this location, it's not possible to say in which year this Torus antenna was installed. This means that for now, the oldest reference to a Torus antenna used for signals intelligence is the one at Waihopai in New Zealand (2007).

Update:
As a reader noticed in a comment below, images from Google Earth show that the Torus antenna at Ayios Nikolaos must have been built somewhere between May 2008 and April 2011, according to the images available for those dates.
So for signals intelligence, Torus antennas were subsequently set up in Waihopai (2007), in Ayios Nikolaos (between 2008 and 2011) and in Bude (between 2011 and 2013).

No Torus dishes were visible at the other major satellite stations of the Five Eyes countries, like Yakima and Sugar Grove in the US, Menwith Hill in the UK, Misawa in Japan, and Geraldton in Australia. Torus antennas also cannot be seen in aerial photos of the satellite intercept facilities in allied countries like The Netherlands, Denmark, Germany, and Austria.



Development

The Torus antenna was developed in 1973 by COMSAT Laboratories in Clarksburg, Maryland, where it operated an experimental installation that communicated with Intelsat satellites.

The original version of the Torus antenna was able to receive the signals of up to 7 satellites simultaneously and cost 1.1 million US dollars. At that time, the price of a conventional dish, which was much larger than those used nowadays, was around 800,000 dollars.


Probably the first experimental Torus antenna of Comsat,
here being disassembled in August 2007
(Photo: Dennis Boiter/Comara.org - Click to enlarge)


In 1979, COMSAT applied to the Federal Communications Commission (FCC) to build three Torus antennas for commercial use: in Etam (West Virginia), Andover (Maine) and Jamesburg (California). Each of them had to communicate simultaneously with three American domestic satellites which were in a geostationary orbit 4 degrees apart from each other.

After the presentation of the first commercial Torus antenna in 1981, the system didn't become very popular, apparently because the efficiency of this antenna type was lower than that of parabolic satellite dishes and it also had increased sidelobe levels.


Manufacturers

The largest and custom made Torus antennas appear to be manufactured by General Dynamics Satcom Technologies. Smaller, standard Torus antennas are available from General Dynamics' subsidiary Antenna Technology Communications Inc (ATCi), which produces three types under the brand name Simulsat. The width of these dishes is between 8 and 13 meters.

Reportedly there are only about 20 Torus antennas in the world, but it's not clear whether this number covers only the largest ones made by GD Satcom Technologies, or whether it also includes the smaller dishes from ATCi. Main customers are the US federal government and television stations that feed their cable networks with a large number of satellite channels.



Simulsat antenna at the Microsoft campus in Silicon Valley


Television networks

An example of a Torus used by television networks is the American sports broadcaster ESPN, which had a 24-meter Torus antenna installed at its headquarters in Bristol, Connecticut, in 2007. DIRECTV has three Torus dishes, including one at its Los Angeles Broadcast Center (LABC), which receives signals from 32 satellites.

It's not known what the price of a Torus antenna is, but it probably comes near 1 million dollars. This can be worth it, as one single Torus eliminates the need to install multiple conventional parabolic dishes, which can cost up to several hundred thousand dollars each.
 

Update:
After this article had been published, a number of other Torus antennas were found by Cryptome, @sigwinch and other people. Most of them are at the dish farms of television networks and commercial satellite companies. Until now, 17 additional Torus antennas can be seen at:

- CIA headquarters (present already in 2000)
- Schriever Air Force Base in Colorado
- An Intelsat ground station near Napa, California (2)
- An Intelsat ground station in Nuevo, California
- An Intelsat ground station near Atlanta, Georgia
- An RRsat America ground station near Hawley, Pennsylvania
- An Intelsat dish farm in Long Beach, California
- An Echostar satellite downlink facility in Chandler, Arizona
- The Intelsat Teleport near Castle Rock, Colorado
- An Echostar Broadcast Center in Cheyenne, Wyoming
- A satellite station near Lake Pochung, New Jersey
- A satellite ground station in Vernon county, New Jersey
- The HBO Communication Center in Hauppauge, New York
- The roof of HBO Studio Productions in New York City (2)
- The Inmarsat access station in Nemea, Greece



Links and sources
- Stuff.co.nz: Snowden Files: Inside Waihopai Domes
- Business sheet: General Dynamics SATCOM Technologies Business Overview (pdf)
- Product sheet: General Dynamics 7.0 Meter Torus (pdf)

Some equipment that connects NSA with its foreign partners


A close look at a unique photo of NSA computer equipment revealed the names of five countries: Tunisia, the Netherlands, Belgium, Germany and Italy. The devices are routers, but it's not certain what exactly they are used for. The circumstances indicate that they enable the exchange of data for military operations in which these NSA partner countries participate.



Presentation about Strategic Analytics at the
NSA's European Cryptologic Center (ECC)
(Click for the full presentation in pdf)


On June 14, 2014, the German magazine Der Spiegel published 53 documents pertaining to the NSA's operations in Germany and its cooperation with German agencies. Many of them got little attention, and so they often contain interesting things which are not yet reported.

One of these documents is an undated presentation about Strategic Analytics used at the NSA's European Cryptologic Center (ECC), which is located near the city of Darmstadt in Germany. This presentation contains some unique photos of what seems to be NSA equipment.


Cisco routers

One of the photos shows a 19-inch rack for computer equipment modules, which contains 13 common Cisco 2811 routers. In the photo we see the front panels of the routers, each one having a black power cable and a red network cable, which connects to a computer in order to manage the router. The cables for the actual data are on the rear side, where the device has four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet ports, and a slot for an Enhanced Network Module (ENM).



Slide from the presentation about Strategic Analytics
at the NSA's European Cryptologic Center (ECC)
(Click to enlarge)


Classification labels

Twelve routers have an orange and a yellow label, only the bottom one has a red label. These labels indicate the (highest) classification level of the data that are handled by the equipment. The red label is for Secret, the orange one for Top Secret and the yellow one for Sensitive Compartmented Information (SCI), which means the information is in a "control system" with extra protective measures.

All but one of the routers may therefore transfer data up to the level of Top Secret/SCI. This sounds quite impressive, but actually almost everything NSA does is classified at this level, more specifically as Top Secret//Comint (or SI for Special Intelligence) - the marking that can be seen on almost all Snowden documents.


Sometimes, the photos in the presentation are related to what the slide is about, but here that seems not to be the case. The slide is about MapReduce analytics, with MapReduce being a particular method to filter, sort and generate data from very large databases. This is completely different from what routers do, which is transferring data from one computer network to another.



Photo of the equipment rack with 13 Cisco routers
(Click to enlarge)


The white labels

Most interesting in this photo is the text on the white labels, which unfortunately is very difficult to read. But after I drew attention to these photos, a Twitter user noticed that these labels contained new codewords and names of countries. Eventually the following words could be read, with those that are uncertain in gray:

BAYBRIDGE
TUNISIA

PARTSTREAMER
NETHERLANDS

BAYBRIDGE
SEENFLARE

BAYBRIDGE
BELGIUM

BAYBRIDGE
SIDELIGHT

BAYBRIDGE
MALFRACK

BAYBRIDGE
THAWFACTOR TR82/...

... EXPANSION
GERMANY ...

CRO......
MEVE/ORION ..MG/..EF

BAYBRIDGE
...... ..../....

BAYBRIDGE
FAIRLANE

BAYBRIDGE
ITALY ....

........
....... ....


Most of the routers are labeled BAYBRIDGE, either accompanied by another codeword or by the name of a country: Tunisia, Belgium and probably Italy. The Netherlands and Germany are mentioned on routers which appear to be related to other systems, which for the Netherlands is codenamed PARTSTREAMER. Germany is related to some kind of EXPANSION.

All these codewords are seen here for the first time, so it's not known what they stand for and the variations make it even more difficult to guess what these routers are actually used for. Maybe some future disclosures of NSA documents can provide an explanation.



Close-up of the white labels for the routers labeled
BAYBRIDGE TUNISIA and PARTSTREAMER NETHERLANDS


Third Party partners

One thing that these five countries have in common is the fact that they are 3rd Party partners of NSA. This means there's a close cooperation based upon a formal agreement between NSA and the agency responsible for signals intelligence in a given country.

Belgium, The Netherlands, Germany and Italy are long-time trusted allies of the US, but Tunisia only came closer to the US after 9/11. It for example supported the war on terrorism, conducted joint training exercises with the US, and US Navy ships regularly visited the ports of Bizerte, Sfax, Sousse and Tunis.*

Initially, Tunisia fell under the responsibility of the US European Command (EUCOM), but it came under the newly created US Africa Command (AFRICOM) in 2008. There are even plans to move the AFRICOM headquarters from Stuttgart, Germany to Tunisia, after this small North African country moved away from its close relationship with France in recent years.


We can probably get even closer to the purpose of these routers by looking at where they are used. As we have seen, the photo isn't related to what's in the slide, but as the presentation as a whole is about certain efforts at the NSA's European Cryptologic Center (ECC), we can assume the routers were photographed there.
 

The European Cryptologic Center

The ECC is one of several Cryptologic Centers of the NSA. These were established in the mid-1990s to decentralize SIGINT operations and make their systems more redundant. Initially they were called Regional SIGINT Operations Center (RSOC).

Four of these centers are in the United States and named after the state they are in: Georgia (in Augusta), Texas (in San Antonio), Hawaii (in Honolulu) and Colorado (in Denver). There are two known centers outside the US: the European Cryptologic Center (ECC, in Griesheim, Germany) and the Afghanistan Remote Operations Cryptologic Center (AROCC, in Bagram, Afghanistan).



The NSA's European Cryptologic Center (ECC) at the Dagger
Complex in Griesheim near Darmstadt, Germany
(Photo: AP, July 2014 - Click to enlarge)


The European Cryptologic Center (ECC) is located within the US Army's Dagger Complex outside the small town of Griesheim, near the city of Darmstadt in Germany. In 2011, it had some 240 personnel, consisting of military and civilian members of the military services, NSA civilians and contractors.

On behalf of NSA, the center is operated by the US Army Intelligence and Security Command (INSCOM) and as such is part of the NSA's military branch, the Central Security Service (CSS), more specifically of NSA/CSS Europe and Africa (NCEUR/AF).

The ECC conducts the processing, analysis and reporting of signals intelligence in support of both the European Command and the Africa Command - which perfectly fits the countries we saw on the white labels. The ECC is primarily focussed on Counter-Terrorism and supporting military operations in Africa and the Middle East.


Military operations

According to NSA historian Matthew Aid, NSA's European center already supported American troops operating in Bosnia and Kosovo in the late 1990s. There were direct communication links not only with US military units, but also with all the SIGINT agencies and units of the partner nations operating in the Balkans, like Germany, France, Italy, the Netherlands, and others.

In a similar way the routers we see in the photo from the presentation could then be used for the exchange or transfer of data related to specific military and counter-terrorism operations, each involving different countries. For now, this seems the most likely option, as it could also explain the variations of the codewords.

This seems to be different from SIGDASYS, which is a database system where NSA and some partner agencies can put in and pull out military intelligence information on a more regular basis. Also, SIGDASYS is part of the SIGINT Seniors Europe (SSEUR or 14 Eyes) group, which doesn't include Tunisia.



Links and sources
- Matthew Aid: The European Cryptologic Center at Darmstadt, Germany (2013)
- Presentation about the US Army Intelligence and Security Command (INSCOM) (pdf, 2013)
- NIST: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy (pdf, 2005)

German BND didn't care much about foreign NSA selectors
(Updated: May 15, 2015)

Over the last couple of weeks, the German foreign intelligence agency Bundesnachrichtendienst (BND) was accused of helping the NSA by carelessly or even deliberately entering selectors used for spying on foreign targets in the German satellite interception system at Bad Aibling.

Here, recent outcomes of the German parliamentary inquiry will be combined with information from the various press reports, in order to provide a more integrated picture of what happened over the past years.

It becomes clear that BND did everything that seemed reasonable to prevent German data from being passed on to the Americans, but that it didn't really care about whether NSA collected communications from other European countries.

It remains unclear to what extent BND is able to prevent German communications being collected from internet traffic.




 
The context

This latest affair started on April 23, when the German magazine Der Spiegel reported that NSA apparently spied upon European and German targets for years, with the knowledge of the German foreign intelligence agency BND.

Other news reports inflated this to BND deliberately helping NSA in spying on these targets illegally, which led opposition leaders to accuse the German government of treason. This despite the fact that by then there was no clear evidence, only sometimes confusing and not always very accurate press reports.


Committee hearings

Meanwhile there's somewhat more clarity, also because last Thursday, May 7, the parliamentary committee investigating NSA spying and cooperation with BND (German: NSA UntersuchungsAusschuss, NSAUA) questioned three BND employees (designated R.U., D.B. and Dr. M.T.) who were involved in this issue.

The day before, May 6, the regular parliamentary intelligence oversight committee (Parlamentarisches KontrollGremium, PKGr) heard BND president Gerhard Schindler and Thomas de Maizière, currently the Interior Minister, but previously responsible for intelligence affairs at the Chancellery.



The room where the hearings of the parliamentary committee take place
(photo: DPA)



The cooperation between NSA and BND

The cooperation between NSA and BND which is at stake here started with a Memorandum of Agreement (MoA) signed on April 28, 2002, in which both parties agreed on joint espionage areas and targets, such as counter-terrorism, the battle against organized crime and against the proliferation of weapons of mass destruction.

Two years later, NSA abandoned its Bad Aibling Station for satellite interception, that under the codename GARLICK was part of the ECHELON network. Most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to BND.

In return, BND had to share the results from its satellite collection with the NSA. For this cooperation the Joint SIGINT Activity (JSA) was set up, consisting of personnel from both NSA and BND. The Americans provided most of the equipment. The JSA was located at the nearby Mangfall Barracks and was closed in 2012.



Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".

Selectors

For the satellite interception in Bad Aibling, approximately 4 out of 5 selectors came from the Americans, the rest were German. According to the testimony of BND employee D.B., NSA started providing the Germans with phone numbers around 2005, followed in 2007 with selectors for IP communications. Most of them were related to Afghanistan.

According to Süddeutsche Zeitung, NSA provided BND with roughly 690,000 phone numbers and 7.8 million internet identifiers between 2002 and 2013. That is an average of something like 60,000 phone numbers and 700,000 internet identifiers a year, or 164 phone numbers and over 1,900 internet identifiers each day.

Such selectors (German: Telekommunikationsmerkmale) include phone and IMEI numbers, e-mail, IP and MAC addresses of computers and tablets, but also other kinds of internet identifiers, like names, nicknames and chat handles. These are called "hard selectors". It is not known whether "soft selectors" like keywords, or maybe even cookies and malicious code signatures, were also used.


 
How BND checks NSA selectors

The selectors provided by NSA were picked up by BND employees at Bad Aibling from an NSA server a few times a day. Initially their number was not very large. They came, for example, as Excel sheets which were checked manually at Bad Aibling.

Apparently talking about the Eikonal operation, witness D.B. explained to the committee that in the testing phase, one BND employee did this on his own, which led to a delay of one day. In 2007 NSA wasn't satisfied with that and wanted the results in real-time.


3-stage filtering

Later, the number of selectors increased to a level that couldn't be checked by hand anymore. A new procedure was set up, in which, at least since 2008, Bad Aibling personnel sent over the selectors to BND headquarters in Pullach once a week, without further inspection. At the headquarters, the selectors were checked in an automated process of 3 stages:

1. A negative filter which filters out e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

2. A positive filter consisting of a list of German citizens using foreign communication identifiers, for example businessmen, journalists, but also jihadis who have a foreign phone number. Numbers from this relatively large list of a few thousand numbers will also not be monitored.

3. A filter to sort out selectors that collide with German interests. Witnesses heard by the committee wouldn't publicly explain how this works, but maybe in this stage selectors for European military contractors in which Germany participates (like EADS and Eurocopter) are filtered out.

The only regular manual check is for false positives, because for example SIM cards can have an IMEI number that also starts with 49.

Although this filtering was considered 99.99% accurate, the witness R.U. admitted in the hearing on Thursday that this method is not always able to prevent German communications from being intercepted, for example when a German citizen uses an Afghan phone number and/or is calling locally in Afghanistan. Such numbers would not be rejected for tasking, and there's also no system that filters out spoken German language.


How to determine nationality?

During an earlier hearing, BND lawyer Stefan Burbaum said that in rare cases a conversation first had to be collected and listened to in order to determine whether the contents are under constitutional protection or not.

Likewise, it is impossible to determine the nationality of the person using an e-mail address like for example "redgoose1432@hotmail.com" without further circumstantial information. Even the content isn't always decisive.

We know that NSA analysts have to determine a "foreignness factor" for every selector, to rule out that it belongs to an American. For BND however it's impossible to automatically check whether such a mail address could belong to a German.

Witness R.U. pointed out that such cases are rather speculative, because generally selectors like phone numbers are only tasked when they have a connection to a known suspect or target.


How to check internet selectors?

During the hearing for the parliamentary inquiry, the witnesses mainly spoke about (selectors for) intercepting telephone calls, and they weren't questioned about how internet communications are filtered.

This seems to be a missed opportunity, because for the latter it is much more difficult to sort out domestic communications. Phone numbers always start with a country code, but on the internet people use many kinds of identifiers that are not easily attributable to a specific country.

It would have been interesting to know how BND thinks it can prevent, for example, MAC addresses of devices used by Germans from being monitored, or to what extent it is possible to determine the nationality of people behind nicknames. This is important, not least because there are far more selectors for IP traffic than for telephony.


Positive filtering

It seems that BND tries to solve this issue with the positive filter, using a list of foreign identifiers used by German citizens. However, keeping such a list up-to-date would almost require an intelligence operation itself, but maybe they take a shortcut by requesting the phone numbers and e-mail addresses of Germans abroad from for example the foreign ministry, chambers of commerce and press organisations.

This seems doable for Germans, but it's obvious that this is impossible for companies and citizens from other European countries. This explains why apparently some NSA selectors for European companies made it through BND's selection system.


Economic espionage?

This doesn't automatically mean NSA was conducting economic or industrial espionage. According to Süddeutsche Zeitung, there are only very few indications for that. The paper says NSA was mainly interested in certain companies because it was looking for illegal (arms) exports.

For example, the e-mail address of an Airbus employee who was probably targeted by NSA, reportedly belongs to someone who is responsible for applying for arms export licences, which shows that targeting commercial companies can very well have valid foreign intelligence reasons.

On May 13, the head of Germany's domestic security service BfV, Hans-Georg Maassen, said that he has no evidence that the United States carried out industrial espionage in his country.



An operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter - Click to enlarge)


 
Discovery of suspicious selectors

Already in 2005, a BND employee discovered that among the selectors provided by NSA (at that time also used for the cable tapping under operation Eikonal), there were identifiers for the European defense contractors EADS and Eurocopter (both now part of Airbus Group).

These companies have no protection under the German constitution, but it was considered that such information shouldn't be forwarded automatically. Selectors for French government officials were discovered somewhat later, according to witness D.B. last Thursday.

Then in 2008, a BND official informed the Chancellery saying that NSA was apparently going after its own interests in Europe too. At least by then, BND started sorting out suspicious NSA selectors and put them in a separate database.


Storing rejected selectors

This selection took place at BND headquarters, but after that, all selectors were sent back to Bad Aibling, where they were either entered into the collection system or stored in the rejected selectors repository (German: Ablehnungsdatei).

Although it could be interesting to know what NSA looks for but didn't pass BND filters, witness D.B. said this database isn't routinely looked at. He also said that NSA is informed about the selectors that have been rejected, which was apparently no problem for them.

Storing the rejected selectors was said to be useful because when NSA sends a suspicious selector again, it can be sorted out by checking against this list. Approved selectors are also sometimes marked as inactive, for example when a foreign extremist travels into Germany. Then BND monitoring has to stop, but when he leaves the country, the selector is activated again.


40,000 rejected selectors

Until 2013, the Ablehnungsdatei was filled with some 40,000 NSA selectors which therefore didn't make it into the collection systems. This is about 0.47% of the total number of selectors provided by the Americans.

Initially, Der Spiegel reported that these 40,000 were found through an investigation in the Fall of 2013, suggesting they had been active all the time and that thereby, BND enabled NSA to illegally spy on some 40,000 targets.

Given the criteria of BND's 3-stage filter system, these 40,000 must include NSA selectors that either have a German country code, a foreign identifier used by a German citizen or entity, or a match with the mysterious "German interests" criteria.

We don't know how many selectors were rejected in each of these stages, but we can assume that in a number of cases NSA did send identifiers for targets that were recognizable as German. For selectors rejected in the second stage, NSA may not have known that a particular identifier was used by a German, something that BND could probably find out more easily.

We also don't know how these 40,000 are divided among phone and internet selectors, which can also make a big difference, as it is much easier to attribute phone selectors to a particular country than it is for internet identifiers. Opposition leaders are demanding that the parliamentary investigation committee can see the list, but the government said they are still negotiating with NSA about this.



Office room in the former BND headquarters in Pullach, used by
an employee who clearly is a hardcore fan of Elvis Presley
(Photo: Martin Schlüter - Click to enlarge)


Investigating active selectors

Early August 2013, just several months after the start of the Snowden revelations, BND Unterabteilungsleiter D.B. asked technical employee Dr. M.T. to take a look at the active NSA selectors to see what types of identifiers they contain and whether it could be determined what regions NSA was interested in (Interessensschwerpunkte).

For that, Dr. T. was provided with a copy of the database containing all selectors used in Bad Aibling. This database copy was stored on a separate computer, because ordinary workstations couldn't process such a large dataset.

To his surprise, he found selectors that seemed politically sensitive. He put them in a separate database, of which a single copy was printed out. This investigation took about four weeks and resulted in some 2000 suspicious selectors. These were still active at that time, unlike the 40.000 which were prevented from being activated.

The database containing all selectors was deleted after the job was done. The one with the 2000 selectors sorted out by Dr. T. could not be found after he had returned the dedicated computer.


Suspicious selectors deactivated

Immediately after finding suspicious selectors, Dr. T. informed his superior Referatsleiter H.K., who reported this to Unterabteilungsleiter D.B. Around mid-August 2013, D.B. called the unit in Bad Aibling and ordered Dienststellenleiter R.U. to deactivate (although press reports call it "delete") the suspicious selectors in the tasking database.

For this, D.B. sent him the printed list with the 2000 selectors by courier. Using some specific criteria (perhaps like those mentioned further down), it was then possible to remove the suspicious selectors. Strangely enough, D.B. thought all this not relevant enough to report to the Chancellery.

Der Spiegel reported that in the hearing behind closed doors on May 6, BND president Schindler said that the list of 2000 selectors almost exclusively contains e-mail addresses, not of companies, but mainly of European politicians, EU institutions and government agencies.

The reason for that is clear, because as we have seen, BND didn't systematically filter out such selectors. But at least this seems to confirm that preventing German selectors from being monitored was successful, and that therefore there's no evidence that BND helped NSA in spying on German citizens, corporations or government officials.


Another investigation?

According to a report by Der Spiegel, BND employee R.U. was instructed on August 14, 2013 to "delete" some 12,000 search terms. These were apparently the outcome of an investigation in which BND's database with NSA selectors had been searched using terms like "gov", "diplo" and "bundesamt" (initially in some press reports erroneously presented as search terms provided by NSA).

This search had resulted in 12,000 hits (which doesn't necessarily mean an equal number of selectors). The tabloid paper Bild am Sonntag reported that e-mail addresses containing the term "bundesamt" were targeted against Austrian government agencies and appeared in over 10 NSA selectors.

However, during the parliamentary inquiry, witness Dr. T. said that the three search terms mentioned by Der Spiegel and the number of 12,000 had nothing to do with his investigation. It's therefore unclear whether there was a second investigation, or whether the press has mixed things up.


BND takes measures

In November 2013, BND president Schindler issued a new internal regulation, saying that at least BND selectors may not include European targets anymore. Reportedly e-mail addresses ending with .eu will now be blocked and the same has to happen for all European partners. We can assume this also applies to their telephone country codes.

However, this won't help European citizens, companies and organisations who are for example using phone numbers from outside Europe or mail addresses with a generic top level domain like .com, .org or .net. The new regulation is therefore most effective in preventing communications of European government agencies from getting caught in the filter systems.

Recently, BND asked NSA to provide a justification for each of its selectors. For telephone numbers, this was already practice,* but the Americans said that for internet selectors they needed more time. This led BND to stop the collection of internet data for the time being as of early last week. Phone and fax data are still collected and forwarded.

According to Süddeutsche Zeitung, there are currently some 4.6 million active selectors, most of them for filtering internet communications.



BND president standing inside one of the huge golfball-like
radomes at the satellite intercept station Bad Aibling
(Photo: Reuters - Click to enlarge)
 

Results of the collection

After the approved selectors have been entered into the collection systems, these will automatically pick out all data for which there's a match with one or more selectors.

These results are then converted into a readable format and stored in a database: metadata went into VERAS and content into INBE. From there, analysts can see whether it is relevant for the foreign intelligence as required by the government. If not, the data are destroyed.

Many metadata collected in Bad Aibling were automatically forwarded to NSA, after passing a final filter to sort out those related to Germans. According to the newspaper Die Zeit, BND collects about 220 million metadata each day, which is 6.6 billion a month. Up to 1.3 billion of these metadata are shared with NSA, an example being the 552 million metadata seen in a chart from the NSA tool BOUNDLESSINFORMANT.

Shortages

Content collected through selectors provided by NSA was also automatically forwarded after a final filter, but here, BND personnel in Bad Aibling also took random samples to check whether it contained German data.

Because of shortages in personnel and technical capacity, BND employees were fully occupied with the results from their own selectors, and therefore had no time to take a closer look at what came out for NSA. They simply relied upon the initial selector check. Only when BND's own selectors didn't provide useful results would they take a look at the results of the NSA selectors.



Screenshot from BOUNDLESSINFORMANT, showing some 552 million telephone and internet
metadata that were shared with NSA between December 10, 2012 and January 8, 2013
(Click to enlarge)


Selected communication links

One important fact that was largely overlooked in the reporting on this issue, but was pointed to by BND president Schindler and one of the witnesses, is that the Bad Aibling station only intercepts satellite links from crisis regions in the Middle East and Africa. BND selects which satellites and which communication channels from those satellite links are intercepted; NSA is said to have no influence on that.


Interception results therefore include for example phone calls between Afghanistan and Pakistan or communications from European companies and agencies with activities in the Middle East. This would also minimize the chance that German communications were being collected.


No records kept

According to Der Spiegel, BND president Schindler said that his agency has no technical means to reconstruct which data were passed on to NSA as no records or statistics were kept on this. Earlier, BND employees also testified that their agency doesn't count the raw data that come in, only the end reports.

This means, that the lists of selectors can only show what NSA was interested in, but that we will probably never know what exactly the results from that collection were.



> BND president Gerhard Schindler will be questioned by the parliamentary committee during a public hearing on Thursday, May 21.



Links and sources
- Zeit.de: BND liefert NSA 1,3 Milliarden Metadaten – jeden Monat (May 2015)
- Golem.de: Der Mann, der die brisanten NSA-Selektoren fand (May 2015)
- Netzpolitik.org: Untersuchungsausschuss: „Ich habe Weisung von oben empfangen und vollzogen“ (May 2015)
- Spiegel.de: Spionageaffäre: BND kann Daten-Weitergabe an NSA nicht rekonstruieren (May 2015)
- Sueddeutsche.de: BND half NSA beim Ausspähen von Frankreich und EU-Kommission (April 2015)
- FAZ.net: BND-Spionage-Vorwürfe: Spionieren und spionieren lassen (April 2015)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA (June 2014)

New details about the joint NSA-BND operation Eikonal

(Updated: May 31, 2015)

This weblog first reported about the joint NSA-BND operation Eikonal on October 15, 2014, but meanwhile interesting new details became available from the hearings of the German parliamentary inquiry, and from recent disclosures by a politician from Austria.

Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about this operation so far. New information may be added as it comes available.


Initial reporting

Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR on October 4, 2014. They reported that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA.

For this operation, NSA provided sophisticated interception equipment, which the Germans didn't have but were eager to use. Interception of telephone traffic started in 2004, internet data were captured from 2005 on. Reportedly, NSA was especially interested in communications from Russia.

To prevent communications of German citizens being passed on to NSA, BND installed a special program (called DAFIS) to filter these out. But according to the reporting, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out, which was considered a violation of the constitution.

Süddeutsche Zeitung reported that it was Deutsche Telekom AG (DTAG) that provided BND the access to the Frankfurt internet exchange, and in return was paid 6,000 euro a month. But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn't add up.

As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.



Operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter - Click to enlarge)


Eikonal as part of RAMPART-A

As was first reported by this weblog on October 15, 2014, operation Eikonal was part of the NSA umbrella program RAMPART-A, under which the Americans cooperate with 3rd Party countries who "provide access to cables and host U.S. equipment".

Details about the RAMPART-A program itself had already been revealed by the Danish newspaper Information in collaboration with The Intercept on June 19, 2014. The program reportedly involved at least five countries, but so far only Germany and, most likely, Denmark have been identified.

On October 20, Information published about a document from NSA's Special Source Operations (SSO) division, which confirms that an operation codenamed "EIKANOL" was part of RAMPART-A and says it was decommissioned in June 2008.

The slide below shows that under RAMPART-A a partner country taps an international cable at an access point (A) and then forwards the data to a joint processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C), while they are also forwarded to NSA sites in the US (D, E):


Parliamentary hearings

Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the NSA investigation commission of the German parliament (NSAUA) decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange.

During hearings of BND officials it became clear that operation Eikonal was not about tapping into the Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was first confirmed by German media on December 4, 2014.


Commission hearing of November 6, 2014 (Live-blog)

According to witness T.B., who was heard on on November 6, 2014, it was just during the test period that the filter system was only able to filter out 95% of German communications. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.


Commission hearing of November 13, 2014 (Live-blog - Official transcript)

During this hearing, the witness W.K. said that Eikonal was a one-of-a-kind operation: targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The internal codename for Eikonal was Granat, but that name wasn't shared with NSA. There was even a third codename.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't have. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything itself.

Eikonal provided only several hundred useful phone calls, e-mail and fax messages a year, which was a huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program.

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not all selectors can be attributed to a particular country and there may have been up to several hundred thousand selectors, witness W.K. said that BND was still able to check whether every single one was appropriate: only selectors that could be checked were used.



Commission hearing of December 4, 2014 (Live-blog - Official transcript)

During this hearing, BND employee S.L., who was the project manager of operation Eikonal at BND headquarters, testified. He said that BND had rented two highly secured rooms of ca. 4 x 6 meters in the basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.

These rooms were only accessible for BND personnel and contained the front-end of the interception system, consisting of 19-inch racks with telecommunications equipment like multiplexers, processors and servers. These devices were remotely controlled from the headquarters in Pullach.

Based upon analysis and research using public sources, BND chose specific cables that would most likely contain traffic useful for the goals of the operation. It became clear that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s carried only 5 Gbit/s of traffic each, so in case of a disruption, one cable could take over the traffic of the other one.



The switching center of Deutsche Telekom in Frankfurt-Nied
where some cables were tapped under operation Eikonal
(Screenshot: ZDF Frontal21 - Click to enlarge)


After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND and NSA.

Timeframe

Eikonal started with access to a telephone cable (Leitungsvermittelt), which was based upon the so-called Transit agreement between BND and Deutsche Telekom. Project manager S.L. said that the first cable was connected (zugeschaltet) in 2004, but that its signal was too weak.

In January 2005 an amplifier was installed, so collection started in the spring of 2005. By the end of 2006, Deutsche Telekom decided to terminate its business model for this type of links, so in January 2007 the telephone collection was ended.

BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by the end of 2005, but here the back link was missing. In the spring of 2006 they got access to a second cable, for which they tested the filter systems until mid-2007 (Probebetrieb).

During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully automated forwarding only happened from late 2007 until the operation was terminated in June 2008 (Wirkbetrieb).

Legal issues

For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it couldn't be ruled out that German communications were in there too. Therefore, Deutsche Telekom was only willing to cooperate when there was an order from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their own citizens could be involved.

BND considered the restrictions of a G10-order cumbersome, but they requested and got the order, which allowed the collection of both G10 and fully foreign traffic (Routine-Verkehre). Nonetheless, some employees from Deutsche Telekom, and also from BND still had doubts about the legality.

Eventually, the federal Chancellery, upon request of the BND, issued a letter saying that the operation was legal. This convinced the Telekom management and the operation went on. It didn't become clear under what authority this letter was issued.

Results

The collection under operation Eikonal resulted in only about 500 intelligence reports (German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call.

According to S.L., metadata were "cleaned" so only technical metadata (Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.

Personal metadata (personenbezogene Daten), like e-mail and IP addresses were not shared. Technical metadata are for example used to identify the telecommunication providers, transmission links and the various protocols.


Commission hearing of December 18, 2014 (Live-blog - Official transcript)

During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.


Commission hearing of January 15, 2015 (Live-blog - Official transcript)

In the hearing of January 15, 2015, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and Wolfgang Alster), but they provided very little new information, except that Deutsche Telekom personnel only know between which cities a cable runs, but don't know what kind of traffic it contains - they are not allowed to look inside.



A room where hearings of the parliamentary committee take place
(photo: DPA)

 

Disclosures from Austria

On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party, disclosed an e-mail from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic cable had been connected to the interception equipment. The e-mail describes this cable as follows:

Transit STM1 (FFM 21 - Luxembourg 757/1), containing 4 links of 2 Mbit/s:

Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of 155.52 Mbit/s. A similar multiplexing method is Wavelength-Division Multiplexing (WDM), commonly used in submarine fiber-optic cables. The latter has a much larger capacity, generally STM-64 or 9.5 Gbit/s.

The cable mentioned in the e-mail therefore only has a small capacity, which seems to indicate that NSA and/or BND selected it carefully.

FFM 21 stands for "Frankfurt am Main 21", which according to Deutsche Telekom's network map is the name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied - the location where that Eikonal tapping took place.

This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in Frankfurt, but containing channels to cities which are much further, so they have to connect to channels within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:

The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seems to be used for internal connections. It is not known what 750 stands for; maybe it's for channels within a (757) cable.

As this e-mail is from February 3, 2005, it must relate to a cable for telephone collection, because for Eikonal, the first cable containing internet traffic only became available by the end of that year.


The Transit agreement

On May 18, the Austrian tabloid paper Kronen Zeitung published the full "Transit" agreement (pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables, and in return would be paid 6,500 euro a month for the expenses. The agreement took effect retroactively as of February 2004.

This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.

It is not known how Pilz came into possession of these documents, but it seems the source must be somewhere inside the German parliamentary investigation commission. They are the only persons outside BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the other documents.

Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that the commission will ever get access to the list of suspicious NSA selectors.


An NSA or BND wish list?

On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf), which includes the aforementioned e-mail, 10 questions to the German government, and two tables with cable links to or from Austria and Luxembourg:



Lists of links that apparently were on a priority list of NSA.
LSZ = Leitungsschlüsselzahl (cable type identifier);
Endstelle = Endpoint; Österreich = Austria.
(Source: Peter Pilz - Click to enlarge)


According to Pilz, these are samples from a priority list of the NSA, which is said to contain 273 (or 254?) cable links. The list mentions 31 European countries and 33 countries outside Europe. Most of the links, 71, are from/to the Netherlands. The US, the UK and Canada are not on the list. The cables related to Belgium and the Netherlands were disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015.

On May 27, Pilz said in Switzerland that the list came from BND and was given to NSA, which marked in yellow the links it wanted to have fully monitored. The Dutch website De Correspondent reports that the full list contains some 1000 transit links, of which about 250 were marked in yellow. Besides these 250 there were apparently also 156 links from/to Britain.

In the German parliamentary commission hearing of January 15 it was said that there was a "wish list of BND" containing some 270 links, but on March 5 former SIGINT director Urmann said he could not remember that NSA had requested specific communication links.

Media reports say that these cables belong to providers from various European countries, but in the lists a different provider is mentioned for each of the two endpoints of a link. That does not sound like an owner or operator.

It seems more likely that these cables were owned and/or operated by Deutsche Telekom, and connect the network of one provider to that of the other (for example: KPN in Amsterdam - {Deutsche Telekom cable} - Telekom Austria in Vienna). Deutsche Telekom operates a Tier 1 network, a worldwide backbone that connects the networks of lower-level internet providers.



Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchical way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons - click to enlarge)


Questions

It is not clear how many of the 273 links on the list were actually intercepted. We only know that for sure for the STM-1 link with the four channels described in the aforementioned e-mail from Deutsche Telekom to BND.

It is odd that during the parliamentary hearings most BND witnesses spoke about "a cable in Frankfurt", which sounds like one single physical cable, whereas the disclosures by Peter Pilz show that multiple channels must have been intercepted.

Another question is whether it is possible to filter only the traffic from specific channels, or whether one has to have access to the whole cable.

It should be noted that not the entire communications traffic on these links was collected and stored; it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for which there was a match was picked out and processed for analysis.


Possible targets

Based upon these documents, Peter Pilz filed a complaint (pdf) against three employees of Deutsche Telekom and one employee of BND for spying on Austria, although at the same time he said he was convinced that NSA was not primarily interested in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.

Apparently he did not consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists point to Russia as a target, and project manager S.L. testified that Eikonal was mainly used for targets related to Afghanistan, which fits the fact that there are, for example, 13 links to Saudi Arabia.

Green party members from various countries claimed that this cable tapping was used for economic or industrial espionage, but so far there is no specific indication, let alone evidence, for that claim.



Links and sources
- Tagesschau.de: Europa verlangt Aufklärung von Berlin
- DeCorrespondent.nl: Er is geen enkel bewijs dat de Nederlandse kabels zijn afgetapt
- Volkskrant.nl: 71 KPN-internetverbindingen afgetapt door geheime diensten
- NRC.nl: Duitse BND tapte tientallen internetverbindingen KPN af
- DerStandard.at: BND-NSA-Affäre: Laut Pilz auch Spionage in Belgien und Niederlanden
- Golem.de: Telekom und BND Angezeigt: Es leakt sich was zusammen
- Zeit.de: Daten abfischen mit Lizenz aus dem Kanzleramt

A mysterious Tektron secure telephone



Recently, a mysterious telephone was offered for sale on eBay. The device was made by the little-known company Tektron Micro Electronics, Inc. from Hanover, Maryland, and seems to be a secure phone for military use.

Apart from the pictures shown below, nothing more is known about it, but maybe some readers of this weblog recognize the device and have some more information about its purpose and where it was used.



A Tektron secure military telephone
(Photo via eBay - Click to enlarge)


The phone comes without a handset, but it has a display and a common 12-button keypad, with some additional special-purpose buttons. According to the seller, all of them are made of some kind of rubbery material instead of hard plastic. The big round buttons reveal that this is a secure phone, capable of encrypting calls: a green button with a green light for Secure and a red button with a (probably) red light for Non-Secure:



Keypad of the Tektron telephone
(Photo via eBay - Click to enlarge)


It seems the small button marked "2nd" is used to select the functions printed in blue above the standard buttons. Most interesting are the FO (Flash Override) designation above the "3", the F (Flash) above the "6", the I (Immediate) above the "9" and the P (Priority) above the "#" button.

FO, F, I and P designate the four precedence levels of a system called Multilevel Precedence and Preemption (MLPP), which allows a call to take precedence over calls of lower priority, seizing a circuit from one of them if the network is congested. Flash Override (FO) was designed to allow the US President and the National Command Authority to preempt any other traffic in the network in case of a national military emergency.

This precedence system only works on telephone networks that support this capability, like the AUTOVON network that was used by the US military (replaced from 1982 onwards by the Defense Switched Network). One of the characteristics of the AUTOVON network was that most of its phones were equipped with a standardized keypad with four extra red buttons for the precedence levels:



The standard AUTOVON keypad
(Click to enlarge)
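
To make the preemption behaviour concrete, here is a small Python model of an MLPP trunk group. It is an added illustration written for this article, not code from any switch vendor or from the original page: when all circuits are busy, a new call of strictly higher precedence takes the circuit of the lowest-precedence call in progress, while a call of equal or lower precedence is simply blocked. The five-level ordering (FO > F > I > P > Routine) is the one described above; the trunk capacity, the caller names and the omission of preemption tones and ringback rules are simplifications of this example.

```python
from dataclasses import dataclass
import itertools

# MLPP precedence levels from highest to lowest: the four levels on the Tektron
# keypad (FO, F, I, P) plus the default ROUTINE level for ordinary calls.
# A smaller rank means higher precedence.
PRECEDENCE_RANK = {"FO": 0, "F": 1, "I": 2, "P": 3, "R": 4}


@dataclass(frozen=True)
class Call:
    call_id: int
    caller: str
    precedence: str


class TrunkGroup:
    """A trunk group with a fixed number of circuits that honours MLPP preemption.

    Simplified model: it only decides which call is dropped when the group is
    full; preemption tones and ringback to the preempted party are not modelled.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.active = []       # calls currently holding a circuit
        self.preempted = []    # calls that were dropped to make room
        self._ids = itertools.count(1)

    def place_call(self, caller, precedence):
        """Try to seize a circuit.

        Returns (call, victim): `call` is None if the call was blocked and
        `victim` is the call that was preempted (None if none was).
        """
        if precedence not in PRECEDENCE_RANK:
            raise ValueError(f"unknown precedence level {precedence!r}")
        call = Call(next(self._ids), caller, precedence)

        if len(self.active) < self.capacity:
            self.active.append(call)
            return call, None

        # Group is full: the candidate victim is the lowest-precedence call in
        # progress (largest rank); max() keeps the earliest such call on ties.
        victim = max(self.active, key=lambda c: PRECEDENCE_RANK[c.precedence])

        # Only a strictly higher precedence preempts; equal precedence is blocked.
        if PRECEDENCE_RANK[precedence] < PRECEDENCE_RANK[victim.precedence]:
            self.active.remove(victim)
            self.preempted.append(victim)
            self.active.append(call)
            return call, victim

        return None, None

    def release(self, call_id):
        """Hang up a call; returns False if no such call is active."""
        for c in self.active:
            if c.call_id == call_id:
                self.active.remove(c)
                return True
        return False

    def active_levels(self):
        """Precedence levels of the calls currently holding circuits."""
        return [c.precedence for c in self.active]


if __name__ == "__main__":
    tg = TrunkGroup(capacity=2)
    tg.place_call("base-ops", "R")
    tg.place_call("wing-cmd", "P")
    print("routine call on a full group:", tg.place_call("logistics", "R"))
    print("immediate call preempts:", tg.place_call("theater-hq", "I"))
    print("flash override preempts:", tg.place_call("NCA", "FO"))
    print("circuits now held by:", tg.active_levels())
```

Run as a script it walks through a two-circuit group: a routine call is blocked, an Immediate call drops the routine call, and a Flash Override call then drops the Priority call, so in the end only the two highest-precedence calls hold circuits.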


So apparently, the Tektron phone was intended for use on the military telephone network, but why it doesn't have the standard AUTOVON keypad is a mystery.

We also don't know when the phone was manufactured. The only indication is provided by the label on the back of the device, which gives the model number as EXT-4Rx and the serial number as 271/4.0. The seller had a second device with serial number 111.

There is also a National (or NATO) Stock Number (NSN): 5810-01-357-8193. Looking up this number on a stock number website returns a "Date Established" of 1992. This indicates the phone must be from the 1990s, although the way this number is placed, without a line of its own, also looks like it could have been added later:



Label of the Tektron telephone
(Photo via eBay - Click to enlarge)


It's not known where exactly this phone was used, which is all the more puzzling because in the 1990s secure telephony for the US government and military had largely been standardized after the introduction of the STU-III family of secure voice products.

The STU-III standard was introduced by the NSA in 1987, and three manufacturers were allowed to produce secure telephones based on this standard:
- Motorola
- AT&T (later: Lucent Technologies > General Dynamics)
- RCA (later: General Electric > Lockheed Martin > L3-Communications)
Motorola and AT&T each made a few hundred thousand of these devices. Tektron is not known for having participated in the STU-III program.



Side view of the Tektron secure military telephone
(Photo via eBay - Click to enlarge)


The Tektron secure phone measures 7.75 inches (19.7 cm) wide, a little over 9 inches (22.9 cm) tall and 2 inches (5 cm) thick. It is very heavy, about 5.5 pounds (2.5 kg), because the case is made entirely of cast non-magnetic metal, perhaps aluminum.

Such a metal enclosure limits the compromising electromagnetic emanations that could be picked up from outside (TEMPEST). The STU-III and the newer STE phones only have their bottom part made of metal, with the upper part made of plastic.



Wikileaks published some of the most secret NSA reports so far

(Updated: June 30, 2015)

Last Tuesday, June 23, the website Wikileaks (in cooperation with Libération and Mediapart) published a number of NSA-documents showing that between 2006 and 2012, NSA had been able to eavesdrop on the phone calls of three French presidents.

This is the first time we see actual finished intelligence reports that prove such eavesdropping, and being classified as TOP SECRET//COMINT-GAMMA they are much more sensitive than most of the documents from the Snowden-archive.

Also it seems that these new Wikileaks-documents are not from Snowden, but from another source, which could be the same as the one that leaked a database record about NSA's eavesdropping on German chancellor Merkel.

Update:
On Monday, June 29, Wikileaks published two Information Need (IN) requests and five additional intelligence reports, but the latter are not as highly classified as the ones revealed earlier.




NSA intelligence report about an intercepted conversation between French president
François Hollande and prime minister Jean-Marc Ayrault, May 22, 2012.
(Watermarked by Wikileaks - Click to enlarge)
 

Intelligence reports

The reports are from various editions of the "Global SIGINT Highlights - Executive Edition" briefings. Only one report is published in the original layout with header and a disclaimer, the other ones are just transcripts, probably because they are taken from pages that also contain reports about other countries. For Wikileaks it is very unusual to disclose documents in such a selective way.

The newsletter contains or is based upon so-called Serialized Reports, which are "the primary means by which NSA provides foreign intelligence information to intelligence users", most of whom are outside the SIGINT community. Such a report can be in electrical, hard-copy, video, or digital form.

The first five intelligence reports published by Wikileaks are:

2006:
Conversation between president Jacques Chirac and foreign minister Philippe Douste-Blazy.
- Method: Unconventional
- Serial number: G/OO/6411-06, 271650Z
- Classification: Top Secret/Comint-Gamma

2008:
Positions of president Nicolas Sarkozy.
- Method: Unidentified
- Serial number: G/OO/503290-08, 291640Z
- Classification: Top Secret/Comint-Gamma

2010, March 24:
Conversation between the French ambassador in Washington Pierre Vimont and Sarkozy's diplomatic advisor Jean-David Levitte.
- Method: Unconventional
- Serial number: Z-3/OO/507179-10, 231635Z
- Classification: Top Secret/Comint

2011, June 11:
Conversation between president Nicolas Sarkozy and foreign minister Alain Juppé.
- Method: Unconventional
- Serial number: Z-G/OO/513370-11, 091416Z
- Classification: Top Secret/Comint-Gamma

2012, May 22:
Conversation between president François Hollande and prime minister Jean-Marc Ayrault.
- Method: Foreign satellite and Unconventional
- Serial numbers: Z-G/OO/503643-12, 211549Z and Z-G/OO/503541-12, 161711Z
- Classification: Top Secret/Comint-Gamma
 
Methods

For most of the five initial reports, and for all five additional ones, NSA's source of the intercepted communications is "Unconventional". It's not clear what that means, but phone calls between the president and his ministers will in most cases be handled by a local switch and therefore don't pass through the intercontinental submarine fiber-optic cables, where they could be picked up by NSA's conventional filter systems for telephone and internet traffic.

For intercepting this kind of foreign government phone calls, NSA would have to have access to the public telephone exchange(s) of Paris or the private branch exchanges (PBX) of the presidential palace and important government departments.

This would indeed require unconventional methods, like those conducted by the joint NSA-CIA units of the Special Collection Service (SCS) who operate from US embassies, or NSA's hacking division TAO.
Update:
According to a book by James Bamford, NSA had an Office of Unconventional Programs in the late 1990s, which in another book was presented as NSA's own equivalent of the SCS units. It is not known whether this office still exists or has evolved into another division.
A 2010 presentation (.pdf) says that RAMPART-A is "NSA's unconventional special access program". This is about cable tapping in cooperation with Third Party partner agencies, but seems not the means to get access to local government phone calls.

In one case, the source is "Foreign Satellite" (or FORNSAT), which is the traditional interception of the downlinks of communication satellites. This method was probably used because president Hollande visited his American counterpart in Washington a few days earlier.

In yet one other case, the method is "Unidentified", and although Wikileaks says it's about an "intercepted communication", the actual report only reflects the positions of president Sarkozy, without mentioning a conversation counterpart.



Google Earth view of the US embassy in Paris, where a joint NSA-CIA unit
of the SCS is stationed. The building in the center has a rooftop
structure that is probably used for spying purposes.
(Click to enlarge)


Classification

Looking at the classification level of the reports shows that they are TOP SECRET//COMINT-GAMMA when the president is involved in the conversation. Intercepted communications between ministers and/or top level advisors, diplomats and government officials are "only" classified as TOP SECRET//COMINT.

Three of the reports have the dissemination marking NOFORN, meaning they may not be released to foreigners. The other two may be released to officials with a need-to-know from agencies of the Five Eyes community.

Four of the reports also have the marking ORCON, meaning the originator controls dissemination of a document, for example by imposing that it has to be viewed in a secured area, or by not allowing copies to be made.


The GAMMA compartment

Probably most remarkable about these reports is that they are from the GAMMA compartment, which protects highly sensitive communication intercepts. It was already used in the late 1960s for intercepted phone calls from Soviet leaders.

The overwhelming majority of the Snowden documents are classified TOP SECRET//COMINT, COMINT being the control system for signals intelligence, which covers almost anything NSA does. All those PowerPoint presentations, wiki pages and daily business reports are therefore not the agency's biggest secrets.

The five additional reports published on June 29 are all just TOP SECRET//COMINT.

It is not clear whether Snowden had access to the GAMMA compartment. So far, no such documents have been published, except for five internal NSA wiki pages for which the highest possible classification was TOP SECRET//SI-GAMMA/TALENT KEYHOLE/etc., but no actual GAMMA information has been seen in them.

Only a few of the Snowden documents that have been published have a more special classification: we have seen a document from the STELLARWIND and the UMBRA control system, as well as from the ECI RAGTIME, but it is possible that Snowden found these as part of his task to move documents that were not in the right place, given their classification level.


Serial number & time stamp

Besides the source and the topic, there is also a serial number and a timestamp below each report. The time is given as a military date-time group: 161711Z for example stands for the 16th day, 17 hours and 11 minutes Zulu time (UTC), with the month and the year being those of the particular briefing.

The serial number is in the format for NSA's serialized reports, for example Z-G/OO/503643-12. According to the 2010 NSA SIGINT Reporter's Style and Usage Manual (.pdf), such a serial number consists of a code for the classification level, the Producer Designator Digraph (PDDG), a one-up annual number, and the last two digits of the year in which the report was issued. For the classification level, the following codes are known:

1 = Confidential(?)
2 = Secret
3 = Top Secret
S = ?
E = ?
I = ?
Z-G = Top Secret/Comint-Gamma
Z-3 = Top Secret/Comint


The Producer Designator Digraph (PDDG) consists of a combination of two letters and/or numbers and designates a particular "collector", but it's not clear what exactly that means. The serial numbers mentioned in the reports about France all have OO as PDDG. That one is not associated with a specific interception facility, and therefore it might be a dummy used to actually hide the source in reports for people outside the agency.
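
To make the notation concrete, here is an added Python parser for the serial number and timestamp line printed below each report. It was written for this article and is not NSA tooling; it uses only the classification codes listed above (the codes the list leaves as "?" are deliberately left unmapped and reported as "unknown"), and the assumption that the two-digit year belongs to the 2000s is the parser's own. Because the date-time group carries no month or year, those have to be supplied from the briefing edition the report appeared in.

```python
import re
from datetime import datetime, timezone

# Classification codes as listed in the article. Codes it leaves as "?" are not
# mapped; anything unmapped is reported as "unknown" rather than guessed.
CLASSIFICATION_CODES = {
    "1": "CONFIDENTIAL (unconfirmed)",
    "2": "SECRET",
    "3": "TOP SECRET",
    "Z-3": "TOP SECRET//COMINT",
    "Z-G": "TOP SECRET//COMINT-GAMMA",
}

# <classification code>/<PDDG>/<one-up number>-<two-digit year>, e.g. Z-G/OO/503643-12
SERIAL_RE = re.compile(
    r"^(?P<cls>[A-Z0-9]+(?:-[A-Z0-9]+)?)/(?P<pddg>[A-Z0-9]{2})/(?P<seq>\d+)-(?P<yy>\d{2})$"
)
# Military date-time group without month and year: DDHHMMZ, e.g. 161711Z
DTG_RE = re.compile(r"^(?P<day>\d{2})(?P<hour>\d{2})(?P<minute>\d{2})Z$")


def parse_serial(serial):
    """Split a serialized report number into its components."""
    m = SERIAL_RE.match(serial.strip())
    if not m:
        raise ValueError(f"not a serialized report number: {serial!r}")
    code = m["cls"]
    return {
        "classification_code": code,
        "classification": CLASSIFICATION_CODES.get(code, "unknown"),
        "pddg": m["pddg"],                 # Producer Designator Digraph
        "sequence": int(m["seq"]),         # one-up number, restarts every year
        "year": 2000 + int(m["yy"]),       # assumption: all reports are from 20xx
    }


def parse_dtg(dtg, year, month):
    """Expand a DDHHMMZ group into a UTC datetime.

    Month and year are not part of the group; they come from the briefing the
    report was printed in. An impossible day (e.g. 32) raises ValueError.
    """
    m = DTG_RE.match(dtg.strip())
    if not m:
        raise ValueError(f"not a DDHHMMZ date-time group: {dtg!r}")
    return datetime(year, month, int(m["day"]), int(m["hour"]), int(m["minute"]),
                    tzinfo=timezone.utc)


def parse_report_line(line, briefing_year, briefing_month):
    """Parse '<serial>, <dtg>' as printed below a report, e.g.
    'Z-G/OO/503643-12, 211549Z' from the May 2012 briefing."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected '<serial>, <dtg>': {line!r}")
    return {
        "serial": parse_serial(parts[0]),
        "timestamp": parse_dtg(parts[1], briefing_year, briefing_month),
    }


if __name__ == "__main__":
    # Serial/DTG lines quoted in this article, with the briefing month and year.
    for line, year, month in [("Z-G/OO/503643-12, 211549Z", 2012, 5),
                              ("Z-3/OO/507179-10, 231635Z", 2010, 3)]:
        r = parse_report_line(line, year, month)
        print(r["serial"]["classification"], r["serial"]["pddg"],
              r["serial"]["sequence"], r["timestamp"].isoformat())
```

Note that the parser deliberately does not try to infer the month from the serial number: the one-up number tells you only the order within the year, so the briefing edition remains the only source for month and year.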


 

Tasking database records

Besides the NSA intelligence reports, Wikileaks also published a database extract which includes the (landline and/or mobile) phone numbers of significant French political and economic targets, including the office of the President.

Because this list is about phone numbers, it seems most likely from a database system codenamed OCTAVE, which kept the selectors used for instructing the various collection facilities. It was reportedly replaced by the Unified Targeting Tool (UTT) in 2011.



Entries from an NSA tasking database with French government targets
(Source: Wikileaks - Click to enlarge)


TOPI: Stands for Target Office of Primary Interest, which is the NSA unit in the Analysis & Production division where the interceptions are analysed and intelligence reports are produced. In the list we see the following TOPIs, all part of the so-called Product Line for International Security Issues (S2C):
S2C13: Europe, Strategic Partnerships & Energy SIGDEV *
S2C32: European States Branch
S2C51: (unknown)

Selector: The particular identifier used to select the communications that have to be collected, in this case a phone number. +33 is the country code for France; when the first digit after it is a 1, the number is a landline in the Paris area, and when it is a 6, it is a mobile phone.

Subscriber_ID: A description of the subscriber of the selector phone number:
- President of the Republic (cell phone)
- Presidential advisor for Africa (landline, date: 101215)
- Director for Global Public Property of the Ministry of Foreign Affairs (cell phone)
- Government communications center at the Elysée palace (landline)
- Diplomatic advisor at the Elysée palace (cell phone)
- Secretary general at the Elysée palace (cell phone)
- Spokesman of the foreign minister (cell phone)
- Cabinet of the Ministry of Foreign Affairs (MAE, cell phone)
- Presidential advisor for Africa (landline, date: 101214)
- Secretary of State for European Affairs (cell phone)
- Secretary of State for Trade (cell phone)
- Ministry of Agriculture SWBD (landline)
- Ministry of Finance, Economy and Budget (landline, for S2C32)
- Ministry of Finance, Economy and Budget (landline, for S2C51)
- Government air transportation wing (landline)

Information_Need: The collection requirement derived from the National SIGINT Requirements List (NSRL), which is a daily updated compendium of the tasks given to the various Signals Intelligence collection units around the world. These needs have a code number, consisting of the year in which the need was established, followed by a number that refers to a specific topic:
165: France: Political Affairs
204: France: Economic Developments
388: Germany: Political Affairs (see Merkel-entry below)
1136: European Union: Political Affairs
2777: Multi-country: International Finance developments
Of all its allies, the US was most interested in France, according to the 1985 version of the NSRL, which fell into the hands of East Germany and was eventually returned in 1992.

TOPI_Add_Date: According to Wikileaks this is the date of tagging of the entry with the responsible TOPI. These dates seem to be in the format yymmdd, which means they are either December 14 or December 15, 2010.

Priority: The priority of the particular Information Need, likely derived from the National Intelligence Priority Framework (NIPF, a reconstruction of which can be found here). This is a huge list containing all countries and topics the US government wants to be informed about, and which prioritizes these topics with a number from 1 (highest) to 5 (lowest). As we can see in the Wikileaks-list, for France, only the president and the director for global public property of the ministry of foreign affairs have priority 2, the rest is medium level 3.

IN_Explainer: Description of the Information_Need
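
To show how records like these are turned into something a collection system can act on, here is an added Python example, written for this article: it is not NSA code, and the phone numbers in it are placeholders with all-zero subscriber digits, not the numbers from the published extract. It normalizes the selectors, classifies French numbers the way described above (1 after +33 = Paris-area landline, 6 = mobile), expands the yymmdd date, and then runs a few constructed call records through the selector index, keeping only the matches and tagging each with the TOPI and priority that tasked it; this is the selector-filtering step mentioned in the Eikonal discussion above, where everything without a match is discarded. The layout of the Information_Need field as "YYYY-NNNN" is an assumption of this example.

```python
import re
from datetime import date

# Constructed sample records in the field layout of the published extract. The
# subscriber digits are all zeros on purpose: these are placeholders, not the
# real selectors.
TASKING_RECORDS = [
    {"TOPI": "S2C32", "Selector": "+33 6 00 00 00 01",
     "Subscriber_ID": "President of the Republic", "Information_Need": "2010-0165",
     "TOPI_Add_Date": "101215", "Priority": "2", "IN_Explainer": "France: Political Affairs"},
    {"TOPI": "S2C32", "Selector": "+33 1 00 00 00 02",
     "Subscriber_ID": "Presidential advisor for Africa", "Information_Need": "2010-0165",
     "TOPI_Add_Date": "101215", "Priority": "3", "IN_Explainer": "France: Political Affairs"},
    {"TOPI": "S2C51", "Selector": "+33 1 00 00 00 03",
     "Subscriber_ID": "Ministry of Finance, Economy and Budget", "Information_Need": "2010-0204",
     "TOPI_Add_Date": "101214", "Priority": "3", "IN_Explainer": "France: Economic Developments"},
]

# Constructed call records as a collection front end might see them. Only the
# first and third involve a tasked selector; the second must be dropped.
CALL_RECORDS = [
    {"caller": "+33 1 00 00 00 02", "callee": "+33 6 00 00 00 01", "time": "2010-12-16T09:12Z"},
    {"caller": "+33 1 00 00 00 99", "callee": "+33 1 00 00 00 98", "time": "2010-12-16T09:15Z"},
    {"caller": "0033100000003", "callee": "+49 30 0000000", "time": "2010-12-16T10:02Z"},
]


def normalize_selector(raw):
    """Canonical E.164 form: '+' followed by digits only. Accepts the '00' prefix."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if not re.fullmatch(r"\+\d{7,15}", digits):
        raise ValueError(f"not an international number: {raw!r}")
    return digits


def classify_french_number(e164):
    """Phone-type guess for a French number from the first digit after +33."""
    if not e164.startswith("+33"):
        return "not French"
    first = e164[3]
    if first == "1":
        return "landline (Paris area)"
    if first == "6":
        return "mobile"
    return "other"


def parse_add_date(yymmdd):
    # Read as yymmdd, as the article does; years are assumed to be 20xx.
    yy, mm, dd = int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    return date(2000 + yy, mm, dd)


def parse_information_need(code):
    # Assumed layout: <year established>-<topic number>, e.g. 2010-0165
    year, topic = code.split("-")
    return {"year_established": int(year), "topic_number": int(topic)}


def build_selector_index(records):
    """Map each normalized selector to the tasking(s) that reference it."""
    index = {}
    for r in records:
        sel = normalize_selector(r["Selector"])
        index.setdefault(sel, []).append({
            "topi": r["TOPI"],
            "subscriber": r["Subscriber_ID"],
            "priority": int(r["Priority"]),
            "phone_type": classify_french_number(sel),
            "information_need": parse_information_need(r["Information_Need"]),
            "added": parse_add_date(r["TOPI_Add_Date"]),
        })
    return index


def select_matching_calls(call_records, index):
    """Keep only calls where caller or callee is a tasked selector; tag each hit."""
    hits = []
    for rec in call_records:
        for side in ("caller", "callee"):
            sel = normalize_selector(rec[side])
            for tasking in index.get(sel, []):
                hits.append({"time": rec["time"], "matched_side": side,
                             "selector": sel, **tasking})
    return hits


if __name__ == "__main__":
    index = build_selector_index(TASKING_RECORDS)
    for hit in select_matching_calls(CALL_RECORDS, index):
        print(hit["time"], hit["matched_side"], hit["selector"], hit["topi"],
              hit["priority"], hit["subscriber"])
```

The same record can be tasked by more than one TOPI (as with the finance ministry line, which appears once for S2C32 and once for S2C51 in the extract), which is why the index maps a selector to a list of taskings and a single matching call can produce more than one hit.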

 

A second source

The database entries published by Wikileaks are very similar to the database record that revealed NSA's intention of eavesdropping on German chancellor Merkel back in October 2013. This record contains the number of Merkel's non-secure cell phone and several other entries just like we saw in the Wikileaks list, but it also has some additional information:



Printed version of a transcription of an NSA database
record about German chancellor Merkel


Because for Merkel only this record was available, and no finished intelligence reports like those about the French presidents, there is no hard proof that NSA successfully intercepted her communications.


What many people don't realize, is that this database record about Merkel wasn't from the Snowden-documents. Der Spiegel received it from another source that was never identified, which was confirmed by Glenn Greenwald and Bruce Schneier (this seems to exclude the option that someone with access to the Snowden-documents leaked this on his own).

Because the tasking records about France are very similar, and most likely from the same database as the one about chancellor Merkel, it's very well possible that they come from the same source. Because keeping an eye on foreign governments is a legitimate task, this source is not a whistleblower. He or she could be a crypto-anarchist, or maybe even an agent of a foreign intelligence agency.

Perhaps Wikileaks itself also doesn't know who the source is, because last May it relaunched its Tor-based drop box that allows anonymous submissions of sensitive materials.

During his work for the NSA, Edward Snowden was not involved with European targets. He was based in Japan, and later in Hawaii, where they are responsible for the Pacific region. His last job was supporting the regional NSA/CSS Threat Operations Center (NTOC), which counters cyber threats.

This is reflected by the intercepted content that Snowden apparently did have (legal) access to, according to a report by The Washington Post from July 5, 2014. These intercepts came "from a repository hosted at the NSA's Kunia regional facility in Hawaii, which was shared by a group of analysts who specialize in Southeast Asian threats and targets".

 

Some perspective

French prime minister Manuel Valls strongly condemned these spying activities, but that was of course just for show. France's own foreign intelligence service DGSE is well known for its aggressive industrial espionage against American and German companies, and for example also targeted former US president George W. Bush and Secretary of State Madeleine Albright.

On the other hand, the French government was well aware of the security risks, as in 2010 it ordered over 14,000 secure mobile phones, to be used by the president, ministers and high officials of the armed forces and the various ministries that deal with classified defence information.

This highly secure TEOREM cell phone is manufactured by the French multinational defence company Thales, and the price of a single device is said to be around 1,500 euros. Because the TEOREM has a rather old-fashioned design and its security features don't improve usability, it was apparently not used as often as it should have been...



The TEOREM secure mobile phone made by Thales
(Source: Thales leaflet - Click to enlarge)


White House response

A spokesman of the US National Security Council (NSC) told the website Ars Technica that "we do not conduct any foreign intelligence surveillance activities unless there is a specific and validated national security purpose. This applies to ordinary citizens and world leaders alike". Later he added: "We are not targeting and will not target the communications of President Hollande."

Just as in the case of German chancellor Merkel, the past tense is missing, which means the US government does not deny that the French president was eavesdropped on in the past. But it seems that, at least for the near future, both leaders will no longer be targeted by NSA.



Links and sources
- Reuters.com: NSA wiretapped two French finance ministers: Wikileaks
- ArsTechnica.com: WikiLeaks publishes top secret NSA briefs showing US spied on France
- Wired.com: With its French NSA Leak, Wikileaks is Back
- Zeit.de: Was die Frankreich-Dokumente preisgeben
- LeMonde.fr: Trois présidents français espionnés par les Etats-Unis
- Tagesschau.de: NSA spähte Frankreichs Staatsspitze aus

- See also the thread on Hacker News

The phones of the Dutch Prime Minister

(Updated: November 7, 2014)

With last year's news of NSA eavesdropping on the mobile phone of German chancellor Angela Merkel in mind, Dutch online media assumed it was big news that the Dutch prime minister Mark Rutte has a phone that cannot be intercepted.

As was the case with chancellor Merkel, most people do not seem to be aware that political leaders usually have two kinds of phones: an ordinary one that is easy to intercept and a secure one that is very difficult to tap.

That prime minister Rutte has a secure phone was said by the director for Cyber Security in a radio interview last week. Afterwards this was seen as a slip of the tongue, because government policy is to never say anything about the security methods in use.

But from pictures and other sources we can still get a fairly good idea of which phones, both secure and non-secure, are used by the Dutch prime minister. As we will show here, he currently has three landline and two mobile phones at his disposal, only one being a highly secure one.



Dutch prime minister Mark Rutte working at his desk, May 29, 2012
At his right hand are three desktop phones and in front of him an iPhone 4
(photo: Prime Minister @ Flickr - Click for the full picture)


Since 1982, the office of the Dutch prime minister has been on the second floor of a small tower that is part of the parliament buildings and dates back to the 14th century. In Dutch this office is called Het Torentje.

From the left to the right we see the following telephones on the desk of the prime minister:
1. Ericsson DBC212 (black)
2. Sectra Tiger XS Office (silver)
3. Unidentified office phone (gray)

First we will discuss the two phones without encryption capability and then the secure phone:


1. The Ericsson DBC212

This is a common office telephone which has been part of the internal private branch exchange (PBX) network of the Department of General Affairs for over a decade. Other pictures from rooms in the same building also show the same and similar models of this telephone series, which was made by Ericsson, a Swedish company that manufactured many home and office phones used in The Netherlands. The prime minister can use this phone for every phone call he wants to make that doesn't require encryption.


3. The gray office phone

The make and type of this phone couldn't be identified yet, but it seems to be a common office telephone too. However, this phone is most likely connected to the Emergency Communications Provision (Dutch: NoodCommunicatieVoorziening or NCV).

This is an IP-based network which is completely separated from the public telephone network. Communications over this network are not encrypted, but the switches are in secure locations and connect redundantly.

The purpose of the NCV-network is to enable communications between government agencies and emergency services when during a disaster or a crisis situation (parts of) the regular communication networks collapse. This network replaced the former National Emergency Network (Nationaal Noodnet) as of January 1, 2012 (see below).



Close-up of the phones on the desk of the prime minister in 2013
(picture: Google Street View - Click for the full picture)
 

2. The Sectra Tiger XS Office

The silver-colored telephone which sits in between the two other ones is a Tiger XS Office (XO). This device is capable of highly secured phone calls and can therefore be used by the prime minister for conversations about things that are classified up to the level of Secret.

The Tiger XS Office has been manufactured since 2005 by the communications division of the Swedish company Sectra AB, which was founded in 1978 by cryptology researchers from Linköping University. Sectra, an acronym of Secure Transmission, also has a division in the Netherlands: Sectra Communications BV.

Tiger is the brand name for their high-end secure voice products, but with everyone assuming that this refers to the exotic animal, it's also Swedish for "keep silent" (see for example: En Svensk Tiger).


Tiger XS

Although the Tiger XS Office looks like a futuristic desktop phone, it actually consists of a small encryption device which is docked into a desktop cradle with a keypad and handset. The encryption device, the Tiger XS, was originally developed for securing mobile phone communications and has special protections against tampering and so-called TEMPEST attacks.



The Sectra Tiger XS docked into the office unit
(Photo: Sectra - Click to enlarge)


The desktop unit has no encryption capabilities, but with the Tiger XS inserted, it can encrypt landline phone calls and fax transmissions, so it turns into a secure desktop telephone. The Tiger XS enables secure communications on GSM, UMTS, ISDN and the Iridium, Inmarsat and Thuraya satellite networks. When inserted into the office unit, it also works on the standard Public Switched Telephone Network (PSTN).


Workings

On its own, the Tiger XS can be used to secure certain types of cell phones. For this, the Tiger XS is placed between a headset (an earpiece and a microphone) and a mobile phone, to which it connects via Bluetooth. A secure connection is set up by inserting a personal SIM-sized access card into the Tiger XS, entering a PIN code and selecting the person to call from the phonebook.

What is said into the microphone of the headset is encrypted by the Tiger XS, and the encrypted voice data then go to an ordinary mobile phone over the Bluetooth connection. The phone sends them over the cell phone network to the receiving end, where another Tiger XS decrypts the data and makes them audible again.



The Tiger XS with personal
access card and headset
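
The following Python model illustrates the exchange described under "Workings" above: an encryptor on each side of an untrusted carrier, unlocked by an access card and PIN, which turns voice frames into ciphertext that the phone and the network merely carry. It is an added example written for this article, not Sectra's design or code; the real Tiger XS algorithms are secret, so the construction here (encrypt-then-MAC with HMAC-SHA256 used as a counter-mode keystream generator, a direction byte and sequence number to keep the two halves of a call apart and to reject replayed frames) is a generic illustration. The frame size, the key, the PIN and the caller names are made up, and storing a bare SHA-256 of the PIN stands in for whatever the access card really holds.

```python
import hmac
import hashlib
import struct

FRAME_BYTES = 160   # assumed: one 20 ms frame of 8 kHz, 8-bit audio
TAG_BYTES = 16      # truncated HMAC tag appended to every frame
HEADER_BYTES = 5    # 1 byte direction + 4 byte sequence number


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def make_pin_hash(pin):
    """What the (simulated) access card stores for the PIN check."""
    return hashlib.sha256(pin.encode()).digest()


class SecureVoiceUnit:
    """A Tiger XS-style encryptor that sits between headset and phone.

    Illustrative construction only (not Sectra's): encrypt-then-MAC with
    HMAC-SHA256 as a counter-mode keystream generator. Both ends of a call are
    provisioned with the same shared key; `direction` (0 or 1) keeps the two
    keystreams of a call from ever being reused against each other.
    """

    def __init__(self, name, shared_key, direction, pin_hash):
        self.name = name
        self.direction = direction
        self._enc_key = _prf(shared_key, b"voice-encryption")
        self._mac_key = _prf(shared_key, b"voice-authentication")
        self._pin_hash = pin_hash
        self._unlocked = False
        self._send_seq = 0
        self._last_recv_seq = {}   # per remote direction, for replay protection

    def unlock(self, pin):
        """Access card + PIN: nothing is encrypted or decrypted before this succeeds."""
        self._unlocked = hmac.compare_digest(make_pin_hash(pin), self._pin_hash)
        return self._unlocked

    def _keystream(self, direction, seq, length):
        out = b""
        block = 0
        while len(out) < length:
            out += _prf(self._enc_key, struct.pack(">BII", direction, seq, block))
            block += 1
        return out[:length]

    def encrypt_frame(self, pcm):
        if not self._unlocked:
            raise PermissionError("unit locked: insert access card and enter PIN")
        header = struct.pack(">BI", self.direction, self._send_seq)
        ks = self._keystream(self.direction, self._send_seq, len(pcm))
        ct = bytes(a ^ b for a, b in zip(pcm, ks))
        tag = _prf(self._mac_key, header + ct)[:TAG_BYTES]
        self._send_seq += 1
        return header + ct + tag

    def decrypt_frame(self, frame):
        if not self._unlocked:
            raise PermissionError("unit locked: insert access card and enter PIN")
        if len(frame) < HEADER_BYTES + TAG_BYTES:
            raise ValueError("frame too short")
        header, ct, tag = frame[:HEADER_BYTES], frame[HEADER_BYTES:-TAG_BYTES], frame[-TAG_BYTES:]
        expected = _prf(self._mac_key, header + ct)[:TAG_BYTES]
        if not hmac.compare_digest(tag, expected):   # checked before anything else
            raise ValueError("authentication failed: wrong key or tampered frame")
        direction, seq = struct.unpack(">BI", header)
        if direction == self.direction:
            raise ValueError("frame reflected back from our own direction")
        if seq <= self._last_recv_seq.get(direction, -1):
            raise ValueError("replayed or out-of-order frame")
        self._last_recv_seq[direction] = seq
        ks = self._keystream(direction, seq, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


class Carrier:
    """The mobile network / PSTN in between: relays frames and logs what it sees."""

    def __init__(self):
        self.seen = []

    def relay(self, frame):
        self.seen.append(frame)
        return frame


def secure_call(sender, receiver, carrier, frames):
    """Push voice frames from sender to receiver through the carrier; returns the decrypted audio."""
    return [receiver.decrypt_frame(carrier.relay(sender.encrypt_frame(f))) for f in frames]


if __name__ == "__main__":
    pin_hash = make_pin_hash("1234")                      # constructed PIN
    key = bytes(range(32))                                # constructed shared key
    pm = SecureVoiceUnit("PM", key, 0, pin_hash)
    fm = SecureVoiceUnit("FM", key, 1, pin_hash)
    pm.unlock("1234"); fm.unlock("1234")
    carrier = Carrier()
    audio = [bytes([i]) * FRAME_BYTES for i in range(3)]  # constructed PCM frames
    print(secure_call(pm, fm, carrier, audio) == audio, "frames seen by carrier:", len(carrier.seen))
```

Two points the model makes explicit: the carrier only ever holds header, ciphertext and tag, and a unit provisioned with a different key fails the authentication check before it gets anywhere near decryption, which is the practical reason every counterpart of the prime minister needs a device keyed into the same group.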

Mobility

At first sight this seems a very flexible solution: connecting a separate encryption device to common cell phones. But in reality the Tiger XS can only connect to older mobile phones which support the original Circuit Switched Data (CSD) channel and a Bluetooth version that is fully tested and compatible with the way the Tiger XS has to use it. Because of this, the Tiger XS is rarely used with mobile phones anymore, but mostly in combination with the desktop unit.

To restore the intended mobility, Sectra introduced the Tiger 7401 as a replacement for the Tiger XS. The Tiger 7401 is a custom-made mobile telephone with a TEMPEST-verified design that is capable of encrypting phone calls by itself. In 2014, this new device was ordered to replace the Tiger XS for high-level officials of the Dutch Ministry of Defense.


Encryption

The encryption algorithms used by the Sectra Tiger XS are secret, so we don't know whether public standard algorithms like AES and ECDH are used, or ones that are especially designed for the Dutch government, or a combination thereof. The algorithms and the encryption keys are created by the National Communications Security Bureau (Dutch: Nationaal Bureau voor Verbindingsbeveiliging or NBV), which is part of the General Intelligence and Security Service AIVD.

This bureau has approved the Tiger XS for communications up to and including the level Secret (in Dutch marked as Stg. Geheim) in 2007. In the Netherlands, there's no phone that is approved for communications at the level Top Secret (Stg. Zeer Geheim), so these matters cannot be discussed over phones that use public networks. This is different from the US, where there are secure telephones approved for Top Secret and even above.

Encrypted communications are only possible if both parties have the same key: the sender to encrypt the message and the receiver to decrypt it. This means that all people with whom the prime minister needs a secure line also have to have a Tiger XS. That's why we can see this device also on the desk of, for example, the Dutch foreign minister:



The desk of the Dutch foreign minister in 2013. Between the computer
and a Cisco 7965 IP phone we see the Sectra Tiger XS Office.
(photo: Ministerie van Buitenlandse Zaken - Click for the full picture)


Management

Besides encrypting phone calls and text messages, the Tiger XS also provides user authentication, so one can be sure to talk to the right person. For the actual implementation of these features there are centrally managed user groups.

This remote management, which includes supplying up-to-date phonebooks and encryption keys for the Tiger XS devices, is provided by Fox-IT, a Dutch cybersecurity company founded in 1999. Since Dutch state secrets are involved, it is considered essential that this remote management is in the hands of a trusted Dutch partner.

The partnership between Fox-IT for the management and Sectra as the supplier of the hardware was established in 2007 by the VECOM (Veilige Communicatie or Secure Communications) contract. Under this contract all Dutch cabinet members and high-level officials of their departments are provided with secure phones.


Usage

The Tiger XS has also been installed at all government departments in order to provide secure fax transmissions, for example to distribute the necessary documents for the weekly Council of Ministers meeting. Dutch embassies and military units deployed overseas probably also use the Tiger XS for securing satellite communications. For this, Sectra also made a manpack communications set which uses the Tiger XS.

The fact that the Tiger XS uses highly sensitive technology and secret encryption methods also means that it is not possible to use this device to make secure phone calls to, for example, foreign heads of state. That's the reason why, as we can see in the picture below, prime minister Rutte used his standard non-secure phone when he was called by US president Obama in 2010:



Prime minister Mark Rutte talks with president Obama
In front of him is probably his Blackberry
(photo: RVD, November 2, 2010)



The mobile phones of prime minister Rutte

Besides the three landline telephones, current prime minister Mark Rutte also uses an iPhone 4 and a Blackberry. He is seen with these devices in several photos, and Rutte also confirmed that he uses a Blackberry when he publicly admitted that it accidentally fell into a toilet in January 2011.

The iPhone is probably his private phone, because the Blackberry is the device used by Rutte's own Department of General Affairs, as well as by other departments, including those of Foreign Affairs and Social Affairs. Blackberrys are preferred by many companies and governments because they provide standard end-to-end encryption for chat and e-mail messages through the Blackberry Enterprise Server (BES).



Prime minister Rutte showing his iPhone during
a school visit in Heerhugowaard, September 3, 2014


Blackberrys do not encrypt voice, but the Dutch computer security company Compumatica has developed a solution called CompuMobile, which consists of a MicroSD card that can be inserted into a Blackberry and then encrypts phone calls and text messages by using the AES 256 and ECDH algorithms. CompuMobile was approved for communications at the lowest Dutch classification level (Departementaal Vertrouwelijk) in 2012, but whether government departments actually use it is not known.
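As an added illustration of three points made above, and not code from Sectra, Fox-IT or Compumatica (whose actual protocols are not public): an encrypted call only works when both ends hold the same key, a centrally managed and authenticated phonebook is what ties a key to a person, and AES-256 combined with ECDH is the standard way to get there. The example is written by the editor in Go with only the standard library and assumes X25519 for the key agreement, AES-256-GCM for the voice or text frames, and an Ed25519 signature from a hypothetical management centre over the phonebook; the names alice, bob and eve, the sample frame and the SHA-256 key derivation (a stand-in for a proper KDF such as HKDF) are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Phonebook maps names to long-term X25519 public keys; json.Marshal sorts map keys, so the signed bytes are canonical.
type Phonebook map[string][]byte

// SignedPhonebook is the encoded directory plus the (hypothetical) management centre's Ed25519 signature over it.
type SignedPhonebook struct{ Book, Sig []byte }

// Terminal models one secure phone: its own X25519 key pair plus a phonebook it has verified.
type Terminal struct {
	priv *ecdh.PrivateKey
	book Phonebook
}

// LoadPhonebook refuses a directory whose signature does not verify, so no entry (no call partner) can be swapped in transit.
func (t *Terminal) LoadPhonebook(sb SignedPhonebook, centrePub ed25519.PublicKey) error {
	if !ed25519.Verify(centrePub, sb.Book, sb.Sig) {
		return errors.New("phonebook signature invalid, refusing to load it")
	}
	return json.Unmarshal(sb.Book, &t.book)
}

// callCipher derives the AES-256-GCM cipher for a call with peer from the X25519 shared secret (SHA-256 stands in for HKDF).
func (t *Terminal) callCipher(peer string) (cipher.AEAD, error) {
	peerPub, err := ecdh.X25519().NewPublicKey(t.book[peer]) // nil for unknown names, which is rejected here
	if err != nil {
		return nil, err
	}
	shared, err := t.priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	return cipher.NewGCM(block)
}

// Encrypt seals one voice/text frame for peer, prepending the random nonce.
func (t *Terminal) Encrypt(peer string, frame []byte) ([]byte, error) {
	g, err := t.callCipher(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, frame, nil), nil
}

// Decrypt succeeds only with the very key the sender used; any other key fails GCM's tag check.
func (t *Terminal) Decrypt(peer string, msg []byte) ([]byte, error) {
	g, err := t.callCipher(peer)
	if err != nil || len(msg) < g.NonceSize() {
		return nil, errors.New("no usable key or truncated frame")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// must panics on setup failures (random number generation), which are not the demo's subject.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunDemo checks that bob reads alice's frame, that eve cannot, and that a phonebook altered after signing is refused.
func RunDemo() (recovered string, eveFails, tamperRejected bool) {
	centrePub, centrePriv, err := ed25519.GenerateKey(rand.Reader) // the management centre's signing key
	must(0, err)
	terms, book := map[string]*Terminal{}, Phonebook{}
	for _, n := range []string{"alice", "bob", "eve"} { // three constructed terminals, all enrolled
		priv := must(ecdh.X25519().GenerateKey(rand.Reader))
		terms[n], book[n] = &Terminal{priv: priv}, priv.PublicKey().Bytes()
	}
	data, _ := json.Marshal(book) // the centre signs the canonical directory and pushes it out
	signed := SignedPhonebook{Book: data, Sig: ed25519.Sign(centrePriv, data)}
	for _, t := range terms {
		must(0, t.LoadPhonebook(signed, centrePub))
	}
	ct := must(terms["alice"].Encrypt("bob", []byte("voice frame 0001 (constructed sample)")))
	pt := must(terms["bob"].Decrypt("alice", ct))
	_, eveErr := terms["eve"].Decrypt("alice", ct) // different shared secret: tag check fails
	book["bob"] = book["eve"]                       // swap a key after signing, keep the old signature
	forged, _ := json.Marshal(book)
	tamperErr := terms["alice"].LoadPhonebook(SignedPhonebook{Book: forged, Sig: signed.Sig}, centrePub)
	return string(pt), eveErr != nil, tamperErr != nil
}
```

Call RunDemo from a main function or a test: bob recovers the frame, eve (holding a different shared secret) gets a failed authentication tag rather than garbled audio, and a phonebook in which a key was swapped after signing is refused by LoadPhonebook. That last check is the reason the management of keys and directories is placed with a trusted party: whoever can sign the phonebook decides who you are really talking to.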

Without this security measure, phone calls from both the iPhone and the Blackberry of prime minister Rutte can rather easily be intercepted by foreign intelligence agencies, just like NSA apparently did with the non-secure cell phone of his German counterpart.




The prime minister's phones in 2006

The telephones that are currently installed in the office of prime minister Mark Rutte can be compared with those of his predecessor, prime minister Jan Peter Balkenende. From his office we have this picture, which gives a great view of the communication devices on his desk:



Former prime minister Jan Peter Balkenende (left) being interviewed
by Willem Breedveld (right) in his Torentje office, May 2006.
(photo: Werry Crone/Trouw - Click for the full picture)


In this picture we see, from left to right, the following three phones, all of them provided by KPN, the former state-owned landline operator of the Netherlands:
1. Ericsson DBC212 (black)
2. Siemens Vox 415 (gray)
3. Ericsson Vox 120 (white)



1. The Ericsson DBC212

This is the same telephone which is still in use today, as we could see in the pictures above. It's a common office telephone made by the Swedish company Ericsson, and it is part of the internal private branch exchange (PBX) network of the Department of General Affairs.


2. The Siemens Vox 415

The dark gray Vox 415 was an ordinary telephone from a series that was manufactured by Siemens for both home and office use. For private customers this model was sold by KPN under the name Bari 10.

This phone has no security features whatsoever, but as it is in the same place where later the Sectra Tiger XS Office sits, it seems very likely the Vox 415 was also used for secure communications.

For that, it was probably connected to a separate encryption device, maybe one that was compatible with the PNVX, the secure phone which was manufactured by Philips and used by the Dutch government since the late 1980s.


3. The Ericsson Vox 120

The Vox 120 was the business version of a telephone developed by Ericsson around 1986, which was sold for home use under the name Twintoon. Attached to the back is a separate speaker unit so a third person can listen in to a conversation.

In the bottom left corner the phone has a black label with its extension number for the National Emergency Network (Dutch: Nationaal Noodnet or NN). This was a separate network which enabled government agencies to communicate with emergency services when the public telephone network collapsed.

The National Emergency Network was established in 1991 and was operated by KPN. It had some 5500 connections for 2500 end users, like the departments of the national government, city halls, hospitals, and local police and firefighter headquarters. As of January 2012, it was replaced by the IP-based Emergency Communications Provision NCV (see above).



Links and sources
- Background article in Dutch: De wereld van staatsgeheim geheim (2007)
- Academic paper about Secure Text Communication for the Tiger XS (pdf) (2006)
- The first version: Tiger XS Mobile security terminal (2005)

New IP phones in the White House



From a recent photo of the Oval Office, we learn that, probably last May, new telephones for non-secure calls have been installed in the White House. They replace older ones that had been used there since 1996.

The new devices are IP phones, which means they run over an internal packet-switched IP network, instead of a traditional circuit-switched telephone network.


The new Avaya 9608

The new device is a dark gray office phone, model 9608, made by Avaya, which is a leading American manufacturer of telecommunications equipment. Avaya was previously part of Lucent Technologies, which was a spin-off of AT&T.

This model is relatively simple; it is one that is commonly used in offices all over the world. It has just an average monochrome display, not a fancy color touch screen like other high-end executive models from Avaya's 9600 series.

Although that may look nice, for the president such features would not be of much use, as most of his calls are made through an operator from the White House switchboard.



President Obama talks on his phone for secure calls with Secretary of State
John Kerry. In front of it there's the new Avaya 9608, July 13, 2015.
(White House photo by Pete Souza - Click to enlarge)



The new Avaya 9608 phone has no special security features, as it is used for all non-secure calls, both within and outside the White House.


The Cisco 7975G

For secure calls that have to be encrypted, the president uses the other phone on his desk, which is a Cisco 7975G Unified IP Phone (with expansion module 7916). This is also a very widely used high end office phone, and as such not specially secured itself, but here it is connected to the dedicated Executive Voice over Secure IP (VoSIP) network, which connects the White House with some of the most senior policy makers and provides the highest level of encryption.


The previous Lucent 8520

For non-secure calls, the new Avaya replaces the Lucent 8520T on Obama's desk. This Lucent phone was from the most widely used business phone series worldwide. It came into use in 1996, when the White House got a completely new telephone system, which was installed by AT&T and cost 25 million USD.

This new system consisted of an automated private branch exchange (PBX) with black executive phone sets, models 8410 and 8520 from Lucent, with the large 8520 on the president's desk in the Oval Office:



The previous Lucent 8520 and the Cisco 7975 on Obama's desk, July 31, 2011
(White House photo by Pete Souza)



Before 1996, the White House still used the manual switchboard from the days of president Johnson. On the president's desk there was even the push-button version of the Western Electric 18-button Call Director dating back to the 1960s. The installation of the new telephone system under president Clinton is also discussed in this television report:




NBC television on the new White House phone system (1996)



See also:

- Does Obama really lack cool phones?
- A White House staff phone

- Overview of older Presidential Telephones of the United States

New phones aboard Air Force One

(Updated: July 24, 2014)

The location that best represents Top Level Telecommunications in every sense of the word is probably Air Force One, the aircraft that carries the president of the United States.

As unbelievable as it sounds, the telephone sets used aboard this plane dated back to the 1980s and so they were finally replaced by new ones in August 2012. Here we will take a look at this new telephone equipment, which is now used by president Obama when he travels by air.


The new phones

In a range of pictures showing president Barack Obama using a telephone aboard Air Force One, we can see that the new phones consist of a handset in a customized cradle. In the conference room they have a rubber foot so they can be placed on the table without sliding away:



President Obama using one of the new phones aboard Air Force One
(Photo: AP - October 24, 2012)


The phone sets to be used by the president in his office room and the conference room have a brown/goldish color that matches the wood and the leather chairs. All other handsets that have been installed throughout the plane are in standard gray:



President Obama talks with Chief of Staff Jack Lew, former President Bill Clinton,
Justin Cooper, David Axelrod, and Senior Advisor David Plouffe. November 4, 2012.
In the back we see two new phones in gray on a wall mounted cradle.
(White House Photo by Pete Souza - Click to enlarge)



President Obama and Press Secretary Jay Carney disembark from Air Force One.
Left of the door we see a wall mounted version of the new phone in gray.
(White House Photo by Pete Souza - June 17, 2014)


The Airborne Executive Phone

These new phones aboard Air Force One can be recognized as the Airborne Executive Phone (AEP) made by L-3 Communications. This is a military contractor that, among many other things, also manufactures the STE, the secure desktop telephone that is most widely used by US military and government.

The Airborne Executive Phone is able to make both secure and non-secure calls from a single handset. It also provides Multiple Independent Levels of Security (MILS) for digital voice and internet data access. This should provide end users with the experience of "reliable connectivity, interoperability and security they would have in an executive office environment".


Global Secure Information Management Systems

The Airborne Executive Phone is part of L-3 Communications' Global Secure Information Management Systems (GSIMS). This is an IP-based system for secure airborne communications with a modular, scalable, and redundant design.

GSIMS integrates existing analog and digital radio and interphone systems with its own IP-based architecture, in order to provide reliable connectivity, secure video conferencing and controlled wireless connections. The system is effectively controlled from an operator workstation.

L-3 Communications advertises (pdf) the GSIMS system as the most advanced secure communication system for VIP and head-of-state aircraft:



More details about the Global Secure Information Management Systems (GSIMS) can be found in the fact sheet (pdf).


Development and installation

The installation of new phones aboard Air Force One was part of a larger, 81 million dollar contract that was awarded to L-3 Communications in 2009. This contract included the installation of Airborne Information Management Systems (AIMS) hardware and software. It modernized the on-board communication systems and replaced outdated analog systems, providing fixed bandwidth switching and integrated secure/non-secure video teleconferencing. Also included was the installation of seamless passenger information interfaces throughout the VC-25 aircraft that serve as Air Force One.

It seems that the Airborne Executive Phone (AEP) was originally developed by Telecore Inc., as can be read in the resume of someone who made a video presentation of this device (he did the same for the Senior Leadership Airborne Information Management System of L-3 Communications). Telecore is the company that manufactures the IST-2 telephone for the Defense Red Switch Network (DRSN), which is also a single device that can be used for both secure and non-secure calls. Probably Telecore sold the AEP to L-3 Communications.


Secure and non-secure calls

As we can see in the L-3 Communications advertisement, secure calls are indicated by a red background in the display and non-secure calls by a green one. This corresponds with two lights on the back of the handset: a green light which is on when the call is non-secure, and a red light that will indicate when it's a secure call over a highly encrypted line.



President Obama talks with NASA's Curiosity Mars rover team aboard Air Force One,
August 13, 2012. We see the green light on, as this is an unencrypted call.
(White House Photo by Pete Souza - Click to see the full version)



President Barack Obama talks on the phone aboard Air Force One, April 10, 2014.
Here we see the red light on, and interestingly, the White House didn't
release to whom Obama was talking on this occasion.
(White House Photo by Pete Souza - Click to see the full version)


Air Force Two

The new Airborne Executive Phones are also installed in the smaller Boeing C-32, a modified Boeing 757, which gets the air traffic call sign Air Force Two when it is carrying the vice-president of the United States. Sometimes this plane is also used by the president, and then serves as Air Force One, like for example for a trip on July 17, 2014 to the Port of Wilmington in Delaware:



President Obama talks on the phone with president Petro Poroshenko of Ukraine
about the Malaysia Airlines plane crash in eastern Ukraine, July 17, 2014.
Here we see the new phone in gray, and as Obama's finger is covering
the red light, and the green light is off, it seems a secure call.
(White House Photo by Pete Souza - Click to enlarge)



The old phones aboard Air Force One

Initially, Air Force One had sets of two telephone handsets installed all over the plane. These consisted of a cradle and an old-fashioned, so-called G-style handset, one in white and one in beige. The white handset was for non-secure calls and the beige one for phonecalls over a secure line. These phones were introduced on the previous plane that served as Air Force One, during the presidency of Ronald Reagan(!).



President Obama takes questions from seven reporters from the black press aboard
Air Force One on their way to the NAACP convention in New York. July 2009.
In this picture we see the phones that were previously used.
(White House Photo)


After the new Executive Voice over Secure IP (VoSIP) telephone network was installed in 2007-2008, which connects the White House with some of the most senior policy makers, the Cisco 7975G Unified IP Phone used for this network was also placed in Air Force One, where the big device was somewhat out of place:



Close-up of the white and the beige handsets and the Cisco 7975 IP phone
in the conference room of Air Force One, March 2009.
(Photo: Stephen Crowley/The New York Times)


Now all three of these different phones have been replaced by a single Airborne Executive Phone, which connects to both ordinary and highly secure telephone networks.



Links
- jp.MSN.com: The phone aboard the US president's plane is a strange, Iron Man-like phone
- Gizmodo: The Phones on Air Force One Look Like Iron Man Accessories
- Tinker AFB: Maintenance in chief: Looking after Air Force One
- History of the Presidential Telephones of the United States

- More comments in the Hacker News thread

What if Google was an intelligence agency?

(Updated: September 15, 2014)

This time we present an article written in cooperation with the French weblog about intelligence and defence Zone d'Intérêt in which we compare the data collection of Google to intelligence agencies like NSA:


Introduction

Since 1998, Google has grown to become an essential part of the web infrastructure and has taken an important place in the daily lives of millions. Google offers great products, from a search engine to video hosting, blogs and productivity services. Each day, users provide Google, willingly and candidly, with many different kinds of personal information, exclusive data and files. Google justifies this data collection for commercial purposes, the selling of targeted ads and the enhancement of its mostly free services.

These terabytes of user data and user generated content would be of tremendous value to any intelligence service. As former director of CIA and NSA Michael Hayden half-jokingly stated at Munk debates: "It covers your text messages, your web history, your searches, every search you’ve ever made! Guess what? That’s Google. That’s not NSA."

But really, how would a company like Google compare to an intelligence agency like the NSA? How would it be able to gain access to confidential information and go beyond OSINT (Open Source Intelligence)? Does Google even have the resources, data and technical capabilities to harvest all-sources intelligence like a major intelligence service would?

Google's unofficial motto is "Don't be evil", but what if Google started being evil and used all of its collected information as an intelligence agency would? What if intelligence professionals had access to Google's resources and data? What would it mean for the users? And can this be prevented somehow? (It's also rather ironic that many people now see NSA as a big evil organization, while Google collects even more.)

This is the worst case scenario we'd like to explore:
What if Google was an intelligence agency?


Communications to intercept, private data to collect

As a major webmail (425 million active Gmail users in 2012 - source: Google I/O 2012) and instant messaging provider with Hangouts, Google has access to the daily communications of millions of individuals, corporations and organizations. This privileged access to telecommunications worldwide gives Google the opportunity to act as a major COMINT agency, not unlike NSA or GCHQ. Storing its users' e-mails and broadcasting their instant messages with audio and video, Google is able to obtain a deep-reaching knowledge of their habits, intents and projects, whether personal, professional or commercial. Enhanced with behavior analysis and targeted with collection selectors, these communications, already stored on the company's servers, could be used as a very powerful intelligence database.

NSA only stores data that have foreign intelligence value; other data that might be useful are automatically deleted after 5 years. But how is that with Google? In the European Union, administrative authorities in charge of data protection, assembled in the Article 29 Working Party of the European Commission (or "G29"), have issued multiple warnings and penalties against Google regarding this issue. In January 2014, the French CNIL, an Art. 29 Working Party member, issued a 150 000€ monetary penalty to Google for failing to define retention periods applicable to the data which it processes. Data collected by Google isn't as strictly regulated and controlled as data collected by intelligence agencies, and it can stay on Google's servers until the company decides to delete it, at its own discretion.

And how about the risk of internal policy and privacy violations by Google personnel? Does Google have access control mechanisms just as strict and tight as the compartmentalization and 'need-to-know' at NSA? It should have, as Google has far more information about ordinary people in its databases, which could be much more tempting for employees to look at than, for example, all the military and terrorism material that NSA collects. But Google also has to protect this information against foreign intelligence agencies.

Google also provides its users with phone services through its Android phone and tablet operating system, with 1 billion users worldwide in 2014 (source: Google I/O 2014). This could be used as an opportunity to monitor the calls - made or received - by its users, collect their metadata and even record their calls for intelligence purposes. This also goes for SMS and MMS sent or received by its users, as Android users send 20 billion text messages each day (source: Google I/O 2014). NSA's database for SMS messages, DISHFIRE, receives just around 200 million messages a day. Google is expanding the reach of its phone services, as calls to landline and mobile phones can be placed from Hangouts by any user of Gmail, Google+ and Chrome, even without using an Android device. With Fiber, Google is providing ISP services to three cities in the United States, with plans to expand. Google even wants to introduce internet access to remote areas in Africa via solar-powered balloons, which would also make it much easier for NSA, as many of these regions are also terrorist-related conflict zones where there's often only mobile phone and radio traffic, which is more difficult to intercept than internet traffic, especially when the latter goes through a US company.

The expanding realm of its webmail and cloud services provides Google with a rare trove of otherwise private individual data and even confidential information from governments and companies. With Gmail, Google has access to sensitive information about individuals, such as their names, phone numbers, addresses or even social security numbers which may transit via e-mail. Logins and passwords from web services are often sent by e-mail, and so are activation and authentication codes. Many users want to take advantage of the free services offered by Gmail and automatically forward e-mails from other webmails or their company e-mail address to their Gmail address, creating a POP/SMTP link. Doing so, they increase the amount of e-mails and information accessible to Google. Private information about individuals, from health and financial issues to clues about their emotional state or relationship status can be found in e-mails. Everything from their buying habits, reading habits or subscriptions, to confidential information, can be extracted from e-mails using already available software, and then easily exploited by intelligence professionals.

Contact lists from services like Gmail, Hangouts, Google+ and from operating systems like Android and Chrome OS would be a valuable source for intelligence analysts, as they make it possible to identify links between individuals and perform social network analysis. Contact lists were used on many occasions by intelligence agencies leading investigations against terrorist cells or organized crime groups, but can also be used in social engineering schemes or commercial intelligence.

Corporate information is hosted by Google through most of its services, as Gmail is used by many entrepreneurs and employees, whether it is duly authorized by their company or not. Important information can be retrieved from e-mails, such as details of industrial projects, business offers and everyday company communications. Many companies use Gmail attachments to send and receive corporate documents or use Google Drive to store their information. Google Calendar can also provide a great window into the daily activities of a company, as a way to identify links between individuals, be alerted of forthcoming meetings, receive status reports from ongoing projects, or deduce a precise timeline of employees' work habits. Recently, Google announced that 58% of Fortune 500 companies have "gone Google" and so did 66% of "50 top Start-Ups" and 72 of the 100 best universities (Source: Google Enterprise).

Given that all these data often contain highly sensitive and private information, it is remarkable that people, businesses and organisations are so willing to entrust them to Google. One wonders why some people really don't like it when government officials could have access to such information, but apparently completely trust Google personnel. Who guarantees that Google isn't looking into confidential information of other businesses that can be of interest?

Google Search, the first service provided by Google since 1998, receives about 100 billion searches per month and is a great tool used every day by intelligence professionals. Google search crawlers scan the web for individual URLs, web pages and files, using Google's powerful servers. They are able to record, collect and cache any kind of text content, images, video and audio files, and most document formats such as Word and PDF. Google Search can be used to find unrestricted or insufficiently secured subdomains, files, folders and archives, from websites and networks. Using advanced operators, Google can be used to find misplaced confidential information and other vulnerabilities. If there's one application that is able to read your deepest thoughts, fears and desires, like Edward Snowden said NSA is capable of, then it is Google Search.


Individuals to identify, targets to monitor

Google Search can also be exploited for advanced statistics, behavior analysis of users, identification of single users, and to locate them. Using cookies and connection data recorded by Google for every search, such as IP address, user agent and search terms, the user can be identified and located to a certain extent. Taking advantage of persistent cookies, IP addresses and forensic techniques, such as discourse analysis or syntax analysis, and sifting through recorded searches, online activity through Google services can then be narrowed down to a single organization, a set of users or even a single user.

Recording precisely the search terms from an identified user, company or organization can help an intelligence professional create new, more efficient selectors for intelligence collection and communication interception, based on the interest of users and unique searches. For example, many companies will use Google to find new business prospects, partners or suppliers. Journalists will do background checks on their sources using Google. Scholars and scientists will do their research using Google search, revealing precise information about what they are looking for and what they are working on.

Similar data is collected on many other websites which are not owned by or related to Google, but which make use of Google Analytics, a Google-run service allowing webmasters to collect detailed information about their users, such as their IP addresses (collected by Google but not shown to webmasters), what search terms they used to reach their websites and which pages they browsed. While challenging sanctions from the European Art. 29 Working Party, Google argued that an IP address does not constitute personal data, even when associated with data from cookies, and should not be treated as such regarding privacy issues. This once again shows the different views on privacy in Europe and the US.

But Google has access to much more precise data to identify users and monitor their online activities. Some services, such as Gmail, require users to be registered and to give accurate personal information, such as their real name, their birth date, their country of residence or another e-mail address they own. Google is also pushing two-factor authentication, requiring that their users disclose an active phone number. While launching its Google+ service, which is now linked to other services such as Gmail and Youtube, Google discouraged the use of pseudonyms and required that all users register using their real name, or risk account suspension. In October 2012, G29 issued a recommendation to Google that it must inform new users more clearly that they can sign up for a Google account without providing their real name.

When users use any Google service while logged in, or with Google cookies activated, or even from an IP address which was previously used while logged in, all of their online activity transiting Google networks can be traced back to them. On many occasions, personal files and documents stored on Google Drive, or images stored on Google+ Images and Picasa, could be traced by Google back to the real name of a registered user. E-mails, instant messages, personal documents, videos and pictures, all stored by Google, can be used to create a very complete and precise profile of a single individual. According to numbers published by Google during I/O 2014, Android users send "93 millions selfies" each day.

The Google image search algorithm is able to identify faces and places in pictures. The image search facial recognition feature is only activated to find pictures of celebrities, but Google+ Photos includes an opt-in service called "Find My Face" capable of automatically recognizing and tagging the user's face in photos uploaded by him or by his friends. Google implemented a "Face Unlock" feature in Android, allowing users to unlock their devices using their camera, showing that Google's recognition algorithms are precise enough to identify an individual, even with slight changes due to lighting conditions or facial expression. In addition, Google's recurring pop-ups urge Android users to activate a function which automatically uploads all new photographs taken with their device to Google+ Photos and Google Drive. EXIF data and geotags from each photo are collected too. As another option, Google image search has a "reverse image search" functionality which allows any user to upload an image from his computer and let Google's pattern recognition algorithm find similar images. In the help section of Google's image search, it is stated that "any images or URLs that you upload will be stored by Google".

Google's photo database would be an extraordinary tool for any intelligence professional trying to find someone, learn about their habits or identify the people they are connected to. Recently, intelligence agencies such as the American DIA (Defense Intelligence Agency) or the French DGSE have been acquiring commercial software to collect videos and photos posted online for intelligence purposes, which shows the interest of intelligence analysts in user-generated content. In 2010, Google invested 100 million dollars in Recorded Future, a company specializing in data mining, advanced statistics, internet traffic monitoring and defense intelligence. Recorded Future was also funded by In-Q-Tel, the technology investment firm of the CIA.

Using data collected through Google Voice Search and Google Now, intelligence technicians could build a large phoneme database to enhance word recognition algorithms, but also to implement voice recognition in order to identify single users based on their voice. For advanced target monitoring, the microphone of a computer, tablet or smartphone running Android or Chrome OS could be activated in order to eavesdrop on a target, using OS-level or app-level backdoors. Coupled with voice recognition, these techniques could be used to identify and locate targets.

In such a scenario, OS-level access could be used to implement backdoors for keylogging, password collection, communication intercepts, microphone or camera hijacking, or even silent GPS activation and monitoring. Access to Google's database would make network penetration easier, as Android devices record the WiFi passwords of the secured access points they connect to and store them in the cloud.


Map any place, locate anyone

In 2004, Google acquired Keyhole, a company partly funded by the CIA and the NGA, which developed the technology behind Google Earth, a Google product which provides users with maps and commercial satellite imagery from around the world. Other Google mapping initiatives are Google Maps and Street View. Google Earth is used by many intelligence professionals, whether they work for government agencies or for private contractors, and is often listed as a common tool in intelligence sector job descriptions and resumes.

A useful feature of Google Maps and Google Earth is the ability for users to add tags, photos and points of interest (POI) over the maps and imagery provided by Google. This feature results in crowd-sourced sets of maps, which are improved by the output of users who have good knowledge of the places they describe, whether they are travelers, dwellers or experts. This ground knowledge is obtained at no cost by Google and can result in very detailed descriptions, even of remote places. Google also benefits from the geotagged photographs from Panoramio, acquired by Google in 2007, and from POIs added by users participating in Google side-projects, such as Niantic Labs' Field Trip and Ingress applications. Google recently acquired the imaging company Skybox, taking advantage of its growing constellation of satellites.

Another way for Google to get intel from the ground and improve its worldwide mapping capabilities is Street View, by which Google collects 360° snapshots along roads and trails. With Street View, Google is able to get detailed and fresh information about buildings, installations and constructions. This collection effort even captures photos of remote places or restricted areas, such as military bases or intelligence facilities (examples: MI5 installation in the United Kingdom, DGSE station in France). Google has recently announced Project Tango, which is aimed at developing new sensors for mobile devices, in order to map their surroundings in 3D, such as the interior of buildings. Access to the photographs and geospatial information collected by Google through Google Maps, Street View, Google Earth and Panoramio, but also from search crawlers and user content uploaded to the cloud, would be of considerable interest to intelligence technicians. For instance, Letitia A. Long, director of the National Geospatial Intelligence Agency (NGA), recently stated that her agency was increasingly taking advantage of data collected through open sources and social networks. In these cases the possibilities of Google's commercial tools seem to have already outpaced those used by government agencies.

Google is also making considerable effort to precisely locate its users. Users are often prompted to authorize their localization by Google services, from Google Search to Google Maps and Android. To achieve precise location of a user, Google uses all data available, from search queries which mention a place, to IP addresses and connection data, to the GPS signal provided by the user's device.* Google also uses a patiently crafted database of Wi-Fi access points, hotspots and cell towers, which contains MAC addresses, BSSIDs and Cell IDs. This data is collected by Google Street View cars and contractors, but also whenever a user's device grants location privileges to a Google service or application. This worldwide crowd-sourced database is very detailed, precise and regularly updated. This data collection is often running in the background on users' devices and provides Google with the precise location of many of its users.

For intelligence purposes, geolocation data could be used to silently track a target or get information about their routines. Localization data is stored and logged by Google, and can be accessed by registered users in their Location History. Access to such information by intelligence technicians could be used for behavior analysis, remote surveillance, forensics and social network analysis. Combined with Google's access to many Wi-Fi passwords, a precise map of MAC addresses worldwide would provide intelligence technicians and operators with an opportunity to conduct network penetration and communication intercepts. All this could be very valuable for agencies like NSA, as some of the Snowden documents showed that they now have to put much effort into mapping such communication networks "from the outside".


A proxy in intelligence collection?

Google collects user data for commercial purposes, mainly to sustain its business model based on online targeted ads, which accounted for 96% of Google's revenue in 2011. However, Google is sharing its valuable data with governments and their intelligence services when complying with court orders or local laws. According to its Transparency Report, in 2013 Google complied with thousands of user data requests from governments of countries such as the United States, India, France, Germany, United Kingdom, Brazil or Italy. Google reports that it provides user data to "law enforcement agencies", but does not state exactly what kind of data is given. As examples, Google cites IP addresses and personal information given by the users when they register, but it is not clear whether or not the data provided to authorities is restricted to these elements. Given the large amount of data collected and stored by Google on every user, government agencies could receive a very detailed history of a user's communications and online activity, or even a copy of their hosted files.

In recent NSA and FBI intelligence collection programs, user data can be requested under a legal framework, such as FISA requests, which does not authorize Google to inform its users of the request. Moreover, clandestine intelligence efforts gave the NSA access to Google's data, without the need for legal requests.

In most democratic countries, intelligence services aren't allowed to intercept communications from their citizens nor to collect user data without the authorization of a judge or commission. Many intelligence activities are meant to be constrained by the rule of law and monitored by congressional oversight to ensure that individual liberties are respected. However, commercial companies are not subject to the same restrictions and can collect a lot of their users' data, as long as they duly inform them.

Such a loophole can be purposely exploited by an intelligence agency, taking advantage of the ever-growing databases of big companies such as Google, either by legally requesting the information collected from their users or by trying to access it covertly. In such occurrences, Google would act as a proxy in intelligence collection, unwillingly (?) putting its resources at the disposal of intelligence services. Citizens and businesses may not want to share as much private information and content with an internet services company given the possibility that it may later be accessed by intelligence services, domestic or foreign.

One major argument against the collection of data conducted by NSA (or other intelligence agencies) is that it can be used against the people when government is taken over by evil people. Western governments at least have checks and balances, but Google is just a commercial company, and what would happen when, say, some huge Chinese company would take it over? Then our complete digital lives would be under the control of people who care less about individual freedom and privacy. As probably no one (especially the US government) wants that to happen, Google will have to stay an American company one way or another – which makes it even more like a proxy for US intelligence.

In a recent case, Google tipped off the National Center for Missing and Exploited Children after scanning the emails of its users, looking for content related to child pornography. It seems that Google was not asked by a law enforcement agency to monitor the communications of a single user under investigation, or even to scan emails for suspicious content. Google acted on its own, scanning emails, maybe on a massive scale, to find suspicious activities. Even though going against child exploitation can be seen as a noble endeavor, it seems that Google may be running its own law enforcement operations, scanning its users' data for what it deems illicit. As Google gives little information about the company's operations, it is hard to know what kind of user activities could be monitored by Google and proactively reported to authorities or other organizations. It is not clear if this proactive reporting only occurs in the United States, or if it may extend to other, less democratic countries.


Closing thoughts

From an intelligence standpoint, the sheer amount of data that Google collects about individuals and businesses is unrivaled. A single piece of information recorded by Google about a user could be considered innocuous, but the sum of all collected data which can be narrowed down to an individual or an organization gives an intimate picture of its thoughts, intent and activity.

The way Google systematically tries to gain access to new kinds of data about its users, whether it's their e-mails, their work files, their personal pictures, their location, or confirmation of their real identity, is propelled by a commercial strategy and a so-called wish to "change the world", making their users' lives easier. However, this "know-it-all" approach facilitates data mining efforts by intelligence services which pursued programs such as "Total Information Awareness" and are conducting large-scale intercepts.*

Of course, this issue is not confined to Google but affects other companies such as Amazon, Apple or Facebook, as well as many other smaller companies. Still, Google holds a special place in the digital world of user data, as it concentrates a wide range of user information, operates phone and email services, develops operating systems and stores users' files in the cloud. Google holds a big responsibility to ensure the security and privacy of its users' data worldwide, but its ongoing efforts to do so can hardly be considered sufficient.

Google's security practices are generally considered state of the art and the company recently announced support for end-to-end encryption in GMail, but the body of messages will remain unencrypted on Google's servers and accessible to the company's bots. In October 2013, Google became aware of a covert network penetration led by the NSA, targeting the communication links connecting the company's data centers, which were not encrypted.* The exact amount of user data which may have been collected by the NSA during the operation is still unclear.

- Google's privacy policy is sometimes cloudy, and users trying to get informed about what data they release to Google, how this data will be used and how long it will be retained, have to sift through disclaimer pages scattered across Google's websites.

- As a major stakeholder in the worldwide web, Google has to bring more accountability and transparency about what is shared from its users. The user data that could potentially be provided to law enforcement agencies should be clearly and precisely marked as such. It should become clear to all users that some of their data, whether it's personal information, files, e-mails, messages, metadata from network traffic or phone calls, or even recorded communications may become available to intelligence services.

- Also, Google should clarify if this information can be provided only to the law enforcement agencies of the user's country of residence or also to United States government agencies, as Google is an American company with most of its servers and activities in the US.

- American web companies and cloud operators are facing growing criticism about their vulnerability to US intelligence operations. Some in Europe advocate sovereign "national clouds" restricting data retention and traffic between secured servers and users, forbidding access to the American government. During a hearing before the United States Senate in November 2013, Richard Salgado, Google's director for law enforcement and information security, stated that "in the wake of press reports about the so-called "PRISM" program", he was concerned by the trend of "data localization" that could result in the creation of a "splinternet" and the "effective Balkanization of the Internet". Data localization would also probably cost Google more, and would place the company under the law of each country where it processes user data. In many cases Google argued that it was established in the United States and therefore was not subject to the laws of European countries, as all data processing occurs in the USA. However, in France Google was given a (small) financial penalty as the administrative authority made clear that the company had to comply with the French Data Protection Act.

- Google cannot condone a systematic breach of the confidentiality and privacy of its users. A call to reform US government surveillance laws cannot be considered enough. Google must implement proactive measures: reinforce its network security, offer end-to-end encryption for all of its services, securely host users' files in their countries of residence and better inform its users of privacy risks. These measures could be seen as costly, but are necessary to maintain the trust of Google's user base and main source of revenue.


Google has massive technical capabilities for user data retention, metadata collection, telecommunications monitoring, localization, mapping and imaging, all of which could allow it to act as an intelligence agency. The main difference is that Google has a different goal (commercial) than an intelligence agency, but this also means that Google gathers far more data than an intelligence agency is legally allowed to.

How long is user data kept on Google's servers? What kind of user data is shared with law enforcement agencies or intelligence services around the world? How does Google prevent its employees from accessing their users' personal data or location? How is the data you gave Google secured against hackers or against malicious attacks by intelligence services?

Google doesn't really say, so you have to take their word for it.



Update:
On September 15, 2014, Wikileaks-founder Julian Assange told the Italian newspaper L'Espresso that he now wants to warn against Google: "They believe they are doing good, but they are now aligned with US foreign policy. This means that Google can intervene on behalf of US interests, for example, it can end up compromising the privacy of billions of people, it can use its advertising power for propaganda".


Another "red phone" for the Israeli prime minister

(Updated: April 21, 2015)

In an earlier posting on this weblog we took a look at the phones used by the Israeli prime minister Benjamin Netanyahu, which included an eye-catching red one. In some more recent pictures we can see that this red phone has apparently been replaced by an interesting looking white telephone.


Although this device itself is white, it has a rarely seen but very distinctive feature: a red curly cord for the handset and also a red cable for the phone line. The buttons are also surrounded by some kind of red overlay:



Israel Prime Minister Benjamin Netanyahu, right, meets with Defense Minister
Moshe Ya’alon and Chief of Staff Benny Gantz, July 26, 2014 in Tel Aviv.
(Photo: Handout/Getty - Click to enlarge)


The dark gray phone at the left is a more common Nortel M3904 executive phone - a model which is also used at the NSA headquarters and at the office of the British prime minister. Nortel was a big Canadian telephone equipment manufacturer, but was dissolved in 2009.


The white telephone with the red cord also appears on a side table in the seating corner of Netanyahu's office, where before there was only a black phone. The latter is a more common Telrad Executive Phone 79-100-0000 from the Israeli telecom equipment manufacturer Telrad. This phone is also in the office of the Israeli defense minister and therefore it seems to be part of the (non-secure) internal phone system of both ministries.



Esther Pollard meets with Prime Minister Benjamin Netanyahu, December 23, 2013.
We clearly see the "new" white phone next to the existing black one.
(photo: Netanyahu's Facebook-page - Click to enlarge)



US Secretary of State John Kerry and Israeli Prime Minister Benjamin Netanyahu
settle into their seats in Netanyahu’s office, January 2, 2014.
(Photo: US Department of State - Click to enlarge)


From the picture above we can make a close-up of the white telephone, which looks a bit different than the one in the first picture. It has no red overlay around the buttons, but instead a red lining around the display and red stripes on the back of the handset. Unfortunately the red letters above the display aren't readable:




The red markings and the red cords indicate that this phone is used as what in the US is called a "red phone". That's a telephone which is connected to a highly secured network for communicating with top level policymakers and military commanders. This doesn't necessarily mean that such a phone itself has to be capable of encrypting the voice data; that can also be done by an encryption device at the internal (secure) phone switch.

As the white telephone in Netanyahu's office is a rather large device, it could be possible that it does the necessary encryption itself, although secure phones from other countries (like the STE used in the US) are often even bigger, so we cannot be certain about that.

Israel has its own manufacturer of secure communications equipment: the defense contractor Elbit Systems, which was formerly part of the Tadiran conglomerate. There are no pictures available of phones made by Tadiran or Elbit, so we cannot say whether the white telephone in the office of Netanyahu was made by this company.


The white telephone isn't actually very new, it is already in this picture from October 2011. Together with the black one from Telrad, the white phone is also on a side table next to another desk of Netanyahu, as we can see for example in this screenshot:



Prime Minister Netanyahu in one of his offices, October 9, 2013.
(photo: YouTube screen capture)


With the white phone not being completely new, it seems that it has been placed on Netanyahu's desk and in the seating corner on purpose: to show that the prime minister is always in charge and in contact with the military. Because of security reasons, it's rather unusual to see secure telephones with their classification markings in highly visible places like these ceremonial offices where guests are received and the press is allowed in.

Update #1:
A reader of this weblog has recognized the white telephone as a Coral DKT-2320 made by the Israeli company Tadiran Telecom. Although this is a spin-off of the same Tadiran from which Elbit Systems emerged, this is a common office phone without security features. Therefore the red markings and the red cords from the one in Netanyahu's office most likely indicate that this phone is connected to a switch where the calls are encrypted in bulk.

Update #2:
The phone with the red cord and the red overlay around the buttons that we saw in the first picture has now also appeared in two photos of a team within the Israeli Defense Forces (IDF) Intelligence Corps' Unit 9900, which were published in an IDF blog posting from April 2, 2015:




In this photo we have a better look at the "red phone", which appears to be a distinct version of the generic white ones which are next to the other work stations. This telephone is different though from the Tadiran Coral DKT-2320 mentioned above.


NSA's Foreign Partnerships

(Updated: March 10, 2015)

For fulfilling its task of gathering foreign signals intelligence, the National Security Agency (NSA) is cooperating with partner agencies from over 35 countries all over the world.

These relationships are based upon secret bilateral agreements, but there are also some select groups in which intelligence information is shared on a multilateral basis, like the SIGINT Seniors Europe (SSEUR), the SIGINT Seniors Pacific (SSPAC) and the Afghanistan SIGINT Coalition (AFSC).

Until recently, very little was known about these foreign relationships, but the Snowden-leaks have revealed the names of all the countries that are cooperating with NSA. This made it possible to create the following graphic, which also shows various multilateral intelligence exchange groups, which will be discussed here too.





Nations with 2nd and 3rd Party status and those who are
members of the SIGINT Seniors Europe (SSEUR) and NATO
(click to enlarge)

 

2nd Party Partners

The closest cooperation is between NSA and the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. Formally this is based upon bilateral agreements, the first being the UKUSA-Agreement from 1946, but soon the group got a multilateral character, which means partners can exchange information among the other members too (as far as there's a "need to know").

The five partners under the UKUSA-agreement, commonly called the Five Eyes, agreed that they would follow common procedures for operations and reporting, and also use the same target identification systems, equipment, methods and source designations. They would not only share end reports and analyses, but also most of the raw data they collect.

As a kind of gentlemen's agreement it is supposed that the Five Eyes countries are not spying on each other, although some of the documents from the Snowden-leaks show that at least NSA secretly keeps that option open.



Country          Since    Five Eyes   Four Eyes   Three Eyes
                          (FVEY)      (ACGU)      (TEYE)
United States    1946     x           x           x
United Kingdom   1946     x           x           x
Canada           1949     x           x           -
Australia        1952     x           x           x
New Zealand      1952     x           -           -


Despite the very close and longstanding relationship between the Five Eyes partners, two sub-groups have been formed for specific military operations in which not all five partners participate. These sub-groups are designated Four Eyes (abbreviation for classification purposes: ACGU) and Three Eyes (TEYE).

> More about The 5, 4 and 3 Eyes

Cable tapping

The 2nd Party countries are cooperating in many ways, one of which is in cable tapping operations. The NSA umbrella program for this is codenamed WINDSTOP. According to NSA's Foreign Partner Access budget for 2013, WINDSTOP involves primarily Britain, but also Canada, Australia and New Zealand, and focuses on access to (mainly internet) "communications into and out of Europe and the Middle East" through an integrated and overarching collection system.


Representatives

For maintaining these extensive relationships, NSA has representatives in each Second Party country. These are called Special US Liaison Officer (SUSLO), followed by the name of the nation's capital. So for example the NSA representative in Britain is the Special US Liaison Officer, London (SUSLOL) and the one in Canada the Special US Liaison Officer, Ottawa (SUSLOO).

Likewise, the other Five Eyes countries have a representative at the NSA headquarters. These are called Special UK Liaison Officer (SUKLO), Special Canada Liaison Officer (SCALO), Special Australia Liaison Officer (SAUSLO), and Special New Zealand Liaison Officer (SNZLO).




Slide from an NSA presentation titled 'Foreign Partner Review' from
fiscal year 2013, showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 13, 2014.

 

3rd Party Partners

One step below the 2nd Party partnerships, there's cooperation between NSA and (signals) intelligence agencies from countries who are called 3rd Party partners. This is based upon formal agreements, but the actual scope of the relationship can vary from country to country and from time to time. Details about the cooperation between two countries are laid down in Memorandums of Understanding (MoU).

For the US, this kind of cooperation is useful because foreign agencies can have better access to high-priority targets because of their geographic location, or they could have a specific expertise on certain areas, or just simply because they have a better knowledge of the local situation and language.

The foreign partner agencies are mostly interested in American technology, money and access to the worldwide interception capabilities of NSA and its Five Eyes partners. This makes these 3rd Party partnerships especially attractive for smaller countries, for whom it means a sometimes substantial increase of their otherwise limited capabilities.

One big difference with the countries from the 2nd Party category is that 3rd Party partners do spy upon each other, and many of the Snowden-documents have shown this. From these documents we also learned that in 2013, there were 33 countries with 3rd Party status:



Country          Since    CNO             3rd Parties     SSEUR       SSPAC
                          (19 countries)  (33 countries)  (14-Eyes)   (10-Eyes)
Algeria          -        -               x               -           -
Austria          -        x               x               -           -
Belgium          -        x               x               x           -
Croatia          -        -               x               -           -
Czech Republic   -        x               x               -           -
Denmark          1954     x               x               x           -
Ethiopia         -        -               x               -           -
Finland          -        -               x               -           -
France           -        -               x               x           x
Germany          1962     x               x               x           -
Greece           -        x               x               -           -
Hungary          -        x               x               -           -
Iceland          -        x               -               -           -
India            -        -               x               -           x
Israel           -        -               x               -           -
Italy            -        x               x               x           -
Japan            -        x               x               -           -
Jordan           -        -               x               -           -
Luxemburg        -        x               -               -           -
Macedonia        -        -               x               -           -
Netherlands      2005?    x               x               x           -
Norway           1954     x               x               x           -
Pakistan         -        -               x               -           -
Poland           -        x               x               -           -
Romania          -        -               x               -           -
Saudi Arabia     -        -               x               -           -
Singapore        -        -               x               -           x
South Korea      -        x               x               -           x
Spain            -        x               x               x           -
Sweden           1954     x               x               x           -
Switzerland      -        x               -               -           -
Taiwan           -        -               x               -           -
Thailand         -        -               x               -           x
Tunisia          -        -               x               -           -
Turkey           1949     x               x               -           -
UAE              -        -               x               -           -


The countries in the column under "CNO" are from a list which is in an undated NSA document about collaboration regarding Computer Network Operations (CNO). The document was first published on October 30, 2013 by the Spanish paper El Mundo and classifies cooperation on four different levels, which was also explained by The Guardian.

The first level is called "Tier A - Comprehensive Cooperation", which comprises Britain, Australia, Canada and New Zealand. A second group, called "Tier B - Focused Cooperation" includes the 19 mostly European countries listed above. A third group of "Limited cooperation" consists of countries such as France, Israel, India and Pakistan, and finally a fourth group is about "Exceptional Cooperation" with countries that the US considers to be hostile to its interests.

In May 2014, the list with the "Tier A" and "Tier B" countries was also published in Greenwald's book No Place To Hide, where he ignores the fact that the document was about CNO cooperation and simply assumes that the "Tier B" countries are the same as those with 3rd Party status.*



Map showing the 2nd Party and 3rd Party partners of NSA
(click to enlarge)


Cable tapping

NSA cooperates with the 3rd Party countries in many ways, one of which is in cable tapping operations. The NSA umbrella program for this is codenamed RAMPART-A. According to NSA's Foreign Partner Access budget for 2013, RAMPART-A provides access to long-haul international leased communications, with TURMOIL capabilities, and over 3 terabit/second of data from all "communication technologies such as voice, fax, telex, modem, e-mail internet chat, Virtual Private Network (VPN), Voice over IP (VoIP), and voice call records".


Representatives

The representatives of NSA in major Third Party countries are called Special US Liaison Advisor (SUSLA), followed by the name of the country. So for example the NSA representative in Germany is the Special US Liaison Advisor, Germany (SUSLAG).

The office staff of such an advisor is called the Special US Liaison Activity (also abbreviated as SUSLA), and for example the SUSLA Germany had 18 personnel (12 civilians and 6 contractors) in 2012, a number which was to be reduced to 6 in 2013.*

It is not clear whether the various Third Party agencies also have a representative at NSA headquarters and if so, what their title is. At NSA these relationships are managed by the Foreign Affairs Directorate (FAD), which has a Country Desk Officer (CDO) for every country or region that matters.


 
Multilateral groups

Although the Third Party relationships are strictly bilateral, some of these countries have also worked very closely with each other for a long time. This has been formalized into a few multilateral groups in which intelligence is exchanged not only between one particular country and the US, but also among all other participants. Besides NATO, the following three SIGINT sharing groups are known:


- SIGINT Seniors Europe (SSEUR)
This group consists of the Five Eyes and nine European countries: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. Except for Sweden, all are NATO members. After the number of countries, the SSEUR are also called 14-Eyes.
The "Seniors" refers to the heads of the participating military or signals intelligence agencies, who in this group coordinate the exchange of military intelligence according to the needs of each member.
There's also a SIGINT Seniors Europe Counter Terrorism (SISECT) coalition* and in 2013, NSA encouraged GCHQ to host the permanent facility for the joint SSEUR collaboration center.*

> More about the SIGINT Seniors Europe

- SIGINT Seniors Pacific (SSPAC)
There's a similar group for multilateral exchange of military intelligence among some 3rd party nations from the East Asia/Pacific Rim region. Besides the members of the Five Eyes, the SIGINT Seniors Pacific include Singapore, South Korea and most likely Japan and Thailand. Probably one other country is participating too, which is why this group is also identified as the 10-Eyes.
Update:
An NSA document disclosed by The New Zealand Herald on March 11, 2015 says that the SSPAC consists of the Five Eyes plus France, India, (South) Korea, Singapore and Thailand.
> More about the 6, 8 and 10 Eyes

- Afghanistan SIGINT Coalition (AFSC)
According to an NSA paper from 2013, this group consists of the same 14 countries as the SSEUR and is aimed at sharing Afghanistan-related intelligence reports and metadata among its participants. At the time of the paper, each AFSC-member was responsible for covering a specific area of interest, maybe corresponding to the region in Afghanistan where they had troops deployed.


Snowden and Greenwald agreed not to publish about NSA's involvement in Afghanistan, but the German book about the Snowden-leaks, Der NSA Komplex, reveals that the 14 AFSC-members cooperated closely in decrypting and analysing mobile communications and have a dedicated data center codenamed CENTER ICE for exchanging this kind of intelligence.*

This makes it likely that much of the metadata that various European countries shared with the US, mistakenly presented by Glenn Greenwald as NSA spying on European citizens, was collected as part of this Afghanistan SIGINT Coalition.

Update:
A new multilateral intelligence sharing group seems to be the SIGINT Support to Cyber Defense (SSCD) initiative, which consists of a number of countries that together establish an early-warning system to defend themselves against cyber attacks. Its existence was first mentioned on May 8, 2014 in a speech by the president of the German intelligence service BND, which is also cooperating in this SSCD framework.
SSCD will use traditional SIGINT methods to inspect data packets for things like malicious code so these can be eliminated pro-actively. It's not known which countries are participating, except for Germany and, most likely, the Five Eyes.



Links and Sources
- NSA document about Foreign Relations Mission Titles
- About Canada and the Five Eyes Intelligence Community (pdf)
- Duncan Campbell, Echelon and its role in COMINT
- Declassified NSA paper about Third Party Nations: Partners and Targets


About STELLARWIND and other mysterious classification markings

(Updated: May 16, 2015)

Last week, on September 6, the US Justice Department released a declassified version of a 2004 memorandum about the STELLARWIND program.

The memorandum (pdf) is about the legality of STELLARWIND, which was a program under which NSA was authorized to collect content and metadata without the warrants that were needed previously.

Here we will not discuss the STELLARWIND program itself, but take a close look at the STELLARWIND classification marking, which causes some confusion. We also learn about the existence of mysterious compartments that point to some highly sensitive but as yet undisclosed interception programs.




Classification marking of the 2004 DoJ memorandum about STELLARWIND


The redacted markings

The first thing we see is that two portions of the classification marking have been blacked out:


1. The redacted space between two double slashes

This is very strange, because according to the official classification manuals, there cannot be something between two double slashes in that position (see the chart below). The classification level (in this case: Top Secret) has to be followed by the Sensitive Compartmented Information (SCI) control system (here: COMINT).

But as the US classification system is very complex, there are often minor mistakes in such classification lines. If we assume there was a mistake made here too, then the first term that has been blacked out could be another SCI compartment, which had to be followed by just a single slash (for example HCS for HUMINT Control System would fit the redacted space, although that marking itself isn't classified).

If there was no mistake, however, and the double slash is actually correct, then it would be a completely new category which isn't in the (public) classification manuals. This is reminiscent of the UMBRA marking, which also appeared unexpectedly between double slashes in a classification line.



Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013



2. The redacted space directly after STELLARWIND

The second redaction starts right after the last letter of "STELLARWIND", thereby carefully hiding the category of the redacted marking, which is determined by how it is separated from the previous term. This could be by a slash, a double slash, a hyphen or a space, each indicating a different level.

In this case, the most likely option is that "STELLARWIND" is followed by a hyphen, which indicates the next term is another compartment under the COMINT control system, equal to STELLARWIND.

Classification manuals say there are undisclosed COMINT compartments which have identifiers consisting of three alphabetical characters. This would fit the redacted space as it would read like: "COMINT-STELLARWIND-ABC".

This undisclosed compartment probably also figured in some other declassified documents, where it sometimes seems to be accompanied by a sub-compartment which is identified by three numeric characters, as for example in two declarations where the marking could read like "COMINT-ABC 678":



Classified declaration of NSA director Alexander, April 20, 2007.


Looking at what was redacted in portions of both documents which were marked with this mysterious compartment, it seems that it's about at least two highly sensitive intelligence sources and methods. For example, pages 31-32 of this declaration (pdf) suggest that this might be obtaining metadata from specific telecom companies and searching them for members or agents of particular target groups.



Classified declaration of Director of National Intelligence John Negroponte, May 12, 2006
TSP = Terrorist Surveillance Program; HCS = HUMINT Control System
Note that TSP and HCS are also between double slashes


Markings with the mysterious undisclosed COMINT compartments weren't found on any of the Snowden-documents, but only on those that were declassified by the government, so it seems that Snowden had no access to information protected by these particular compartments.

The marking TSP (for Terrorist Surveillance Program), which is in some of the examples shown above, was used instead of STELLARWIND in briefing materials and documents intended for external audiences, such as Congress and the courts.



The STELLARWIND marking

So far, we looked at the two parts of the classification marking that were blacked out. But now we also have to look at the STELLARWIND marking itself, which wasn't redacted, but still causes confusion.

The classification marking of the 2004 memorandum of the Justice Department says "COMINT-STELLAR WIND" and according to the official formatting rules, this means that STELLARWIND would be part of the COMINT control system.

Note that the same memorandum had already been declassified upon a FOIA request by the ACLU in 2011, but in that version (pdf) the codeword STELLARWIND was still blacked out from the whole document. Both documents are compared here.



Classification marking of the 2004 DoJ memorandum about STELLARWIND


As COMINT is a control system for communications intercepts or Signals Intelligence, this seems to make sense. But what is confusing is that the internal 2009 NSA classification guide (pdf) for the STELLARWIND program, which was disclosed by Edward Snowden, says something different.

Initially this guide calls STELLARWIND a "special compartment", but from the marking rules it becomes clear that it is treated as an SCI control system. Accordingly, the prescribed abbreviated marking reads: "TOP SECRET // STLW / SI // ORCON / NOFORN". In this way we can see STELLARWIND in the classification line of the following document:



Classification marking of a 2013 classified declaration (pdf) of DNI James Clapper
which was declassified on May 6, 2014


In this document and also in a similar declaration (pdf) from 2013, the reason for the STELLARWIND classification is explained as follows:
"This declaration also contains information related to or derived from the STELLARWIND program, a controlled access signals intelligence program under presidential authorization in response to the attacks of September 11, 2001. In this declaration, information pertaining to the STELLARWIND program is denoted with the special marking "STLW" and requires more restrictive handling."


STELLARWIND is also being treated as a control system in the 2009 draft report about this program written by the NSA Inspector General, although its classification line is also somewhat sloppy: there are double slashes between STLW and COMINT (should just be a single one), and only a single one between COMINT and ORCON (where there should have been double slashes as both are from different categories):



Classification marking of the 2009 report about
STELLARWIND by the NSA Inspector General


Throughout this document, the portion markings are also not always consistent. Most of them are "TS//SI//STLW//NF", but one or two times "TS//SI-STLW//NF". But as this report is a draft, it's possible that these things have been corrected in the final version, which hasn't been disclosed or declassified yet.

The 2009 Inspector General report about STELLARWIND was one of the first documents from the Snowden-leaks to be published, and it still is one of the most informative and detailed pieces about the development of NSA's interception efforts since 9/11.


Conclusion

In the end, it doesn't make much difference whether STELLARWIND is a control system on its own, or a sub-system of COMINT, but it is remarkable that for such an important program, the people involved apparently also weren't clear about its exact status and how to put it in the right place in a classification line.

More important though is that the declassified documents show that besides the STELLARWIND program, there's at least one COMINT compartment with at least one sub-compartment that protects similar or related NSA collection efforts which are considered even more sensitive, but about which we can only speculate.

 
UPDATE:

On April 24, 2015, the US government declassified a 2009 report by five Inspectors General about the STELLARWIND program, after a FOIA request by The New York Times. This report, which is over 700 pages long, has the overall classification "TOP SECRET // STLW // HCS / COMINT // ORCON / NOFORN":


The overall classification marking of the 2009 Inspectors General report
about STELLARWIND, with underneath the classification line and the
header of the report of the NSA Inspector General

Included in this report is the final version of the report of the NSA Inspector General, the draft version of which we discussed above. We see that in this final version, the classification line has been corrected: there's now a double slash between COMINT and ORCON, just like it should be.

This also means that the double slash between STLW and COMINT, which initially looked like a mistake, must be correct. We also see this double slash in the overall classification marking for the entire report (which has the additional HCS (HUMINT Control System) for information from the CIA).

Apparently STELLARWIND (STLW) was not an ordinary SCI control system (then there would have been only a single slash between STLW and COMINT), but a category on its own, or belongs to a category not mentioned in the publicly available government classification marking guides.
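The separator rules discussed in this post (a double slash between categories, a single slash between items of one category, a hyphen attaching a compartment to its control system, a space attaching a sub-compartment to its compartment) are regular enough to be checked mechanically. The following Python is an added example written for this post; it is not code from Electrospaces or from any classification manual, and it encodes only the structure described here, with a deliberately small vocabulary of classification levels and of the dissemination controls that appear above (ORCON, NOFORN and its short form NF). The sample marking lines it is run on are transcribed from this post, and an extra "//"-separated category between the level and the dissemination controls is reported as a deviation from the public format, not as an error, since the post concludes that for STLW this was intentional.

```python
"""Parser and consistency checker for US classification banner lines.

Added example, not from the original post. Grammar assumed (after the post):
    LEVEL // SCI control systems // dissemination controls
    "//" separates categories, "/" separates items of one category,
    "-" attaches a compartment, " " attaches a sub-compartment.
Vocabularies are intentionally small and cover only terms seen in the post.
"""
from dataclasses import dataclass, field

LEVELS = {"TOP SECRET", "TS", "SECRET", "S", "CONFIDENTIAL", "C",
          "UNCLASSIFIED", "U"}
DISSEM = {"ORCON", "NOFORN", "NF"}  # subset: only the controls the post shows


@dataclass
class ControlSystem:
    name: str
    # compartment name -> list of its sub-compartments
    compartments: dict = field(default_factory=dict)


@dataclass
class Marking:
    level: str
    sci: list        # one list of ControlSystem per "//"-separated SCI segment
    dissem: list     # dissemination controls in order of appearance
    anomalies: list  # human-readable deviations from the assumed grammar


def _split(text, sep):
    """Split on sep and drop empty/whitespace-only pieces."""
    return [t.strip() for t in text.split(sep) if t.strip()]


def parse_control_system(term):
    """'COMINT-ABC 678' -> COMINT with compartment ABC, sub-compartment 678."""
    parts = _split(term, "-")
    cs = ControlSystem(parts[0].upper())
    for comp in parts[1:]:
        words = comp.upper().split()
        cs.compartments[words[0]] = words[1:]
    return cs


def parse_marking(line):
    segments = _split(line, "//")
    anomalies = []
    level = segments[0].upper() if segments else ""
    if level not in LEVELS:
        anomalies.append(f"unknown classification level {level!r}")
    sci_segments, dissem = [], []
    for seg in segments[1:]:
        terms = _split(seg, "/")
        is_dissem = [t.upper() in DISSEM for t in terms]
        if all(is_dissem):
            dissem.extend(t.upper() for t in terms)
        elif any(is_dissem):
            # e.g. "COMINT/ORCON/NOFORN": a single slash where "//" belongs
            anomalies.append(f"SCI and dissemination terms joined by '/' in "
                             f"{seg!r}; expected '//' between them")
            sci_segments.append([parse_control_system(t)
                                 for t, d in zip(terms, is_dissem) if not d])
            dissem.extend(t.upper() for t, d in zip(terms, is_dissem) if d)
        else:
            sci_segments.append([parse_control_system(t) for t in terms])
    if len(sci_segments) > 1:
        names = [cs.name for seg in sci_segments for cs in seg]
        anomalies.append("more than one '//' category between level and "
                         f"dissemination controls: {names}")
    return Marking(level, sci_segments, dissem, anomalies)


if __name__ == "__main__":
    # Marking lines transcribed from the post (the IG draft line shows both
    # slips the post describes; the final version keeps only the STLW one).
    for line in ("TOP SECRET // STLW / SI // ORCON / NOFORN",
                 "TS//SI-STLW//NF",
                 "TOP SECRET//COMINT-ABC 678//NOFORN",
                 "TOP SECRET//STLW//COMINT/ORCON/NOFORN",
                 "TOP SECRET // STLW // HCS / COMINT // ORCON / NOFORN"):
        m = parse_marking(line)
        print(line, "->", [cs.name for seg in m.sci for cs in seg],
              m.dissem, m.anomalies or "ok")
```

Run stand-alone, the draft Inspector General line yields two findings (the single slash before ORCON and the separate STLW category), while the corrected line from the final report yields only the STLW finding, which matches the post's reading that the double slash around STLW was deliberate.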

Update #2:
In a speech on May 15, 2015, former NSA Inspector General Joel Brenner said that STELLAR WIND "was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington" - which could perhaps be an explanation for the fact that the program was or became a classification category on its own.


NSA's Strategic Mission List



One of the most important documents that has been disclosed as part of the Snowden-leaks is also one of the least-known: the Strategic Mission List from January 2007, which provides a detailed list of the goals and priorities for the National Security Agency (NSA).

This Strategic Mission List was published by The New York Times on November 2, 2013, as one of three original NSA documents that accompanied a long report about how NSA spies on both enemies and allies.




About the publication

On the website of The New York Times (NYT), the Strategic Mission List was published as a series of images in png-format, which made it impossible to copy or search the text. It was also difficult to print the document in a readable way. For reasons unknown, NYT is the only media-outlet that published Snowden-documents in this not very user-friendly way.

Hence I asked The New York Times whether they could provide the Strategic Mission List in the standard pdf-format, but the paper didn't reply. I also asked the author of the report, Scott Shane, but he answered that he had no access to the document anymore.

Eventually I used an Optical Character Recognition (OCR) tool to convert the images from the NYT website into a text document, made the necessary corrections by hand and then converted the result into a pdf document, which is now published here and on the Cryptome website.


The Strategic Mission List

Edward Snowden and Glenn Greenwald claim that NSA has just one single goal: collect all digital communications from all over the world: "Collect it All". But this is not mentioned in the Strategic Mission List, which instead lists a range of far more specific goals, many of which are of a military nature, which is also something lacking in the media coverage of the Snowden-leaks.

The document describes the priorities and risks for the United States SIGINT System (USSS) for a period of 12 to 18 months and is reviewed, and where necessary updated bi-annually. The topics are derived from a number of other strategic planning documents, including the National Intelligence Priorities Framework (NIPF), which sets the priorities for the US Intelligence Community as a whole.

Note that according to the classification marking, the Strategic Mission List is only authorized for release to the US, the UK, Canada and Australia, which leaves New Zealand excluded.


Structure

The Strategic Mission List is divided into two parts. The first part includes 16 Topical Missions, which represent missions discerned to be areas of highest priority for the USSS, where SIGINT can make key contributions. The second part includes 6 Enduring Targets, which are countries that need to be treated holistically because of their strategic importance.

For both of these sections, the Strategic Mission List includes Focus Areas, the most critical targets which are a "must do", as well as Accepted Risks, which are significant targets for which SIGINT should not be relied upon as a primary source.


Enduring Targets

The 6 countries that are listed in the Strategic Mission List as being Enduring Targets for NSA and the tactical SIGINT collecting components of the US Armed Forces are:
- China
- North-Korea
- Iraq
- Iran
- Russia
- Venezuela



Map showing the 6 nations that are Enduring Targets, as well
as countries that are 2nd and 3rd Party partners of NSA


Topical Missions

Besides the 6 countries listed as Enduring Targets, the Strategic Mission List also includes the following 16 Topical Missions:

- Winning the Global War on Terrorism
- Protecting the U.S. Homeland
- Combating Proliferation of Weapons of Mass Destruction
- Protecting U.S. Military Forces Deployed Overseas
- Providing Warning of Impending State Instability
- Providing Warning of a Strategic Nuclear Missile Attack
- Monitoring Regional Tensions that Could Escalate
- Preventing an Attack on U.S. Critical Information Systems
- Early Detection of Critical Foreign Military Developments
- Preventing Technological Surprise
- Ensuring Diplomatic Advantage for the U.S.
- Ensuring a Steady and Reliable Energy Supply for the U.S.
- Countering Foreign Intelligence Threats
- Countering Narcotics and Transnational Criminal Networks
- Mapping Foreign Military and Civil Communications Infrastructure

We see that many of these topics are of a military nature and that the more civilian areas of interest are also quite common goals for a large (signals) intelligence agency. Although communications of ordinary civilians are accidentally caught up in NSA's collection efforts, they are clearly not of interest, let alone given priority.



The German operation Eikonal as part of NSA's RAMPART-A program

(Updated: May 30, 2015)

Just over a week ago, the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR came with a story saying that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA. As not all communications of German citizens could be filtered out, this is considered a violation of the constitution.

Here we will give a summary of what is currently known about this BND operation and we will combine this with information from earlier reports. This will show that it was most likely part of the RAMPART-A program of the NSA, which includes similar interception efforts by foreign partner agencies. Finally, we will look at where exactly the BND interception might have taken place.


> See also: New details about the joint NSA-BND operation Eikonal


Update #1:
On October 20, the Danish paper Information has confirmed that the German BND operation Eikonal was indeed part of the RAMPART-A program: a document from NSA's SSO division lists an operation codenamed "EIKANOL" as part of RAMPART-A and says it was decommissioned in June 2008. Unfortunately the original document wasn't published.

Update #2:
During hearings of BND officials by the German parliamentary committee investigating NSA spying, it became clear that operation Eikonal was actually tapping into just one fiber-optic cable from Deutsche Telekom, and not into the Frankfurt internet exchange DE-CIX. This was confirmed by German media on December 4, 2014.
 

The German operation Eikonal

The codename for the BND operation was Eikonal, which is a scientific German word, derived from Greek, meaning likeness, icon or image. Details about it were found in BND documents marked Streng Geheim (Top Secret), which were handed over to a committee of the German parliament that investigates NSA spying activities (NSA Untersuchungsausschuss). It's not clear whether journalists were able to read these documents themselves, or were just told about their contents.

The operation was set up in 2003 as a cooperation between BND and NSA, with the BND providing access to the Frankfurt internet exchange DE-CIX, and NSA providing sophisticated interception equipment, which the Germans didn't have but were eager to use. Interception of telephone traffic started in 2004, and internet data were captured from 2005 on. Reportedly, NSA was especially interested in communications from Russia.

For this, NSA provided BND with lists of 'selectors' like phone numbers and e-mail addresses. According to the testimony of a BND employee at a committee hearing last month, his co-workers pulled these selectors from an American server 2, 3 or 4 times a day and entered them into the system that does the actual interception.

The article in Süddeutsche Zeitung says that from DE-CIX, the data first went to BND headquarters in Pullach, and then to the Mangfall barracks in Bad Aibling, where BND and NSA analysts secretly worked together as the Joint SIGINT Activity (JSA, terminated in 2012). From there, there was a secure line back to NSA headquarters.



Operations center room in the former BND headquarters in Pullach


To prevent communications of German citizens being passed on to NSA, BND installed a special program (codenamed DAFIS) to filter these out. But according to the documents, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out.

A review of operation Eikonal reported that a "complete and accurate" separation between German and foreign telecommunications was impossible. Also BND wasn't able to fully check this because of a lack of technical expertise.

The documents also suggest that the intelligence oversight committees of the Bundestag were not properly informed. The BND noticed at some point that the NSA searched for information about the European defence contractor EADS (now Airbus Group), the Eurocopter and French government agencies. Together with doubts about the legality of the Eikonal operation, this resulted in ending the cooperation with NSA in 2008.

Reportedly, NSA wasn't happy with that and sent its deputy director John Inglis to Berlin in order to demand some kind of "compensation": if not Frankfurt, then BND should offer access to another European fiber-optic cable. Süddeutsche Zeitung says that at that time, BND got access to a cable of "global importance" to which NSA did not have access. NSA then became a "silent partner" receiving data from this new BND interception effort.


Meanwhile, two members of the German parliamentary investigation committee, who are cleared for the BND documents about Eikonal, said that the aforementioned press reports were not always correct. According to one member, it actually wasn't BND, but NSA that ended the cooperation, apparently because the Germans were so heavily filtering the data, that the outcome wasn't of much interest for NSA anymore.

 

The RAMPART-A program of NSA

Those who have followed the Snowden-leaks, may have recognized that operation Eikonal is identical to cable tapping operations which are conducted under the RAMPART-A program of NSA. According to some of the Snowden-documents, this is an umbrella program under which NSA cooperates with 3rd Party countries, who "provide access to cables and host U.S. equipment".

The slide below clearly shows that such a partner country taps an international cable at an access point (A) somewhere in that country and then forwards the data to a processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C) before they are forwarded to an NSA site in the US (D):




Details about NSA's RAMPART-A program were published by the Danish newspaper Information in collaboration with Greenwald's website The Intercept on June 19, 2014. The program reportedly involved five countries, and cooperation with two others was being tested. In total, all RAMPART-A interception facilities gave access to 3 terabits of data every second.

The disclosed documents list 13 RAMPART-A sites, nine of which were active in 2013. The three largest are codenamed SPINNERET, MOONLIGHTPATH and AZUREPHOENIX, which by the number of records are NSA's second, third and fifth most productive cable tapping programs - which shows the importance of these 3rd Party relationships for NSA.

Eikonal (which most likely had a different NSA codename, and which seems to be misspelled as EIKANOL in the NSA document seen by Information) isn't included in these documents as they date from at least two years after this operation was ended.




The exact locations of these access points are protected under the Exceptionally Controlled Information (ECI) compartment REDHARVEST (RDV), to which Snowden seems to have had no access. Therefore we don't know which countries are participating in the RAMPART-A program, although some of the documents contain leads pointing to Denmark and Germany.

These foreign partnerships operate on the condition that the host country will not use the NSA’s technology to collect any data on US citizens. The NSA agrees that it will not use the access it has been granted to collect data on the host countries’ citizens, but one NSA presentation slide (marked NOFORN: Not for Foreign Nationals) notes that "there ARE exceptions" to this rule:




According to a 2010 briefing, intelligence collected via RAMPART-A yielded over 9000 intelligence reports the previous year, out of which half was based solely on intelligence intercepted through RAMPART-A.


More about RAMPART-A

What the reports on both websites didn't mention is that RAMPART-A is apparently focussed on collecting information about Russia, the Middle East and North Africa. This comes from Der NSA Komplex, a book about the Snowden-revelations written by two journalists from Der Spiegel. Unfortunately this book, which is much more informative than the one by Glenn Greenwald, is only available in German.

Besides 3rd Party partners giving access to cables in their own country, there's also a construction in which such a partner agency cooperates with yet another country that secretly provides access to data traffic, which is also shared with NSA. In recent years, BND and NSA conducted about half a dozen such operations, three of which are mentioned in Der NSA Komplex:

- Tiamat (access to high-level international targets under risky circumstances. This operation had ended before 2013)*

- Hermos (in the Spring of 2012, BND got access to communication cables in a crisis zone country, but this operation had to be terminated by the end of the year when the situation almost went out of control)*

- Wharpdrive (this operation was still active in 2013, but in the Spring of that year, employees of the private company that operates the communication cables accidentally discovered the clandestine BND/NSA equipment; the operation was rescued by providing a plausible cover story)*

Update:
In the follow-up report by the Danish paper Information from October 20, 2014, it is said that the WHARPDRIVE access was opened in February 2013 and had the same size as EIKANOL. Information claims that according to Der Spiegel this access was also located in Germany, but Der NSA Komplex says it was a joint venture with a third country and in an NSA document from April 2013 it is also called a "trilateral program", which was "identified for possible termination due to fiscal constraints". From this document it seems the program had EMERALD as an alternate codename.

 

Where did the tapping take place?

The best kept secret is the actual location where the BND tapping point was. Süddeutsche Zeitung reports that in the original documents the name of the provider is blacked out, but that according to insiders, it must have been Deutsche Telekom that assisted BND. The paper even says both parties signed an agreement in which the provider earned a payment of 6.000,- euros a month in return for the access.

This seems to correspond with a report broadcast by the German television magazine Frontal 21 in July last year, saying that BND had had access to the Frankfurt internet exchange through its own cable since 2009. According to an insider, this cable access was under the cover of a major German telecom provider, and it was speculated this was Deutsche Telekom.

But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place. In 2008, the actual routers and switches of DE-CIX were situated in 18 data centers from InterXion, TeleCity, Equinix, Level 3, ITENOS and e-shelter. Since 2008, the distributed DE-CIX switches have been interconnected through the priva|nex private fiber-optic network from euNetworks.


Diagram of the Frankfurt internet exchange point DE-CIX


Maybe before 2008 the DE-CIX switches were connected by fiber cables from Deutsche Telekom, but if not, there seems to be no way this company could have provided the BND access to the Frankfurt internet exchange. If the 6000,- euro contract really involved Deutsche Telekom, then maybe for the rent of a private cable from the tapping point to a BND site.


In response to earlier media reports, the DE-CIX management put out a press release on June 26, 2014 saying: "We exclude that any foreign or domestic secret service had access to our internet exchange and the connected fiber-optic networks during the period of 2004 - 2007". It was added that DE-CIX itself doesn't operate any data centers, nor stores or processes data on its own.

This statement only speaks about the past, so it doesn't contradict the fact that the BND was recently authorized to intercept the communications from 25 internet service providers (ISPs), with their cables being tapped at the DE-CIX internet exchange, as was reported by Der Spiegel on October 6, 2013. A letter containing this authorisation was sent to the Association of the German Internet Industry, which is the owner of the company that operates the Frankfurt internet exchange.

Among these 25 providers there are foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

However, Strato AG said they would never agree with such a wiretapping order and 1&1 declared they never received a letter from BND and suggests that if there's any interception this may take place in cooperation with DE-CIX Management GmbH, the organisation that operates the Frankfurt internet exchange.

This would mean that currently BND isn't tapping the whole internet exchange, but only the cables from selected providers, which is of course much more efficient. Tapping the whole exchange would probably also exceed BND's technical capabilities, as nowadays DE-CIX connects some 550 ISPs from more than 55 countries (including North Korea), including broadband providers, content delivery networks, web hosters, and incumbent operators.

If that's the case, then the actual interception could take place at DE-CIX systems, maybe at the core fiber network or the core switch. This means BND only needs the cooperation of the DE-CIX management, and the individual providers can honestly deny that their cables are being intercepted.

According to Der Spiegel, the BND copies the data stream and then searches it using keywords related to terrorism and weapon proliferation. A BND spokesman assured the Wall Street Journal in October last year that purely domestic German traffic is neither gathered nor stored.



Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchical way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons)


In August last year, a spokesman for the DE-CIX management said that he couldn't rule out that some providers connected to the exchange would allow interception on their equipment when ordered to do so by their national governments.

This points to for example Level 3, a US company that has a data center which houses some DE-CIX routers. But if Level 3 would have provided access to DE-CIX, then there was no need for NSA to cooperate with BND. Also, on August 1, 2013, Level 3 gave out a press release saying that the company had not given any foreign government access to its networks in Germany in order to conduct surveillance.

Update:
On March 26, 2015, the German parliamentary investigation commission heard Klaus Landefeld, board member of DE-CIX, who provided some interesting insights in the workings of this internet exchange.



Conclusion

Although we have no positive confirmation that Eikonal was part of the RAMPART-A program, this German operation perfectly fits the way in which foreign partners of NSA get access to important internet cables and switches and share the results with their American counterparts. In this case, NSA apparently cooperated with BND in order to get access to communications from Russia and probably also from the Middle East and North Africa that traveled through Germany.

The best kept secret is how and where such interception takes place, and we have seen that tapping the Frankfurt internet exchange DE-CIX is far more complex than it seems. This makes it difficult to pinpoint the taps, but by combining earlier press reports with the structure of the DE-CIX exchange, it seems unlikely that Deutsche Telekom was involved.

Update #1:
Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the parliamentary investigation committee has decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange or not. As an alternative option it's suggested that Deutsche Telekom might have just given access to its own Frankfurt backbone switch, instead of to DE-CIX - this would better fit NSA's description of what is intercepted under RAMPART-A: "International Gateway Switches; End-Point GSM Switches; Leased Internet Circuits; Internet Backbone Routers".

Update #2:
During hearings of BND officials by the German parliamentary committee investigating NSA spying, it became clear that operation Eikonal was indeed tapping into just one fiber-optic cable from Deutsche Telekom, and not into the Frankfurt internet exchange DE-CIX. This was confirmed by German media on December 4, 2014.


> See also: New details about the joint NSA-BND operation Eikonal




Links and Sources
- Sueddeutsche.de: Codewort Eikonal - der Albtraum der Bundesregierung (2014)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA (2013)
- Heise.de: NSA-Abhörskandal PRISM: Internet-Austauschknoten als Abhörziele (2013)
- Spiegel.de: BND lässt sich Abhören von Verbindungen deutscher Provider genehmigen (2013)
- NSA presentation: RAMPART-A Project Overview (pdf) (2010)
- About the structure of the internet: Die Bosse der Fasern (2005)


- More comments on Hacker News

The phones of the Dutch Prime Minister

(Updated: November 7, 2014)

With last year's news of NSA eavesdropping on the mobile phone of German chancellor Angela Merkel in mind, Dutch online media assumed it was big news that the Dutch prime minister Mark Rutte has a phone that cannot be intercepted.

As was the case with chancellor Merkel, most people do not seem aware of the fact that political leaders usually have two kinds of phones: an ordinary one that is easy to intercept and a secure one that is very difficult to tap.

That prime minister Rutte has a secure phone was said by the director for Cyber Security in a radio interview last week. Afterwards this was seen as a slip of the tongue, because the government has the policy of never saying anything about the security methods it uses.

But from pictures and other sources we can still get a fairly good idea of which phones, both secure and non-secure, are used by the Dutch prime minister. As we will show here, he currently has three landline and two mobile phones at his disposal, only one being a highly secure one.



Dutch prime minister Mark Rutte working at his desk, May 29, 2012
At his right hand are three desktop phones and in front of him an iPhone 4
(photo: Prime Minister @ Flickr - Click for the full picture)


Since 1982, the office of the Dutch prime minister has been on the second floor of a small tower that is part of the parliament buildings and which dates back to the 14th century. In Dutch this office is called Het Torentje.

From the left to the right we see the following telephones on the desk of the prime minister:
1. Ericsson DBC212 (black)
2. Sectra Tiger XS Office (silver)
3. Unidentified office phone (gray)

First we will discuss the two phones without encryption capability and then the secure phone:


1. The Ericsson DBC212

This is a common office telephone which has been part of the internal private branch exchange (PBX) network of the Department of General Affairs for over a decade. Other pictures from rooms in the same building also show the same and similar models of this telephone series, which was made by Ericsson, a Swedish company that manufactured many home and office phones used in The Netherlands. The prime minister can use this phone for every phone call he wants to make that doesn't require encryption.


3. The gray office phone

The make and type of this phone couldn't be identified yet, but it seems to be a common office telephone too. However, this phone is most likely connected to the Emergency Communications Provision (Dutch: NoodCommunicatieVoorziening or NCV).

This is an IP-based network which is completely separated from the public telephone network. Communications over this network are not encrypted, but the switches are in secure locations and connect redundantly.

The purpose of the NCV-network is to enable communications between government agencies and emergency services when during a disaster or a crisis situation (parts of) the regular communication networks collapse. This network replaced the former National Emergency Network (Nationaal Noodnet) as of January 1, 2012 (see below).



Close-up of the phones on the desk of the prime minister in 2013
(picture: Google Street View - Click for the full picture)
 

2. The Sectra Tiger XS Office

The silver-colored telephone which sits in between the two other ones is a Tiger XS Office (XO). This device is capable of highly secured phone calls and can therefore be used by the prime minister for conversations about things that are classified up to the level of Secret.

The Tiger XS Office has been manufactured since 2005 by the communications division of the Swedish company Sectra AB, which was founded in 1978 by some cryptology researchers from Linköping University. Sectra, which is an acronym of Secure Transmission, also has a division in the Netherlands: Sectra Communications BV.

Tiger is the brand name for their high-end secure voice products, but while everyone assumes that this refers to the exotic animal, it's also Swedish for "keep silent" (see for example: En Svensk Tiger).


Tiger XS

Although the Tiger XS Office looks like a futuristic desktop phone, it actually consists of a small encryption device which is docked into a desktop cradle with a keypad and handset. The encryption device, the Tiger XS, was originally developed for securing mobile phone communications and has special protections against tampering and so-called TEMPEST attacks.



The Sectra Tiger XS docked into the office unit
(Photo: Sectra - Click to enlarge)


The desktop unit has no encryption capabilities, but with the Tiger XS inserted, it can encrypt landline phone calls and fax transmissions, so it turns into a secure desktop telephone. The Tiger XS enables secure communications on GSM, UMTS, ISDN and the Iridium, Inmarsat and Thuraya satellite networks. When inserted into the office unit, it also works on the standard Public Switched Telephone Network (PSTN).


Workings

On its own, the Tiger XS device can be used to secure certain types of cell phones. For this, the Tiger XS is connected in between a headset (consisting of an earpiece and a microphone) and a mobile phone, to which it connects via Bluetooth. A secure connection is set up by putting a personal SIM-sized access card into the Tiger XS, entering a PIN code and selecting the person to connect to from the phonebook.

What is said into the microphone of the headset is encrypted by the Tiger XS and then this encrypted voice data go to an ordinary mobile phone through the Bluetooth connection. The phone then sends it over the cell phone network to the receiving end, where another Tiger XS decrypts the data and makes it audible again.



The Tiger XS with personal
access card and headset

Mobility

At first sight it seems to be a very flexible solution: connecting a separate encryption device to common cell phones. But in reality the Tiger XS can only connect to older mobile phones which support the original Circuit Switched Data (CSD) channel and a Bluetooth version that is fully tested and compatible with the way the Tiger XS has to use it. Because of this, the Tiger XS is rarely used for mobile phones anymore, but mostly in combination with the desktop unit.

To restore the intended mobility, Sectra introduced the Tiger 7401 as a replacement for the Tiger XS. The Tiger 7401 is a custom-made mobile telephone with a TEMPEST-verified design that is capable of encrypting phone calls by itself. In 2014, this new device was ordered to replace the Tiger XS for high-level officials of the Dutch Ministry of Defense.


Encryption

The encryption algorithms used by the Sectra Tiger XS are secret, so we don't know whether public standard algorithms like AES and ECDH are used, or ones that are especially designed for the Dutch government, or a combination thereof. The algorithms and the encryption keys are created by the National Communications Security Bureau (Dutch: Nationaal Bureau voor Verbindingsbeveiliging or NBV), which is part of the General Intelligence and Security Service AIVD.

This bureau has approved the Tiger XS for communications up to and including the level Secret (in Dutch marked as Stg. Geheim) in 2007. In the Netherlands, there's no phone that is approved for communications at the level Top Secret (Stg. Zeer Geheim), so these matters cannot be discussed over phones that use public networks. This is different from the US, where there are secure telephones approved for Top Secret and even above.

Encrypted communications are only possible if both parties have the same key: the sender to encrypt the message and the receiver to decrypt it. This means that all the people with whom the prime minister needs a secure line also have to have a Tiger XS. That's why we can also see this device on the desk of, for example, the Dutch foreign minister:



The desk of the Dutch foreign minister in 2013. Between the computer
and a Cisco 7965 IP phone we see the Sectra Tiger XS Office.
(photo: Ministerie van Buitenlandse Zaken - Click for the full picture)


Management

Besides encrypting phone calls and text messages, the Tiger XS also provides user authentication, so one can be sure to talk to the right person. For the actual implementation of these features there are centrally managed user groups.

This remote management, which includes supplying up-to-date phonebooks and encryption keys for the Tiger XS devices is provided by Fox-IT, a Dutch cybersecurity company founded in 1999. Since Dutch state secrets are involved, it is considered essential that this remote management is in the hands of a trusted Dutch partner.

The partnership between Fox-IT for the management and Sectra as the supplier of the hardware was established in 2007 by the VECOM (Veilige Communicatie or Secure Communications) contract. Under this contract all Dutch cabinet members and high-level officials of their departments are provided with secure phones.
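The two points made above, that a secure call only works when both ends hold the same key, and that those keys are handed out by a central manager per user group, can be shown with a small constructed example. This is added code, not Sectra's, Fox-IT's or the Dutch government's; Sectra's algorithms are secret and the cipher below is a deliberately simple stdlib-only construction (a keystream generated with HMAC-SHA256 in counter mode, with an encrypt-then-MAC tag), chosen so it runs anywhere. It is an illustration of the key-sharing principle, not a replacement for a vetted cipher such as AES-GCM. The device and group names are made up.

```python
"""Constructed example: shared keys and central key management for a user group.
The cipher is a toy (HMAC-SHA256 keystream + HMAC tag), NOT Sectra's algorithm."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared group key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, authenticated under the shared key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Verify the tag first: a wrong key or a modified message is rejected
    instead of turning into garbage at the receiving end."""
    nonce, ciphertext, tag = (message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN],
                              message[-TAG_LEN:])
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyManager:
    """Central management (the role the text gives to Fox-IT): one key per
    user group, handed only to devices enrolled in that group."""

    def __init__(self):
        self._group_keys = {}
        self._members = {}

    def enroll(self, device: str, group: str) -> bytes:
        key = self._group_keys.setdefault(group, secrets.token_bytes(32))
        self._members.setdefault(group, set()).add(device)
        return key

    def members(self, group: str) -> frozenset:
        return frozenset(self._members.get(group, ()))


def demo() -> dict:
    """Two devices in the same (made-up) group can talk; a device from another
    group cannot, and a modified message is rejected."""
    km = KeyManager()
    pm_key = km.enroll("prime-minister", "cabinet")
    fm_key = km.enroll("foreign-minister", "cabinet")
    other_key = km.enroll("some-embassy", "embassies")
    msg = encrypt(pm_key, b"constructed test message")
    same_group_ok = decrypt(fm_key, msg) == b"constructed test message"
    try:
        decrypt(other_key, msg)
        other_group_fails = False
    except ValueError:
        other_group_fails = True
    tampered = msg[:NONCE_LEN] + bytes([msg[NONCE_LEN] ^ 0x01]) + msg[NONCE_LEN + 1:]
    try:
        decrypt(fm_key, tampered)
        tamper_fails = False
    except ValueError:
        tamper_fails = True
    return {"same_group_ok": same_group_ok, "other_group_fails": other_group_fails,
            "tamper_fails": tamper_fails}


if __name__ == "__main__":
    print(demo())
```

The design point is that key membership, not the device, decides who can talk to whom: the manager only ever hands a group key to enrolled devices, and the authentication tag makes a key mismatch a hard failure rather than noise.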


Usage

The Tiger XS has also been installed at all government departments in order to provide secure fax transmissions, for example to distribute the necessary documents for the weekly Council of Ministers meeting. Dutch embassies and military units deployed overseas probably also use the Tiger XS for securing satellite communications. For this, Sectra also made a manpack communications set which uses the Tiger XS.

The fact that the Tiger XS uses highly sensitive technology and secret encryption methods, also means that it is not possible to use this device to make secure phone calls to for example foreign heads of state. That's the reason why, as we can see in the picture below, prime minister Rutte used his standard non-secure phone when he was called by US president Obama in 2010:



Prime minister Mark Rutte talks with president Obama
In front of him is probably his Blackberry
(photo: RVD, November 2, 2010)



The mobile phones of prime minister Rutte

Besides the three landline telephones, current prime minister Mark Rutte also uses an iPhone 4 and a Blackberry. He is seen with these devices on several photos and Rutte also confirmed that he uses a Blackberry when he publicly admitted that it accidentally fell into a toilet in January 2011.

The iPhone is probably his private phone, because the Blackberry is the device used by Rutte's own Department of General Affairs, as well as by other departments, including those of Foreign Affairs and Social Affairs. Blackberrys are preferred by many companies and governments because they provide standard end-to-end encryption for chat and e-mail messages through the Blackberry Enterprise Server (BES).



Prime minister Rutte showing his iPhone during
a school visit in Heerhugowaard, September 3, 2014


Blackberrys do not encrypt voice, but the Dutch computer security company Compumatica has developed a solution called CompuMobile, which consists of a MicroSD card that can be inserted into a Blackberry and then encrypts phone calls and text messages by using the AES 256 and ECDH algorithms. CompuMobile has been approved for communications at the lowest Dutch classification level (Departementaal Vertrouwelijk) in 2012, but whether government departments actually use it, is not known.

Without this security measure, phone calls from both the iPhone and the Blackberry of prime minister Rutte can rather easily be intercepted by foreign intelligence agencies, just like NSA apparently did with the non-secure cell phone of his German counterpart.




The prime minister's phones in 2006

The telephones that are currently installed in the office of prime minister Mark Rutte can be compared with those from his predecessor, prime minister Jan Peter Balkenende. From his office we have this picture, which gives a great view on the communication devices on his desk:



Former prime minister Jan Peter Balkenende (left) being interviewed
by Willem Breedveld (right) in his Torentje office, May 2006.
(photo: Werry Crone/Trouw - Click for the full picture)


In this picture we see from the left to the right the following three phones, all of them provided by KPN, the former state-owned landline operator of the Netherlands:
1. Ericsson DBC212 (black)
2. Siemens Vox 415 (gray)
3. Ericsson Vox 120 (white)



1. The Ericsson DBC212

This is the same telephone which is still in use today, as we could see in the pictures above. It's a common office telephone made by the Swedish company Ericsson and which is part of the internal private branch exchange (PBX) network of the Department of General Affairs.


2. The Siemens Vox 415

The dark gray Vox 415 was an ordinary telephone from a series that was manufactured by Siemens for both home and office use. For private customers this model was sold by KPN under the name Bari 10.

This phone has no security features whatsoever, but as it is in the same place where later the Sectra Tiger XS Office sits, it seems very likely the Vox 415 was also used for secure communications.

For that, it was probably connected to a separate encryption device, maybe one that was compatible with the PNVX, the secure phone which was manufactured by Philips and used by the Dutch government since the late 1980s.


3. The Ericsson Vox 120

The Vox 120 was the business version of a telephone developed by Ericsson around 1986 and that was sold for home use under the name Twintoon. Attached to the back is a separate speaker unit so a third person can listen in to a conversation.

In the bottom left corner the phone has a black label with its extension number for the National Emergency Network (Dutch: Nationaal Noodnet or NN). This was a separate network which enabled government agencies to communicate with emergency services when the public telephone network collapsed.

The National Emergency Network was established in 1991 and was operated by KPN. It had some 5500 connections for 2500 end users, like the departments of the national government, city halls, hospitals, and local police and firefighter headquarters. As of January 2012, it was replaced by the IP-based Emergency Communications Provision NCV (see above).



Links and sources
- Background article in Dutch: De wereld van staatsgeheim geheim (2007)
- Academic paper about Secure Text Communication for the Tiger XS (pdf) (2006)
- The first version: Tiger XS Mobile security terminal (2005)

FAIRVIEW: Collecting foreign intelligence inside the US

(Updated: September 7, 2015)

On August 15, The New York Times and Pro Publica published a story in which the big US telecommunications company AT&T was identified as a key partner of the NSA.

Interesting details about this cooperation and the cable tapping were already in the 2008 book The Shadow Factory by James Bamford, but with the new story, also a number of clarifying documents from the Snowden-trove were disclosed.

Among them are some powerpoint presentations that contain the slides which had been shown on Brazilian television two years ago. They were first discussed on this weblog in January 2014.

Here we will combine these new and old documents to provide a detailed picture of this important collection program, that was previously misunderstood on various occasions.





The AT&T switching center at 611 Folsom Street, San Francisco,
where there's a cable access under the FAIRVIEW program
(Photo via Wikimapia - Click to enlarge)

 

Context

At NSA, the division Special Source Operations (SSO) is responsible for collecting data from backbone telephone and internet cables. For that, SSO also cooperates with private telecommunication providers under the following four programs, which are collectively referred to as Upstream Collection:
- BLARNEY (collection under FISA authority, since 1978)
- FAIRVIEW (cooperation with AT&T, since 1985)
- STORMBREW (cooperation with Verizon, since 2001)
- OAKSTAR (cooperation with 7 other telecoms, since 2004)*

Before the new revelations, it was often assumed that BLARNEY was the program for NSA's cooperation with AT&T. The Wall Street Journal reported this in August 2013, based upon former officials, saying that BLARNEY was established for capturing foreign communications at or near over a dozen key international fiber-optic cable landing points. This assumption was also followed by Glenn Greenwald in his book No Place to Hide from May 2014.

In a letter to Cryptome, James Atkinson suggests that BLARNEY was the covername for cooperation with AT&T since 1978, and that after the Bell break-up, BLARNEY stayed active for FISA collection, and the new covername FAIRVIEW was created for the "new" AT&T. One new slide however, shows that BLARNEY actually encompasses all (over 30) companies that are cooperating for FISA collection, including of course AT&T and Verizon.


Speculations

The assumption that BLARNEY was the program for AT&T left room for speculation about the purpose and scope of the FAIRVIEW program.

For example, former NSA official and whistleblower Thomas Drake told DailyDot.com in July 2013 that FAIRVIEW was for tapping into the world's intercontinental fiber-optic cables and "to own the Internet". According to Drake it was an umbrella program with other programs, like BLARNEY, underneath it.

Similarly speculative was Bill Binney, also a former NSA official who left and became a whistleblower in 2001. On multiple occasions he said that a map showing the FAIRVIEW tapping points proves that NSA collects "content and metadata on US citizens" because those collection points are spread across the country:



Slide from an NSA presentation as shown on the Brazilian
television show Fantástico on September 8, 2013


The new revelations by The New York Times and Pro Publica have now shown that the explanations by both Drake and Binney were misleading: FAIRVIEW is neither an overarching internet tapping program, nor is it collecting communications of US citizens.


Cover names

Closest to the truth came NSA historian Matthew Aid, who in an article by The Washington Post from October 2013, said that STORMBREW is the NSA alias used for Verizon, while FAIRVIEW stands for AT&T.

That's the right connection, although STORMBREW and FAIRVIEW aren't the cover names for these companies themselves, but the code words for the programs under which NSA cooperates with these telecoms.

The cover name for AT&T itself (at least under the BLARNEY program) is probably LITHIUM and for Verizon ARTIFICE. Cover names for other, but yet unidentified US telecoms are ROCKSALT, SERENADE, STEELKNIGHT and WOLFPOINT - their actual names are in the Exceptionally Controlled Information (ECI) compartment WHIPGENIE (WPG).

Although Snowden seems to have had no access to that ECI compartment, reporters for Pro Publica were able to identify both companies based upon various details found in the NSA documents about the STORMBREW and FAIRVIEW programs.

Legal authorities

The actual purpose of FAIRVIEW can be learned from an NSA presentation, which clearly says the program is for collecting communications of foreign targets at collection points that are inside the United States. Two other excerpts say that FAIRVIEW is also used for current and future "cyber plans", which probably include searching for cyber signatures.

All this happens under three different legal authorities, and for each there's a different SIGINT Activity Designator (SIGAD):
Traditional FISA:
- Communications of persons being agents of foreign powers or connected to international terrorist groups
- Individualized warrant needed from the FISA Court
- Internet traffic only (SIGAD: US-984T)

Section 702 FAA:
- Communications of foreigners/with one end foreign
- Must be justified under an annual FAA Certification
- All kinds of internet traffic (SIGAD: US-984XR)
- Telephone traffic (SIGAD: US-984X2)

Transit Authority:
- Communications with both ends foreign
- No external approval required
- Internet traffic: only e-mail (SIGAD: US-990)
- Telephony: according to "Directory ONMR" (SIGAD: US-990)

For collection under Transit Authority, the presentation says that communications "must be confirmed foreign-to-foreign", which is ensured by filters at the actual tapping points (see stage 1 of the dataflow, down below).

These filters only forward authorized traffic to the selection engines, which then pick out the communications that match with strong selectors, like e-mail addresses, phone numbers, etc. These selectors are entered into the system by analysts using the tasking tools UTT, CADENCE (for internet) and OCTAVE (for telephony).

Examples of such selected, authorized traffic can be seen in a number of slides that were shown in a Fantástico report from July 9, 2013. They are from a presentation that has not yet been released. These slides contain maps, which show the amount of internet traffic to countries like North Korea, Russia, Pakistan and Iran, as seen on March 4-5, 2012.

In the first slide we see for example internet traffic (DNI) to Pakistan, which has been determined to be foreign-to-foreign and may therefore be collected under Transit Authority. As such, front-end filters forwarded this traffic to the selection engines for further filtering.



The slide below has a map showing the internet traffic to Pakistan, which is eligible for collection under FAA authority:



The next slide shows a list of "Top 20 Pakistani domains (.pk)" which were tracked between February 15, 2012 and March 11, 2012:



A map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment", which means internet traffic which is authorized for collection under FAA authority:



Next is a list of "Top 20 North Korean domains (.kp)" which were tracked between February 15, 2012 and March 11, 2012. Note that only two websites generate notable traffic, all others have less than 1 Kbps:



A map showing internet traffic to Iran, which is eligible for collection under FAA authority:



A map showing internet traffic to Russia, which is authorized for collection under Transit authority:




Determining what traffic is foreign is done by filtering based upon telephone country codes and internet IP addresses. For telephony this is quite reliable, but particularly for internet traffic, the speaker's notes for another NSA presentation admit that it is difficult to prove the foreignness. Therefore, it is occasionally discovered that one end of an intercept is actually in the US, which then has to be reported as a "domestic incident".
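To make the foreignness problem concrete, here is a constructed example, not code from NSA, AT&T or the Snowden documents, of the kind of front-end filter the slides describe. Telephone numbers are classified by their E.164 country code, IP addresses by a prefix table (here a tiny made-up one using documentation ranges), and a record is forwarded only when both ends are confirmed foreign. Anything the table cannot place is treated as unknown and not forwarded, and a later, more reliable lookup that shows a US end is what would have to be reported as a "domestic incident". This is also what the "Foreign IP Filtering" step in the dataflow section below amounts to. All tables, addresses and numbers are assumptions.

```python
"""Constructed example (not NSA or AT&T code): a front-end foreign-to-foreign
filter, showing why IP-based foreignness is unreliable and how a record that
later turns out to have a US end is detected. All data below is made up."""
import ipaddress

# Constructed prefix-to-country table using documentation ranges. Real
# geolocation data is vastly larger and still incomplete.
IP_TABLE = [
    ("203.0.113.0/24", "PK"),
    ("198.51.100.0/24", "RU"),
    ("192.0.2.0/24", "US"),
    ("2001:db8:1::/48", "IR"),
]
# Longest prefix first, so a more specific entry overrides a covering one.
PREFIXES = sorted(((ipaddress.ip_network(p), cc) for p, cc in IP_TABLE),
                  key=lambda t: t[0].prefixlen, reverse=True)

# Tiny subset of E.164 country codes ("1" covers the North American plan).
CC_TABLE = {"1": "US", "7": "RU", "92": "PK", "98": "IR", "850": "KP"}


def country_of_ip(addr: str):
    """Return a country code, or None when the address is not in the table."""
    ip = ipaddress.ip_address(addr)
    for net, cc in PREFIXES:
        if ip.version == net.version and ip in net:
            return cc
    return None


def country_of_number(number: str):
    """E.164 numbers start with the country code; try the longest code first."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        cc = CC_TABLE.get(digits[:length])
        if cc:
            return cc
    return None


def classify(src_cc, dst_cc, home="US"):
    """Map the two ends of a record to the legal bucket the slides list."""
    if src_cc is None or dst_cc is None:
        return "unknown"              # cannot be *confirmed* foreign-to-foreign
    if src_cc != home and dst_cc != home:
        return "foreign-to-foreign"   # Transit Authority
    if src_cc == home and dst_cc == home:
        return "domestic"             # never forwarded
    return "one-end-foreign"          # section 702 bucket, not transit


def front_end_filter(records, country_fn, home="US"):
    """Stage 1: forward only records confirmed foreign-to-foreign; count the rest."""
    forwarded, dropped = [], {}
    for rec in records:
        bucket = classify(country_fn(rec["src"]), country_fn(rec["dst"]), home)
        if bucket == "foreign-to-foreign":
            forwarded.append(dict(rec, bucket=bucket))
        else:
            dropped[bucket] = dropped.get(bucket, 0) + 1
    return forwarded, dropped


def domestic_incidents(forwarded, better_evidence, home="US"):
    """Better evidence that arrives later (here a constructed lookup) can show
    that one end was in the home country after all: a reportable incident."""
    return [rec for rec in forwarded
            if home in (better_evidence.get(rec["src"]),
                        better_evidence.get(rec["dst"]))]


# Constructed sample records.
IP_RECORDS = [
    {"src": "203.0.113.5", "dst": "198.51.100.9"},    # PK -> RU
    {"src": "192.0.2.7", "dst": "203.0.113.5"},       # US -> PK
    {"src": "203.0.113.8", "dst": "100.64.0.1"},      # PK -> not in table
    {"src": "2001:db8:1::1", "dst": "198.51.100.2"},  # IR -> RU
    {"src": "192.0.2.1", "dst": "192.0.2.2"},         # US -> US
]
PHONE_RECORDS = [
    {"src": "+923001234567", "dst": "+79161234567"},  # PK -> RU
    {"src": "+12025550100", "dst": "+79161234567"},   # US -> RU
    {"src": "+8501234", "dst": "+9812345"},           # KP -> IR
]
# Constructed "better evidence": the host the table put in RU was really in the US.
LATER_EVIDENCE = {"198.51.100.9": "US"}

if __name__ == "__main__":
    fwd, dropped = front_end_filter(IP_RECORDS, country_of_ip)
    print("IP forwarded:", len(fwd), "dropped:", dropped)
    print("domestic incidents:", domestic_incidents(fwd, LATER_EVIDENCE))
    fwd, dropped = front_end_filter(PHONE_RECORDS, country_of_number)
    print("phone forwarded:", len(fwd), "dropped:", dropped)
```

Note the asymmetry the text points to: every phone number resolves because the country code is part of the number itself, whereas an IP address outside the table yields "unknown" and one inside it can still be wrong, which is how a record passes the filter and only later becomes a domestic incident.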

Tapping points

One of the most interesting new documents is an NSA presentation from 2010 about the Corporate Partner Accesses, which has the map for the FAIRVIEW program with all the domestic dots, but this time with the explaining legend:




From the legend in combination with the dots on the map, we learn that under the FAIRVIEW program, NSA at that time had access points at the following parts of the AT&T network:
- Peering Link Router Complex (8)
- VoIP Router Complex (26, planned: 0)
- Hub VoIP Router Complex (1, planned: 30)
- Program Cable Station (9, planned: 7)
- Non-Program Cable Station (0)
- RIMROCK 4ESS Circuit Switch (16)
- Program Processing Site (1)

One important thing is that most of the markers inside the US do not represent traditional cable tapping points like those along the borders, but are current and planned accesses to Voice over IP communications. Here's some explanation about the other types of access points too:

Peering Link Router Complex
NSA has 8 access points at AT&T Peering Link Router Complexes. According to Pro Publica they correspond to AT&T's Service Node Routing Complexes (SNRCs), where other communication providers connect to the AT&T backbone through OC-192 and 10GE fiber-optic cables. For NSA, this means they can catch traffic from those other providers too. This backbone access is codenamed SAGURA or SAGUARO. The 8 facilities are in:
- Seattle
- San Francisco
- Los Angeles
- Dallas
- Chicago
- Atlanta
- New York City
- Washington DC
It was this kind of access point that was/is in Room 641A in San Francisco, as was exposed by Mark Klein during a lawsuit in 2006. Klein said that the equipment in room 641A was installed in early 2003, which could fit the turning on of "a new DNI (Digital Network Intelligence) collection capability" in September of that year.

VoIP Router Complex
The largest number of active access points, 26, are at VoIP Router Complexes, which are apparently used for routing voice communications over IP networks, like the internet. No new accesses of this kind were planned, but expansion seems to be in the next category:

Hub VoIP Router Complex
In the map from 2010 we see only one active access at a Hub VoIP Router Complex, which is somewhere near New York City (maybe in Florham Park, NJ, where AT&T has a data warehouse and its laboratory?). Access to VoIP communications was clearly seen as something that needed expansion, as 30 locations are marked as a planned access point. Unfortunately, no documents have yet been released about this effort.



Map of the US internet backbone network of AT&T in 2009
(Source: AT&T brochure - Click to enlarge)



Program Cable Station
At the time of the presentation, there were 9 AT&T cable stations with a tapping facility, and another 7 for which that was planned. For an article on Pro Publica, it was found out that 9 of these active and planned stations in the continental US correspond to cable landing stations owned by AT&T.
There are also two active and five planned accesses at cable landing points which are probably located in Hawaii and Puerto Rico. Some of the active facilities are in:
- Nedonna Beach, Oregon
- Point Arena, California
- San Luis Obispo, California
- Tuckerton, New Jersey
- West Palm Beach, Florida

RIMROCK 4ESS Circuit Switch
These facilities refer to a 4ESS switch, which is used for long-distance telephone switching. Approximately 100 of these switches are operated by AT&T, but according to the map, only 16 of them have a tapping facility codenamed TOPROCK. Except for two, they are situated along the US border, so seem to be for collecting (the metadata of) in- and outgoing phone calls. These sites appear to be in or near:
- Seattle
- Spokane
- Sacramento
- Los Angeles
- San Diego
- Albuquerque
- San Antonio
- Lansing
- Atlanta
- Pittsburgh
- Buffalo
- Kingston
- Hartford (2)
- New York City (2)


Program Processing Site
Finally, there's one centralized Program Processing Site, which is codenamed PINECONE. The map indicates that it's situated somewhere near the AT&T cable landing station of Tuckerton in New Jersey.



The AT&T intercontinental cable landing station in Tuckerton, New Jersey,
which got a fake facade when residences were built around it.
(Photo: Bing maps - Click to enlarge)


Dataflow

Seen for the first time is an NSA presentation from 2012 with five diagrams showing the dataflow for the various collection methods under the FAIRVIEW program. There are diagrams for:
- Transit internet content (US-990)
- Transit internet metadata (US-990)
- Transit telephony metadata and SMS (US-990)
- FISA e-mail content (US-984T)
- FISA internet content (US-984T)

There are no diagrams for FAIRVIEW collection under the authority of section 702 FAA.



Dataflow for internet content collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)



These diagrams show that processing the data from the various collection points takes place in 3 different stages at 3 different locations:
1. Access and processing at the partner company
2. Site processing in a central secure facility
3. Processing and storage at NSA headquarters

Here's a description of what roughly happens during these 3 stages:


1. Access and processing at the partner company

In the first stage, AT&T provides access to internet and telephone cables and does some filtering and processing right at the various tapping points:
- For the internet collection, we see that the traffic is split at the switches where AT&T's own accesses, as well as peering partner's cables connect to the AT&T Common Back Bone (CBB).

This duplicated traffic goes to one or more routers, where "Foreign IP Filtering" takes place to select foreign and discard domestic traffic. The remaining data stream is then sent over to the central processing facility of the second stage, probably over OC-48 links of 2.4 Gbit/s. The same happens with traffic from other cable access points codenamed MESA.

It was this kind of installation that Mark Klein discovered in Room 641A in the SBC building in San Francisco in 2006. Many people assumed that in this way, NSA was able to store everything that runs over those cables, including Americans' communications, but now we know that filters ensure that only foreign traffic is sorted out for further processing.
Update:
Klein also testified that in room 641A there was equipment from Narus, which can be used to sessionize and filter data streams, but this is not seen in the diagrams. Maybe, after the exposure of room 641A, NSA moved that kind of equipment from the actual AT&T tapping points to the centralized processing facility codenamed PINECONE.

According to an NSA glossary, there are tens of thousands of access links to the AT&T Common BackBone, which "would make 100% coverage prohibitively expensive". Therefore, NSA's Operations and Discovery Division (ODD) worked with AT&T to rank the access routers, and (only?) 8 router uplinks were deemed of high SIGINT interest and subsequently nominated for monitoring.

- Telephone metadata under Transit Authority are collected from Foreign Gateway Switches and "ATPs", by a "CNI [Calling Number Identification] & Call Processor" in facilities codenamed TOPROCK. These metadata are also sent over to the central processing facility of the second stage.


One of the doors to room 641A in the building of AT&T in San Francisco,
where there's an access point to the AT&T Common BackBone


2. Site processing in a central secure facility

The second stage comprises processing which takes place at a central location, in a highly secured building, a Sensitive Compartmented Information Facility (SCIF), which for the FAIRVIEW program is codenamed PINECONE. The equipment there is partly controlled by the partner company and partly by NSA.

Processing data from the many tapping points under the FAIRVIEW program at one central facility is only possible when large amounts have already been discarded during the first stage. The remaining data stream is probably sent (unencrypted) to PINECONE over dedicated links within the AT&T network.
- Internet data arrive at IP Routers (IPRs) and via IP Processors (IPPs) go to an "Information Media Manager Distribution Box". Internet metadata then go directly to MAILORDER. This device sends them to NSA headquarters (NSA-W), where they are received by another MAILORDER box.

Until now, MAILORDER was known as a tool for transferring data, but now it becomes clear that MAILORDER is actually the device that encrypts the data so they can be transmitted safely from the PINECONE facility to NSA headquarters.

Before going to MAILORDER, internet content has to pass another box codenamed COURIERSKILL/CLEARSIGHT. This device also gets an input from the CADENCE tasking tool at NSA headquarters: the selectors for filtering.

Therefore, COURIERSKILL/CLEARSIGHT is the device that sorts out the communications that match the e-mail addresses and other identifiers as requested by NSA analysts. For e-mail collection under FISA authority, this filtering is done (directly) by XKEYSCORE.

After passing GATEKEEP, which could be some kind of access control system, the filtered internet content of interest goes to MAILORDER to be sent over to Fort Meade.

- Telephone metadata and SMS messages also pass an "Information Media Manager Distribution Box", which is connected to an unknown device marked NGTPD. Via MAILORDER, these data too are sent over to NSA headquarters.

3. Processing and storage at NSA headquarters

In the third and final stage, which is at NSA headquarters, the data from the central processing facility PINECONE arrive at a MAILORDER box, which is on the FAIRVIEW Local Area Network (LAN) codenamed HIGHDECIBEL.

From this LAN, the data are sent to NSA's core corporate network, again via secure MAILORDER transmission, to be stored in the various and meanwhile well-known databases, like PINWALE, MAINWAY, MARINA, FASCIA and DISHFIRE.
- Internet content first passes FISHWAY, which is a "Data Batching & Distribution System", and then SCISSORS. The latter was first seen in the earliest PRISM slides, and is a "Data Scanning, Formatting & Distribution System", as we learn from this diagram.

Raw internet content and e-mails collected under FISA authority are stored in the RAGTIME partition of the PINWALE database and are classified as TOP SECRET//SI-ECI RGT//REL [...].

- Internet metadata first pass FALLOUT, which is an internet metadata ingest processor/database, while telephone metadata and SMS go to FASCIA, which has the same function for this type of data.



Overview of the numbers of data collected under the FAIRVIEW program
(Click to enlarge)

Results

According to one of the newly disclosed NSA documents, the internet access under the FAIRVIEW program was initially used only for collecting e-mail messages. In 2003, this resulted in more than one million e-mails a day being forwarded to the keyword selection system at NSA headquarters.

This number had risen to 5 million a day in 2012, which remained after applying some kind of "3 Swing Algorithm" to 60 million foreign-to-foreign e-mail messages that were captured by FAIRVIEW every day under Transit Authority - according to the speaker's notes for an NSA presentation from 2012.

Again we see a huge amount of data passing (which in the documents is called "captured" by) the FAIRVIEW tapping points, but the filters only select a small part, which is then forwarded to the NSA for further selection. The 5 million e-mail messages a day in 2012 made 150 million a month and 1,8 billion a year.


BOUNDLESSINFORMANT

The most recent numbers of the data collected under FAIRVIEW can be derived from a chart from the NSA's BOUNDLESSINFORMANT tool, which was published in May 2014 as part of Glenn Greenwald's book No Place to Hide:




During the one month period between December 10, 2012 and January 8, 2013, exactly 6.142.932.557 metadata records were counted for collection under Transit Authority, which for the FAIRVIEW program is denoted by the SIGAD US-990.

This means the numbers for FAIRVIEW collection under FISA and section 702 FAA authority are not included in this chart. But in those cases, only communications related to specific e-mail addresses or similar identifiers are collected, which results in far smaller numbers: according to a 2011 FISA Court ruling (pdf), Upstream collection under section 702 FAA resulted in just 22 million "internet communications" each year.

The over 6 billion records for FAIRVIEW account for only 3,75% of the total number of data the NSA collects through its cable tapping programs, which is remarkably small given the large number of access points at major internet cables and switches.


Tech details

In the lower part, the pie chart shows that under Transit Authority, roughly the following number of records were counted for FAIRVIEW:

- 87% or 5,3 billion: Personal Communications Services (PCS, cell phone, etc)
- 2% or 122 million: Mobile communications-over-IP (MOIP)
- 8% or 488 million: Public Switched Telephone Network (PSTN)
- 3% or 183 million: Internet communications (DNI)

As reflected by the bar chart, the overwhelming majority of data come from foreign-to-foreign telephone communications, mostly from cell phones. Because there's no dataflow diagram for the content of phone calls, it's possible that this is only telephone metadata and SMS messages.

Only about 3% comes from foreign-to-foreign e-mail messages, for which some 183 million metadata records were counted. This number comes close to the roughly 150 million e-mails a month that were processed in 2012, which could indicate that one metadata record equals one e-mail message.

The technology used to process 97% of these data is called FAIRVIEWCOTS, which could be a combination of the program's codename and the abbreviation COTS, which stands for Commercial Off-The-Shelf equipment. Only about 3%, so probably the e-mail traffic, is processed by a hitherto unknown system codenamed KEELSON. Finally, a tiny number also went through SCISSORS.


Product reports

After the data have been collected and stored, analysts go through them, looking for useful intelligence information, and put that in so-called product reports. A slide from a 2012 presentation about SSO's Corporate Portfolio shows the Top Ten programs based upon the product reports that were prepared during the fiscal year 2010-2011:




We see that with 7357 product reports, US-990, which is FAIRVIEW collection under Transit Authority, ranks as the second most productive source. However, 4 times more reports came from collection under section 702 FAA, which is not only derived from PRISM, but also from the STORMBREW and FAIRVIEW programs.

Although, below the top-ranked program, the differences in the numbers of reports are not very big, the chart still shows how focused FAIRVIEW collection must be: the 3,75% of the data it pulls in is apparently so useful that it results in a large number of product reports.

From a different presentation, we have a similar diagram with the numbers for the fiscal year 2009-2010:



Cooperation

The FAIRVIEW map also mentions a close partnership with the FBI. Under the PRISM program it's the FBI that actually picks up the data at the various internet companies, but for Upstream collection, like under FAIRVIEW, that's not the case: here the NSA has a direct relationship with the telecoms.

This leaves the option that the FBI (just like the DEA and the CIA) is also a so-called customer of the program, meaning that the Bureau can request the collection of certain targets' communications and access some of the data that NSA collected under FAIRVIEW.

Domestic metadata

The newly disclosed documents about FAIRVIEW also provide some new details about the bulk collection of domestic metadata, which is considered to be one of the most controversial activities of the NSA. Somewhat unexpected is that for AT&T this happens under FAIRVIEW, instead of a separate program.


Internet metadata

An NSA document from 2003 seems to be about bulk internet data. It says that FAIRVIEW also collected "metadata, or data about the network and the communications it carries" and that for September 2003 alone, "FAIRVIEW captured several trillion metadata records - of which more than 400 billion were selected for processing or storage".

This doesn't really sound like AT&T handed over bulk metadata indiscriminately, but it would fit how it's described in the 2009 STELLARWIND report (in which, according to Pro Publica, AT&T is referred to as "Company A") about the collection efforts under the President's Surveillance Program (PSP):
"In order to be a candidate for PSP IP metadata collection, data links were first vetted to ensure that the preponderance of communications was from foreign sources, and that there was a high probability of collecting al Qaeda (and affiliate) communications. NSA took great care to ensure that metadata was produced against foreign, not domestic, communications"

It seems that at that time, AT&T did hand over massive amounts of internet metadata from its domestic infrastructure, but also made sure these were not about American communications.
Update:
The "internet dragnet", that is, the bulk collection of internet metadata of domestic communications under the authority of section 402 FISA (at NSA called PR/TT), was first approved by the FISA Court on July 14, 2004. That means that the 400 billion metadata records collected under FAIRVIEW in 2003 were not yet part of the PR/TT bulk collection, and accordingly not domestic.

It is still remarkable that AT&T was able to forward 400 billion metadata records a month just from its foreign communications: in 2012, the total number of internet metadata that NSA collected worldwide was "just" 312 billion a month.

The 2003 document says these metadata were flowing to MAINWAY, which appears to be not only for telephone records, but "NSA's primary tool for conducting metadata analysis" in general.* One of the dataflow diagrams also shows that internet metadata first flow into MAINWAY, and from there to MARINA, which is the repository for internet metadata:



Dataflow for internet metadata collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)



Telephone metadata

About bulk telephone metadata there's an NSA document from 2011. It says that as of September 2011, FAIRVIEW began handing over "1.1 billion cellular records a day in addition to the 700M records delivered currently" under the Business Record (BR) FISA authorization, which refers to section 215 of the USA PATRIOT Act.

It was already known that the major US telecoms handed over their metadata records of landline telephone calls, but here we see that AT&T also started doing so for cell phone calls.

And for the very first time we also have some numbers now: the total of 1,8 billion a day provided by AT&T makes 54 billion a month and about 650 billion phone records a year. For comparison, in 2012, NSA's regular foreign collection resulted in a total number of 135 billion telephone records a month and 1,6 trillion a year.

The mobile phone metadata provided by AT&T were fed into the MAINWAY database to be used for contact chaining in order to "detect previously unknown terrorist threats in the United States". Before these records were handed over to NSA, AT&T stripped off the location data, to comply with the FISA Court orders, which don't allow those data to be collected.

Apparently Verizon Wireless and T-Mobile US don't strip off these location data, so their cell phone records cannot be handed over to NSA, which therefore only gets less than 30% of the domestic telephone metadata.
 
Conclusion

The reports by Pro Publica and The New York Times stress AT&T's "extreme willingness to help" the NSA, which some people consider bad and scary. But maybe this very close cooperation helps to make data collection as targeted and focused as possible. Apart from the domestic metadata collection under BR-FISA, the relatively small numbers of data collected under the FAIRVIEW program appear to contain a lot of valuable foreign intelligence information.

The fear was that under FAIRVIEW, large numbers of Americans' communications were sucked up by the NSA. However, the documents and diagrams show that there are filter systems that, for collection under Transit Authority, only let foreign-to-foreign communications through. Collection under section 702 FAA is already about foreign targets outside the US, while under FISA authority there's an individualized FISA Court order.

Interesting questions that remain are about the function of the rapidly growing number of VoIP collection points, as well as about the scope of the cyber security effort, and how in these fields, NSA tries to protect the rights of American citizens.




Links and sources
- Bruce Schneier: NSA's Partnership with AT&T
- Matthew Green: The network is hostile
- EmptyWheel.net: What’s a Little (or a Lot) Cooperation Among Spies?
- EmptyWheel.net: AT&T Pulled Cell Location for Its “Mobility Cell Data”
- Wired.com: AT&T Whistle-Blower's Evidence
- Atlantic-cable.com: History of the Atlantic Cable & Undersea Communications
