Channel: Electrospaces.net
Viewing all 174 articles
Browse latest View live

Abbreviations, Acronyms, Nicknames and Codewords

The communications security and intelligence branch is notorious for its abbreviations, acronyms, nicknames and codewords, and recently we learned a number of new NSA codewords from many classified documents which Edward Snowden handed over to The Guardian.

Here we provide two listings, one of abbreviations and acronyms, and one of nicknames and codewords, to get somewhat more grip on these things:

- Abbreviations and Acronyms

- Nicknames and Codewords

Listings like this can never be complete, and therefore expect new entries to be added gradually.

Is PRISM just a not-so-secret web tool?

(Updated with an infographic on June 30, 2013)

Since The Guardian first published about the PRISM data collection program on June 6, there have been new disclosures of top secret documents almost every day, resulting in some fierce protests against apparently illegal wiretapping by the NSA and GCHQ. However, it remains unclear what PRISM actually is or does, as The Guardian didn't provide any new details or disclosed more than 5 of the 41 presentation slides about the program.

This makes it hard to determine whether PRISM really is the illegal or at least embarrassing program which most people now think it is. Especially, because it could even be the hardly secret Planning tool for Resource Integration, Synchronization and Management (PRISM), which is a web-based tool to manage information requests widely used by the US military. Here we will take a closer look at this program and try to determine whether this could be the same as the PRISM revealed by The Guardian.

> See also:New insights into the PRISM program

Planning tool for Resource Integration, Synchronization and Management

The earliest document which mentions the Planning tool for Resource Integration, Synchronization and Management (PRISM) is a paper (pdf) from July 2002, which was prepared by the MITRE Corporation Center for Integrated Intelligence Systems. The document describes the use of web browsers for military operations, the so-called "web-centric warfare", for which intelligence collection management programs were seen as the catalyst. These programs fuse battlefield intelligence information with the national data that they already possess, in order to provide a complete picture to their users.

PRISM was developed by SAIC (formerly Science Applications International Corporation, a company that was also involved in the 2002 TRAILBLAZER program for analyzing network data). The program was originally prototyped and fielded for the US European Command, but is also being used in other military operation areas such as Iraq. Involved in the establishment of PRISM was Ron Baham. His LinkedIn profile says that he currently is senior vice president and operations manager at SAIC and that he worked on CMMA PRISM at JDISS from 2000 - 2004, so PRISM might be developed somewhere between 2000 and early 2002.

On an older page of its website, SAIC says that the PRISM application allows theater users, in various functional roles and at different echelons, to synchronize Intelligence, Surveillance and Reconnaissance (ISR) requirements with current military operations and priorities. The application was first developed for use on JWICS, the highly secure intelligence community network, but is now also being used on SIPRNet, the secure internet used by the US military.

Screenshot of the PRISM Input Tool (EEI = Essential Elements of Intelligence)
source: GMTI Utility Analysis for Airborne Assets (pdf)

Other sources clarify that PRISM consists of a web-based interface which connects to PRISM servers, and that it's used by a variety of users, like intelligence collection managers at military headquarters, to request the intelligence information which is needed for operations. These requests are entered in the PRISM interface, which sends them to the PRISM server. From there the request goes to units which collect the raw data. These are processed into intelligence, which then becomes available through the PRISM server.

PRISM is able to manage and prioritize these intelligence collection requirements to ensure critical intelligence is timely available to the commander during crisis operations. The application integrates these requirements and, with other tools, generates the so called daily collection deck. PRISM also provides traceability throughout the so-called intelligence cycle, from planning through exploitation to production.

The PRISM application made by SAIC is still widely used. It's mentioned in joint operations manuals from 2012 and in quite a number of job descriptions, like this one from March 2013 for a systems administator in Doha, Qatar, which says that part of the job is providing on-site and off-site PRISM training and support. Also these US government spending data show that in 2011 a maintaince contract (worth $ 1.085.464,-) for PRISM support services was awarded to SAIC, with options for 2012 and 2013.

Are there two different PRISMs?

So now it looks like as if there are two different programs called PRISM: one is a web-based tool for requesting and managing intelligence information from a server that gets input from various intelligence sources. The other is the program from which The Guardian says it's a top secret electronic surveillance program that collects raw data from the servers of nine major US internet companies.

If the Guardian's claims are true, it's strange that two important intelligence programs apparently have the exact same name. For sure, this would not be very likely, if "PRISM" would be an acronym or a codeword in both cases. But if we assume one PRISM being an acronym and the other PRISM a codeword, it could be somewhat more likely.

As we know, the PRISM tool developed by SAIC is an acronym, just like the names of many other military and intelligence software tools are often lengthy acronyms. This leaves the PRISM which was unveiled by The Guardian likely to be a codeword, or more correctly said, a nickname. NSA data collection methods, officially designated by an alphanumerical SIGAD like US-984, can have nicknames which may or may not be classified.

These are different from codenames, which are always classified and often assigned to the intelligence products from the various data collection methods. This can cause some confusion, as "PRISM" perfectly fits in the NSA tradition of using 5-letter codewords for products of sensitive Signals Intelligence programs.

If PRISM had been a classified codename, it should also have been part of the classification line, and the marking should have read TOP SECRET // SI-PRISM // [...] instead of the current TOP SECRET // SI // [...]. This indicates that if there are two PRISMs, and one is an acronym, the other PRISM isn't a codeword for intelligence from a specific source, but most likely the unclassified nickname of a collection method.

This still leaves the question of why in 2007 an apparently new collection program got a nickname which is exactly the same as the acronym of an already widely used computer application - which is even going to be one of its tasking systems.

A less spectacular PRISM?

Allthough The Guardian presented PRISM as a method of directly collecting raw data from major internet companies, other sources say that PRISM might well be a much less spectacular internal computer program.

Initially, The Washington Post came with the same story as The Guardian, but revised some of its claims by citing a classified report from the NSA Inspector General that describes PRISM as allowing "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations." These words very much resemble the way the PRISM Planning Tool is described.

National security reporter Marc Ambinder describes PRISM as "a kick-ass GUI (Graphical User Interface) that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States" - which also sounds much more like the SAIC application, than like a data dragnet with free access to commercial company servers.

This view was also confirmed by a statement (pdf) of Director of National Intelligence (DNI) James Clapper, which says: "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s [...] collection of foreign intelligence information from electronic communication service providers [...]".

With this statement, Clapper officially confirms the existance of a program called PRISM, and allthough his description could also fit that of the Planning tool for Resource Integration, Synchronization and Management, he didn't positively identified PRISM as such.

Finally, an anonymous former government official told CNet.com that The Guardian's reports are "incorrect and appear to be based on a misreading of a leaked Powerpoint document", making journalist Declan McCullagh go one step further by suggesting that PRISM might be actually the same as the web application named Planning Tool for Resource Integration, Synchronization, and Management.

PRISM as an all-source planning tool

Some sources, like a joint operations manual and a number of job descriptions, seem to indicate that the PRISM planning tool is primarily used for geospational intelligence (GEOINT), which is analysed imagery of the earth as collected by spy planes and satellites.

However, more extensive research has shown that the Planning tool for Resource Integration, Synchronization and Management (PRISM) is not only used for geospatial intelligence, but for fusing intelligence from all sources. Besides GEOINT, sources prove that PRISM is also used for SIGINT (Signals Intelligence), IMINT (Imagery Intelligence) and HUMINT (Human Intelligence), probably through additional modules for each of these sources.

Even the 2006 Geospatial Intelligence Basic Doctrine (pdf) says PRISM is a "web-based application that provides users, at the theater level and below, with the ability to conduct Integrated Collection Management (ICM). Integrates all intelligence discipline assets with all theater requirements."
More specifically, the 2012 Joint and National Intelligence Support to Military Operations manual describes that where applicable, requests for SIGINT support should be entered into approved systems such as PRISM, for approval by a military commander.

In a job description for an Intelligence Training Instructor from 2010 we see a distinction being made between PRISM-IMINT and PRISM-SIGINT, and a LinkedIn profile mentions the IMINT/SIGINT PRISM training in 2006 of someone who was administrator for PRISM, which is described as the system of record USCENTCOM uses for submitting, tracking, and researching theater ISR requirements. In a job description for a SIGINT Collection Management Analyst (by Snowden-employer Booz Allen Hamilton!) experience with PRISM is required too.

Also a module was added to PRISM for accessing information from HUMINT (Human Intelligence) sources. Testing of this module was done during the Empire Challenge 2008 exercise. In the daily reports of this exercise we can read that for example the Defense Intelligence Agency's HUMINT team loaded "additional data into PRISM HUMINT module for operations on Tuesday morning". From a French report about this exercise we learn that the PRISM HUMINT module was a new application, just like the Humint Online Tasking & Reporting (HOT-R) tool, which runs on SIPRNet. This indicates that modules for different -INTs were added gradually in time.

Are both PRISMs one and the same?

If The Guardian's PRISM really is just a computer system for sending tasking instructions to equipment that collects the raw data, it is hard to believe that it's different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which for many years is used to order and manage intelligence from all sources.

If this could be true, and there's only one PRISM program, what about the slides which were disclosed by The Guardian? First of all, as this newspaper is not willing to publish all PRISM-slides, we cannot be sure about what this presentation is really about, but it's possible that it's not about a PRISM which is the nickname of the US-984XN collection method, but about how to gather material from that source by using the PRISM web tool. This way around, the SIGAD US-984XN can still deliver for most NSA reporting, including the President's Daily Brief.

More specific, we can think of a machine-to-machine interface between the PRISM system and dedicated data collection devices at remote locations, like a secure FTP server or an encrypted dropbox at sites of the internet companies. At the PRISM desktop interface this tasking may be done through a separate SIGINT module. As one of the slides says: "Complete list and details on PRISM web page: Go PRISMFAA" we can even imagine a module called "PRISM FAA" for requesting intelligence from intercepts of foreign communications under the conditions of the FISA Amendment Act (FAA) from 2008.

Infographic of the PRISM Planning Tool as part of the Intelligence Cycle,
with a possible way of how it could be the same as the
PRISM internet data collection program
(click for a bigger picture)

By publishing the PRISM slides, The Guardian for the first time revealed evidence about the NSA collecting data from major internet companies. But as this apparently surprised the general public, the practice is hardly new. Spies and later intelligence agencies of all countries have always tried to intercept foreign communications and of course tried to do this with every new way of communication: first letters, later phonecalls and radio communications, and nowadays internet based social media. Therefore, it may hardly come as a surprise that NSA found ways to intercept those new means of communications too.

What looks more of a problem, is the fact that in the past, enemies were nation states, which could be targeted by focussing on diplomatic and military communications, leaving most people's privacy untouched. Nowadays, with terrorism considered as the main enemy, almost every (foreign) citizen could be a potential adversary. This made intelligence agencies try to search everyone's communications, which are also more internationally intertwined than ever before.

Next time we will discuss more specific details of the Planning tool for Resource Integration, Synchronization and Management (PRISM), as this gives an interesting look at internal intelligence procedures.


- TheWeek.com: Is the NSA PRISM leak much less than it seems?
- CNet.com: What is the NSA's PRISM program? (FAQ)
- CNet.com: No evidence of NSA's 'direct access' to tech companies
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”
- ExtremeTech.com: Making sense of the NSA Prism leak as the real details emerge
- Medium.com: The PRISM Details Matter
- Reflets.info: #PRISM: let’s have a look at the big picture
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”- Mashable.com: See How PRISM May Work — in This Infographic
- ZDNet.com: How did mainstream media get the NSA PRISM story so hopelessly wrong?

New insights into the PRISM program

(Updated: July 10, 2013)

Last Saturday, June 29, the Washington Post unexpectedly disclosed four new slides from the powerpoint presentation about the PRISM data collection program.

This disclosure came as a surprise, because earlier, Guardian-journalist Glenn Greenwald said that no more slides would be published because they contain very specific technical NSA means for collection, for which The Guardian would probably be prosecuted.

That The Washington Post now disclosed them, is even more surprising, not only because it's an American paper, but also because it's said that Edward Snowden initially went to The Post asking to publish all 41 slides of the PRISM presentation. But The Washington Post refused to do so and therefore Snowden gave the scoop to The Guardian, which published the first four slides.

It's not clear who exactly released the four new slides, whether it was Snowden himself or editors of The Washington Post, and what the reason was for doing it. Allthough these new slides show some of the same oddities we already saw in the first series, these new ones have a very specific and detailed content. This makes them look far more genuine and, more importantly, show much better how PRISM actually works.

We now learn that PRISM is not one single technical system or computer application, but a data collecting project which combines a number of different tools, computer systems and databases, some existing, some maybe new. This also means that this PRISM program is not the same thing as the Planning tool for Resource Integration, Synchronization and Management (PRISM), a theory which was examined in our previous posting.

The PRISM tasking process

In this first new slide (below) we see details of the PRISM Tasking Process, which is how instructions for gathering the requested data are sent and reviewed. This process starts with an NSA analyst typing one or more search terms, or "selectors" as NSA calls them, into the Unified Targeting Tool (UTT). Selectors may refer to people (by name, e-mail address, phone number or some other digital signature), organizations or subjects such as terrorism or uranium related terms.

Along with the selectors, the analyst must fill out an electronic form that specifies the foreign-intelligence purpose of the search and the basis for the analyst’s reasonable belief that the search will not return results for US citizens or foreign nationals who are within the US at the time of data collection.

The slide shows that it's possible to search existing communications that are already stored ("Stored Comms") and also to initiate a search for future communications of selected targets. The latter option is called "Surveillance", which by a number of media was erroneously interpreted as the possibility of real-time monitoring of for example an internet chat.

According to one of the earlier slides, NSA analysts should also use other sources, like data which can be gathered through access points that tap into the internet’s main gateway switches ("Upstream"). This is done through collection programs codenamed FAIRVIEW, STORMBREW, BLARNEY and OAKSTAR. Allthough by its name the Unified Targeting Tool (UTT) seems to be of a generic nature, it's not clear whether it can be used also for tasking these other sources, or that they need other tasking tools.

The NSA unit S343 for Targeting and Mission Management does a final review of the analysts' determination and releases the tasking request through the Unified Targeting Tool. Then it's apparently a computer system called PRINTAURA which distributes the requests to the different collection sites.

For searching stored communications, there are two extra checks. First there's a review and validation by "Special FISA Oversight and Processing", which seems to refer to the federal judges of the secret Foreign Intelligence Surveillance Court (FISC). According to The Washington Post this oversight only provides a generic approvement once a year and no individual warrants, even for access to full content. Second, there's the Electronic Communications Surveillance Unit (ECSU) of the FBI, which checks against its own database to filter out known Americans.

Different tasking tools

In another source the Unified Targeting Tool (UTT) is described as a DNR tasking tool, which means it's a software program used to send so called tasking instructions to dedicated devices, telling them which data should be collected. As DNR stands for Dial Number Recognition, this sounds like the targeting tool is aimed at finding out who is behind a certain phone number, but as NSA sources often mention DNR equal to DNI ( Digital Network Intelligence or internet content), it seems DNR stands for information derived from telephone networks in general.

From a number of jobdescriptions we learn that this Unified Targeting Tool is often mentioned in connection to GAMUT and sometimes also to CADENCE. We see this written like "GAMUT-UNIFIED TARGETING TOOL", "GAMUT/UTT" or "CADENCE/UTT". Both GAMUT and CADENCE are nicknames for what is said to be a "collection mission system for tasking", but it's not really clear how this relates to the Unified Targeting Tool. Another NSA tasking tool is called OCTAVE.

An interesting coincedence is that the word gamut means a range of colors that can be reproduced by a certain technique - like a prism can break light up into its constituent spectral colors.

More important is that the new slide shows that for PRISM the Unified Targeting Tool (UTT) is used for tasking, which means that this PRISM program is different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which itself is a tasking tool. Before the new slides were released, The Guardian and The Washington Post failed to explain whether PRISM was a single application or a project-like program.

Infographic comparing the PRISM data collection program and the PRISM planning tool
(click for a bigger picture)

Now we know that the PRISM planning tool isn't the application used for tasking the data collection from the internet companies, it's also clear that the PRISM planning tool is used primarily for requesting information needed for military operations and therefore tasks various intelligence sources deployed to those operations. By contrast, the Unified Tasking Tool used under the PRISM program is for requesting information on the national level.

The actual data collection

The actual collecting of the internet data under the PRISM program is not done by the NSA, but by the Data Intercept Technology Unit (DITU) of the FBI. This makes sense, as the FBI is the agency which is primarily responsible for investigating US companies and citizens.

From one source it seems that the Data Intercept Technology Unit was set up in 2011 or 2012 to monitor new and emerging technology with court-authorized intercepts, but this source says that it already existed in 1998 and managed the FBI's e-mail monitoring programs Omnivore and Carnivore. There's a challenge coin of DITU (right) from after 9/11, as it shows pictures of the World Trade Center and the Pentagon.

In it's comments on this slide, The Washington Post says this FBI "interception unit [is] on the premises of private companies", which isn't the case as DITU is an FBI unit based at Quantico, Virginia. They can have equipment installed at sites of the internet companies, but for that no evidence is presented, making one author questioning whether there is such equipment at all.

Initially the DITU was only tapping into the internet and decoding the raw data with the Packeteer en Coolminer tools, as can be read in this document (pdf) from 2010, but according to the PRISM-reporting, the unit can now also order data from companies like Google, Yahoo, Microsoft, Apple and others directly. Google has said that when it receives a valid FISA court order, it delivers the information to the US government through secure FTP transfers or in person. Another option is doing this by using an encrypted dropbox, where an internet company can drop the requested data.

Depending on the company, a tasking may return e-mails, attachments, address books, calendars, files stored in the cloud, text or audio or video chats and metadata that identify the locations, devices used and other information about a target. After collecting, the FBI's Data Intercept Technology Unit passes this information to one or more so called customers at the NSA, the CIA or the FBI itself.

Storage of collected PRISM data

A second slide (below) shows how collected data flows into the various NSA servers. It's the Data Intercept Technology Unit (DITU) of the FBI which collects raw data from the internet companies, and sends them to the NSA. At NSA the data first go to a system called PRINTAURA, which, according to the Washington Post, automates the traffic flow. As we learn from the slide, PRINTAURA is managed by NSA unit S3532.

All NSA offices, operations, units and cells have their own designation, consisting of a letter, followed by some numbers. We remember that the first slide of the PRISM presentation has a line which says "[...] PRISM Collection Manager, S35333" which means the author of the slides was a collection manager attached to unit S35333, which looks closely related to the PRINTAURA unit S3532.

From PRINTAURA data go to a database called TRAFFICTHIEF, which probably stores all the collected data like some kind of backup, allthough in this resume TRAFFICTHIEF is listed as a "Net Centric Capability". Data to be processed are send to a system called SCISSORS, which is managed by unit T132, and from there onto unit S3132 for "Protocol Exploitation". This does the processing of something which is blacked out - probably the specific classified codeword used for these internet data.

This processing sorts the data into different types and protocols and dispatches them to the various NSA databases for storage. But before that, metadata and voice content have to pass FALLOUT and CONVEYANCE. According to the Washington Post, these systems appear to be a final layer of filtering to reduce the intake of information about Americans. All other data once again pass the SCISSORS system.

Finally, the collected data are stored in the following databases:
- MARINA: for internet metadata
- MAINWAY: for phonecall metadata
- NUCLEON: for voice content
- PINWALE: contrary to what many other media say, this database is not only for video content, but also for "FAA partitions" and "DNI content". DNI stands for Digital Network Intelligence, which is intelligence derived from digital networks, or simply: internet content, like forum postings and e-mail and chat messages. The word PINWALE is often combined with the abbreviation UIS, which could expand to something like "Unified Information Storage". Some related digital network intelligence tools are AGILITY and AGILEVIEW.

Analysing collected data

There are no slides available saying what happens with these data after being stored, but The Washington Post says that "After processing, [collected data] are automatically sent to the analyst who made the original tasking. The time elapsed from tasking to response is thought to range from minutes to hours. A senior intelligence official would say only, Much though we might wish otherwise, the latency is not zero."

At the moment it's not clear which tool or application is used to analyse the data gathered from the US internet companies. National security reporter Marc Ambinder says that PRISM itself might be "a kick-ass GUI [graphic user interface] that allows an analyst to look at, collate, monitor, and cross-check different data types".

However, until now there's no evidence for PRISM being such a tool for analysis. Most tools used by NSA employees are listed in job descriptions and the PRISM we see there is always the Planning tool for Resource Integration, Synchronization and Management, that we talked about in our previous posting. Therefore, it's likely that data gathered under the PRISM program are analysed using common NSA analysing tools, like for example a DNI visualization tool called TREASUREMAP.

Based upon what such analysis presents, the NSA analyst uses another tool, like CPE (Content Preparation Environment), to write a report. Such reports are then stored in other databases, like MAUI, which is used for finished NSA intelligence products. Finally, these intelligence reports are available to end users through the Top Secret section of INTELINK, which is the intranet of the US intelligence community.

PRISM case notations

A third slide (below) shows how each target gets a unique PRISM case notation and what the components of these notations are.

Abbreviations: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?);
RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking; CASN = ?

The first position is the designation for each of the providers from which internet data are collected. Some people noticed the numbers jumped from P8 for AOL to PA for Apple, but someone suggests that P9 was maybe assigned to a company that fell out, and that the numbers may be hexadecimal, so the next provider will be PB, followed by PC, etc., as B = 11, C = 12, etc.

The next position of the case notation is a single letter, designating the content type, like e-mail and chat messages, social network postings, but also so-called real-time notifications (RTN) for e-mail and chat events. The Washington Post and other media apparently misinterpreted this by saying that NSA officials "may receive live notifications when a target logs on or sends an e-mail, or may monitor a voice, text or voice chat as it happens".

In the slide, the real-time notifications are clearly listed as being "Content Type" and most of us will know them as the messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client. These notification messages are also available for NSA analysts, but only after being collected and stored, just like all other types of internet content.

Searching the collected data

The fourth new slide (below) is presented by The Washington Post as being about "Searching the PRISM database", but as we just learned from the dataflow slide, there is no single PRISM-database. Data collected from the internet companies go into separate databases, according to the type of data. Some of these databases already existed before the PRISM program was started in 2007.

The content of the slide shows a screenshot of a web based application called REPRISMFISA, which is probably accessible through the web address which is blacked out by the Post. Unfortunately there's no further explanation of what application we see here, but if we look at the word REPRISMFISA we can imagine the application is for going "back to data collected under the PRISM program according to the Foreign Intelligence Surveillance Act (FISA)". Remember also that in one of the earlier slides it's said: "Complete list and details on PRISM web page: Go PRISMFAA".

Above the olive green bar, there is a line saying: "DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // [blacked out] / SI / TK // ORCON // NOFORN" This means that depending on the generated content of the page, it has to be classified as TOP SECRET, with additionally one or several of the following Sensitive Compartmented Information control systems:
- TALENT KEYHOLE (TK - for data collected by space-based collection platforms)
- Special Intelligence (SI - for data from communications intercepts)
- an undisclosed control system marked by a classified codeword, which is blacked out by The Washington Post. Probably this is the codeword used for information which is based upon data derived from the internet companies. As said earlier, "PRISM" is not a codeword used for content, but rather the (unclassified) nickname of the program for collecting raw internet data.

In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This seems to confirm that this application is used to search data collected under the Foreign Intelligence Surveillance Act (FISA), specified for use by NSA, FBI and the Department of Justice (DOJ).

Below these icons there is a search field, to get a partial list of records. The search options seem rather limited, as only two keywords can be entered, with an additonal "and/or" option. At the left there's a column presenting a number of options for showing totals of PRISM entries. For checking the record status, one can click the following options:
- See Entire List (Current)
- See Entire List (Expired)
- See Entire List (Current and Expired)
- See NSA List
- See New Records
- Ownership count

Below this list, the text says: "If the total count is much less than this, REPRISMFISA is having issues, E-MAIL the REPRISMFISA HELP DESK AT [address blacked out] AND INFORM THEM"

The numbers below that text are hardly readable, but the Washington Post says that on "April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database". This sounds like a huge number, but without any further details about these targets it's almost impossible to give some meaningful opinion about it.

Links and Sources

- The Week: Solving the mystery of PRISM
- ForeignPolicy.com: Evil in a Haystack
- WashingtonPost.com: Inner workings of a top-secret spy program
- TechDirt.com: Newly Leaked NSA Slides On PRISM Add To Confusion, Rather Than Clear It Up
- Technovia.co.uk: Something doesn’t add up in the lastest Washington Post PRISM story

New slides about NSA collection programs


Over the last month, the publication of various slides of a powerpoint presentation about the top secret NSA collection program PRISM caused almost worldwide media attention. Less known is that a number of new slides about other NSA collection programs were published on July 6 by the Brazilian newspaper O Globo. These slides were also shown on Brazilian televion, combined with an interview with Guardian-columnist Glenn Greenwald, who lives in Rio de Janeiro. Screenshots of some of the slides shown on Brazilian television became available on Flickr (see Links and Sources).


Brazilian television and the O Globo website presented a whole new series of four slides from what seems to be a presentation about the FAIRVIEW program or maybe the broader "collection of communications on fiber cables and infrastructure as data flows past", which was called "Upstream" in one of the PRISM-slides.

The first slide (below) shows a map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment". As DNI stands for Digital Network Intelligence, this map apparently shows internet traffic to North Korea, as traced by the FAIRVIEW program.

According to O Globo these maps show the amount of exchanged messages and phone calls (allthough DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran. Below we see DNI traffic to Pakistan on March 4 and 5, 2012:

A third slide shows a list op "Top 20 Pakistani domains (.pk)" which where apparently tracked between February 15, 2012 and March 11, 2012:

A fourth slide shows some lines with names of collection managers of OAKSTAR, BLARNEY and what appears to be the STORMBREW and (the hitherto unknown) OCELOT programs. Brazilian television showed this slide uncensored with the names visible, but here we blacked them out:


The Brazilian television also showed one slide from a presentation which wasn't mentioned or seen earlier. The only information we have, is the slide itself and what the O Globo website tells about it:

The slide is titled PRIMARY FORNSAT COLLECTION OPERATIONS, and the O Globo website says it shows a network of 16 operations to intercept transmissions from foreign satellites. The slide shows markings in blue and green, where blue represents "US Sites" and green "2nd Party" for intercepting locations run by partner signals intelligence agencies of the UKUSA Agreement.

- US Sites are at Yakima (US), Sugar Grove (US), Harrogate (Great Britain), Bad Aibling (Germany), New Delhi (India), Misawa (Japan) and three other places.
- 2nd Party Sites are at Cyprus, Oman, Nairobi (Kenya), Geraldton (Australia), New Zealand and two other locations.

Most of these locations were part of the ECHELON satellite intercept program. As the station at Bad Aibling in Germany was closed down in 2004, it seems however, that the slide shows a situation from about 10 years ago.


Already nine slides from the presentation about the PRISM data collection program were published on the websites of The Guardian and The Washington Post. On this weblog we also discussed the first five slides and the following four slides, which were additionally published by the Post.

The Brazilian television showed two new pictures, the first is the fifth slide published by The Guardian, but only showing the world map with fiber optic cables, and without the text balloons about "Upstream" and "PRISM" collection methods, which apparently show up after clicking the original powerpoint presentation:

The slide which is below was not published earlier. Just like the previous slide, this one is also about "FAA702 Operations", which means operations under section 702 of the FISA Amendment Act (FAA) of 2008. The slide shows the same world map with fiber-optic cables, but unfortunately the rest is hardly readable:


Brazilian television showed a whole new set of slides about the X-KEYSCORE program. According to O Globo, X-KEYSCORE detects the nationality of foreigners by analysing the language used within intercepted emails, which the paper claims has been applied to Latin America and specifically to Colombia, Ecuador, Venezuela and Mexico.

On Wikipedia it's explained that X-KEYSCORE is a mass surveillance programme run jointly by the United States' National Security Agency (NSA), Australia's Defence Signals Directorate (DSD), and New Zealand's Government Communications Security Bureau (GCSB), and that it's aimed at surveillance of foreign nationals across the world.

In total, O Globo showed four slides about the X-KEYSCORE program, which are classified as TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL. This means this information can be shared with signals intelligence agencies from Australia, Canada, Great Britain and New Zealand, which are cooperating under the so called UKUSA Agreement.

X-KEYSCORE collects data with the help of over 700 servers based in "US and allied military and other facilities as well as US embassies and consulates" in several dozen countries. These locations are shown on the slide below:

The next slide shows how the collected data of so-called sessions are processed by separating them into different communication information, which are stored in various databases:

According to O Globo the X-KEYSCORE can also track people by localities when they are using Google Maps:

This slide is follewed by one showing a map of Afghanistan and surrounding countries with a lot of coloured marking points, without any clarification of what they represent:

Links and Sources

- Brazilian television report: La CIA y la NSA espiaron mediante satélites desde Brasil & Slides
- O Globo slides: Mapa mostra volume de rastreamento do governo americano
- Cryptome translations: NSA Email and Phone Tracking Programs
- Screenshots on Flickr: NSA Hawaii in USB Made in China

NSA says there are three different PRISMs

(Updated: July 28, 2013)

Yesterday, German media wrote about an official letter from the NSA, which was sent to the German government to clarify some misconceptions about PRISM. This because German media and politics were heavily confused after it became clear that there's more than one program named PRISM.

The NSA letter explains what the PRISM data collection program is about and then confirms that this program is different from a more common military web tool called "Planning tool for Resource Integration, Synchronization and Management" (PRISM).

Surprisingly, the NSA also reveals that there's even a third program called PRISM. In this case the name stands for "Portal for Real-time Information Sharing and Management" and it's apparently an internal NSA information sharing program. It was unknown until now, probably because it's used in the NSA's highly sensitive Information Assurance Directorate (IAD).

Initially: two different PRISMs

Almost immediately after The Guardian and The Washington Post came with their disclosure of PRISM on June 6, some people googled and found out there were also a number of other programs called PRISM. Because both papers failed to clarify the precise nature of PRISM, it seemed that the program could have been the same as a more common application called "Planning tool for Resource Integration, Synchronization and Management" (PRISM). We examined this in an earlier article.

However, this option of both PRISMs being one and the same had to be abandoned after The Washington Post published four new slides from the PRISM-presentation on June 29. These slides presented many new details and also proved that the PRISM which collects data from internet companies is different from the PRISM planning tool. The first operates on the national intelligence level, and the latter is used by the various military commands. These new insights were discussed on this weblog in this article and graphically shown in this figure:

Comparing the PRISM data collection program and the PRISM planning tool
(click for a bigger picture)

Confusion in Germany

On July 17, the German tabloid BILD came with big headlines claiming that troops of the German federal defense forces (Bundeswehr) in Afghanistan already knew about PRISM in 2011. This suggested that the German government was lying, because earlier it had denied all accusations of knowing anything about the PRISM program as unveiled by Edward Snowden.

BILD found "PRISM" mentioned in a confidential e-mail, which the ISAF Joint Command Headquarters in Kabul sent to all Regional Commands (RC) in Afghanistan on September 1, 2011:

Screenshot of the front page of the German tabloid BILD,
as shown on the German television channel ZDF

This publication caused a lot of discussion, so already on the same day, spokesmen from both the German foreign intelligence agency BND and the German defense forces declared that there are two different PRISM programs: the first one being the program unveiled by Edward Snowden, and the second one being a "computer supported US communications system", which is used in Afghanistan "to coordinate US reconaissance systems and to present collected information" - as we can read from this letter of the assistant Defense minister:

Screenshot of a letter from the assistent German Defense minister to the German parliament,
explaining the PRISM confusion, as shown on the German television channel ZDF

Both officials didn't say that the full name of this second PRISM is "Planning tool for Resource Integration, Synchronization and Management", making it harder to proof that both programs are different.

Again this shows severe deficiencies in informing the public and in research by the media. The BILD-article is pure sensationalism. Simply googling key words from sections of the e-mail like "collection management shop", "COMINT nominations [...] must be resubmitted into PRISM" and "SIGINT Operational Tasking Authority" would have rapidly pointed to the PRISM planning tool.

As described earlier, the second PRISM is a so-called tasking tool, which is used to request the intelligence information which is needed for military operations. As such it's the core application of the military intelligence collection management. This PRISM planning tool runs over the intelligence community's JWICS and the military's SIPRNet networks. It was developed by SAIC, first mentioned in 2002 and since then in many job descriptions on the internet.

Only very few media did this kind of research and found out that there are really two different PRISM programs. We can see for example one article at Netzpolitik.org, which connects a bit too many things, and another one at Golem.de, which is based upon research by this weblog.

A letter from the NSA

On July 25, the website of the German newspaper WELT cited a letter which the NSA sent to the German federal government to answer official questions about PRISM. The letter says the media is "confusing two separate and distinct PRISM programs" and continues with explaining what the first program is about:

"The first PRISM pertains to the foreign intelligence collection being conducted under Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA). This is the program that has caught the most attention of our publics, politicians and the media.
This is not bulk collection, and there are restrictions on how long the information can be retained. It is carefully targeted in accordance with a public law and requires court approval and supervision.
A fundamental, protective requirement of FISA is that it restricts the ability of the U.S. Government to obtain the contents of communications from communications service providers by requiring that the court find that the government has an appropriate and documented foreign intelligence purpose, such as the prevention of terrorism, hostile cyber activities or nuclear proliferation."

Screenshot of the letter from the NSA to the German government,
as shown on the German television channel ZDF

According to German media, the NSA letter continues by saying that the second PRISM program is a tool, which is used by US troops in Afghanistan to order and search intelligence information. This is the program mentioned in the ISAF e-mail from 2011 and is clearly the Planning tool for Resource Integration, Synchronization and Management (PRISM), allthough that's not only used in Afghanistan, but also at other US military commands.

Surprisingly and all by itself, the NSA added that there's even a third program called PRISM, which is fully independent from the two PRISM programs mentioned before. In this case the name is also an acronym, which stands for "Portal for Real Time Information Sharing and Management" and the program is apparently used for internal real-time exchange of information.

By now we already have quite some information about the first PRISM program, we know there's a clear distinction from the second PRISM tool and we even learned about a third PRISM. Nonetheless, German opposition leaders said they still hardly know what PRISM is all about, but this seems to be mainly for political ends, as Germany is facing general elections in September.

Now: three different PRISMs

It seems that NSA revealed the existance of the third PRISM program for the very first time, as it never appeared somewhere online before. If we google its full name, the only results are the recent German news reports. The German magazine Der Spiegel came with another quote, which seems to suggest that this third NSA tool "tracks and queries requests pertaining to our Information Assurance Directorate".

If that's correct, it could explain why we never heard of this program. The NSA's Information Assurance Directorate (IAD) is a very secretive division, because it's responsible for safeguarding US government and military secrets by implementing sophisticated encryption techniques.

Probably the most remarkable thing about the new "Portal for Real-time Information Sharing and Management" is not its function, which seems pretty obvious, but the fact that there are three programs with exactly the same name.

But from what we know by now, it also becomes clear that each program is used for different purposes and in different environments: the PRISM data collecting program is part of NSA's Signals Intelligence division, the PRISM planning tool is used for military intelligence and the PRISM information sharing portal in the Information Assurance division of the NSA.

Finally, here's a short summary of all three different PRISM programs:

This is a codeword for an NSA project of collecting information about foreign targets from data of nine major US internet companies. This program started in 2007 and was unveiled by Edward Snowden in June 2013.

2. Planning tool for Resource Integration, Synchronization and Management (PRISM)
This is a web tool used by US military intelligence to send tasking instructions to data collection platforms deployed to military operations. This program is not very secret and was first mentioned in 2002.

3. Portal for Real-time Information Sharing and Management (PRISM)
This is an internal NSA program for real-time sharing of information, apparently in the NSA's Information Assurance Directorate. Its existance was revealed by the NSA in July 2013.

NSA also has arrangements with foreign internet providers

(Updated: September 2, 2013)

Last Tuesday, August 20, the Wall Street Journal came with a big story with new details about the NSA surveillance programs. The article claims that NSA has the capacity to reach roughly 75% of all US internet traffic that flows through domestic fiber-optic cables. However, this was strongly denied by the NSA

The 75% claim got a lot of attention, but most media apparently oversaw a section later on in the article, which reveals a far more sensitive NSA collection method:

"The NSA started setting up Internet intercepts well before 2001, former intelligence officials say. Run by NSA's secretive Special Services Office, these types of programs were at first designed to intercept communications overseas through arrangements with foreign Internet providers, the former officials say. NSA still has such arrangements in many countries, particularly in the Middle East and Europe, the former officials say."

Documents which were recently leaked by Edward Snowden already confirmed that the NSA collects internet data from telecommunication cables going through the United States. But now we learn that also foreign internet providers are cooperating with NSA in order to intercept foreign communications.

For Americans it may be embarrassing that NSA is tapping into domestic internet cables, but for people elsewhere in the world it must be even more embarrassing that their telecommunications provider might have some secret agreement with a foreign intelligence agency.

Here we will combine this with stories about seven British and American internet companies cooperating with the NSA's British counterpart, the Government Communications Headquarters (GCHQ), an intercept base of this agency in the Middle East, a network security agreement between NSA and cable operator Level 3 and the names of some of the tapped fiber-optic cables. All this makes up a relatively clear picture of a global internet surveillance network.

The doughnut-shaped building of GCHQ in Cheltenham, Gloucestershire.

Cooperating with GCHQ

The names of the companies cooperating with GCHQ were published on August 2 by the German newspaper Süddeutsche Zeitung and the NDR television channel. As these are smaller regional media, it seems that The Guardian didn't dare to publish these names themselves. Both media were given access to some top secret GCHQ documents from 2009, partly from an internal system called GC-Wiki, which mention the following telecommunications providers and their codenames:

- Verizon Business (DACRON)
- British Telecom (REMEDY)
- Vodafone Cable (GERONTIC)
- Global Crossing (PINNAGE)
- Level 3 (LITTLE)
- Viatel (VITREOUS)
- Interoute (STREETCAR)

GCHQ has clandestine agreements with these seven companies, described in one document as "intercept partners", in order to give the agency access to their network of undersea cables. The companies are paid for logistical and technical assistance and British Telecom even developed software and hardware to intercept internet data. At GCHQ this collection effort is conducted under the "Mastering the Internet" component of the TEMPORA program.

The identity of the participating companies was regarded as extremely sensitive, in official documents referred to as "Exceptionally Controlled Information" (ECI), with the company names replaced with the codewords. Disclosure of the names would not only cause "high-level political fallout", but would also be very damaging for the trustworthiness of the companies.

One of the doors of room 641A in the building of AT&T in San Francisco,
where the NSA had a secret internet tapping device installed,
which was revealed by an AT&T technician in 2006.

In reaction to these disclosures, Vodafone and Verizon said that they comply with the laws of all the countries in which they operate cables and that they won't disclose any customer data in any jurisdiction unless legally required to do so. This is the same kind of reply some of the US internet companies gave regarding to their alleged involvement in the PRISM program.

Tapping the internet backbone

Together, the seven companies operate a huge share of the high-capacity undersea fibre-optic cables that make up the backbone of the internet's architecture. The German media also noted that these companies also run some important internet nodes in Germany, and for example Interoute owns and operates Europe's largest cloud services platform.

We do not know how many of the internet cables and nodes of these providers have collection and filtering devices attached. Former NSA official and whistleblower William Binney gives quite a large number of major points in the global fiber optic networks where there would likely be Narus, Verint or similar intercepting devices. In this article there's a list of the most likely surveillance nodes on the networks of AT&T, Verizon, BT Group and Deutsche Telekom - situated all over the world.

The Guardian confirms that in 2012 GCHQ had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time. The collected metadata is stored for up to 30 days, while the content of communications is typically stored for three days.

Overview of the undersea fiber-optic cables
Click for an interactive map!

The existance of internet tapping points outside the US and the UK was confirmed in a report by The Independent from August 23. It says GCHQ runs a secret internet-monitoring station at an undisclosed location in the Middle East to intercept and process vast quantities of emails, telephone calls and web traffic on behalf of Western intelligence agencies.

The station is able to tap into and extract data from the underwater fibre-optic cables passing through the region. All of the messages and data passed back and forth on the cables is copied into giant computer storage buffers and then sifted for data of special interest. These data are then processed and passed to GCHQ in Cheltenham and shared with the NSA.

On August 28, new reports by the Italian paper L'Espresso and the international website of the German paper Süddeutsche Zeitung revealed the names of at least 14 undersea fiber-optic internet cables which GCHQ is tapping:

- TAT-14, connecting the United States with the United Kingdom, France, the Netherlands, Germany, and Denmark
- Atlantic Crossing 1, linking the USA and the United Kingdom, the Netherlands and Germany
- SeaMeWe3, which connects Europe, Asia and the Middle East
- SeaMeWe4, linking Europe, North Africa and Asia
- FLAG Europe Asia (FEA), linking Europe to Japan through the Middle East and India
- FLAG Atlantic-1
- Circe North
- Circe South
- Solas
- UK-France 3
- UK-Netherlands 14
- Ulysses 1 and 2, running between Dover and Calais, resp. IJmuiden and Lowestoft
- Yellow
- Pan European Crossing

Network Security Agreements

On July 7, The Washington Post published about a "Network Security Agreement" between the US government and the fiber-optic network operator Global Crossing, which in 2003 was being sold to a foreign company. Global Crossing was later sold to Colorado-based Level 3 Communications, which owns many international fiber-optic cables, and the 2003 agreement was replaced by a new one (pdf) in 2011.

According to the Post, this agreement became a model for similar arrangements with other companies. These ensure that when US government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely. The 2011 agreement with Level 3 clearly says that all domestic communication cables shall pas through a facility from which lawful electronic surveillance can be conducted:

The bottom line here is in the word "lawful". As long as information requests by NSA or GCHQ are lawful, the internet providers will assist in gathering the required data. They even have to.

Corporate Partner Access program

Just like GCHQ, NSA is also paying telecommunication companies. This came out when on August 30, The Washington Post published parts of the highly classified US Intelligence Budget. This revealed that NSA’s Special Source Operations (SSO) division runs a project called Corporate Partner Access, which involves major US telecommunications providers to tap into "high volume circuit and packet-switched networks".

For the fiscal year 2013 this program was expected to cost $ 278 million, down nearly one-third from its peak of $ 394 million in 2011. Among the possible costs covered by this amount are "network and circuit leases, equipment hardware and software maintenance, secure network connectivity, and covert site leases". The total of 278 million breaks down as follows for specific programs:

- BLARNEY: $ 65.96 million
- FAIRVIEW: $ 94.74 million
- STORMBREW: $ 46.04 million
- OAKSTAR: $ 9.41 million

A final $ 56.6 million is for "Foreign Partner Access", but according to The Washington Post it's not clear whether these are for foreign companies, foreign governments or other foreign entities.

The article says that telecommunications companies generally charge to comply with surveillance requests from state, local and federal law enforcement and intelligence agencies. This simplifies the government’s access to surveillance and the payments cover for the costs of buying and installing new equipment, along with a reasonable profit, which makes it also profitable for the companies to cooperate with NSA and other agencies.

2nd and 3rd party countries

We can also expect similar agreements and facilities in Canada, Australia and New Zealand, as the signals intelligence agencies of these countries have a very close information sharing relationship with GCHQ and NSA under the UKUSA-Agreement from 1946. Regarding signals intelligence these countries count as 2nd party allies of the NSA.

One step below, there's a group of around 30 countries that are considered to be 3rd party partners. According to the Snowden-leaks Germany is one of them, but the other countries have not been named. Probably some Scandinavian countries, The Netherlands, Spain and Italy are among them too.

As the Wall Street Journal article says the foreign internet providers are "particularly in the Middle East and Europe", this reminds of a special relationship the United States has with a number of countries in particularly these regions. We know them by the fact that they have a so-called Defense Telephone Link with the US:

- In Europe: Albania, Austria, Bulgaria, Czech Republic, Estonia, Latvia, Lithuania, Macedonia, Poland, Romania, Slovenia and Slovakia.
- In the Middle East: Bahrein, Israel, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates.

Most of these countries are small, dependent on US military support and therefore often willing to cooperate with US intelligence agencies. Of course this doesn't necessarily mean that in all of these countries the NSA has agreements with local internet providers, but the list may give an indication of where we can expect cooperating companies. Having secret arrangements with a foreign intelligence agency is a highly sensitive and tricky business, so internet providers have to be covered by their government.

The new way of intercepting

For the NSA these arrangements with foreign internet providers make good sense. Before the Internet-age, NSA could intercept many communications on its own, for example by placing taps at underwater telephony cables and intercepting satellite transmissions and microwave links. These were the long-distance connections for the public switched telephone network, which also carried most of the early internet traffic.

The 20 feet/6 meter and 6 tons tapping device for a Soviet cable in
the Sea of Okhotsk, which was placed in the 1970's under operation Ivy Bells
and was discovered and removed by the Soviets in 1981.

With the rapid expansion of the internet after the year 2000, the copper cables and satellite and microwave links have been replaced by fiber-optic cables, which are far more difficult to intercept. NSA is reportedly capable of placing taps at underwater fiber cables, but these are of course very cumbersome and costly operations.

Therefore, the way to go was to place taps at locations where the fiber-optic communications are switched. For the internet, much of the switching occurs at relatively few sites, but this has to be done with the help, or at least the knowledge, of the companies who are operating these sites.

Before 2001, NSA was only authorized to intercept communications with both ends being foreign. So the first internet providers to cooperate with had to be outside the US. But due to the very nature of the internet, NSA soon found out that it was increasingly difficult to keep foreign and domestic communications separated.

For that reason president George W. Bush secretly authorized NSA to also wiretap international communications where just one party is believed to be affiliated with terrorism. Under this new authority NSA could now also involve American telecommunication providers, first those providing hardware transmissions (AT&T, Verizon, etc) and later companies offering the software for today's communications (Microsoft, Google, Apple, etc).

Nothing really new

Now, NSA and its UKUSA partners are cooperating with a range of national and foreign internet providers, which gives them access to the main internet cables and switching points all around the world. This is just like they operated the ECHELON network with listening stations worldwide, intercepting the former satellite communications.

For some people all this may sound like Snowden's claim about the NSA being able to eavesdrop on every conversation of everyone in the world, but there's no evidence for that. NSA does want access to as many communication channels as possible, but only for gathering information about enemies of the United States, not about ordinary people. Given the enormous amount of data traffic, NSA will just do everything to gather that info as focussed and efficiently as possible - more about that next time.

(This article was updated with info about the Level 3 agreement, the British base in the Middle East, the names of the fiber-optic cables and the budget for cooperation of telecom providers)

Links and Sources

- Wall Street Journal: New Details Show Broader NSA Surveillance Reach
- Süddeutsche Zeitung: Snowden enthüllt Namen der spähenden Telekomfirmen
- The Guardian: BT and Vodafone among telecoms companies passing details to GCHQ
- The Washington Post: Agreements with private companies protect U.S. access to cables’ data for surveillance
- Süddeutsche Zeitung: British Officials Have Far-Reaching Access To Internet And Telephone Communications
- Interactive map: Submarinecablemap.com

The 50th anniversary of the Washington-Moscow Hotline


This Friday, August 30, it's exactly 50 years ago that a direct communication link between the United States and Russia became operational. This Washington-Moscow Hotline is one of the most famous top level communications systems in modern history.

Many people think the Washington-Moscow Hotline uses red phone sets, but that's a myth. The Hotline never was a telephone line as it started with teletype terminals, later replaced by facsimile equipment. Since 2008 the Hotline uses secure e-mail, as can be seen in this most recent picture of the Hotline terminal in the Pentagon:

The Washington-Moscow Hotline terminal room at the Pentagon, 2013
Presidential communicator Navy Chief Petty Officer John E. Kelley (seated) and
senior presidential translator Lt. Col. Charles Cox man the hotline terminal
(photo: www.army.mil)

For the full history and more unique historical pictures of the Hotline, see our updated story from last year: The Washington-Moscow Hotline

A small event to celebrate the 50th anniversary will be held this Thursday, August 29, at Fort Detrick in Maryland, where the satellite ground station of the American end of the Hotline is situated. The event includes as guest speakers the former American ambassador, Jack Foust Matlock, Jr. and a son of the former Soviet Premier Nikita Khrushchev, Dr. Sergei Khrushchev.

There seems to be no commemoration involving the American and Russian presidents. Maybe this is due to the fact that the relationship between both countries has troubled after Edward Snowden, who leaked many top secret documents from the NSA, was granted asylum in Russia recently.

Some articles about the 50th anniversary of the Hotline:
- Army.mil: Hotline, now 50 years old, continues to promote dialog with Russians
- FoxNews.com: 50 years later, hotline to Washington-Moscow hotline still relevant
- RussianReport: Washington – Moscow “hotline” turns 50 years old this month
- Itar-tass.com: "Горячая линия" связи между Москвой и Вашингтоном отметила полувековой юбилей
- Redstar.ru: На связи – Белый дом

The red phone that was NOT on the Hotline


Today, it's exactly 50 years ago that the famous Washington-Moscow Hotline became operational. Allthough this link has always been for written communications only, many people think there are red telephones on the Hotline, as this is often depicted in popular culture.

One wide-spread image is from the article about the Hotline on the online encyclopedia Wikipedia. It shows a non-dial red telephone which is on display in the Jimmy Carter Library and Museum in Atlanta, Georgia:

Much of the confusion about the real purpose of this phone was due to the fact that in this picture, the text on the plate below the phone wasn't readable. But now, upon request of this weblog, the curator of the Jimmy Carter Library and Museum kindly provided the text, which reads as follows:

During Jimmy Carter’s presidency, the “red phone” was a hotline to the Kremlin in Moscow. A U.S. president could pick up the phone and speak directly to Soviet leaders in times of crisis.

The text is about a red phone used for the Hotline, but more important is the fact that the telephone which is on display, is just a reproduction. This is also confirmed by the curator, who said that this phone is a prop that the exhibition designer wanted to use.

Now it's clear that the actual red phone in the picture was never used on the Hotline between Washington and Moscow, nor on any other secure telephone network (allthough red phone sets were regularly used for predecessors of the Defense Red Switch Network, which is the main secure voice network of the US military).

The picture on Wikipedia shows just an ordinary phone set, like the ones that are quite commonly used for emergency telephone lines of any kind which don't require a dialing capability. Probably because the designer of the exhibition at the Jimmy Carter Museum also thought there were red telephones on the Hotline, such a common phone set was used to represent this.

For people visiting the museum it must have looked like a confirmation of their idea of the red phone hotline. When someone uploaded a picture of this phone to Wikipedia in March 2011, it soon found its way to articles about the Washington-Moscow Hotline in eleven languages, most of them erroneously saying the Hotline also having a voice capability. It was only after research done for this weblog, which resulted in an extensive article about the Hotline last year, that some of the Wikipedia articles were corrected.

What the Washington-Moscow Hotline looks nowadays: the terminal room
at the Pentagon showing the secure computer link equipment
(photo: www.army.mil, 2013)

An NSA eavesdropping case study


On September 1, the popular Brazilian television news magazine Fantástico reported about an NSA operation for wiretapping the communications of the presidents of Mexico and Brazil. Fantástico is part of the Globo network, which already disclosed various top secret NSA presentations last July.

Now, the Brazilian magazine showed some new top secret NSA documents, like a powerpoint presentation about the eavesdropping operation, which were all among the thousands of documents which Edward Snowden gave to Guardian journalist Glenn Greenwald in June.

Fantástico also published the slides on their website, but as that's only in portuguese, we show these slides too, because they give a nice graphical insight in how the NSA intercepts foreign communications.

The Fantástico news magazine started showing a cover sheet of a presentation which bears the logo of the SIGDEV Strategy and Governance division of the NSA, where SIGDEV stands for SIGINT Development. However, it's not quite clear whether this division is also responsible for the eavesdropping operation which is shown below.

The presentation was prepared in June 2012 by a hitherto unknown division of the NSA, which is still only known by the abbreviation SATC. The Fantástico website says this stands for "Secure and Trustworthy Cyberspace" (SaTC), but that's actually a program of the US National Science Foundation. Brazilian television briefly showed the name of the author of the presentation, but here we blacked that out.

This slide shows the overall classification level of the presentation: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL. This means the information is Top Secret, contained in the COMINT (Communications Intelligence) control system and is only to be released to the US and it's "Five Eyes" or UKUSA partners: the UK, Canada, Australia and New Zealand.

The first target of the operation were the Brazilian president Dilma Rousseff and her key advisers. The information was analysed by NSA unit S2C42 which is focussed on the Brazilian leadership. This unit is part of the NSA's S2C production line for International Security.

The second target of the operation was the then Mexican candidate for the presidency, Enrique Peña Nieto. The information was analysed by NSA unit S2C41 which is the Mexican Leadership Team and is also part of the S2C production line for International Security.

This slide shows that the actual intelligence gathering process starts with a few DNI Selectors (like e-mail or IP addresses) which act as seeds growing into a 2-hop contact graph. This graph shows all the addresses which had 2-hop or 2-step contacts with the original seed addresses.

Below the graph is the word SCIMITAR, seen here for the first time, which could be a tool to create such contact graphs, or maybe a database containing metadata from which these contacts can be derived.

From the 2-hop contact graph NSA apparently discovered new selectors (e-mail or IP addresses) associated with the Brazilian president and her advisers. Another slide, which was not published, is said to show all the names associated with the colored dots in this graph.

On overview of the whole process is shown in this slide:

1. Selectors, like known e-mail adresses or phone numbers related to EPN (Enrique Peña Nieto) are used as seeds to start the process.

2. The initial seeds lead to 2-hop graphs, apparently based upon metadata which are in the databases mentioned below the graph: MAINWAY is the NSA's database of bulk phone metadata, CIMBRI is seen here for the first time, and could be another kind of metadata database. JEMA probably stands for Joint Enterprise Modeling and Analytics, which is a tool that allows analysts to create more complex analytic scenarios.

3. Next, addresses discovered by creating the contact graphs can act as selectors for collecting SMS messages. For this the MAINWAY database is used too, just like ASSOCIATION, which, according to the Fantástico website, gathers information circulating on social networks.

4. Finally, these messages go to a filter named DISHFIRE, which searches them for certain keywords.

The next three slides show somewhat more about the specific elements of the process:

This slide shows two "interesting messages", proving that also content of text messages was collected. In the two quoted passages, the Mexican presidential candidate Enrique Peña Nieto is in discussion with some of the designated ministers of his future government. Parts of the messages are blacked out by Brazilian media.

The presentation concludes that there was a successful cooperation between the mysterious unit SATC and the Latin American units from the S2C International Security division. This led to a successful implementation of contact filtering by using graphs, resulting in the interception of communications of high-profile, security-savvy Brazilian and Mexican targets.

This presentation gives insight in a specific eavesdropping operation, but also gives a good idea of how NSA is collecting information from the internet in general, for example through PRISM and various other programs which gather data from internet backbone cables.

Allthough the presentation is clarifying, it could also have been published without mentioning the specific targets involved. Showing that this operation targeted the presidents of Mexico and Brazil did not serve a public interest, but unnecessarily damaged the relationship between the United States and both countries.

Glenn Greenwald seemed to justify the publication by saying that the presentation proved that NSA was also intercepting the content of phone calls and e-mail messages. After earlier disclosures, the US had said that they only collect bulk metadata from Brazil and no content. But of course this statement only applied to ordinary citizens, as eavesdropping on foreign political and military leaders is generally considered to be a legal activity of (signals) intelligence agencies.

Greenwald, who lives in Rio de Janeiro, also said that "most of the spying they [= the US] do does not have anything to do with national security, it is to obtain an unfair advantage over other nations in their industrial and commerce economic agreements". But with this motive he also acts more in the national interest of Brazil, or at least like an activist, than as a journalist working for the public interest.

Links and Sources
- Globo.com: Documentos revelam esquema de agência dos EUA para espionar Dilma
- Cryptome.org: Translation in English
- The slides with Portuguese description: Veja os documentos ultrassecretos que comprovam espionagem a Dilma
- Bloomberg.com: U.S. Spied on Presidents of Brazil and Mexico, Globo Reports

The US classification system


Top Level Telecommunications often involve information that has to be kept secret. To ensure that, governments have systems to protect sensitive information by classifying it, which is best known from document markings like "Top Secret".

Here we'll explain the classification system of the United States, which is far more complex than most people think, also because it's one of the world's biggest secrecy systems. In 2012 almost 5 million (!) people in the US had a clearance for access to classified information.*

The deeper parts of this classification system are classified, but some new details and codewords have been revealed in documents from the recent Snowden-leaks.

Classification markings

All documents that contain classified information, whether digital or hard copy, have to be marked with the appropriate markings. These are shown in the classification or banner line, which is shown at the top and bottom of every document and usually has three parts, separated by double slashes:

Additionally, all sections of a document should have a portion marking, which is an abbreviation of the full classification line. Below, the abbreviations for these portion markings are shown in brackets.

When a document contains joint or Foreign Government Information (FGI), the necessary markings are shown in a separate part of the classification line. These markings will not be discussed here.

The meaning of abbreviations and codewords can be found in the separate listing of Abbreviations and Acronyms and the listing of Nicknames and Codewords.

Classification levels

The United States government classifies information according to the degree which the unauthorized disclosure would damage national security. Like many other countries, the US has three classifications levels. From the highest to the lowest level these are:


Government documents that do not have a classification can be marked as:

With 1.4 million people having a Top Secret clearance, it's more than clear that additional measures are needed to protect the more sensitive information. Therefore, that information is put in separated compartments, only accessible for those people who have the 'need-to-know'.
This is called Sensitive Compartmented Information (SCI) for intelligence information, while other highly secret and sensitive information is protected by a Special Access Program (SAP). Both sub-systems will be explained below.

SCI compartments

Sensitive Compartmented Information (SCI) is a system to protect national intelligence information concerning sources and methods, and is divided into control systems and compartments, which are further subdivided in subcontrol systems and subcompartments. These systems and compartments are usually identified by a classified codeword, some of which have been declassified. In total, there may be between 100 and 300 SCI compartments and subcompartments, grouped into about a dozen control systems.
Known and supposed SCI control systems are:
- COMINT or Special Intelligence (SI)
- HUMINT Control System (HCS)
- BYEMAN (BYE or B, defunct since 2005)
- LOMA (?)
- Special Navy Control Program (SNCP)
- an undisclosed codeword has the abbreviation OC

In a classification line this is shown like: TOP SECRET//SI

Multiple control systems are shown like: TOP SECRET//SI/TK

This control system is for communications intercepts or Signals Intelligence and contains various sub-control systems and compartments, which are identified by an abbreviation or a codeword. In a classification line they follow COMINT or SI, connected by a hyphen.

Known COMINT sub-control systems are:
- Very Restricted Knowledge (VRK)
- Exceptionally Controlled Information (ECI)
- DELTA (D, now defunct)

In a classification line this is shown like: TOP SECRET//SI-ECI

Exceptionally Controlled Information (ECI)
This sub-control system of SI contains compartments, which are identified by a classified codeword. In the classification line there's a three-letter abbreviation of this codeword.

Recently disclosed codewords for ECI compartments are:
- AMBULANT (AMB), APERIODIC, AUNTIE, PAINTEDEAGLE, PAWLEYS, PENDLETON, PIEDMONT, PICARESQUE (PIQ) and PITCHFORD. There's also an undisclosed codeword which has the abbreviation RGT.

In a classification line this is shown like: TOP SECRET//SI-ECI PIQ

Multiple compartments are shown like: TOP SECRET//SI-ECI PIQ-ECI AMB

This sub-control system of SI is for highly sensitive communication intercepts and contains compartments, which are identified by an identifier of four alphanumercial characters. In the past this were four-letter codewords, but it's not clear whether this practice is still used today.

Some former GAMMA compartments were:

In a classification line this is shown like: TOP SECRET//SI-G GUPY

This control system is for products of overhead collection systems, such as satellites and reconnaissance aircraft, and contains compartments, which are identified by a classified codeword.

Some former TK subcompartments were:

In a classification line this is shown like: TOP SECRET//TK-ZARF

SAP compartments

Special Access Programs (SAP) are created to control access, distribution, and protection of particularly sensitive information. Each SAP is identified by a nickname which consists of two unassociated, unclassified words or a single classified codeword. Such an identifier is abbreviated in a two or three-character designator.

There are apparently over 100 SAPs, with many having numerous compartments and sub-compartments. The classification line for SAP information shows the words SPECIAL ACCESS REQUIRED (SAR), followed by the program nickname or codeword. Examples of program nicknames are BUTTER POPCORN, MEDIAN BELL, SENIOR ICE and SODA.

In a classification line this is shown like: TOP SECRET//SAR-MEDIAN BELL

Multiple SAP's are shown like: TOP SECRET//SAR-MB/SAR-SD

SAP sub-compartments
Subcompartments of SAPs are separated by spaces and they are listed in ascending alphabetic and numeric order. The classification markings do not show the hierarchy beyond the sub-compartment level. Sub-sub-compartments are listed in the same manner as sub-compartments.

In a classification line this is shown like: TOP SECRET//SAR-MB A691 D722

Dissemination markings

Dissemination markings or caveats are used to restrict the dissemination of information within only those people who have the appropriate clearance level and the need to know the information. Dissemination markings can also be used to control information which is unclassified. Some markings are used by multiple agencies, others are restricted to use by one agency.

Markings used by multiple agencies:

Intelligence community markings:
- REL TO [country trigraph]

National Security Agency (NSA) markings:
- [country trigraph] EYES ONLY

National Geospatial intelligence Agency (NGA) markings:
- one undisclosed marking

Department of Defense (DoD) markings:

State Department (DoS) markings:

Drug Enforcement Administration (DEA) markings:

Nuclear weapons related markings:

In a classification line this is shown like: SECRET//SI//ORCON

Multiple markings are shown like: SECRET//SI//ORCON/NOFORN

Nuclear weapons related markings
The markings Restricted Data (RD) and Former Restricted Data (FRD) are used by the Department of Defense and the Department of Energy for information about design and operation of nuclear warheads. Both can have the following two additional sub-markings:

- SIGMA (SG, followed by a number between 1 and 99)

In a classification line this is shown like: SECRET//RD-CNWDI

Multiple SIGMA markings are shown like: SECRET//RD-SIGMA 2-SIGMA 4

National Security Agency (NSA) markings
The Intelligence Community classification manual from 2009 lists four undisclosed dissemination markings which are used by the NSA. Maybe these are the same, or similar to a new kind of markings which were unveiled by the Snowden-leaks in 2013, but were already used in 2010. These markings are used to identify a COI, which apparently stands for Community Of Interest. COI identifiers are shown at the very end of a classification line.

Recently disclosed COI identifiers are:
- NOCON (this could be an abbreviation of No Contractors)

In a classification line this is shown like: TOP SECRET//SI//NOFORN/BULLRUN

Links and Sources

- Wikipedia articles:
&nbsp - Classified information in the United States
&nbsp - Sensitive Compartmented Information
&nbsp - Special access program
- The 2010 Project BULLRUN Classification Guide
- The 2009 Intelligence Community Classification and Control Markings Implementation Manual (pdf)
- Article about Security Clearances and Classifications
- Some notes about Sensitive Compartmented Information

PRISM as part of the BLARNEY program

(Updated: September 23, 2013)

Last June, the still on-going Snowden-leaks started with the unveiling of PRISM, an NSA program which collects information about foreign targets from American internet companies like Facebook, Google, Yahoo and Microsoft.

Since then, no new information about PRISM was published, but recently some new details could be found. These show that PRISM is part of another NSA program, codenamed BLARNEY, and that US-984XN is not a single designator for PRISM, but stands for multiple designators, one for each of the internet companies.

New slides

On September 8, the Brazilian television news magazine Fantástico aired a report about the NSA trying to access the network of the Brazilian oil company Petrobras. In the background of this report, a number of hitherto unseen NSA slides were shown.

One of the slides shows details about the BLARNEY program, which has the SIGAD, or SIGINT Activity Designator US-984 and the PDDG, or Producer Designator Digraph AX. The slide says that BLARNEY collects DNR (telephony) and DNI (internet) communications under authority of the FISA court. Main targets of the program are diplomatic establishments, terrorists, foreign governments and economic targets:

Top left the slide shows the NSA seal and top right we see a green leprechaun hat with a clover leaf, symbolizing Blarney, as this is also the name of a small town in Ireland.

However, the most intesting fact is that the BLARNEY SIGAD US-984 is almost the same as US-984XN, which is prominently shown on the first slide of the PRISM presentation that was published in June:

This similarity indicates that PRISM is part of BLARNEY, which is also suggested in the Wikipedia article about the latter program.


Wikipedia also has a good article about the SIGAD or SIGINT Activity Designator itself, which teaches us that a SIGAD with two letters followed by three or four numbers, like US-984, is for identifying signals intelligence collection programs and activities.

An additional alphabetic character is added to denote a sub-designator for a subset of the primary collection unit, like a detachment. Lastly, a numeric character can be added after the aforementioned alphabetic to provide for a sub-sub-designator. This already confirms that with the designation US-984XN, PRISM is a sub-program of BLARNEY.

But there's more. In the Wikipedia-article the SIGADs are represented like XX-NNNxn, where an X represents an alphabetic character and an N represents a numeric character. Here we see the same XN-suffix as in the alleged PRISM designator US-984XN, so it seems that XN is only meant as a placeholder for the actual designations of PRISM subsets.

This is confirmed by another slide from Brazilian television, which says that the SIGAD US-984X stands for multiple programs and partners collecting under FAA authority:


In one of the PRISM slides published in June, there's an explanation of the PRISM case notations. These start with a designation for each PRISM provider, like P1 for Microsoft, P2 for Yahoo, etc. (the first position in the slide below). These designators fit the XN-scheme of one alphabetic character followed by one numeric character.

If we combine this, it seems likely that instead of US-984XN as a single PRISM SIGAD, there are multiple SIGADs, one for each of the internet companies:
- Microsoft: US-984P1
- Yahoo: US-984P2
- Google: US-984P3
- Facebook: US-984P4
- PalTalk: US-984P5
- YouTube: US-984P6
- Skype: US-984P7
- AOL: US-984P8
- Apple: US-984PA

After P8 for AOL, the final number becomes the letter A for Apple. Maybe this is because more than nine companies became involved, and so NSA chose to go on with hexadecimal numbers, so PA can be followed by PB, PC, etc.

Having separate SIGADs for each internet company makes sense, because a SIGAD identifies a specific facility where collection takes place, like a ship or a listening post. PRISM as a program is not such a facility, but comprises a number of them.

The notation of the multiple PRISM SIGADs is also more like that of other collection facilities, for example AFP-827F2 for a CANYON-class satellite and US-987LA and US-987LB for the Bavarian and Afghanistan listening posts of NSA's German partner-agency BND.


Under BLARNEY, information is collected from both telephone and internet communications. The program was started in 1978 under the authority of the Foreign Intelligence Surveillance Act (FISA), which was enacted in the same year for regulating foreign intelligence collection in which communications of Americans could be involved. The SIGAD for BLARNEY collection under this initial FISA authority is US-984.

According to a report of the Wall Street Journal, BLARNEY was established with AT&T, for capturing foreign communications at or near key international fiber-optic cable landing points, like the AT&T facility Room 641A in San Francisco that was revealed in 2006. A similar facility was reportedly built at an AT&T site in New Jersey.

After the 2001 attacks these intercept capabilities were expanded to top-level telecommunications facilities within the United States, like main switching stations for telephone and internet traffic. These are accessed through arrangements with American internet backbone providers. Finally companies providing internet services like Microsoft, Google and Facebook were added.

Since 2008 this collection takes place under authority of the FISA Amendments Act (FAA) and the dedicated BLARNEY sub-programs and corporate partners are identified by SIGADs in the format US-984X. Except for PRISM, none of them are publicly known.

A chart showing the top ten SIGADs under US-984X is presented in the slide below, but unfortunately, the details aren't readable:

According to the recently disclosed US Intelligence Budget, NSA pays 65.96 million USD for costs made by corporate partners under the BLARNEY program. As PRISM is part of BLARNEY, it's possible that part of that money is also for expenses made by the internet companies like Facebook, Google and Yahoo.

When PRISM was unveiled in June, the Guardian said this program was one of the main contributors to the President's Daily Brief, the top-secret document which briefs the US president every morning on intelligence matters. Being the PRISM parent program, BLARNEY is also one of the top sources to this document. According to a report by Der Spiegel, some 11,000 pieces of information reportedly come from BLARNEY every year.

Some more information about BLARNEY is in another slide that was shown on Brazilian television:

Click for a readable version

Among other things, the slide says that BLARNEY is used for gathering information related to counter proliferation, counter terrorism, foreign diplomats and governments, as well as economic and military targets. PRISM seems to be used against more or less the same targets, as can be seen in a lesser known slide of the famous PRISM powerpoint presentation:

Once again this makes clear that programs like BLARNEY and PRISM are used to gather information about the usual strategic and tactical topics and therefore not for spying on Americans or other ordinary people.

(Updated on September 23 with the slide describing US-984X, the slide with the PRISM topics and some additional information from the WSJ report)



On September 5, The Guardian, The New York Times and ProPublica jointly revealed that NSA has a top secret program to break encryption systems used on the internet. This is done by for example inserting vulnerabilities into commercial encryption and IT systems. This program is codenamed BULLRUN, which, according to NSA documents, is not a regular sensitive information compartment, but a "secure COI".

COI or CoI stands for Community of Interest, a more common computer security feature by which network assets and/or users are segregated by technological means. This is done through a logical or physical grouping of network devices or users with access to information that should not be available to the general user population of the network. According to the 2011 Classification Manual (pdf), information residing on secure COIs may not be taken out of the COI or moved to other databases without appropriate approval.

ECI = Exceptionally Controlled Information; PTD = Penetrating Target Defences
IIB = Initial Infrastructure Build ?

According to a GCHQ briefing sheet about BULLRUN, there are at least two other COIs: ENDUE and NOCON, both for sensitive materials. These Community of Interest codenames were revealed here for the first time. For classification purposes they are treated as dissemination markings: they appear at the very end of a classification line, separated from other markings (like NOFORN and ORCON) by a single forward slash. For example: TOP SECRET//SI//NOFORN/BULLRUN


As the COI codenames BULLRUN, ENDUE and NOCON are used within a Top Secret environment for highly sensitive NSA operations, it was quite a surprise to find the NOCON marking on another document too: an appendix (pdf) of a very secret NSA document. This appendix is about Public Key crypto systems and has no date, but seems to be from the 1980s. It was declassified by the NSA in March 2007 upon request of the Cryptome website:

The document was marked TOP SECRET UMBRA LACONIC NOCON. This old style classification marking (without slashes between the categories and terms) means that the document has the overall classification level TOP SECRET and was protected by putting it in the UMBRA compartment, which was designated for the most sensitive communications intercept material. The LACONIC and NOCON markings will be explained below.


The function of LACONIC is clarified in the NSA's internal Cryptolog (pdf) magazine, 2nd issue from 1988, which says that LACONIC is not a clearance or a classification, but a handling control marking. It's described as a restrictive distribution indicator for certain techniques - what kind of techniques is blacked out. Access to documents marked with LACONIC does not require a special clearance, but the reader must have a need to know certain details about those undisclosed things.

An indication about what kind of techniques are blacked out can be found in the Cryptolog (pdf) issue of January/February 1986. There it's said that "LACONIC access" is required for attending the CRYSCO-86 conference about computer technology and cryptanalysis, so it seems likely that LACONIC is about sensitive computer codebreaking techniques.

This comes close to the BULLRUN program and therefore it's not unthinkable that LACONIC was one of its forerunners, allthough according to the New York Times, the direct predecessor of BULLRUN was a program codenamed MANASSAS.

The LACONIC marking was retired as of October 2006 and apparently replaced by a new compartment within the control system for Exceptionally Controlled Information (ECI).


In addition to restricting access to people with the need-to-know, the 1988 Cryptolog explanation says that LACONIC was also designed to deny access to contractors and consultants. Therefore, LACONIC had always to be accompanied by the NOCONTRACT marking. Apparently this marking could also be shortened to NOCON, as can be seen in the aforementioned document about public key crypto systems.

The Director of Central Intelligence Directive (DCID) 1/7 from April 12, 1995 ruled that as from that date, the NOCONTRACT marking should not be used anymore. This because it had "clearly outlived [its] usefullnes". Officials could now release intelligence bearing the NOCONTRACT marking to appropriately cleared and access-approved contractors. It's no surprise that this came at a time when US intelligence agencies started their large-scale outsourcing to private contractors.

However, it seems strange that Directive 1/7 eliminated the NOCONTRACT marking in 1995, but at the same time we still see NOCON as a COI in recent BULLRUN documents. A possible explanation could be that NSA still wanted to keep some sensitive materials out of the hands of contractors, and therefore continued to use the NOCON marking internally.

This could also explain the fact that NOCON, like the BULLRUN and ENDUE COI markings, are not listed in the extensive classification marking manuals for the intelligence community. The 2010 BULLRUN Classification Guide confirms that "the BULLRUN data label (for use in databases) and marking (for use in hard- or soft copy documents) are for NSA/CSS internal use only".


At least since the 1980s, NSA used the LACONIC marking to protect sensitive information, which was probably related to computer codebreaking techniques. Whether LACONIC was for internal NSA use only is not entirely clear, but as LACONIC material was not meant for contractors and consultants, it had to be accompanied by the NOCONTRACT marking which was used throughout the intelligence community.

After the general use of NOCONTRACT or NOCON was prohibited in 1995, NSA seems to have continued it as an internal marking. Similar are the probably more recent markings ENDUE and BULLRUN, which are all used for highly sensitive information that is protected by putting it in separated and secured parts (COIs) of NSA's internal computer networks.

What are SIGADs starting with DS for?

(Updated: November 7, 2013)

Recently, some new NSA powerpoint presentations were published which mention communication intercept facilities with designators like DS-200, DS-200B, DS-300 and DS-800.

These don't fit the regular format for such SIGINT Activity Designators (SIGADs), as they normally begin with two letters indicating one of the UKUSA or Five Eyes-countries: US for the United States, UK for the United Kingdom, CA for Canada, AU for Australia and NZ for New Zealand.

Initially, the Washington Post wrote that DS referred to NSA's Australian counterpart, the Defence Signals Directorate, probably because of its abbreviation DSD, although this agency was recently renamed to Australian Signals Directorate or ASD. Later the Post corrected this and now says DS refers to the British signals intelligence agency GCHQ (see below)


But there's another lead. In the third slide of a presentation about SSO Collection Optimization, which was published by the Washington, we see that the collection facility designated DS-200B is codenamed MUSCULAR.

This codename was mentioned earlier in a document with Frequently Asked Questions (pdf) about the BOUNDLESSINFORMANT tool. On page 2 it reads:
"Only metadata records that are sent back to NSA-W through FASCIA or FALLOUT are counted. Therefore, programs with a distributed data distribution system (e.g. MUSCULAR and Terrestrial RF) are not currently counted."

The first sentence is about data sent back to the NSA headquarters in the Washington-area (NSA-W) through FASCIA or FALLOUT, which are ingest processors for phone and internet metadata respectively.

In the second sentence we see MUSCULAR mentioned as an example of programs with a "distributed data distribution system". Another example is the interception of Terrestrial RF (Radio Frequency), which are communications through microwave radio relay systems.

Presently, it's not clear what the "distributed data distribution system" might be, but for now it's interesting that this description could very well fit the abbreviation DS.

A SIGAD like DS-200 might then stand for a particular (Distributed Data) Distribution System, not related or bound to a specific country, like the regular SIGADs starting with the country codes.

As "data distribution" is a way to describe how files are stored in data clouds, it's probably a good guess that also in this case, the "distributed data distribution system" may refer to one or more NSA data clouds. This could also explain the fact that the SIGADs starting with DS don't fit the country code scheme, this because the data cloud might be a repository shared by all five UKUSA partners.

DS-200: GCHQ Special Source collection

On October 30, the Washington Post provided more details about the MUSCULAR program, with a follow-up on November 4. Attached to that story are a number of new slides showing that MUSCULAR is a joint NSA-GCHQ operation to collect data by tapping the main communication links which connect the Yahoo and Google data centers around the world. This interception takes place at a "large international access located in the United Kingdom".

More specific, the MUSCULAR "distributed data distribution system" is described by Sean Gallagher as a way to collect, filter, and process the content from the internal networks of Google and Yahoo. For doing this, the data streams, which are optimized by Google and Yahoo to be sent across wide-area networks over multiple simultaneous data links, have to be broken apart again. After that, the system separates the traffic which is of intelligence interest from the vast amount of intra-data center communications that have nothing to do with user activity.

One slide, titled "2nd Party Accesses", shows that DS-200B/MUSCULAR is a sub-program of DS-200, which is "NSA's reporting of GCHQ's "Special Source" collection", where Special Source means gathering data from private companies:

Unfortunately, the rest of the slide is completely blacked out, so we aren't even allowed to see the other SIGADs which may also be part of the DS-200 program. Nevertheless we learned from other sources about the existance of facilities designated DS-200A and DS-200X, which are clearly sub-programs of DS-200, and therefore probably similar private network tapping operations as MUSCULAR.


In an explanation of a screenshot of the BOUNDLESSINFORMANT tool, the Washington Post says that the SIGAD DS-300 refers to INCENSER, which is another high-volume cable tapping operation, jointly run by NSA and GCHQ. But INCENSER is not just "another" cable tapping operation, it's a far bigger program, collecting over 14 billion metadata records, which is 77 times as much as MUSCULAR!

Both MUSCULAR and INCENSER are part of WINDSTOP. According to the Washington Post, this is an umbrella program for at least four collection systems which are jointly operated by NSA and one or more 2nd Parties (2P) - the signals intelligence agencies of Britain, Canada, Australia and New Zealand.


A report by Brazilian television magazine Fantastico from October 6, about how American and Canadian intelligence agencies tried to intercept communications from the Brazilian Ministry of Mines and Energy. A program codenamed Olympia shows step-by-step how all the ministry’s telephone and computer communications were mapped.

Reconstruction of a slide showing the interception of the
communications of the Brazilian Ministry of Mines and Energy
(click for a bigger version!)

Links and Sources
- ArsTechnica.com: How the NSA’s MUSCULAR tapped Google’s and Yahoo’s private networks
- Golem.de: Dokumente belegen Zugriffe auf Google- und Yahoo-Clouds

BOUNDLESSINFORMANT only shows metadata

(Updated: November 5, 2013)

Yesterday, the French paper Le Monde broke with a story saying that NSA is intercepting French telephone communications on a massive scale. This is mainly based upon a graph from the BOUNDLESSINFORMANT program, which shows that during one month, 70,3 million telephone data of French citizens were recorded by the NSA.

Here, it will be clarified that the BOUNDLESSINFORMANT tool only shows numbers of metadata. Also some screenshots will be analysed, showing information about the collection of:


As the Le Monde article, written by Jacques Follorou and Glenn Greenwald, failed to clarify the exact nature of the 70,3 million, it was unclear whether this number was about metadata or also about the content of phone calls. Combined with some sensationalism, this led to headlines like U.S. intercepts French phone calls on a 'massive scale'.

But this is incorrect. According to a presentation and a FAQ document, the BOUNDLESSINFORMANT tool is for showing the collection capabilities of NSA's Global Access Operations (GAO) division, which is responsible for intercepts from satellites and other international SIGINT platforms.

The program presents this information through counting and analysing all DNI (internet) and DNR (telephony) metadata records passing through the NSA SIGINT systems.

This means, all figures shown in the BOUNDLESSINFORMANT screenshots are about metadata and not about content. It is unclear how many phone calls are represented by the numbers of metadata records, but it's likely much less.

So for France, we only know for sure that NSA collected 70,3 million metadata records and not how many phone calls were actually intercepted in the sense of recording the call contents.

It should also be noted that BOUNDLESSINFORMANT is apparently only showing metadata collected by the GAO division. Therefore, data gathered by NSA's other main Signals Intelligence divisions, SSO (for collection in cooperation with private companies) and TAO (for collection by hacking networks and computers), may not be included in the charts and the heat maps.

On October 29, the Wall Street Journal reported that according to US officials, the metadata records for France and Spain were not collected by the NSA, but by French and Spanish intelligence services. The metadata were gathered outside their borders, like in war zones, and then shared with NSA.
This confirms the explanation of the numbers of German metadata, given by Der Spiegel on August 5. We can assume that the numbers of metadata for the Netherlands and Italy, as shown in some other BOUNDLESSINFORMANT charts, are also collected by their national intelligence agencies and subsequently shared with NSA.

On October 30, Glenn Greenwald published a statement claiming that his original reports, saying that NSA massively collected data in foreign countries, are still correct. Also, the Dutch interior minister Ronald Plasterk denied the suggestion that the 1,8 million Dutch metadata were collected by Dutch agencies and then shared with NSA.

French metadata

Below is a screenshot from BOUNDLESSINFORMANT that shows information about collection from France between December 10, 2012 and January 8, 2013. In total, almost 70,3 million metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue. In this case only telephony metadata were collected, so we only see green bars.

In the lower part of the screenshot we see three sections with break-ups for "Signal Profile", "Most Volume" and "Top 5 Techs".

Signal Profile

The Signal Profile section shows a pie chart which can show the following types of communication:

- PCS: Personal Communications Service (mobile phone networks)
- INMAR: INMARSAT (satellite communications network)
- MOIP: Mobile communications over IP
- VSAT: Very Small Aperture Terminal
- HPCP: High Power Cordless Phone
- PSTN: Public Switched Telephone Network
- DNI: Digital Network Intelligence (internet data)

In this case, the majority of the signals are from PCS or mobile phone networks (dark blue) and a minor fraction from the Public Switched Telephone Network (dark yellow).

Most Volume

This section shows that all French metadata during the one month period were collected by a facility designated US-985D. This SIGAD is seen here for the first time and also Le Monde has no further information, except for the suggestion that it's from a range of numbers corresponding to the NSA's third party partners.

As the French metadata are all collected from mobile and traditional telephone networks, they may have been intercepted with the help of a (foreign or even French) telecommunications provider. In that case, it's possible that the metadata are from French phone numbers which are used by foreign targets (see Germany below).

Top 5 Techs

The techniques used for these interceptions appear under the codenames DRTBOX and WHITEBOX, which are disclosed here for the first time. Le Monde wasn't able to provide any more details about these programs or systems, but if we compare the numbers collected by these programs with the pie chart under Signal Profile, it seems likely that DRTBOX (which collected 89% of the data) accounts for the big PCS part of the pie chart, and WHITEBOX (11%) for the small PSTN part.

Therefore, DRTBOX could be a program for collecting (meta)data from mobile phone networks and WHITEBOX for doing the same on the Public Switched Telephone Network in general.

Dutch metadata

Almost immediatly after Le Monde came with their story, the Dutch IT website Tweakers.net noticed that the German magazine Der Spiegel had published a similar screenshot about collection from the Netherlands early August:

In this case we only have the top part, with a bar chart showing that during a one month period, about 1,8 million telephony metadata records were collected from the Netherlands.

Again, this number is only about metadata, and therefore it doesn't tell us how many phone calls, let alone how many phone numbers were possibly involved.

The report by Tweakers.net was correct in explaining that the chart only shows metadata, but unfortunately, the headline initially said "NSA intercepted 1.8 million phonecalls in the Netherlands". This gave many people, including politicians, the idea that NSA was actually eavesdropping on a vast number of Dutch phone calls, which is not what the chart says, and which is also probably not what NSA is doing.

Similar "bar chart-only" screenshots were published for Spain and Italy, which also show only telephony metadata.

German metadata

On August 5, the German magazine Der Spiegel published a screenshot from BOUNDLESSINFORMANT which shows information about collection from Germany between December 10, 2012 and January 8, 2013. In total, more than 552 million metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue. In the lower part see the three sections with break-ups for "Signal Profile", "Most Volume" and "Top 5 Techs" again.

Signal Profile

In case of Germany, the pie chart shows that the communication systems are roughly divided into:

- 40% PCS (mobile communications)
- 25% PSTN (traditional telephony)
- 35% DNI (internet traffic)

Most Volume

This section shows that all German metadata were collected by two facilities, designated by the following SIGADs:

- US-987LA (471 million records)
- US-987LB (81 million records)

In an additional article by Der Spiegel, it's the German foreign intelligence agency BND itself saying that it believed "that the SIGADs US-987LA and US-987LB are associated with Bad Aibling and telecommunications surveillance in Afghanistan". Bad Aibling is a small town in Southern Germany which had a huge listening post during the Cold War, which was also part of the ECHELON system. In 2004, the listening post was moved to a smaller facility nearby.

According to Der Spiegel, the BND collects metadata from communications which it had placed under surveillance and passes them, in massive amounts, on to the NSA. BND says that it's operating within German law and doesn't spy on German citizens. Therefore, Der Spiegel suggests that the data are only technically acquired in Germany, but are actually about foreign targets.

However, this explanation would only make sense if those foreigners were contacting (or using) German phone numbers and e-mail addresses, because otherwise there would be no reason for NSA to count their metadata as being German.

Top 5 Techs

The techniques used for these interceptions appear under the following codenames:

- XKEYSCORE (182 million records or 33% of the total of 552 million)
- LOPERS (131 million records or 24%)
- JUGGERNAUT (93 million records or 17%)
- CERF CALL MOSES1 (39 million records or 7%)
- MATRIX (8 million records or 1,4%)

(the record numbers don't add up to the total of 552 million, apparently there are more, smaller systems involved than the 5 shown here)

If we compare these percentages with the pie chart showing the signal profiles, we see that XKEYSCORE corresponds to the DNI or internet metadata. XKEYSCORE is a tool used for indexing and analysing internet data and therefore it's possible that also the other programs mentioned in the Top 5 Tech section are not for collecting data, but for processing and analysing them.

According to Der Spiegel, LOPERS is a system to intercept the public switched telephone network. Indeed, the approximately 24% of the data collected by LOPERS fits the PSTN part of the pie chart.

This leaves the other three programs, and also those not mentioned in this Top 5, being used for data from mobile communication networks. Der Spiegel confirms this for JUGGERNAUT, but we can assume this for CERF CALL MOSES1 and MATRIX too.

WINDSTOP metadata

On November 4, the Washington Post published a screenshot from BOUNDLESSINFORMANT which shows information about collection under the WINDSTOP program. Between December 10, 2012 and January 8, 2013, more than 14 billion metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue.

According to the Washington Post, WINDSTOP is an umbrella program for at least four collection systems which are jointly operated by NSA and one or more signals intelligence agencies of the 2nd Party countries Britain, Canada, Australia and New Zealand.

Signal Profile

The pie chart shows that more than 95% of the metadata are collected from internet traffic (DNI), less than 5% is from mobile networks (PCS).

Most Volume

This section shows that under WINDSTOP, the metadata were collected by at least the following two facilities, designated by their SIGADs:

- DS-300 (14.100 million records)
- DS-200B (181 million records)

In a sidenote, the Washington Post says that DS-300 is the SIGAD for an interception facility which is also known under the codename INCENSER. With 14 billion internet metadata records in one month, INCENSER seems to be one of NSA's major internet collection programs, as for March 2013, the total of internet metadata collected worldwide was 97 billion records. For now, it's unclear where this enormous amount of data comes from.

DS-200B is a facility codenamed MUSCULAR, which is used for tapping the cables linking the big data centers of Google and Yahoo outside the US. This intercept facility is located somewhere in the United Kingdom and operated by GCHQ and NSA jointly. MUSCULAR collected some 181 million records, a small number compared to the 14 billion of INCENSER, but still way too much given its low intelligence value - according to NSA's Analysis and Production division.

It's interesting to see data from MUSCULAR mentioned in this screenshot, because a FAQ document about BOUNDLESSINFORMANT from 2010 said that no metadata from MUSCULAR were counted by this tool. But as this chart shows records from December 2012 and January 2013, it seems that meanwhile also metadata from MUSCULAR were added.

Top 5 Techs

The programs used for processing and analysing these interceptions are:

- XKEYSCORE (14.100 million records)
- TURMOIL (141 million records)
- WEALTHYCLUSTER (1 million records)

Just like we saw in the chart about the German metadata, the internet (DNI) data are processed by the XKEYSCORE tool. Almost all these internet data are collected by the facility designated DS-300 and codenamed INCENSER.

TURMOIL is a database or a system which is part of the TURBULENCE program, and seems to be used for selecting and storing common internet encryption technologies, so they can be exploited by NSA. If we compare the numbers, we see that TURMOIL is used for processing most of the data collected by DS-200B or MUSCULAR. An NSA presentation confirms that data collected by MUSCULAR are ingested and processed by TURMOIL.

WEALTHYCLUSTER is also related to the TURBULENCE program and is described as "a smaller-scale effort to hunt down tips on terrorists and others in cyberspace" and is said to have helped finding members of al-Qaida.

(Updated with the information about the German metadata, the new explanation by the Wall Street Journal and the WINDSTOP metadata)

Links and Sources
- Wall Street Journal: U.S. Says France, Spain Aided NSA Spying
- Cryptome.org: Translating Telephone metadata records to phone calls
- The Week: Why the NSA spies on France and Germany
- Le Monde: France in the NSA's crosshair : phone networks under surveillance
- Tweakers.net: NSA onderschepte in maand metadata 1,8 miljoen telefoontjes in Nederland
- De Correspondent: Wat doet de NSA precies met het Nederlandse telefoonverkeer?
- Der Spiegel: Daten aus Deutschland

How secure is the Merkel-Phone?

(Latest update: October 28, 2013)

In an article by the German magazine Der Spiegel it was said that the NSA probably also eavesdropped on the mobile phone of chancellor Angela Merkel, which is dubbed Merkel-Phone in popular media. Der Spiegel provided little detail, but according to an article in Die Welt, the old cell phone number of Merkel was mentioned in a document provided by Edward Snowden.

Der Spiegel presented their evidence to the German government, which led to an investigation by German intelligence and security agencies. Apparently the material proved to be trustworthy and chancellor Merkel expressed her anger in the media and even in a phone call to president Obama.

For now, we have no further details about the alleged monitoring of Merkel's phone, like whether her number was just on an NSA 'wish-list', or that only metadata were gathered. Here we will take a closer look at how the official mobile phone of chancellor Merkel has been secured.

A new article by Der Spiegel says that a phone number of chancellor Merkel was on an NSA target list since 2002. Targeting Merkel's phone number was requested by NSA unit S2C32 or the "European States Branch", and had to be done by a unit of the joint NSA/CIA Special Collection Services (SCS), which is covertly based inside the US embassy in Berlin. The document doesn't say what kind of communications were monitored or whether actual content had been recorded.

> Much more about this: How NSA targeted chancellor Merkel's mobile phone

German chancellor Angela Merkel using
her former Nokia 6260 Slide phone
(photo: dapd, March 1, 2011)

If NSA targeted Merkel's old cell phone number, it's likely the one that belonged to her former smart phone, a Nokia 6260 Slide. This phone was used heavily by Merkel from October 2009 until July 2013. Voice communications through this device were secured by a system called SecuVOICE, made by the small Düsseldorf based company Secusmart GmbH, which was founded in 2007.

Initially, the solution provided by Secusmart could only encrypt voice, not text messages (SMS) or e-mail. For encrypting text messages Secusmart introduced a separate solution called SecuSMS in 2010, which means that between October 2009 and the implementation of SecuSMS, it was rather easy for NSA to at least intercept the text messages from Merkel's official phone (maybe in the same way they collected text messages of the Mexican president).

Other easy options could have been the monitoring and/or intercepting of the non-secure mobile phones which chancellor Merkel uses, like the one provided by her political party (so no government money is used for party politics) and her private cell phone. For convenience, many politicians often use their private cell phones for government business too.

On October 27, the German tabloid paper BILD revealed that according to anonymous intelligence officials, it was president Obama who ordered the monitoring of chancellor Merkel's communication and that NSA was apparently able to intercept her newest secure mobile phone (see below). Only the secure landline telephone in her office wasn't intercepted.

In an unusual rapid and specific response, NSA said that director Alexander "did not discuss with President Obama in 2010 an alleged foreign intelligence operation involving German Chancellor Merkel, nor has he ever discussed alleged operations involving Chancellor Merkel. News reports claiming otherwise are not true".

Already on October 24, the German paper FAZ learned that the Snowden-document seen by Der Spiegel mentioned the number of the cell phone provided to chancellor Merkel by her political party, which has no security features. There's no evidence that NSA targeted or even broke the encrypted communications from her secure mobile phone.

SecuSUITE @ BlackBerry 10

Since last July, chancellor Merkel uses the new BlackBerry Z10, which is equipped with the SecuSUITE system, consisting of SecuVOICE for encrypting voice, SecuSMS for encrypting text messages and some other applications for securing e-mail and sensitive data stored in the phone (SecuVOICE should not be confused with SecurVoice, the software which was used to secure Obama's Blackberry in 2009).

German chancellor Angela Merkel at the CeBIT 2013, showing
the BlackBerry Z10 with Secusmart encryption chip
(photo: Bundesregierung/Bergmann, March 4, 2013)

A new feature, which is standard available for this phone, is BlackBerry Balance. This enables users to keep both personal data and office work data securely separated in different partitions. In the personal section one can freely use social media and downloaded apps. These are separated from the business section, which can be automatically configured with business applications and e-mail through the Blackberry Enterprise Service 10 server. Users can easily switch from the personal to the business profile by entering a password. Stored user data are protected via 256-bit AES encryption.

For secure communications, the SecuSUITE application is added by inserting a Micro-SD card, called the Secusmart Security Card, in the memory card slot of the phone. This card contains a tamper-proof crypto-controller made by NXP, with a PKI-coprocessor for performing the user authentication and a high speed coprocessor for encrypting voice and other data using the 128-bit AES algorithm. These encryption keys are transmitted using the Elliptic Curve Diffie Hellman (ECDH) protocol.

The BlackBerry Z10 with SecuSUITE application has been approved by the German government for use at the classification level Restricted (in German: Verschlussache - Nur für den Dienstgebrauch, abbreviated: VS-NfD). It's somewhat surprising that this is the lowest level, which might be explained by the fact that communications are encrypted using only 128-bit keys. Nowadays, it's generally advised to use keys with 256-bit length. Another reason is that a commercial available smart phone device is used, which is less secure than a custom made one.

For conversations at a higher classification level, German government and military officials are bound to dedicated landline phones, and conversations classified as Top Secret (German: Streng Geheim) may only take place from inside rooms that are secured against eavesdropping. Such high level voice and data communications are encrypted through the Elcrodat 6-2 system.

Nonetheless, the German federal government ordered 5000 secured BlackBerry devices, costing around 2500,- euro a piece. The new BlackBerry 10 with SecuSUITE was first presented by Secusmart at the IT business event and conference CeBIT 2013 in March:

The SecuVOICE solution is also available in the Netherlands, where it is (or was?) sold by Fox-IT and approved by the government for encrypting phone calls at the classification level Restricted (in Dutch: Departementaal Vertrouwelijk). NATO also approved SecuVOICE for usage at the level of Restricted.

SiMKo3 @ Samsung Galaxy

The secured BlackBerry 10 is not the only secure mobile smartphone approved for German government use.

There's also the SiMKo3 (the abbreviation of the German Sichere Mobile Kommunikation, Generation 3) solution from Deutsche Telekom, which comes with the Samsung Galaxy S III smart phone devices. Presently, this application is only approved for data communications at the Restricted level, but priced at 1700,- euro a piece, these phones are less costly than the BlackBerrys.

The SiMKo3 technique is similar to that of GD Protected, a system developed by General Dynamics to secure Samsung Galaxy S IV and LG Optimus smart phones so they can be used by high level government officials in the United States.

Links and Sources
- BILD.de: Obama wollte alles über Merkel wissen
- Spiegel.de: NSA-Überwachung: Merkels Handy steht seit 2002 auf US-Abhörliste
- T-Online.de: Mit welchem Handy hat die Kanzlerin telefoniert?
- Welt.de: Merkels Handy-Nummer in Snowdens Dokumenten
- WiWo.de: Sicherheitshandys: Blackberry sticht Telekom aus
- Heise.de: Technische Details zum Merkel-Phone 2.0
- ComputerWoche.de: Das können die neuen „Merkel-Phones“

How NSA targeted chancellor Merkel's mobile phone


Last week, the German weekly Der Spiegel revealed that NSA intercepted the mobile phone of the German chancellor Angela Merkel. Although most details were not known yet, the fact itself caused a severe crisis in the relationship between the United States and Germany.

Meanwhile, the original NSA targeting record containing chancellor Merkel's phone number has been published. One of the entries refers to a document about the NSA's SYNAPSE data model, which was disclosed earlier and provides us with a context for the targeting record. Finally, an impression of how the interception could have been conducted is given by a picture of the SCS interception equipment, which is presumably located in the US embassy in Berlin.

The NSA targeting record

The NSA document mentioning Merkel's phone number was published in the print editions of several German newspapers, but the tabloid paper BILD made a scan for their website:

Acoording to Der Spiegel, this document apparently comes from an NSA database in which the agency records its targets. This could be a database codenamed OCTAVE, which is used for tasking telephony targets. This record has the following entries:

- SelectorType: a selector is the intelligence term for a name or a number that identifies an espionage target. This line says the type of the selector is PUBLIC DIRECTORY NUM[ber]

- SynapseSelectorTypeID: this designator, SYN_0044, refers to the SYNAPSE Data Model (see below).

- SelectorValue: here's the actual phone number of Merkel. In the print edition of the magazine we can see this phone number written as +49173-XXXXXXX. The country code for Germany (+49) is followed by the prefix code for mobile phone numbers from Vodafone (0173). According to Der Spiegel this is the number of Merkel's cell phone which was provided by her political party and which is the one she uses most to communicate with party members, ministers and confidants, often by text message. It's is just an ordinary cell phone without any security features, and therefore an easy target for intelligence agencies like NSA. It means that her official secure mobile phone wasn't targeted nor compromised.

- Realm: according to Der Spiegel, this field determines the format.

- RealmName: the name of the format, in this case 'rawPhoneNumber'

- Subscriber: GE CHANCELLOR MERKEL. As Angela Merkel wasn't yet chancellor when the surveillance started in 2002, either this entry or the whole record must have been updated after she became chancellor in November 2005.

- Ropi: stands for Responsible Office of Primary Interest, an NSA unit that selects which targets should be monitored. In this case it's S2C32, the European branch of the so-called Product Line for International Security Issues.

- NSRL: stands for National SIGINT Requirements List, which is a daily updated compendium of the tasks, and the priority of those tasks, given to the various Signals Intelligence collection units around the world. 2002-388* indicates that this target was set in 2002, when Angela Merkel was head of the Christian democratic party CDU. Then Bundeskanzler Gerhard Schröder refused to join the US in the war against Iraq, so the US government could have been interested in knowing the position of his main political opponent.

- Status: A, which stands for Active. Der Spiegel says this status was valid a few weeks before President Obama’s Berlin visit in June 2013.

- Topi: stands for Target Office of Primary Interest. According to an NSA document, TOPIs are part of the Analysis & Production division, but Der Spiegel says these are units which are doing the actual interception. In this case, the TOPI is designated F666E, where F6 stands for the joint NSA/CIA Special Collection Service (SCS), which performs eavesdropping actions from inside US embassies in foreign capitals. 66E might then be (a part of) the SCS unit based in the US embassy in Berlin.

- Zip: this Zip code, 166E, is a distribution code for the OCTAVE tasking database (see below).

- Country Name: left blank, apparently the country code below was sufficient.

- CountryCode: which is GE for Germany

An interesting question is how Edward Snowden obtained this database record. Is it part of an NSA document for internal education or presentation purposes, or did he made a copy from the database itself? And if so, are there (many) more of these tasking records in his collection?

A targeting record like this marks the starting point of NSA's collection process. Because of that we know nothing about the follow up, except for the involvement of SCS unit F666E. Therefore, we have no indication about what form of surveillance has taken place: were only metadata gathered or also conversations recorded and text messages stored? And was this continuously, or (given the presumably small number of German linguists) only when there was a more specific need for information ?

The SYNAPSE data model

As we have seen, the second entry of the targeting record refers to SYNAPSE, which is some kind of data model used by NSA to analyze connections of foreign intelligence targets. A slide from a powerpoint presentation about this model was published by the New York Times on September 29, 2013. Note that the title has a huge spelling error as it reads SYANPSE instead of SYNAPSE:

SYNAPSE slide as published in the print edition of the NY Times
(scan by Cryptome - click for a bigger version)

The slide shows a rather complex diagram of all elements involved in examining the communications of a target. We will go through this diagram from top to bottom:

First we see a target, like a person or an organization, mentioned as "agent". These agents are designated by a name and identified by a NIC, which could stand for something like National Identification Card. 'Paki' could be a database for these ID numbers. The agents (targets) themselves are registered in TKB, which stands for Target Knowledge Base.

Agents use various devices, identified by designators like an e-mail or an IP address, a phone number or an IMEI, IMSI, IMN, RHIN or FHIN number (not clear what the last three stand for). The designations of these devices and the connections between them are collected in MAINWAY, which is NSA's main database for bulk telephone metadata.

The designators of the devices used by an agent/target get a 'Subscriber ID' for the OCTAVE database and are listed in the OCTAVE Tasked List. They also get a 'ShareableName' for the Unified Targeting Tool (UTT) to be listed in the UTT Active List. The designators are also labeled with UTT categories and OCTAVE Zip Codes.

Bottom right we see the Responsible Office of Primary Interest (ROPI) which somehow seems to manage the designators, maybe because these are the offices where Tasking takes place, which means selecting the targets to be monitored. Device designators (like phone numbers) of which the communications have to be collected are called Selectors.

Finally, the designators are referenced in the SIGINT Product Reports (blue dot) and the Intelligence Community (IC) Product Reports (red dot) which are released by the various Target Offices of Primary Interest (TOPI). LEXHOUND could be a database for these reports.

As the diagram shows pictures of a personal computer, but OCTAVE and MAINWAY are for telephony data, it seems the whole process is meant for both internet and telephony data.

The SCS interception equipment

Except for the targeting record, there is no information about how exactly NSA intercepted Merkel's phone, but there are some strong indications. In Berlin, Vodafone mostly uses microwave transmissions on its mobile network and intelligence agencies can intercepted these without much effort.

To show how this could have taken place, Der Spiegel published a slide from a presentation of the Special Collection Service (SCS) showing pictures of an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. This unit can apparently intercept cell phone signals while simultaneously locating people of interest.

In Berlin, the SCS unit operates from inside the US embassy, which is in a building next to the famous Brandenburger Tor. It was opened on July 4, 2008 - in the presence of chancellor Merkel. Before, the US embassy was in a 19th century building in the Neustädtischen Kirchstraße. The spying equipment of the SCS unit is likely to be on the roof of the building, in a structure with conceiled windows:

(photo: Christian Thiel/Der Spiegel)

According to investigative journalist Duncan Campbell, who revealed the existence of the ECHELON system, these windows are covered by special dielectric (insulating) panels, that allow radio waves to pass through and be intercepted, while blocking visible light and concealing the interception equipment behind it.

This equipment usually consists of antenna, dishes or arrays which can collect every type of wireless communications on all available wavelengths. On the opposite side of the embassy's rooftop stucture there's a similar conceiled window right at the corner. With these corner windows on both sides, SCS can catch signals from all directions:

(photo through Dailyphotostream.blogspot.com)

On German television, the US embassador to Germany said that on the embassy's roof there's rather ordinary communications equipment, to stay in touch with Washington and other US embassies around the world. The embassy wouldn't let reporters and politicians in to take a look inside the rooftop structure, probably also because only people with the proper security clearance are allowed to enter these areas.

Because the targeting record clearly mentions unit F666E, it's most likely that chancellor Merkel's cell phone was intercepted by SCS from inside the US embassy. But as her phone uses the Vodafone network, it's also possible that NSA has some kind of backdoor access to this cellular network. Vodafone is a British company and at least NSA's British counterpart GCHQ has an arrangement with this company for tapping undersea fiber optic cables.

It is supposed that data gathered by the various SCS embassy units are send to the SCS headquarters at the joint CIA/NSA facility in College Park, Maryland, through an SCS communications hub, which is at the US Air Force base in Croughton, Northamptonshire, England.

Infrared images taken by the German television station ARD showed that behind the windows there was heat producing (electronic) equipment. But shortly after the eavesdropping came out publicly, the heat signature dropped dramatically. This seems to indicate that the spying facility has been shut down for the time being.

Ending the interception

The phone number of Angela Merkel was finally removed from the NSA's target list this Summer. According to the Wall Street Journal there was an internal government review which turned up that the agency was monitoring some 35 world leaders.

After learning this, the White House ordered to cut of some of these programs, including the one tracking the German chancellor and some other world leaders. Obama also ordered NSA to stop eavesdropping operations against the headquarters of the United Nations, the International Monetary Fund and the World Bank.

Links and Sources
- NYTimes.com: Tap on Merkel Provides Peek at Vast Spy Net
- DuncanCampbell.org: How embassy eavesdropping works
- TheWeek.com: Did the NSA mislead the President and Congress about foreign leader spying?
- FAZ.net: Es war Merkels Parteihandy
- Spiegel.de: How NSA Spied on Merkel Cell Phone from Berlin Embassy

Five Eyes, 9-Eyes and many more


On November 2, The Guardian published a lenghty article about the Snowden-leaks, which said that besides the close intelligence-sharing group of the US, Britain, Canada, Australia and New-Zealand, known as 5-Eyes, there are also groups called 9-Eyes and 14-Eyes.

According to The Guardian, the first consists of the 5-Eyes countries plus Denmark, France, the Netherlands and Norway and the latter adding another five European nations. This caused some embarrassment, as especially France and The Netherlands were heavily opposed to NSA's eavesdropping operations.

For almost everyone the existance of these 'Eyes' came as a surprise, but as this article will show, there are also 3-, 4-, 6-, 7-, 8-, 9- and 10-Eyes communities. They were created for restricting access to military and intelligence information to respective numbers of coalition nations. These 'Eyes' are used as handling instructions and often supported by dedicated communication networks.

Many new 'Eyes'

First we take a look at what The Guardian wrote about the 9-Eyes and other intelligence-sharing groups:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

In a similar article, The New York Times also mentioned these two new Eyes-groups, but without naming the participating countries, and instead of the 41-Eyes, adding NACSI, the NATO Advisory Committee for Special Intelligence:
"More limited cooperation occurs with many more countries, including formal arrangements called Nine Eyes and 14 Eyes and Nacsi, an alliance of the agencies of 26 NATO countries".

These new revelations seem to be confirmed by what is said in an informative 2012 paper (pdf) about Canada and the Five Eyes Intelligence Community:
"The Five Eyes sigint community also plays a ‘core’ role in a larger galaxy of sigint organizations found in established democratic states, both west and east. Five Eyes ‘plus’ gatherings in the west include Canada’s NATO allies and important non-NATO partners such as Sweden. To the east, a Pacific version of the Five Eyes ‘plus’ grouping includes, among others, Singapore and South Korea. Such extensions add ‘reach’ and ‘layering’ to Five Eyes sigint capabilities."

This text suggests that there are several western Five Eyes 'plus' groups, one of which sounds like the 14-Eyes mentioned by The Guardian. The eastern Five Eyes 'plus' refers to the 10-Eyes group, which will be described down below.

The existance of these hitherto unknown Eyes-groups came as a surprise, because it was generally assumed that NSA only had two kinds of partners for sharing signals intelligence:

- 2nd Party: the Five Eyes based upon the UKUSA-Agreement of 1946
- 3rd Party: a range of countries that have bilateral agreements with NSA

The CFBL Network

The term 9-Eyes could already be found in some other sources. One is an extensive article by the French weblog Zone d'Intérêt about the NATO exercise Empire Challenge 2008 (EC08), in which a number of operational and testing networks were used. One of them is the Combined Federated Battle Laboratories Network (CFBLNet), which is for testing new ways of collecting and sharing intelligence, surveillance and reconnaissance (ISR) data.

The CFBL network consists of an unclassified (black) backbone network (the Blackbone) with transporting the encrypted traffic of several classified and unclassified enclaves as its main purpose. The main secure domains on the CFBL Blackbone are:

- The CFBLNet Unclassified Enclave (CUE), which is unclassified, but traffic is encrypted using Advanced Encryption Standard (AES) algorithms.
- The Four-Eyes Enclave (FEE), which is a classified enclave at the SECRET level, accessible for USA, GBR, CAN and AUS only.
- The 9-Eyes or NATO Red Enclave, which is also a classified enclave at the SECRET level, accessible for the NATO members of the Five Eyes plus France, Germany, Italy, Spain, The Netherlands and Norway.
- The Initiative Enclaves, which are created temporarily to support specific initiatives and are classified according to the initiative requirements.

We can see these parts of the CFBL Network mentioned in this slide about the networks used in the EC08 exercise:

The various networks involved in Empire Challenge 2008 (EC08)
(COI = Community of Interest, CFE = CENTRIXS Four Eyes,
DDTE = Distributed Development and Test Enterprise)
(full presentation: EC08 Networks (pdf), May 2008)

The 9-Eyes countries are also listed in a table in a NATO standardization document (pdf) from 2010. There we see that from the 4-Eyes only the US, the UK and Canada are part of the 9-Eyes, which makes sense, as Australia is not a NATO partner:

This table lists the groups of nations to which some specific multi-national intelligence and reconnaissance information can be released. This is shown by using the dissemination markings or handling instructions: REL NATO, REL 4-EYES, REL 9-EYES.

The famous Five Eyes term also has its origins in the former NSA dissemination marking EYES ONLY, which defined which 'eyes' may see certain material. Accordingly, documents authorized for release to the five UKUSA-countries were initially marked as AUS/CAN/NZ/UK/US EYES ONLY.

In conversations, allied intelligence personnel adopted the term "Five Eyes" as a shorthand because it was much easier to say. This term became widely used and even got its own abbreviation: FVEY, which is now used in REL FVEY, after the EYES ONLY marking was being replaced by the REL TO [country/coalition designator] format.

A classification line showing the REL FVEY marking

Two different 9-Eyes?

If we compare the nine members of the CFBLNet NATO domain with the 9-Eyes countries mentioned in The Guardian article, we see some differences:


The Guardian:

From the European NATO countries, France, The Netherlands and Norway are in both lists. The Guardian adds Denmark and the non-NATO members of the Five Eyes, which leaves Germany, Italy and Spain out.

Especially Germany and Italy not being included in this apparently close alliance seems strange, as both countries participate in other coalition groups and are both considered to be 3rd party partners of NSA. Maybe this explains Germany being "a little grumpy at not being invited to join the 9-Eyes group" as The Guardian read in GCHQ documents.

Unfortunately, The Guardian failed to provide any context or even a time period for their 9-Eyes and 14-Eyes listings, which makes it quite difficult to find an explanation for the different membership countries of these groups.

At first sight it seems there are two different 9-Eyes groups: one apparently closely related to NSA, and another one as a sharing group in the CFBLNet environment. But as 9-Eyes is used as a handling instruction for classified information, it has to be perfectly clear to which group of countries information marked REL 9-EYES may be released. Therefore we have to assume there can be only one 9-Eyes group at a time.

The 9-Eyes NATO group of the CFBL network was first mentioned in 2008 and still comprised the same nations in 2012. In the meantime, Sweden also became a full member of CFBLNet, but not being a NATO member, it wasn't included in the 9-Eyes sharing group.

The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)

One option to explain the differences between the two 9-Eyes could be changing membership, with countries added or removed on an annual basis depending on their participation in the CFBLNet. But this also wouldn't fit with the Guardian's list, as Australia and New Zealand are no NATO-members and Denmark is not a fully participating member nation of the CFBL network.

Unless The Guardian misinterpreted the Snowden-documents, it seems quite unlikely that their 9-Eyes could be the same as the NATO 9-Eyes on the CFBL network, but it seems also unlikely that there are two groups called 9-Eyes at the same time. The best guess at this moment would be that the Guardian's 9-Eyes was a group that only existed somewhere before the NATO group was formed.

There's also the Multinational Interoperability Council (MIC), which is a forum for identifying interoperability issues and articulating actions to enhance coalition operations. It started in 1999 as the Six Nation Council and now has seven members: the US, Canada, Australia, Britain, France, Germany and Italy. It might be this group which is called7-Eyes.

Also interesting is Alliance Base, which was the cover name for a secret Counterterrorist Intelligence Center (CTIC) that existed between 2002 and 2009. It was based in Paris and was a cooperation between six countries: the US, Canada, Australia, Britain, France and Germany. There's no indication this group was designated by a number of 'Eyes'.

The 14-Eyes and 3rd and 4th party partners

Now let's take a look at the 14-Eyes community, which was revealed for the first time by The Guardian. Looking at the number and the participating countries, it comes very close to CFBLNet, which had 13 full members (12 nations + the NATO organization) since 2010. But there are also some differences again:

CFBLNet members:

The Guardian:

These lists are very similar, except that Denmark and Belgium, which are on the Guardian's list, are not a (full) member of CFBLNet. Maybe these two countries joined CFBLNet only very recently, and in that case the 14-Eyes could refer to this group. It does show though that these NATO countries (and Sweden) are cooperating in additional information-sharing initiatives.

The exact purpose of such a cooperation in the 14-Eyes group isn't clear. The New York Times only says that the nations comprising the 9-Eyes and 14-Eyes groups have formal arrangements with NSA, which is something that also makes a country a traditional 3rd party partner.

According to Snowden-documents, about 30 countries have this status, but so far only the names of Germany, France, Austria, Denmark, Belgium and Poland were published. Some othersources say that Norway, Italy, Greece, Turkey, Thailand, Malaysia, Singapore, Japan, South-Korea, Taiwan, Israel and South Africa are 3rd party partners too.

If we compare this to the 14-Eyes, we see that only France, Germany, Norway, Italy, Belgium and probably Spain are known 3rd party partners. Sweden, Denmark and The Netherlands are not, but it's assumed they had or have less formal arrangements for exchanging raw and finished SIGINT and cryptologic information with NSA. This also applies to Finland and Taiwan, and therefore these countries are sometimes called 4th party partners.

It seems there are roughly three possibilities:

A. All countries of the 14-Eyes (and subsequently those of the 9-Eyes) are actually 3rd party partners, because of having formal arrangements with NSA. Which means Sweden, Denmark and The Netherlands must have acquired that position in recent years. Grouping them in two 'Eyes' would only make sense if that's for some specific initiatives.

B. Countries belonging to the 9-Eyes and 14-Eyes have a more close relationship with NSA and are therefore somewhere in between the 2nd party and the 3rd party nations. This is what both papers suggest, but it seems not very likely that relationships like these allow that much of (formal) refinement.

C. The 9-Eyes and 14-Eyes are groups created for specific goals and consist of the Five Eyes with some additional 3rd and 4th party nations, depending on whether their participation is needed for achieving those goals.

In 2010, France was apperently ready to join the Five Eyes, but at the last moment the Obama White House said no.

The CFBL Network

The Combined Federated Battle Laboratories Network (CFBL or CFBLNet) is a distributed Wide Area Network (WAN), which allows for the testing of new multinational information-sharing capabilities before they're transitioned to the actual operational networks which are used worldwide to support Combatant Command operations. CFBLNet enables the sharing and exchange of information on experimentation and interoperability testing.

Each member nation operates several "Battle Lab" sites which are hook into the CFBLNet backbone at a national Point-of-Presence (PoP). In 2012 there were 247 sites divided over 12 countries. The backbone traffic is secured with TCE621 (in Europe) and TACLANE E100 (or KG-175 in the US) network encryptors. The Multinational Information Sharing Program Management Office (MNIS PMO) maintains day-to-day control and coordination of the network.

Every year, also several other NATO countries participate or observe as guest nations in one or more CFBLNet initiatives at existing lab sites.

The CFBLNet grew out the network designed to support the US Joint Warfighter Interoperability Demonstrations (JWID), which used to build a support network for the period of the demonstrations and tear it down afterwards. In 1999, the JWID exercise used, for the first time, a permanent infrastructure that became what is now called the Combined Federated Battle Lab Network (CFBLNet), as established by the NATO Consultation, Command and Control Board (NC3B) in 2001.

The 6, 8 and 10 Eyes

Creating separate access groups for coalition operations, and describing them with a certain number of 'Eyes' can be traced back to the early years of this century. The first occasion seems to have been the Joint Warrior Interoperability Demonstration 2003 in which also non-traditional partner countries were added to the communications network used by the UKUSA and NATO coalition.

Information sharing between different groups of coalition partners required that separate domains had to be created within one network: in 2003, the 5-Eyes countries and the NATO organization comprised the 6-Eyes domain, while these six members plus four Pacific Rim nations (Japan, South Korea, Thailand and Singapore) comprised the 10-Eyes domain. Each domain had its own Type-2/3DES-encrypted Virtual Private Network (VPN) which ran over a network secured by classified Type-1 encryption algorithms.

Slide with an overview of the 6-Eyes and 10-Eyes network domains
(full presentation: Agile Coalition Environment (pdf), 2003)

The 2004 edition of the Joint Warfighter Interoperability Demonstration also involved South-Korea, officially known as the Republic of Korea (ROK). To this end, three separate domains within CFBLNet were created and organized into two classification levels named 6-Eyes and 8-Eyes. The 8-Eyes domain consisted of the 6-Eyes countries plus NATO and ROK. The ROK domain was cryptographically isolated from the rest of CFBLNet by using TACLANE encryptors with Type-1 algorithms.

The 5, 4 and 3 Eyes

The long-standing and close intelligence-sharing community of the Five Eyes was downsized on two occasions. First in 1985, when New Zealand refused US nuclear-armed or nuclear-powered ships to visit its ports. As a result, the island was cut out of most intelligence arrangements led by the US. Some SIGINT was still being shared, but New Zealand got no American HUMINT or military intelligence anymore, except for operations in which it's actually participating.

Things not to be shared with New Zealand, were 4-Eyes only now. Staying outside most of the allied military operations, New Zealand was also not connected to the CENTRIXS Four Eyes (CFE) network, which was created in 2001 and is extensively used for operational coordination between the remaining four partners: Australia, Canada, Great Britain and the US. Information restricted to these 4-Eyes partners is marked with their respective country codes or the abbreviation thereof: ACGU.

A document showing the REL TO USA ACGU marking (source)

For collaborative planning at the strategic level there's another network called Pegasus (until 2010: GRIFFIN), which provides secure e-mail, chat and VoSIP communications for the 5-Eyes partners, as the military cooperation between the US and New Zealand was restored again in 2007.

Another sub-group of the Five Eyes was formed when Canada didn't join the US in the 2003 war against Iraq. With New Zealand also not formally engaging, the 5-Eyes were now reduced to just 3-Eyes: the United States, Great Britain and Australia.
The relationship between these three countries became closer as both Britain and Australia were granted an upgrade of their intelligence access by president George W. Bush. For Example, both countries were granted (temporary and limited) access to America's classified SIPRNet for certain joint missions. This also reflects their bigger SIGINT collecting capabilities, compared to those of Canada and New Zealand.

CENTRIXS networks

The main US-led multinational coalition networks are called CENTRIXS, which stands for Combined ENTerprise Regional Information eXchange System. It's a secure wide area network (WAN) architecture, which can be established according to the demands of a particular coalition exercise or operation. CENTRIXS supports intelligence and operations information sharing at the SECRET REL TO [country/coalition designator] level. Some important CENTRIXS networks are:

- CENTRIXS Four Eyes (CFE) for the US, Britain, Canada and Australia.
- CENTRIXS-J for the United States and Japan.
- CENTRIXS-K for the United States and South-Korea.
- CENTRIXS-ISAF (CX-I) which is the US component of the Afghan Mission Network to share critical battlefield information among 50 coalition partners.
- CENTRIXS-GCTF (CX-G) is the US coalition network in Afghanistan to share information among more than 80 Troop Contributing Nations.

The countries connected to CENTRIXS-ISAF can be recognized as the 41-Eyes of the allied coalition in Afghanistan mentioned by The Guardian. This group grew slowly and was called 43-Eyes in 2010, when the NATO exercise Empire Challenge 2010 (EC10) changed its "main participating security domain" to "an International Security Assistance Forces (ISAF) equivalent 43-Eyes domain".

Probably also because of the steadily increasing number of coalition partners, shareable information is not marked with REL [..] EYES anymore, but with REL ISAF and REL GCTF.

Slide showing the complexity of multi-national information sharing
(full presentation: MultiNational Information Sharing (pdf), 2011)


We have seen that designations consisting of a number of 'Eyes' are used as a dissemination marking or handling instruction showing among which group of countries specific military or intelligence information may be shared.

The Guardian and the New York Times listed various 'Eyes' and some other groups in a way that suggests a hierarchy of how close their relationship with NSA would be: first the Five Eyes community, followed by 9-Eyes, 14-Eyes, NACSI, and with the 41-Eyes Afghanistan coalition being the loosest kind of cooperation.

A scheme like this looks attractive, but is at least partially misleading. For sure the Five Eyes are cooperating in the closest way, but the other groups have different scopes. NACSI is more like an advisory working group of NATO than an alliance of signal intelligence agencies, and the 41/43-Eyes community is for sharing battlefield information between members of the Afghanistan coalition.

Regarding the 9-Eyes and 14-Eyes communities, it's now up to journalists who have access to the Snowden-documents to provide more detailed information about whether they really represent more close alliances with NSA, or whether they're just 'working groups' of selected 3rd and 4th party nations, like most of the other 'Eyes' communities.

Summary of all known 'Eyes'

- 3-Eyes: USA, GBR, AUS
- 4-Eyes: USA, GBR, CAN, AUS (ACGU)
- 5-Eyes: USA, GBR, CAN, AUS, NZL (FVEY)
- 7-Eyes: USA, GBR, CAN, AUS, FRA, DEU, ITA (MIC?)
- 8-Eyes: USA, GBR, CAN, AUS, NZL, NATO, ?, South-Korea
- 9-Eyes: Five Eyes + FRA, DNK, NLD, NOR (Guardian)
- 10-Eyes: USA, GBR, CAN, AUS, NZL, NATO, Japan, South-Korea, Thailand, Singapore
- 14-Eyes: Five Eyes + FRA, DNK, NLD, NOR, DEU, ESP, ITA, BEL, SWE (Guardian)
- 41-Eyes: ISAF-countries in ? (Guardian)
- 43-Eyes: ISAF-countries in 2010

Links and Sources
- DailyDot.com: How the NSA ranks its international spying partners
- Disa.mil: Multinational Information Sharing (MNIS)
- Article in French about Empire Challenge 2008
- About Canada and the Five Eyes Intelligence Community (pdf)
- Far-Reaching Scenario Reflects Changing World (2003)
- Combined Operations Wide Area Network (COWAN)/Combined Enterprise Regional Information Exchange System (CENTRIXS) (pdf)

Screenshots from BOUNDLESSINFORMANT can be misleading


Over the last months, a number of European newspapers published screenshots from an NSA tool codenamed BOUNDLESSINFORMANT, which were said to show the number of data that NSA collected from those countries.

Most recently, a dispute about the numbers mentioned in a screenshot about Norway urged Snowden-journalist Glenn Greenwald to publish a similar screenshot about Afghanistan. But as this article will show, Greenwald's interpretation of the latter was wrong, which also raises new questions about how to make sense out of the screenshots about other countries.

Norway vs Afghanistan

On November 19, the website of the Norwegian tabloid Dagbladet published a BOUNDLESSINFORMANT screenshot which, according to the paper, showed that NSA apparently monitored 33 million Norwegian phone calls (although actually, the NSA tool only presents metadata).

The report by Dagbladet was almost immediatly corrected by the Norwegian military intelligence agency Etteretningstjenesten (or E-tjenesten), which said that they collected the data "to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad" and that "this was not data collection from Norway against Norway, but Norwegian data collection that is shared with the Americans".

Earlier, a very similar explanation was given about the data from France, Spain and Germany. They too were said to be collected by French, Spanish and German intelligence agencies outside their borders, like in war zones, and then shared with NSA. Director Alexander added that these data were from a system that contained phone records collected by the US and NATO countries "in defense of our countries and in support of military operations".

Glenn Greenwald strongly contradicted this explanation in an article written for Dagbladet on November 22. In trying to prove his argument, he also released a screenshot from BOUNDLESSINFORMANT about Afghanistan (shown down below) and explained it as follows:
"What it shows is that the NSA collects on average of 1.2-1.5 million calls per day from that country: a small subset of the total collected by the NSA for Spain (4 million/day) and Norway (1.2 million).

Clearly, the NSA counts the communications it collects from Afghanistan in the slide labeled «Afghanistan» — not the slides labeled «Spain» or «Norway». Moreover, it is impossible that the slide labeled «Spain» and the slide labeled «Norway» only show communications collected from Afghanistan because the total collected from Afghanistan is so much less than the total collected from Spain and Norway."

Global overview

But Greenwald apparently forgot some documents he released earlier:

Last September, the Indian paper The Hindu published three less known versions of the BOUNDLESSINFORMANT global overview page, showing the total amounts of data sorted in three different ways: Aggregate, DNI and DNR. Each results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map.

In the overall (aggregated) counting, Afghanistan is in the second place, with a total amount of over 2 billion internet records (DNI) and almost 22 billion telephony records (DNR) counted:

The screenshot about Afghanistan published by Greenwald only shows information about some 35 million telephony (DNR) records, collected by a facility only known by its SIGAD US-962A5 and processed or analysed by DRTBox. This number is just a tiny fraction of the billions of data from both internet and telephone communications from Afghanistan as listed in the global overview.


With these big differences, it's clear that this screenshot about Afghanistan is not showing all data which NSA collected from that country, not even all telephony data. The most likely option is that it only shows metadata from telephone communications intercepted by the facility designated US-962A5.

That fits the fact that this SIGAD denotes a sub- or even sub-sub-facility of US-962, which means there are more locations under this collection program. Afghanistan is undoubtedly being monitored by numerous SIGINT collection stations and facilities (like US-3217, codenamed SHIFTINGSHADOW which targets the MTN Afghanistan and Roshan GSM telecommunication companies), so seeing only one SIGAD in this screenshot proves that it can never show the whole collection from that country.

This makes that Greenwald's argument against the data being collected abroad is not valid anymore (although there maybe other arguments against it). Glenn Greenwald was asked via Twitter to comment on the findings of this article, but there was no reaction.

More questions

The new insight about the Afghanistan data means that the interpretation of the screenshots about other countries can be wrong too. Especially those showing only one collection facility, like France, Spain and Norway (and maybe also Italy and The Netherlands), might not be showing information about that specific country, but maybe only about the specific intercept location.

This also leads to other questions, like: are this really screenshots (why is there no classification marking)? Are they part of other documents or did Snowden himself made them? And how did he make the selection: by country, by facility, or otherwise?

There are many questions about NSA capabilities and operations which Snowden cannot answer, but he can answer how exactly he got to these documents and what their proper context is. Maybe Glenn Greenwald also knows more about this, and if so, it's about time to tell that part of the story too.

Links and Sources
- Volkskrant.nl: Bespioneerde de NSA ons of hebben wij zelf afgeluisterd?
- MatthewAid.com: Greenwald’s Interpretation of BOUNDLESSINFORMANT NSA Documents Is Oftentimes Wrong
- Dagbladet.no: NSA-files repeatedly show collection of data «against countries» - not «from»
- WSJ.com: Europeans Shared Spy Data With U.S.
- Cryptome.org: Some thoughts and explanations about the BOUNDLESSINFORMANT numbers

DRTBOX and the DRT surveillance systems

(Updated: November 29, 2013)

In recently published screenshots from NSA's BOUNDLESSINFORMANT tool about France, Spain, Norway and Afghanistan we see the mysterious term DRTBOX. For example, the screenshot for Norway presents 33 million telephony metadata, which were collected from mobile phone networks by a facility designated US-987F and processed/analysed by DRTBOX:

Unlike what it seems, DRTBOX is not a codename, but part of a wireless surveillance system, made by a company generally known as DRT. This article will show that this company manufactures a range of sophisticated surveillance and tracking devices, used by US law enforcement and signals intelligence agencies.

Digital Receiver Technology, Inc.

DRT is the abbreviation of Digital Receiver Technology, Inc. This company was formerly known as Utica Systems, Inc. and founded in 1980 in Frederick, Maryland, to produce devices for what was called the "Communications Surveillance Community". The company developed a solid reputation for communication equipment based on Digital Signal Processing (DSP).

In October 1997, the company adopted its current name and moved to a new plant in Germantown in April 1998. DRT was purchased by Boeing in December 2008 and is now a wholly-owned subsidiary of this major US military contractor. DRT continued its production of state-of-the-art DSP-based equipment and was described as a "key supplier in the growing SIGINT market" in 2009.

In 2010, Boeing also acquired Argon ST and combined with DRT this created a "SIGINT powerhouse", giving Boeing a competitive advantage in the SIGINT market, according to market analysts. In 2011, both acquisitions were consolidated into the new Electronic & Mission Systems (E&MS) division of the Boeing company.

In fall 2012, DRT moved to a new facility in the Milestone area of Germantown. This facility comprises 135,000 sq. ft. with approximately 50,000 sq. ft. dedicated to equipment manufacture, and the remainder dedicated to offices and engineering development laboratories:

The headquarters of Digital Receiver Technology, Inc. in Germantown, MD.
(photo: www.drti.com)

Currently, the company's homepage only advertises miniature multi-format wireless communications scanners to be used by the wireless industry for measurement and testing purposes. As an example, the website shows two products from the 4300-series.

But: "Due to the sensitive nature of our work, we are unable to publicly advertise many of our products". This is followed by contact information for commercial customers and for "all other" customers, which are obviously government agencies. Latter can contact DRT through a mail address and also by calling toll free: "(866) DIRTBOX" - a clear hint to the DRTBOX mentioned in the NSA screenshots.

Just like many other military contractors in recent years, DRT also removed information about national security related products from its website. Between 2003 to 2009, earlier versions of DRT's homepage frankly said:
"DRT designs and manufactures advanced electronic equipment to support the missions of the US Signals Intelligence (SIGINT) and law enforcement communities. The current product line includes a variety of portable and rack-mounted wireless communications receivers capable of processing a variety of modern wireless protocols. For more information about these products, please contact DRT."

Law enforcement

A good example of the devices which DRT manufatures and develops for use by law enforcement agencies is given by the company itself, in trying to open new markets.

In 2010, Boeing, on behalf of its subsidiary DRT, submitted a statement (pdf) before the National Telecommunications and Information Administration (NTIA) in reaction to an inquiry regarding contraband cell phone use in prisons. The statement says that:
"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use. During this registration process calls are not disrupted. All calls, including 911 calls, are released, including those made from the contraband cell phones. The DRT device identifies cell phones as “not of interest” or “of interest” (i.e., the contraband cell phones).

Cell phones not of interest, such as those belonging to prison personnel or commercial users in the area, are returned to their local network. Cell phones of interest are forced to transmit so that the DRT device can locate them by calculating a line of bearing.

In one mode of operation, the DRT device then returns the cell phone to its network, permitting it to send and receive calls. In another mode of operation designed for use by federal law enforcement entities, the cell phone can be locked onto the DRT device, preventing its contraband use."

Boeing wanted NTIA to recommend to Congress that the Communications Act of 1934 should be modified in order to allow prison officials and state and local law enforcement to use these kinds of cell phone management, prevention or location technologies. Currently, only federal agencies, like the FBI, are allowed to use devices that jam or block wireless communications. Federal Communications Commission (FCC) licensing should also apply, for which Boeing delivered a similar statement in 2012.

Prison pilots

In December 2010, DRT participated in a pilot at the Maryland Correctional Institution-Jessup (MCIJ). After sensors were placed, DRT collected data showing when cell phones were turned off, turned on and registered with the nearest cell phone tower. Data were send to a laptop used to record the data and the company then analyzed the time and length of messages over the course of the pilot. A portable sensor was used to identify particular cells that had a high probability of cell phone usage within.

In 2012, DRT was selected to develop and implement a Managed Access System (MAS) for the California State Prison system. A MAS is used to allow authorized cell phones to connect to the standard carrier networks, while preventing unauthorized cell phones (like from inmates) from connecting to the carrier networks.

Other usage

The aforementioned Boeing statement claimed that DRT's cell phone management, prevention and location technologies could also provide important benefits in a wide variety of law enforcement situations outside the prison context. For example, Special Weapons and Tactics (SWAT) teams and other paramilitary tactical units could effectively control wireless communications by suspects in a building during a raid.

Boeing carefully described only those future applications for which regulations have to be changed - trying not to admit that DRT systems are already used at the federal level for decades. They provide agencies like FBI with some powerful tools (DRT devices can be used to perform a man-in-the-middle attack), although they are expensive and must be operated by highly trained law enforcement personnel.

At the FBI, the DRT systems are likely operated by the Data Intercept Technology Unit (DITU), which is a highly secretive division specialised in intercept technology. DITU is also responsible for collecting data from US internet companies under NSA's PRISM program. For these federal agencies, a presentation about DRT devices was given at the 10th FED TECH Interagency Technical Training Conference, held in San Diego in January 2010:

In this schedule we see "DRT Box" again, but apart from a LinkedIn-profile, this term is rarely found and therefore it's not really clear what it stands for. At first glance it seems that DRTBox simply refers to box-like surveillance devices, but if we look at the BOUNDLESSINFORMANT screenshots, we see that the actual data collection is done by facilities designated by SIGADs and that DRTBOX is in the same section as for example XKEYSCORE, which means DRTBOX is probably an integrated indexing and analysing system for wireless communications data, just like XKEYSCORE is for internet data.

Signals Intelligence

Where the FBI uses systems from Digital Receiver Technology domestically, the NSA is most likely the main customer for use abroad. On a website for Signals Intelligence (SIGINT) and Electronic Warfare (EW), DRT is listed as a provider of:
- SIGINT Design Engineering Services
- SIGINT Consulting Services
- Communications ESM Systems
- COMINT Systems
- RF Receivers

DRT products for signals intelligence missions include high performance Software Definable Receiver (SDR) and transceiver products, including multi-channel platforms for man-portable, mobile and even airborne applications, aboard RC-135 Rivet Joint, Combat Sent or Cobra Ball aircraft.

From various public job descriptions it becomes clear that DRT devices are widely used in tactical ground operations, where they are part of the equipment used by SIGINT/EW collection teams assigned to field deployed Special Forces Groups. These are so-called Low Level Voice Intercept (LLVI) devices.

DRT systems are also used as remote controlled collection systems, with the surveillance devices installed at fixed locations, like in areas where there's widespread hostile cell phone or radio use. The collected data go to ONEROOF, which is NSA's main tactical SIGINT database, containing raw and unfiltered intercepts.

DRT SIGINT products

A job description for a SIGINT Systems Engineer (job location: Fort Meade) requires "experience working with SIGINT systems, especially on systems utilizing Digital Receiver Technology (DRT) Series 1000 and 2000 equipment" and also familiarity "with the software used to control the DRT systems". Software used for the 1000 series product line is called Alaska.

More specific designations of DRT devices from the 1000-series can be found in various other job resumes, reading like "SIGINT/EW collection and exploitation systems, to include the DRT-1101A/1301B/1501, MINI-EXPIATION, HIDRAH, LOGGERHEAD, Harris Suite (STINGRAY, KINGFISH, BLACKFIN, GOSSAMER), AR-8200, Explorer/Scout, and the PRD-13v2/ISSMS".

The DRT1101A was a second generation wireless communications receiver developed by DRT around the year 2000. DRT's former website described the device as follows:
"The DRT1101A provides a compact, yet powerful, test and measurement capability for a variety of first and second generation wireless standards. The system also possesses the capability to detect and extract cellular FAX signals. The system is based on an industry-standard bus format, and uses the latest in digital signal processing (DSP) and microprocessor technology."

Another device from the 1000-series is the DRT1301C, which is used by Special Operations Forces:
"The DRT1301C, manufactured by Digital Receiver Technology, Inc., is a portable, ruggedized radio designed for operations in tactical and/or harsh environments. It provides a miniature yet powerful surveillance capability. The radio has a frequency range of 20-3000 MHz and operates against a variety of analog and digital wireless standards. The transmitter has a power output range of
An example of a DRT device from the 2000-series is the DRT2101A, which was described as:
"a compact wideband tuner system consisting of up to eight wideband tuner modules, each covering the 0.5 MHz to 3 GHz frequency band. Each tuner module has a 30-MHz instantaneous bandwidth and can be operated in either an independently or coherently tuned mode under software control. The tuner module is factory configured to provide a high-level analog baseband output."
The Internet Archive also contained this picture of the DRT2101A device:

See also the description and the picture of DRT's Wireless Processor Module 2 (WPM2) in the Internet Archive.

The tactical deployed DRT systems are mainly used for operations in Iraq and Afghanistan, but it's very well possible that the equipment was also used at the joint NSA-CIA Special Collection Service (SCS) unit in the US embassy in Berlin, which intercepted the mobile phone of German chancellor Merkel.

Low Level Voice Intercept equipment being used during a field operation.
It's not clear whether the device in the video is from DRT,
but it's certainly very similar.

- Volkskrant.nl: De DRT2101A: het apparaat waarmee de NSA telefoons afluistert
- List of 217 part numbers from Digital Receiver Technology, Inc.
- Presentation about Digital receiver technology for RWR, ESM and ELINT applications (pdf)
- Washington Institute: Stabilizing Iraq: Intelligence Lessons for Afghanistan
- Journal of Electronic Defense: What's New in SIGINT software?
- Overview: Toward a Universal Radio Frequency System for Special Operations Forces (pdf)

NSA's global interception network


On November 23, the Dutch newspaper NRC Handelsblad published a new slide from the Snowden documents. The slide is from a Top Secret NSA management presentation from 2012 and shows the agency's worldwide information collection capabilities.

As the slide is titled "Driver 1: Worldwide SIGINT/Defense Cryptologic Platform" there must be more slides with "Drivers", but unfortunately these were not published.

This article will take a close look at the map and tries to provide an explanation of the various interception locations of what is NSA's new ECHELON network for the internet age:

Click the map for a bigger version - it opens in a new tab or window,
so you can keep the map stand-by while reading this article

The slide shows five types of data collection, called "Classes of Accesses". These correspond to the organizational channels through which NSA gathers it's intelligence:
- 3rd PARTY/LIAISON - Intelligence sharing with foreign agencies
- REGIONAL - SCS units, a joint venture between NSA and CIA
- CNE - NSA's Tailored Access Operations (TAO) division
- LARGE CABLE - NSA's Special Source Operations (SSO) division
- FORNSAT - NSA's Global Access Operations (GAO) division

Besides the collection capabilities shown in this map, NSA also collects data through spy planes and satellites (called Overhead Collection) and a range of tactical collection systems used to support military operations.

3rd PARTY/LIAISON- Intelligence sharing

As the first class of access, the slide lists the so-called 3rd Party liaisons with partner agencies in other countries with which NSA has formal agreements for the exchange of raw data and end product reports.

The legend designates 3rd Party Liaisons with a green dot, but there are no green dots on the map, which seems strange. One possible explanation could be that the different colored dots appear one by one after clicking the original powerpoint presentation, but according to a tweet of one of the NRC journalists, there were no green dots on the original map.

Another possible explanation is that 3rd Party stands for countries, whereas all other dots represent specific facilities. This however could have been solved by simply listing the nations just like the Regional and Fornsat lists at the top of the map.

With that not being the case, the most likely reason seems to be that NSA considers the names of these 3rd Party nations to be too sensitive to be mentioned in a TOP SECRET//COMINT document. Probably they may only be in documents classified within the Exceptionally Controlled Information (ECI) control system, just like the names of the telecommunication companies cooperating with NSA (the exact locations of the cable tapping facilities are also not mentioned in the map's legend).

This makes that it's still a big secret which 30 countries are NSA's 3rd party partners. Based upon the Snowden-documents, the German magazine Der Spiegel only published the names of these six European countries:
- Germany
- France
- Austria
- Denmark
- Belgium
- Poland
Some othersources also named the following countries as 3rd party partners:
- Norway
- Italy
- Greece
- Turkey
- Israel
- South-Africa
  - Thailand
- Malaysia
- Singapore
- Japan
- South-Korea
- Taiwan
NRC Handelsblad reported that The Netherlands is a 3rd party partner too, but presented no evidence for that. According to an article (pdf) by Dutch scolars it's not very likely that Dutch agencies are a formal 3rd party partner of NSA, as they have different political and cultural views. Nonetheless, the Netherlands has always been a loyal partner in military operations and so there is information sharing on that level.

If we include The Netherlands, the list of known 3rd party countries adds up to 19, which means there must be 11 other nations having a formal intelligence sharing agreement with NSA.

REGIONAL - Special Collection Service

Under "Regional" the map shows over 80 locations of the joint NSA-CIA Special Collection Service (SCS) units. These units are covertly based in US embassies and consulates all around the world and are charged with eavesdropping on high-level targets in difficult-to-reach places, such a foreign embassies, communications centers, and foreign government installations.

The names of 88 locations are listed at the top of the map, but 46 of them are blacked out. According to NRC Handelsblad, Glenn Greenwald asked them to do so, because of "protection of the source and the agreement we have with him: it's not really newsworthy". But Snowden apparently also insisted on this in order to protect his legal interests and therefore he provided Greenwald a "clear list" about categories of information that should not be published.

Earlier, a map showing SCS locations worldwide was published by the German magazine Der Spiegel. Initially an unredacted map was put online by accident, but before it was replaced, it was already copied onto several websites. This map showed 74 staffed SCS locations, 14 unmanned remote controlled locations and 8 other locations as of August 2010. Except for the SCS locations in Europe, the names of all other cities were blurred by Der Spiegel:

If we compare the European cities in this map from 2010 with those in the NRC map from 2012, we see that the latter doesn't show the following places: Baiku, Croughton, Kiev, Madrid, Moscow, and Tbilisi.

This could mean these SCS activities were terminated in the meantime, but also that their names were simply blacked out, which is definitely the case for Moscow and Madrid (having a dot on the map but not being mentioned in the legend) and seems likely for the technical SCS support facility at the US Air Force base in Croughton (or might this be "RESC" if it stands for something like Regional Exploitation Support Center?).

Also interesting is that the legend of the 2012 map reveals SCS locations in the US:
- Langley, Virginia, where the CIA headquarters is
- Reston, Virginia, where there's a small CIA facility too
These two locations are most likely not for eavesdropping, but rather serve as technical, training or support facilities. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.

CNE- Computer Network Exploitation

The yellow dots on the map give some indication of where NSA has placed over 50.000 implants in computer networks as part of it's Computer Network Exploitation (CNE) operations. These operations are conducted by NSA's highly specialized and secretive Tailored Access Operations (TAO) division.

Last August, the Washington Post reported that the NSA installed an estimated 20.000 computer implants as early as 2008. This was based on the secret budget of the American intelligence agencies.

Compared to the over 50.000 implants, there's only a very small number of yellow dots on the map, so they probably provide only an indication of the regions where NSA placed most of them. As such we see India, China, Mexico, the northern part of South-America, north-east Africa, eastern Europe, the European part of Russia and the Middle-East.

LARGE CABLE - Access to the Internet Backbone

The big blue dots represent 20 major "covert, clandestine, or cooperative large accesses" to "high speed optical cable" links which form the internet backbone. It's this way that the Special Source Operations (SSO) division collects the largest share of NSA's intelligence and maybe therefore the blue dots are the biggest ones.

The map itself shows just 16 blue dots, but as the legend says "20 Access Programs" it's possible that there are 20 programs and only 16 actual intercept locations, or that not all locations are marked on the map (which is also the case for the FORNSAT locations).

The 16 Cable Access locations marked on the map seem to be in:
- Indonesia
- South Korea
- Guam
- one of the Caroline Islands?
- Hawaii
- 4 locations at the US West coast
- 2 locations at the US East coast
- Great Britain (Menwith Hill and/or Bude)
- France (Marseille?)
- Djibouti
- Oman
- Afghanistan?

In most of these countries there's an American military base, which probably makes it easier to get covert and clandestine access to internet backbone cables. But as we know from earlier reports, NSA and GCHQ also have secret cooperation arrangements with major American, British and foreign telecommunication and internet providers, in order to get access to internet traffic.

One supposed cable tapping location that's missing on the map is the Ayios Nikolaos station, which is part of the British Sovereign Base Area of Dhekelia on Cyprus. This station was identified as a major cable intercept facility run by GCHQ.

Some known NSA programs for intercepting internet cables are:
- OAKSTAR, which is an umbrella program for:
Most of these OAKSTAR sub-programs are "foreign access points", so maybe some of them are represented by the blue dots on the map. If we add these 12 Corporate programs to the 4 Unilateral and 2 Foreign cable access programs shown in the presentation slide below, we get a total of 18 programs, which is quite close to the number of 20 Major Accesses mentioned in the legend of the map.

A slide from a 2010 presentation of the Special Source Operations (SSO)
division about access to "high-capacity telecommunication systems"

FORNSAT - Foreign Satellite interception

Finally, the orange dots on the map represent locations where there are stations for intercepting the signals of foreign communication satellites. The orange dots are the second biggest ones, so maybe this indicates that FORNSAT collection provides the second largest share of intelligence.

The legend in the bottom right corner says there are "12 + 40 Regional" FORNSAT stations, but on the map there are only 6 dots and the list in the upper right corner lists only 10 codenames. The six locations on the map can be identified as:
- INDRA - Khon Kuen (Thailand)
- ? (Philippines)
- LADYLOVE - Misawa (Japan)
- TIMBERLINE - Sugar Grove (US)
- CARBOY - Bude, on the map combined with:
- MOONPENNY - Menwith Hill (Great Britain)
- ? (Norway or Sweden)

Five FORNSAT stations have their codename listed, but are, for reasons unknown, not marked on the map:
- STELLAR - Geraldton (Australia)
- IRONSAND - Waihopai or Tangimoana (New Zealand)
- JACKKNIFE - Yakima (US)
- SOUNDER - Ayios Nikolaos (Cyprus)
- SNICK - Oman

The locations in the map published by NRC Handelsblad can be compared to those on a map shown by Brazilian media, which is about Primary FORNSAT Collection:

In this map, which is said to be from 2002, we see the following satellite intercept stations:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)
  2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, Oman
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, New Zealand

If we compare both maps, we see some notable differences. First of all, four stations from 2002 are not on the 2012 map, nor in its legend:
- CORALINE - Sabena Seca (Puerto Rico)
- GARLICK - Bad Aibling (Germany)
- SCAPEL - Nairobi (Kenya)
- SHOAL BAY - Darwin (Australia)

The stations in Sabena Seca and Bad Aibling were closed down and the same could have happened to the one in Nairobi. The Australian intercept facility near Darwin, Shoal Bay Receiving Station, is not in the 2012 map, but seems to be still operational. Therefore we should be careful in treating information in presentation slides and maps like this as perfectly accurate.

The map from 2002 also shows two SCS locations: one in Brasilia and one in New Delhi. Apparently those Special Collection Service units also had a satellite intercept capability. This is most likely also the explanation for the number of "40 regional" FORNSAT stations mentioned in the legend of the 2012 map - which means that meanwhile half of all SCS units worldwide also conduct some kind of foreign satellite interception.

This could also explain the device shown in a slide published earlier by Der Spiegel: an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. Der Spiegel said this device may be used to intercept cell phone signals, but as a dish antenna, it actually looks more like a receiver for satellite signals:

The map from 2012 as published by NRC Handelsblad also has orange dots for a FORNSAT station at the Philippines and in Norway or Sweden. These locations were not in the map of 10 years earlier, so it seems that these are new intercept stations build somewhere between 2002 and 2012.

Unfortunately we don't have their codenames, because in the list in the upper right corner, there's no codename which was not already in the 2002 map. But as this list has only 10 names, and some don't fit on one line, it's possible that two names (coincidentally those of the new stations?!) dissappeared because of bad rendering.

A final difference between the FORNSAT stations shown in the maps of 2002 and 2012 is the station in Thailand, which was codenamed LEMONWOOD in 2002. The location near the city of Khon Kaen was identified as being an intercept facility since 1979, but with a different codename: INDRA.

This facility fell into disrepair in the 1990s and seems to have been closed somewhere before 2002. In the years following 9/11, the old station apparantly has been reactivated and expanded to an important satellite intercept mission, and appeared again under its old codename INDRA in the 2012 map. Why this place (or another one?) was called LEMONWOOD in 2002 remains a mystery.

A recent Google Earth image of the INDRA
facility near Khon Kaen, Thailand

Links and Sources
- NRC.nl: NSA infected 50,000 computer networks with malicious software
- DuncanCampbell.org: The embassy spy centre network (updated)
- NYTimes.com: N.S.A. Report Outlined Goals for More Power

Viewing all 174 articles
Browse latest View live

Latest Images