
The BOUNDLESSINFORMANT interface


A previous article on this website showed that the charts in the NSA's BOUNDLESSINFORMANT tool are not as easy to interpret as they may seem. Screenshots from this tool were published by a number of European newspapers claiming that they prove NSA is intercepting phone calls from these countries. This article will show and examine a new image which literally provides context to these screenshots.


In a less well-known follow-up article from November 4 on the website of the Spanish paper El Mundo there are four slides from a PowerPoint presentation about BOUNDLESSINFORMANT. Three of the slides were published earlier, but the fourth one had never been shown before. This new slide shows a screenshot of an Internet Explorer browser window with the BOUNDLESSINFORMANT tool in it:




For the first time, this screenshot reveals what the actual BOUNDLESSINFORMANT interface looks like. It shows that the bar charts and the details below it, as published by the newspapers, appear in a pop-up window above the world map of the global overview.


The global overview window

The presentation slide shows that the main screen of this tool is the global overview, which was initially published by The Guardian in June and later by some other media too. Here's a high resolution version of this screen (click for a bigger version):




On the left side we see the overall numbers for DNI (internet), DNR (telephony), SIGADs, Case Notations and Processing Systems for the last 30 days. This time period can be changed, probably by using the slide button underneath this list, next to the dark grey box. It seems that 30 days is its maximum. In the slide screenshot this time period is 7 days, which can be seen in the pop-up window and explains the smaller numbers in the list at the left side of the map.

The lower part of the screen shows a Top 5 of countries and their total numbers of DNI and DNR records. These total amounts of data can be sorted in three different ways: Aggregate, DNI and DNR, which can be selected with the radio buttons above the map. Each option results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map. These three versions were published by the Indian paper The Hindu last September.

Next to these radio buttons is a search box with a button named "Country View", which may be for entering a country name. Finally, there are two buttons in the upper right corner to switch between the two main viewing modes of this tool:

- The Map View, which "allows users to select a country on a map and view the metadata volume and select details about the collection against that country".

- The Org View, which "allows users to view high level metrics by organization [NSA divisions] and then drill down to a more actionable level - down to the program and cover term".

According to a Frequently Asked Questions (FAQ) paper for BOUNDLESSINFORMANT from June 2012, this tool can graphically display information about collected metadata in a map view, a bar chart and a simple table. The map view can be seen in the main window with the global overview, and the bar charts appear in a pop-up window. What the simple table view looks like is not known.


The Map View pop-up window

In the Map View, users can click on a country from the world map and then a pop-up window appears. According to the BOUNDLESSINFORMANT FAQ paper this window shows "the collection posture (record counts, type of collection, and contributing SIGADS or sites) against that particular country in addition to providing a graphical display of record count trends". These elements are in the screenshot of this window:



Unfortunately the resolution of the slide is too low to make everything readable, but we can still see that there's a lot more in this screen than in the images published by the various newspapers. For comparison, here's the screenshot that was shown in Norwegian media (click for a bigger version):




Comparing these two screenshots reveals that the images shown in the papers are just a part of the actual pop-up window. We recognize the four sections with the different charts, but there are also some minor differences. The slightly different layout may have been caused by the different time period: 30 days results in a much wider bar chart than 7 days.

Apart from that, we see that in the screenshots from the newspapers the whole frame is missing. The example from the presentation has "SIGAD" with a symbol next to it in the upper left corner, but we don't know whether that's standard or whether it indicates a specific view mode.

Below this are a search box and a scroll box with a relatively long list of options - unfortunately impossible to read, but it's not a list of SIGADs. The display section has two tabs, the active one white, the other one black, indicating that there are apparently two main options for presenting the information.

Left of the bar chart there's a section that could be titled "Active Summary" and seems to contain symbols and headers very similar to those below the bar chart. Probably one can select different kinds of details about the data collection to be shown. The images from the papers have "Top 5 Techs" in the lower section at the right side, but in the pop-up example something different is shown, again illegible.

Another small difference is in the "Signal Profile" section: the pop-up screen shows four different types of communication systems (maybe DNI, DNR and two others), but the screenshots from the papers have seven. As the presentation is from July 2012 and the images in the papers are from early 2013, maybe during that period more options were added to the tool.



Multiple options

All this shows that in the Map View alone there are more options to select than just clicking a country and getting one standard overview of NSA's collection against that country - that's how Glenn Greenwald and the newspapers brought it.

The fact that there are more ways to select and present the information already became clear by analysing the screenshots published by the papers. For at least five countries (France, Spain, Norway, Afghanistan and Italy) the charts only show one technique, DRTBOX.

If NSA really spies on these countries, it's unlikely they use only one system and collect only telephone (meta)data. Therefore, it seems more as if in this case DRTBOX was used as the primary selector, resulting in charts showing how much data this system processed from different SIGADs and different countries.

A more complete overview of data collection against a country is given by the screenshot for Germany, which shows multiple systems collecting both internet and telephone data. Also interesting to see is that there are not only such charts about countries, but also about collection programs like WINDSTOP (which could be from the 'Org View' mode).


Conclusion

Now that we have a picture of the complete BOUNDLESSINFORMANT interface, we've seen that this tool has many options to present information about NSA's (meta)data collection.

The screenshots published in various European newspapers were cut out from their original pop-up windows, which means we are missing their context. We can't see what options there were and which selections were made to present the information as we see it.

We don't know who cut out the charts: was it Edward Snowden, or someone else at NSA (for preparing a presentation), or was it Glenn Greenwald? These questions are of some importance, because these screenshots are used as evidence for rather grave accusations.

Until now, neither Glenn Greenwald, nor editors of some of the involved newspapers were willing to answer any questions about the origins of these screenshots. Instead, Greenwald still sticks to his own initial interpretation and lets papers publish that over and over.



Links and Sources
- The Guardian: BOUNDLESSINFORMANT - Frequently Asked Questions
- Wikipedia: Boundless Informant


14-Eyes are 3rd Party partners forming the SIGINT Seniors Europe


On December 11, the Swedish public television channel SVT published a range of new NSA documents from the Snowden collection. One is a text which for the first time proves that intelligence agencies of nine European countries are 3rd Party partners of NSA.

These countries are: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. Earlier, these nations were identified as forming the 14-Eyes group, for which we now also have a real name: SIGINT Seniors Europe or SSEUR.





Unfortunately only this very small excerpt was published, so we don't know what the rest of the document is about. But as small as it is, it reveals some interesting new things, which will be explained in this article:
- The 3rd Party status of a number of European countries
- The existence of a group called SIGINT Seniors Europe
- More clarity about the mysterious 14-Eyes



3rd Party countries

This is probably the first time that an official NSA document has been published in which several 3rd Party countries are named. Until now, we only had documents proving this status for a few separate countries, and a range of countries that were suggested to be 3rd Party partners by intelligence experts.

Of the countries mentioned in the fragment published by Swedish television, only France, Germany, Norway, Italy, Belgium and probably Spain were supposed to be 3rd Party partners. Sweden, Denmark and especially The Netherlands were not listed as such, so with this new disclosure we now know for sure that the intelligence agencies of all these nations have the 3rd Party status.

Being a 3rd Party means that there's a formal bilateral agreement between NSA and a foreign (signals) intelligence agency. Probably the main thing that distinguishes this from other, less formal ways of cooperating is that among 3rd Party partners there's also an exchange of raw data, and not just of finished intelligence reports or other kinds of support. Also, both parties have a Special Liaison Officer (SLO) assigned at each other's agency.

It's not quite clear what the initial 3rd Party agreements are called, but we know that later on specific points are often laid down in a Memorandum of Understanding (MoU). An example is the Memorandum of Understanding between NSA and the Israeli signals intelligence unit, which was published by The Guardian on September 11, 2013.



SIGINT Seniors Europe

As the newly published fragment starts with an asterisk, it seems to be a footnote in a document about intelligence training, explaining which countries are "SSEUR members": the Five Eyes (United States, Great Britain, Canada, Australia and New Zealand) and nine other European countries: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden.

The abbreviation SSEUR is seen here for the first time, and luckily Swedish television also published another document which says that SSEUR stands for SIGINT Seniors Europe (SIGINT is an acronym for Signals Intelligence):



Fragment of an NSA document mentioning SIGINT Seniors Europe (SSEUR)
(Names whited out are replaced by black bars for better readability)


Apart from this, we have no further information about the SIGINT Seniors Europe. But there's an explanation, provided to this weblog by our French counterpart Zone d'Intérêt, which probably comes very close to what this group could be:

The term "SIGINT Senior" may designate the highest ranking SIGINT officer of a foreign (signals) intelligence agency, rather than a country as a whole. For example, in France, the Directeur Technique (DT) inside the foreign intelligence agency DGSE is called "le Senior SIGINT" exactly.

Intelligence agencies aren't organized the same way in each country. Some countries have intelligence agencies inside police forces, military intelligence in the field, defense agencies which collect both for military operations and counterterrorism, etc. Also the laws aren't the same in every country.

Therefore, it's obviously more convenient to have one single point of contact in each country, to discuss SIGINT-related issues, or even for actually passing signals intelligence, with maybe some pre-processing already done, instead of having to do this with different people from different agencies and units in each country.


This explanation fits the fact that the document mentions SSEUR together with the NATO Advisory Committee on Special Intelligence (NACSI), which is also a platform for discussing SIGINT-related issues.

From the nine European countries of SSEUR, only Sweden is not a member of NATO, but as mentioned earlier, Sweden is often cooperating with NATO countries. More interesting is that Belgium is part of this group too. Belgium is a small country and reportedly has hardly any SIGINT capabilities. That is to say: domestically, but maybe there's some more substantial SIGINT collection by Belgian troops participating in military operations abroad.

With SSEUR containing European 3rd Party partners, it's quite possible that there are also similar groups of partner agencies in other parts of the world.



The 14-Eyes

The SIGINT Seniors Europe comprise 14 countries, and when we look at their names, we see that they are identical to the nations of which The Guardian in November said they form a group called 14-Eyes.

As this latter group had also never been heard of before, we looked for some possible explanations in an article on this weblog last month. But at that time we didn't know exactly and for sure which countries were 3rd Party partners, so it was hard to get things clarified.

Now that we know that all nine European countries, including Sweden, Denmark and The Netherlands, have 3rd Party status, it's clear that our option "A" came closest: 14-Eyes stands for a number of 3rd Party countries who have something in common - likely having a 'SIGINT Senior' officer as single point of contact for NSA and the Five Eyes.

As explained in our earlier article, an 'Eyes' designation is most often used as a handling instruction for restricting dissemination of sensitive information among a certain group of countries. In this case, 14-Eyes apparently serves as dissemination marking for information authorized for release to the 14 members of the SIGINT Seniors Europe group.



Links and Sources
- SVT.se: Läs dokumenten om Sverige från Edward Snowden (2013)
- Heise.de: Paper 1: Echelon and its role in COMINT (2001)

The British classification marking STRAP


Most of the documents leaked by Edward Snowden are from the American signals intelligence agency NSA, but there are also quite a number from their British counterpart GCHQ. Documents from both countries are classified as TOP SECRET and often have additional markings to further restrict their dissemination.

Where on American documents we see markings like COMINT (Communications Intelligence) and NOFORN (No Foreign Nationals), the British have the mysterious term STRAP followed by a number.

Information about American classification and dissemination markings can rather easily be found on the internet (see also The US classification system on this weblog), but there are hardly any details about the British classification system.

But luckily, there's one source available which describes STRAP and other British classification practices in detail: the extensive Defence Manual of Security from 2001. Chapter 17 (page 1131-1135) of Volume 1 gives an overview of the STRAP Security Guidelines.



Compartmentalization

In the manual, STRAP is described as a set of nationally agreed principles and procedures to enhance the "need-to-know" protection of sensitive intelligence (and related operational information) produced by the British intelligence agencies, including military sources.

It adds additional procedures to the standard security measures employed for intelligence matters. STRAP is therefore comparable with the American system of protecting the most sensitive information by control systems with separate compartments, which are generally designated by codewords.

Although on some websites it's suggested that STRAP might stand for "STRategic Action Plan", the Defence Manual clearly states that STRAP is a codeword, not an acronym. The STRAP codeword itself is not classified.

Some intelligence information handled within the STRAP System requires more stringent protection than other information. To ensure this, there are three levels of STRAP protection. These levels are designated, in ascending order of sensitivity and, hence, access control: STRAP 1, STRAP 2 and STRAP 3.



Examples of STRAP documents

An example of a document from the least sensitive category, marked STRAP 1, is a slide from a PowerPoint presentation about the BULLRUN program aimed at breaking encryption methods used on the internet:




Information that is somewhat more sensitive is marked STRAP 2, like this presentation slide about operation SOCIALIST, which infiltrated the network of the Belgian telecommunications provider Belgacom:




From the category of most sensitive documents, marked STRAP 3, there are no actual examples available. Maybe Snowden had no access to this level, or if he had, Greenwald and the papers may have decided not to publish such documents because they are too sensitive.



STRAP protection measures

The STRAP system is designed to protect information against threats that are specific for sensitive intelligence. A principal threat is when a target becomes aware of an intelligence attack against him, so he can initiate countermeasures. Therefore, the STRAP system aims to minimise the risk of leakage of sensitive intelligence operations and products into the public domain - whether by accidental exposure or deliberate intent. This is done through the following measures:

- Restricting access to sensitive intelligence material on a strict "need-to-know" basis;
- Agreeing the appropriate facilities for its protection in transit ("STRAP Channels") use, storage and disposal;
- Providing explicit briefings and guidance for individuals who handle this type of material.

Information that requires protection under the STRAP system has to be clearly defined and labelled with the appropriate STRAP level marking. It has to be carried by authorized couriers during transit, and signed receipts have to be obtained at all stages of handover.

Within the British Ministry of Defence, the implementation of the approved STRAP security measures is overseen by individually appointed STRAP Security Officers (STRAPSOs). The overall responsibility for the review and formulation of STRAP policy and guidelines is with the STRAP Management Board.



NSA's organizational designations


After providing lists of NSA-related codenames, abbreviations and SIGADs, we now publish a list of the designations of the numerous divisions and units of the NSA organization itself, which has an estimated 40,000 employees.

This list only gives the alphanumeric designations and the official name of NSA branches. For a description of what the most important divisions do, click the links in the list or visit the websites mentioned under Links and Sources.



NATIONAL SECURITY AGENCY (NSA)


D: Office of the Director
D0: ?
D01: Director’s Operations Group
D05: Director’s Secretariat
D07: Office of Protocol
D08: Homeland Security Support Office
D1: Inspector General
D2: General Counsel
D5: Corporate Assessments Office
D6: Office of Equal Employment Opportunity
D7: Deputy Chief, Central Security Service (CSS)
D7P: CSS Office of Military Personnel
D8: Community ELINT Management Office
DA: Senior Acquisition Executive
DB: Corporate Strategy
DC: Director’s Chief of Staff

E: Directorate for Education and Training


F: Field units
F1: ?
F1C: ?
F1CA: Cryptologic Services Group USSTRATCOM
F1CD: Life Cycle Logistics
F1CD1: Technical Services Group
F1I: ?
F1I2: Joint Interagency Task Force South
F1T: ?
F1T1: Cryptologic Services Group USSOCOM
F1Z: Cryptologic Services Group CENTCOM
F1Z2: Deputy Chief, CSG CENTCOM
F2: NSA/CSS Europe
F20: ?
F204: Support to Military Operations for AFRICOM
F22: European Cryptologic Center (ECC)
F23: NCER Mons, Belgium
F3: ?
F4: ?
F411: Military Operations Branch
F5: ?
F6: Special Collection Service (SCS)
F666E: (SCS unit in the US embassy in Berlin?)
F7: ?
F74: Meade Operations Center (MOC)
F741: Deployments & Training Division
F77: ?
F77F: Menwith Hill
F79: ?
F79F: Misawa Security Operations Center (MSOC)
F91: ?
FC: NSA/CSS Colorado

FG: NSA/CSS Georgia
FGD: Director, Georgia
FGS: SID, Georgia
FGS3: Transnational issues group
FG32: ?
FG3223: Media Exploitation & Analysis
FH: NSA/CSS Hawaii
FHS: Signals Intelligence Department, Hawaii
FT: NSA/CSS Texas
FTS: Signals Intelligence Department, Texas
FTS2: Analysis and Production
FTS2F1: "Southern Arc"
FTS3: Data Acquisition
FTS32: Tailored Access Operations
FTS327: Requirements & targeting

I: Information Assurance Directorate (IAD)
I1: ?
I2: Trusted Engineering Solutions
I21: Architecture
I22: Engineering
I2N: National Nuclear Command Capabilities (NC2) Mission
I3: Information Assurance Operations
I31: Current Operations
I33: Remote & Deployed Operations
I3?: Mission Integration Office
I3?: Technical Security Evaluations
I3?: Red Cell
I3?: Blue Cell
I3?: Advanced Adversary Network Penetration Cell
I3?: Joint Communications Security Monitoring
I4: Fusion, Analysis, and Mitigations
IC: Cyber Integration Division
IE: Engagement Division


J: ?
J2: Cryptologic Intelligence Unit


K: National Security Operations Center (NSOC)


L: Installation and Logistics


M: Human Resources
M2: Office of Military Personnel
M3: Office of Civilian Personnel
M4: ?
M43: Information Policy Division
MJ: ?
MJ1: HR operations/global personnel SA


Q: Security and Counterintelligence
Q123: ?
Q5: Office of Security
Q509: Security Policy Staff
Q51: Physical Security Division
Q52: Field Security Division
Q55: NSA CCAO
Q56: Security Awareness
Q57: Polygraph
Q7: Counterintelligence


R: Research Directorate (RD)
R0: ?
R05: Center for Advanced Study of Languages
R1: Math Research
R2: Trusted Systems Research
R3: Lab for Physical Sciences (LPS)
R4: Lab for Telecom Sciences (LTS)
R5: ?
R6: Computer and Information Sciences
RX: Special Access Research


S: Signals Intelligence Directorate (SID)
S0: SID Staff
S01: Deputy for Integrated Planning
S012: ?
S02: Deputy for Communications and Support Operations
S1: Customer Relations
S11: Customer Gateway
S111: (Desk for coordinating RFIs and responses)
S12: Information Sharing and Services Branch
S12?: Partnership Dissemination Cell (PDC)
S124: Staff Services Division
S17: Strategic Intelligence Issues
S1E: Electromagnetic Space Program Management Office
S1P: Plans & Exercises Division
S1P2: EUCOM/NATO/SOUTHCOM/AFRICOM Branch
S2: Analysis and Production
S2A: South Asia Product Line
...
S2A4: Pakistan
S2A5: (South-Asia)
S2A51: S-A Language Analysis Branch
S2A52: S-A Reporting Branch
S2B: China and Korea Product Line
S2C: International Security Product Line
S2C32: European States Branch
...
S2C41: Mexico Leadership Team
S2C42: Brazilian Leadership Team
S2D: Counter-intelligence Product Line
S2E: Middle East/Asia Product Line
S2F: International Crime Product Line
S2F1: ("Southern Arc"?)
S2G: Combating Proliferation & Arms Control Product Line
S2H: Russia Product Line
S2I: Counter-Terrorism Product Line
S2I4: Homeland Mission Center (HMC)
S2I42: Hezbollah Team
S2I43: NOM Team
S2I5: Advanced Analysis Division (AAD)
S2I?: Metadata Analysis Center (MAC)
S2IX: Special CT Operations
S2J: Weapons and Space Product Line
S2T: Current Threats
S2T3: NSA/CSS Threat Operations Center (NTOC)?
S3: Data Acquisition
S31: Cryptologic Exploitation Services (CES)
S3132: Protocol Exploitation and Dissemination
S31091: Military Operations Branch
S31174: Office of Target Pursuit
S3161: Special Deployments Division
S32: Tailored Access Operations (TAO)
S321: Remote Operations Center (ROC)
S321?: Network Ops Center (NOC)
S321?: Oper. Readiness Division (ORD)
S321?: Interactive Ops Division (IOD)
S321?: Production Ops Division (POD)
S321?: Access Ops Division (AOD)
S322: Advanced Network Technology (ANT)
S3221: (persistence software)
S3222: (software implants)
S32221: ?
S32222: (routers, servers, etc.)
S3223: (hardware implants)
S3224: ?
S32241: ?
S32242: (GSM cell)
S32243: (radar retro-refl.)
S323: Data Network Technologies (DNT)
S324: Telecomm. Network Technologies (TNT)
S325: Mission Infrastructure Technologies (MIT)
S326: ?
S327: Requirements & Targeting (R&T)
S328: Access Technologies Operations (ATO)
S32?: Network Warfare Team (NWT)
S33: Global Access Operations (GAO)
S331: FORNSAT?
S332: Terrestrial SIGINT
S33223: Processing Systems Engineering and Integration Sector
S333: Overhead SIGINT
S333?: Overhead Collection Management Center (OCMC)
S33P: Portfolio Management Office (PMO)
S33P1: ?
S33P2: Technology Integration Division
S33P3: Tactical SIGINT Technology Office
S33?: CROSSHAIR Network Management Center (CNMC)
S34: Target Strategies and Mission Integration (TSMI)
S342: Collection Coordination and Strategies
S3421: ?
S3422: Geographical Regions
S3423: Technical Services
S343: Targeting and Mission Management
S344: Partnership and Enterprise Management
S35: Special Source Operations (SSO)
S351: ?
S352: ?
S3520: Office of Target Reconnaissance and Survey (OTRS)
S3521: Special Signal Collection unit (MUSKETEER)
S353: ?
S3532: PRINTAURA
S3533: ?
S35333: PRISM Collection Management
S35P: Portfolio Management Office
S35P2: Technical Integration Division
S35P3: Capabilities Integration Division
SE: SIGINT & Electronic Warfare
SV: Oversight and Compliance
SV4: Special FISA Oversight and Processing


T: Technology Directorate
T1: Mission Capabilities
T132: Scissors team
T1?: Strategic SATCOM Security Engineering Office
T2: Business Capabilities
T3: Enterprise IT Services
T3221: Transport Field Services
T332: Global Enterprise Command Center
T334: National Signals Processing Center
T335: Deployable Communications Operations
T5: High Performance Computing Center (CARILLON)
T6: Technical SIGINT and ground capabilities
TE: Enterprise Systems Engineering and Architecture
TS: Information Systems and Security
TT: Independent Test and Evaluation


V: NSA/CSS Threat Operations Center (NTOC)
V3: NTOC Operations
V34: Next Generation Wireless Exploitation Program


? Foreign Affairs Directorate (FA)


? Acquisitions and Procurement Directorate



Links and Sources
- TheWeek.com: The NSA's org chart
- MatthewAid.com: Updated NSA Order of Battle
- William M. Arkin Online: NSA Tailored Access Operations
- Independent.co.uk: Inside the NSA: Peeling back the curtain on America's intelligence agency


Slides about NSA's Upstream collection


In July and September of last year, the Brazilian television magazine Fantástico broadcast news reports about NSA operations, while showing in the background a series of slides from an unpublished NSA PowerPoint presentation.

The slides seem to be about NSA's corporate partners for the "collection of communications on fiber cables and infrastructure as data flows past" - which became known as "Upstream collection", a term mentioned in one of the PRISM-slides.

The corporate partnerships are one of three ways NSA is intercepting the world's main internet cables:
- Cooperation with telecommunication companies
- Cooperation with foreign intelligence agencies
- Unilateral cable tapping operations

On twitter, Glenn Greenwald once said that these slides would also be published and explained separately, but so far this hasn't happened - that's why it's done here.

-----O-----


The first series of slides was shown in the weekly television magazine Fantástico on September 8, 2013. These slides are posted here in the order in which they were seen in the report, which might be the order of the original NSA PowerPoint presentation.

The slides show the logos of the National Security Agency (top left) and its Special Source Operations (SSO) division (top right). They are marked TOP SECRET // COMINT // NOFORN, which means they are classified Top Secret, in the compartment for Special (Signals) Intelligence and that it's not allowed to distribute them to foreigners, not even to the Five Eyes partners.


Probably one of the first slides of the presentation shows a map of "optical fibre submarine networks", which was prepared by the telecommunications company Alcatel Lucent in 2007. Based upon dates in some of the slides, this NSA presentation seems to be from late 2011 or early 2012.



The Corporate Portfolio of collection programs in which SSO is cooperating with corporate partners is listed in the following slide. It is assumed that FAIRVIEW, BLARNEY and STORMBREW are for collection within the US and the programs under the OAKSTAR umbrella are intercept facilities elsewhere in the world. Two programs seem to be conducted by SSO in cooperation with TAO, which is NSA's computer hacking division:



Transit Authority applies when both ends of a communication are foreign, which is checked by filters at the front-end collection systems. When the TOPI (Target Office of Primary Interest, the unit which analyses the data) discovers that one end of the communication is accidentally in the US, the SSO Corp Team has to be informed, which reports to the Oversight and Compliance unit (NSA/SV):



The Transit Authority is illustrated in the next slide. With a close look one can see there's a star placed between Iran and Iraq, one in the US and one somewhere near French Guyana. There's an elliptical line connecting them, as an example of communications traffic from Iran to Guyana, which transits the United States:



Some "unique aspects" of the upstream collection are that it takes place under various legal authorizations:
- Executive Order 12333: for collection outside the US
- Transit: for collection within the US with both ends foreign
- FISA: for collection within the US with one end foreign
- FAA: for collection within the US with one end foreign
The actual intercept facilities are probably located at sites of telecommunication companies or collection is done with their assistance.
There are delays between the tasking, which is when an analyst orders particular information to be collected, and the actual collection of those data.



The following slides show details of a number of different programs involved in the Upstream collection. For each program there's the SIGAD, the Producer Designator Digraph (PDDG), the legal authority, what is collected, the key targets and in some cases a custom logo for the program. There are no slides with details about DARKTHUNDER, STEELFLAUTA, ORANGEBLOSSOM, BLUEZEPHYR and COBALTFALCON.


SILVERZEPHYR is for collecting internet content and metadata under FAA authority, and telephony content and metadata under Transit Authority, focussed on South, Central and Latin America. As the program operates under Transit Authority, the intercept facility is most likely located in the US. The corporate partner is codenamed STEELKNIGHT:



YACHTSHOP is for collecting worldwide internet metadata, which are stored in the MARINA database. Probably the program operates under EO 12333 authority and the corporate partner, codenamed BLUEANCHOR, is outside the US:



ORANGECRUSH was not active at the time of the presentation, but should collect internet and telephony content and metadata at an intercept facility outside the US in cooperation with a corporate partner codenamed PRIMECANE and a 3rd Party partner agency:



SHIFTINGSHADOW is for collecting telephony content and metadata from the telecommunications providers MTN Afghanistan, Roshan GSM and Afghan Wireless Communication Company (AWCC). This is done through an intercept facility which is probably in or near Afghanistan:



MONKEYROCKET is for collecting internet metadata and content focussed on counter-terrorism in the Middle East, Europe and Asia. The collection takes place at an intercept facility outside the US and is therefore authorized under EO 12333:



There are also a number of programs and partners for collection of both internet and telephony data under FAA authority. They are designated by a SIGAD in the format US-984X*. From another source we know that there are:
- Eight facilities under STORMBREW (US-984XA-H)
- Two facilities under FAIRVIEW (US-984XR and US-984X2)
- Nine companies cooperating in the PRISM program (US-984XN)
As this is under FAA authority, the intercept facilities and corporate partners are in the United States. Maybe some of these partners are the ones with the codenames WOLFPOINT, ARTIFICE, LITHIUM, SERENADE and STEELKNIGHT, which are mentioned in other documents.



The next slide shows a bar chart with green bars for sources where the SSO division uses arrangements with corporate partners, and blue bars for sources where there are no such arrangements needed, which means SSO can collect the data on its own. By far the most productive sources are those under FAA authority (US-984X*). Second comes information from what is called "transit only" traffic under the FAIRVIEW program (US-990). Two blue bars represent a facility of which a codename is known: US-3171 which is DANCINGOASIS, and US-3180, which is SPINNERET.



BLARNEY is for collecting telephony and internet data under FISA authority, which means a FISA Court order is needed. Main targets are foreign diplomats and governments, terrorists and economic targets. As collection is under FISA authority, the intercept facility is in the US. According to the Wall Street Journal, BLARNEY stands for cooperation with AT&T.



MADCAPOCELOT is for collecting internet content and metadata focussed on Russia and European counter-terrorism. Collected data are processed and analysed by XKEYSCORE with metadata being stored in MARINA and content in PINWALE. As the program is operating under EO 12333, the intercept facility must be outside the US. For reasons unknown, MADCAPOCELOT is closely related to the STORMBREW program.



For the STORMBREW program a map shows a line marked as OC-3, which runs across the United States. OC-3 is a network line with a transmission data rate of up to 155.52 Mbit/s using fiber optics. This is too low for being a regional, let alone a national backbone link, so the blue line does not represent an intercepted internet backbone. The cable connects eight locations marked with a green dot, one with a grey dot, one with a sun symbol and one marked as "Site C":



STORMBREW is for collecting internet data under FISA and FAA authority and telephony data according to a certain directory. With collection being authorized under FISA and FAA, the interception takes place in cooperation with a major US telecommunications provider with access to international cables, routers and switches. According to NSA historian Matthew Aid, STORMBREW stands for cooperation with Verizon.



For the FAIRVIEW program there's also a map, but this one shows a large number of different markers with no lines or cables between them. At the moment it isn't clear how to interpret this:


From a similar presentation we know that FAIRVIEW is for collecting internet and telephony data (the latter using Directory ONMR) and is a "key corporate partner with access to international cables, routers and switches" just like STORMBREW. Slides from this second presentation will be posted on this weblog separately.

Former NSA official Thomas Drake told DailyDot.com that FAIRVIEW is a highly classified program for tapping into the world’s intercontinental fiber-optic cables. It's an "umbrella program" with other programs underneath it. One of them is BLARNEY, which accesses internet data at key junctions and is facilitated by arrangements with commercial cable companies and internet service providers.

-----O-----


According to The Guardian, the real names of the corporate partners mentioned in several of these slides are so sensitive that they are classified as Exceptionally Controlled Information (ECI), which is "a higher classification level than the Snowden documents cover", thereby suggesting that he had no access to that kind of information - although a regional German paper was able to publish the real names of seven major submarine cable companies.

In the Upstream slides we see partners codenamed STEELKNIGHT, BLUEANCHOR and PRIMECANE. In other documents, WOLFPOINT, ARTIFICE, LITHIUM and SERENADE are also mentioned as covernames for corporate partners. Most likely all four are American companies.
-----O-----


Another series of slides was shown in a Fantástico report from July 9, 2013. Maybe they are from another presentation, but because they have the same layout and are also about "upstream collection" it's also possible they belong to the series posted above.


This series contains a number of maps, which, according to Brazilian media, show the amount of exchanged messages and phone calls (although actually DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran on March 4-5, 2012.

In the first slide we see internet traffic to Pakistan, which is eligible for collection under Transit authority:



The slide below has a map showing the internet traffic to Pakistan, which is eligible for collection under FAA authority:



The next slide shows a list of "Top 20 Pakistani domains (.pk)" which were tracked between February 15, 2012 and March 11, 2012:



A map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment", which means internet traffic which is eligible for collection under FAA authority:



Next is a list of "Top 20 North Korean domains (.kp)" which were tracked between February 15, 2012 and March 11, 2012. Note that only two websites generate notable traffic, all others have less than 1 Kbps:



A map showing internet traffic to Iran, which is eligible for collection under FAA authority:



A map showing internet traffic to Russia, which is eligible for collection under Transit authority:



The following slide says the collection programs in which Special Source Operations (SSO) cooperates with corporate partners contributed to 1230 reports of NSA's Counter Foreign Intelligence Product Line (S2D). As this represented circa 29%, this product line produced a total of some 4240 reports in 2011:



The next slide shows a table with the headers and/or some of the top rows apparently blacked out, so we can only see a list of some programs and a range of numbers without knowing what they stand for. The SIGADs at the left designate the following programs:
- US-983: STORMBREW
- US-984*: BLARNEY under FISA authority
- US-984X*: Programs under FAA authority
- US-990: FAIRVIEW
- US-3140: MADCAPOCELOT
- US-3273: SILVERZEPHYR
- US-3354: COBALTFALCON
Although we don't know what the numbers stand for, it's clear that the programs under FAA authority (which also include PRISM) are by far the most productive ones:



Probably one of the final slides provides contact information: first the names/e-mail aliases of the collection managers for the FAIRVIEW, STORMBREW, BLARNEY, OAKSTAR, and MADCAPOCELOT programs. Brazilian television showed this slide uncensored with the names visible, but here we blacked them out. Under "Mission Management" is an e-mail address (in the strange format NSA uses for internal messages) for contacting the SSO corporate program mission management, and finally there are keywords for finding more information on NSA's intranet and the NOFORN-Wiki:





Links and Sources
- EmptyWheel.net: Federated Queries and EO 12333 FISC Workaround
- DailyDot.com: Forget PRISM: FAIRVIEW is the NSA's project to "own the Internet"
- The Guardian: Snowden document reveals key role of companies in NSA data collection

(credits for providing the video footage go to @koenrh)

Did CSEC really track Canadian airport travellers?

(Updated: February 9, 2014)

On January 30, the Canadian television channel CBC broke a story written by Greg Weston, Glenn Greenwald and Ryan Gallagher, saying that the Communications Security Establishment Canada (CSEC), which is Canada's equivalent of NSA, used airport WiFi to track Canadian travellers - something which was claimed to be almost certainly illegal. This story was apparently based upon an internal CSEC presentation (pdf) from May 2012 which is titled "IP Profiling Analytics & Mission Impacts":



The CSEC presentation about "IP Profiling Analytics & Mission Impacts"
(click for the full presentation in PDF)


However, as is often the case with many of the stories based on the Snowden-documents, it seems that the original CSEC presentation was incorrectly interpreted and presented by Canadian television.

The presentation was analysed by a reader of this weblog, who wants to stay anonymous, but kindly allowed me to publish his interpretation, which follows here. Only some minor editorial changes were made.

-----
The CSEC project was not surveillance of Canadian citizens per se but just a small research project closely allied with the previous Co-Traveller Analytics document. The report was written by a 'tradecraft developer' at the Network Analysis Centre. The method was not 'in production' at the time of the report though the developer concludes it is capable of scaling to production (real surveillance).

The Five Eyes countries are trying out various analytics that work on cloud-scale databases with trillions of files. Some analytics work well, others don't or are redundant and are discarded. This one worked well at scale on their Hadoop/MapReduce database setup, giving a 2 second response. However, we don't know whether this or any other cloud analytics ever came into actual use.

In this case, CSEC was just running a pilot experiment here - they needed a real-world data set to play with. This document does not demonstrate any CSEC interest in the actual identities of Canadians going through this airport, nor in tracking particular individuals in the larger test town of 300,000 people. While they could probably de-anonymize user IDs captured from airport WiFi (the Five Eyes agencies ingest all airline and hotel reservations with personal ID tagging etc. into other databases) that was not within the scope of this experiment.

Technically however, CSEC does not have a legal mandate to do even faux-surveillance of Canadian citizens in Canada. So they could be in some trouble - it could morph into real surveillance at any time - because the document shows Canadian laws don't hold them back. They should have used UK airport data from GCHQ instead. But there they lacked the 'Canadian Special Source' access to Canadian telecommunication providers.

The pilot study monitored Canadian airports and hotels but the goal was foreign: slide 19 says "Targets/Enemies still target air travel and hotels airlines: shoe/underwear/printer bombs ... hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai". However, this seems far-fetched: the printer bombs were UPS cargo, not passenger-carried. Would someone shipping cargo even go near the airport, much less check their gMail there? More convenient just to stop by the UPS office in town.




The role of the five companies mentioned in the presentation is not always clear:

The first company mentioned, Quova, does bulk IP geo-location lookup. CSEC passes that outcome on to their own ATLAS tool as we saw in the slides about the OLYMPIA program. Given an IP, Quova seems to return only five fields: latitude, longitude, city, country, network operator. The Quova latitude/longitude data shown is not very precise: only degrees and minutes. For comparison, iPhone 4S photo exif metadata provides seconds of GPS lat/long out to six decimal points even with poor tower coverage.

Bell Canada and its ISP portal division Sympatico are mentioned in regards to the unnecessarily redacted IP (a minor settlement west of Hudson Bay, probably just the Baker Lake mine in Nunavut).

Boingo is a post-start-up in the US which is the main WiFi provider to airports and hotels worldwide. Boingo is in some trouble financially, so NSA might have an entry point there, yet the CSEC document makes it sound like they are not especially cooperative.

Akamai is a very large US company that spreads corporate web site servers around the globe for faster response and DDoS resistance. So when you point your browser at ford.com the packet doesn't go to or come back from Detroit, but rather Akamai intercepts the URL and sends you packets from a local mirror (i.e. Amsterdam) without disclosing that in the URL. CSEC seems to have found that frustrating and of little value.


It goes without saying that Bell Canada is the top suspect if a telecom ISP is providing backbone intercepts. Rogers Communications is the only (implausible) alternative. However all the document says is: "Data had limited aperture – Canadian Special Source ... major CDN ISPs team with US email majors, losing travel coverage" ... "Have two weeks worth of ID-IP data from Canadian Special Source"

At NSA, a Special Source Operation (SSO) refers to a corporate partner, so this is very likely the CSEC counterpart, by context a major Canadian ISP. Here 'aperture' means the corporate partner could only do so much - as soon as the Canadian ISP hands off to Google or Yahoo, CSEC cannot follow the trail any longer. So it is not a big US firm.

I found it odd that the name of the corporate partner was redacted in slide 8. The explanation: news media don't like to mention corporate names in a bad light. Not fear of lawsuits (it's not defamation, slander or libel to merely post a government document) but probably fear of advertising revenue loss.




How is CSEC getting their data? I think we can rule out direct radio frequency signal interception here - they have the capability to do this, but it does not scale, not even to a large airport. So it's most likely done through a corporate partner but which one, where along the internet does the intercept occur, and what data fields are recorded?

Let's think about scenarios for data travelling: Boingo receives the initial URL request, passes it off to their ISP Sympatico, who pass it along to the Bell Canada network, where it is routed to Akamai or the usual internet, until it is received by the requested website and all its associated ad and image servers, and the usual TCP/IP response occurs, loading the requested web page along with all the auxiliary cookies, beacons, trackers, and widgets.

From "two weeks worth of ID-IP data" it sounds like they are not collecting establishment-of-connection events to the airport WiFi but only collecting when someone actually visits a web site. That's in contrast to cell phone metadata which also includes attempted and unanswered call events.




But what exactly does the presenter mean by ID-IP? Some people suggest it might be MAC address and IP address in combination. Or user agent device string (device, OS, browser version etc). Others say advertising cookies and cookie chaining or CSEC might be hacking WiFi to install FinFisher spyware for persistent access. NSA likely owns or partners with several advertising companies and/or buy tracking data wholesale from corporate data aggregators.

I think the analyst muddles terminology here in calling this contact-chaining across air gaps, trying to be trendy. The first has meant going out from an initial individual selector to circles of secondary and tertiary selectors thus finding different individuals or IPs linked to the first selector, as seen both in NSA use and in OLYMPIA DNI and DNR chaining. Here, nobody contacts anybody else; the person is fixed, CSEC is just assigning a few travel points to each individual.

The term 'air gap' originally meant an offline computer that could not be exfiltrated; here it just means intermittent online presence at a free WiFi spot, not even sequential because the traveller may not have always used free WiFi spots. Most US travellers would connect via a cell phone accessory to their laptop, i.e. use their cell data provider the minute they got free of the airport. They would be far easier to track by passive cell phone tower than by sporadic WiFi internet usage.


The SIGINT collection downside: now everyone is alerted about geo-tracking of movements from global free WiFi site use. So collection now provides a gigantic haystack with no needles. Although these guys with the 4th grade madrassa educations, maybe they remain clueless about snooping techniques.

-----

Security expert Bruce Schneier also concluded that the CSEC presentation is not about tracking Canadian travellers, but actually shows "a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using that data to identify individual users".


UPDATE:
On his weblog, one of the journalists working on the story of the Canadian broadcaster CBC has now responded to the critical remarks expressed here.


Links and Sources
- Schneier.com: CSEC Surveillance Analysis of IP and User Data
- ArsTechnica.com: New Snowden docs show Canadian spies tracked thousands of travelers
- Lux ex Umbra: More on the wi-fi spy guys
- TorontoSun.com: 'Too early' to tell if spy agency broke any laws, privacy commissioner says
- CBC.ca: CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents

New interpretations of NSA monitoring the German chancellor



One of the biggest scandals that arose from the Snowden-leaks, was the revelation in October 2013, that NSA was monitoring a mobile phone used by the current German chancellor Angela Merkel (although not her secure government cell phone, but the unsecured one provided by her political party).

But on February 4th, the German newspaper Süddeutsche Zeitung and the regional television channel NDR came with a somewhat different interpretation of this story.

Both media presented the document which proves the monitoring to NSA insiders, who explained that it shows that since 2002 NSA was targeting the German chancellor, and not specifically Angela Merkel, who became chancellor only at the end of 2005.

In 2002, this office was held by her predecessor Gerhard Schröder, who was chancellor from October 1998 to November 2005, leading an unprecedented coalition with the Green Party for two terms.

Citing a number of US government sources and NSA insiders, both media say that Schröder's opposition to the American invasion of Iraq - and fears of a split within NATO as a result - was the primary reason to start monitoring his communications (in those days, NSA and GCHQ also eavesdropped on UN Secretary-General Kofi Annan and members of the Security Council).


The NSA document mentioning the surveillance of the German chancellor was published in the print editions of several German newspapers:


NSA record mentioning the phone number of the German chancellor
(Source: FAZ newspaper website)


Apparently this document comes from an NSA database in which the agency records its targets. This could be a tasking database codenamed OCTAVE, which is used for starting telephony interceptions. An explanation of the various entries can be found in my earlier article How NSA targeted chancellor Merkel's mobile phone.

There, I already noticed that it's somewhat strange to see Merkel mentioned as 'GE CHANCELLOR', as she was still the opposition leader when the surveillance started in 2002. Therefore, either this particular entry or the whole record must have been updated somewhere after she became chancellor in November 2005.


That action has now been confirmed by Süddeutsche Zeitung and NDR, saying that NSA started monitoring the 'German chancellor' in 2002 - which by then was Gerhard Schröder. When he was succeeded by Angela Merkel in 2005, and she became the incumbent of the chancellor's office, her name was entered in the subscriber line of the targeting record.

The initial story by Der Spiegel from October 23, 2013, apparently ignored this discrepancy and concluded that "the NSA would have targeted Merkel's cellphone for more than a decade, first when she was just party chair, as well as later when she'd become chancellor".

In the new interpretation, NSA was not specifically looking for Angela Merkel, as the Spiegel story suggests, but rather trying to monitor the person holding the office of German chancellor.


A third interpretation was brought forward by 'hacktivist' Jacob Appelbaum, who contributes to the Snowden-stories in Der Spiegel, saying that the NSRL (National SIGINT Requirements List) code 2002-388 stands for "a set of people - under which Merkel has been monitored".

This could explain the asterisk in 2002-388* - as a placeholder for a fourth digit after 388, designating multiple sub-targets under that number. If that's the case, then probably also other high-ranking German cabinet members and government officials could have been monitored by NSA, maybe even including Angela Merkel when she was still opposition leader.


Another question is about the origin of the NSA tasking-record which appeared in German newspapers. It clearly looks like scanned or photographed from a piece of paper (showing dust or ink spots, wavy lines) and the text is in the rather unusual Ayuthaya font, which normally comes with Macintosh OS X, primarily to display Thai script. The phone number also seems to be blacked out by a marker, rather than digitally.

Could it be that Snowden printed this database record in order to smuggle it out of his NSA office and then digitized it by taking a picture of it? Another question is whether there are more such (hard copy) tasking records among the Snowden-documents, or how else could Appelbaum know that there were multiple people targeted under that particular NSRL number?



German chancellor Gerhard Schröder
using a mobile cell phone


Although there are pictures of chancellor Schröder using a mobile phone, it was said in German media that he actually hadn't one for himself, but used a cell phone from people in his entourage whenever that was necessary.

Other sources say that Schröder's communications appeared to have been hacked or intercepted in the late 1990s, after which he ordered a secure (mobile) phone system to be developed.

One of the very first highly secure mobile phones, called TopSec GSM, was made by Siemens (later Rohde & Schwarz) and became available in 2001. Another solution, the Enigma encryption system for GSM phones, was apparently developed by Deutsche Telekom and sold since 2002 by the Beaucom Group.

It's not clear whether Gerhard Schröder actually used one of these phones, but it's an interesting coincidence that they became available around the same time NSA started its monitoring of the German chancellor.



Links and Sources
- Deutsche Welle: Reports: NSA first targeted German Chancellor Schröder, then Merkel
- SuedDeutsche.de: NSA hatte auch Gerhard Schröder im Visier
- Spiegel.de: How NSA Spied on Merkel's Cell Phone

BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

(Updated: February 12, 2014)

Today, the Dutch newspaper NRC Handelsblad finally published the complete BOUNDLESSINFORMANT screenshot that shows data related to the Netherlands.

This came after a surprising revelation by the Dutch government that the 1,8 million metadata shown in that screenshot were not from Dutch citizens and intercepted by NSA, but actually from a legitimate collection against foreign targets by the Dutch military intelligence agency MIVD which was passed on to the Americans.

Here, I will analyse the chart and compare it with similar charts about various other countries that were published earlier. More about the background, which caused some severe political problems for the Dutch interior minister, can be read here!



The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)


The first thing that catches the eye is that the screenshot is shown here on paper, together with another sheet with an orange bar bearing a classification marking and a cardboard folder. The sheets look as if they became wet and also show some white paint brush-like stains (all previous screenshots were published as digital files).

Probably these effects were photoshopped by the paper to make it look extra special. For example, the classification marking on the second sheet seems fake, as it reads: TOPSECRET//S//NOFORN, where in reality Top Secret are two separate words and the compartment for this kind of information is not S, but SI for Special Intelligence.

That said, we now take a look at the information in the screenshot itself. In the upper part there's the bar chart which was already published back in August 2013 by Der Spiegel. The green bars show that only DNR (Dialed Number Recognition, which is telephony) metadata were collected. In the lower part, which was published for the first time today, there are three sections with some details about this collection:



Signal Profile

This section has a pie chart which can show various types of communication. In this case, all metadata were collected from PSTN, which stands for Public Switched Telephone Network. This is the traditional telephone infrastructure, consisting of telephone lines, (undersea) fiber optic cables, microwave transmission links, cellular networks, and communications satellites, all interconnected by switching centers.

In this case, MIVD collected the metadata from PSTN traffic using their satellite station near Burum, which is operated by the signals intelligence unit NSO. This station is conveniently situated next to a big commercial ground station operated by Stratos Global, which provides access to Inmarsat, and Castor, providing access to Intelsat, Eutelsat, Gazprom, RSCC, SES (Astra), Telesat, and Arabsat satellites.

Whereas nowadays almost all intercontinental communications pass undersea fiber optic cables, some less-developed countries like Afghanistan, Sudan, Somalia, Cuba and North-Korea, and remote regions in Russia, China and Africa apparently still use Intelsat satellite links for their international telecommunications. A number of these countries are also linked to Intersputnik satellites.

An example given by the NRC newspaper is that of calls made by Somali people from call shops in a Dutch city like Rotterdam to the Somali capital Mogadishu. If these calls travel through satellite links, the MIVD is able to collect their metadata. The agency only gathers communications that are related to terrorism and those that are necessary to support international military operations.



The Burum teleport, with the NSO intercept station (left) and the
ground station operated by Stratos Global and Castor (right)
(photo: Castor - click to enlarge)


According to a reply from the Dutch government, the 1,8 million metadata were collected by the MIVD from phonecalls, including some sms and fax messages, that "originated and/or terminated" in foreign countries. After all communication data with a Dutch phone number were filtered out, the remaining data were "shared with partner agencies".

This means that these data weren't just shared with NSA on a bilateral basis, but also in multinational military intelligence sharing groups like the 9-Eyes and the 14-Eyes, which is actually called SIGINT Seniors Europe. Both groups consist of the Five Eyes plus a number of 3rd Party nations.


Most Volume

In the screenshot we can see that the metadata records were collected through a facility designated by the SIGAD US-985Y.

According to NRC, Dutch government sources say that this SIGAD does not designate a single facility, but rather "metadata collected by MIVD that are shared with NSA".

This means that these data could be derived from multiple collection platforms and not just from the satellite intercept station near Burum, although the Dutch government said that in this case the 1,8 million metadata were collected through satellite interception. Besides Burum, the Dutch SIGINT unit NSO also has a high-frequency radio intercept station near Eibergen and some mobile signals intelligence units which can be deployed during foreign operations.

US-985Y is from the same range as US-985D, which is the SIGAD in the screenshot about the collection of metadata related to France, and also near the range of US-987 SIGADs which are used for collection by Spanish, Norwegian, German and Italian agencies. Interestingly, it was Der Spiegel that already noticed in August 2013 that SIGADs like the US-987 series were among those assigned by NSA to the SIGINT activities of 3rd Party partner agencies.

If the Dutch interpretation is correct, we have to assume that also the SIGADs for other countries do not designate a particular physical interception facility, but rather a foreign agency as the single source of shared data, with divisions not according to collection facilities, but according to data types like metadata, content, phone and internet. This makes some sense, as it's not up to NSA to assign designations to individual foreign collection platforms.



The headquarters of the Dutch military intelligence agency MIVD,
which is located in the Frederikkazerne in The Hague
(photo: GPD)


Top 5 Techs

This section of the screenshot mentions the technical systems or programs used to collect or process the data. Here, only a single system was used, called CERF CALL.

Sources contacted by NRC say this stands for "Contact Event Record Call", which refers in a more technical way to (telephony) metadata. "Contact" and "event" are terms which are also seen in other NSA documents related to metadata, so that seems to make sense.

It was strange that there was no word for the letter F, but some research revealed that the F most likely stands for Format. In several job vacancies CERF can be seen listed among a number of other NSA data formats like CSDF and ASDF. We can assume now that CERF = Contact Event Record Format.

The same tech was also in the BOUNDLESSINFORMANT screenshot about Germany, where CERF CALL MOSES1 was the fourth biggest one. Maybe CERF is used for collected metadata in general and CALL specifies that for telephony metadata (although in NSA-speak, telephony is always designated as DNR). An additional codeword like MOSES1 could then be used to further specify these data sets.

Seeing CERF in the Dutch chart came somewhat as a surprise, because in almost all screenshots that followed the German one (France, Spain, Italy, Norway and a chart about Afghanistan) we saw DRTBOX, which is a technique used for handling metadata derived from mobile communication systems (PCS).

DRTBOX refers to surveillance devices made by DRT, which are used to locally intercept radio and cell phone communications, and are widely used in war zones like Afghanistan. This also provides a very strong indication that the metadata for those other countries were collected during or in support of military operations abroad.



The satellite intercept station of MIVD near Burum
(photo: ANP)


We should also be aware of the possibility that the BOUNDLESSINFORMANT screenshot doesn't show everything that the Dutch agency MIVD shares with NSA, as in this one there are only telephony metadata. This is the lesson that was learned from the screenshot about Afghanistan, which was published by Glenn Greenwald in a Norwegian paper last November.

That chart also shows just telephony metadata from one single source, but communications from Afghanistan are of course intercepted by numerous collection facilities. This means that such a document bearing the name of a particular country doesn't necessarily contain everything that is collected from or by that nation.

This problem arises from the fact that these screenshots are published without their original context, so we don't know which selections in the BOUNDLESSINFORMANT interface were made prior to resulting in the output we see in these charts. Unfortunately, Glenn Greenwald isn't able or willing to answer these kinds of questions.

(This article was updated with more details about the Burum satellite station and an explanation for the CERF abbreviation)


> More about the background: Dutch government tried to hide the truth about metadata collection


Links and Sources
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie


Dutch government tried to hide the truth about metadata collection

(Updated: February 19, 2014)

On February 4, the Dutch government admitted that the 1.8 million metadata records from phone calls, which were thought to be those of Dutch citizens, had not been collected by NSA, but by their own military intelligence service MIVD. That service gathered the data from foreign communications and subsequently shared them with partner agencies like NSA.

Just like everyone else, the Dutch interior minister was misled by Glenn Greenwald's erroneous interpretation of the data shown in screenshots from the NSA tool BOUNDLESSINFORMANT. This led him to misinform the Dutch public and parliament too, and only after being faced with a lawsuit did he finally disclose the truth. Here's the full story.


How it started

The first charts from the BOUNDLESSINFORMANT tool were published by the German magazine Der Spiegel on August 5, 2013. Next to a bigger chart about Germany was a smaller one about the Netherlands, but this was completely overlooked by Dutch media.

Only after the French paper Le Monde ran a big story about alleged NSA eavesdropping on French citizens on October 21, 2013, did the Dutch IT website Tweakers.net publish, on October 22, about the screenshot that had been in Der Spiegel several months before:



The report by Tweakers.net was correct in explaining that the chart only shows metadata, but the headline initially read "NSA intercepted 1.8 million phone calls in the Netherlands". It was the first time a news medium correctly presented the BOUNDLESSINFORMANT chart as showing metadata instead of content.

But as the initial headline had immediately been copied by other media, many people, including politicians, got the idea that NSA was actually eavesdropping on a vast number of Dutch phone calls. After discussing this on Twitter, Tweakers corrected the title by adding "metadata" and "per month".

> See also: BOUNDLESSINFORMANT only shows metadata



A talkative minister

On the night of October 22, the Dutch interior minister Ronald Plasterk was asked about these revelations in the late night talk show Pauw & Witteman. He gave a clear explanation of what metadata are used for, and guessed that with around 60,000 phone calls per day between the Netherlands and the United States, this would make 1.8 million calls per month - apparently assuming that the number of metadata records equals the number of phone calls.

He said that he wasn't yet certain whether it was actually NSA that collected those metadata from Dutch phonecalls, but that a European group of experts was established to clarify this with the Americans. The minister said that it would not be acceptable if NSA was monitoring Dutch citizens without asking permission from the Dutch government before doing so.

According to a statement by the interior minister during the parliamentary debate on February 11, 2014, it was only at that point that AIVD and MIVD started communicating with NSA about the exact origins of these particular data. It would take 4 weeks to get this clear - rather quick, according to the minister.
(286th minute of the debate recording)


Before this bilateral investigation was initiated, it seems that the Dutch government was relying on the work of a multinational group of experts on behalf of 27 European countries. This group seems to be different from the Civil Liberties Committee of the European Parliament, which started an inquiry in September 2013.



Dutch interior minister Ronald Plasterk in the talk show Pauw & Witteman
(October 22, 2013 - in Dutch)


Almost one week later, on October 28, the Spanish paper El Mundo also published a screenshot from BOUNDLESSINFORMANT. The article, written by Glenn Greenwald and a Spanish journalist, once again said the chart proved that NSA had spied on 60 million phone calls from Spain in one month.

This was the standard interpretation that Greenwald gave to BOUNDLESSINFORMANT charts for Germany, France, Spain, Norway, Afghanistan and Italy. He used them to demonstrate the claim made by Edward Snowden, that NSA is eavesdropping on innocent people everywhere in the world.

By framing the public debate in this way, most people, including politicians, assumed these claims were true, and therefore it was for example the Dutch interior minister, responsible for the civilian intelligence and security service AIVD, who was asked for explanation. Only people familiar with Dutch intelligence knew that SIGINT collection is actually done by the NSO, which is part of the military intelligence agency MIVD.



NSA strikes back

On October 29, NSA director Keith Alexander testified before a hearing of the House intelligence committee. He forcefully denied that NSA was collecting millions of phone calls from European countries by saying "Those screenshots that show or at least lead people to believe that we, NSA, or the US, collected that information is false".

Instead, data shown in charts from the Snowden document were collected not just by the NSA itself, but were also "provided to NSA by foreign partners," Alexander said. "This is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations". The next day, this statement was also sent to European partner agencies, including AIVD.

The same day, the Wall Street Journal reported that according to US officials, the metadata records for France and Spain were not collected by the NSA, but by French and Spanish intelligence services. The metadata were gathered outside their borders, like in war zones, and then shared with NSA.





Then, interior minister Plasterk was invited to appear in the Dutch television news magazine Nieuwsuur on October 30. According to a reconstruction by the newspaper NRC Handelsblad, he was advised by Defense minister Hennis-Plasschaert not to go, because her department, responsible for Dutch SIGINT collection through the MIVD, was irritated by Plasterk's willingness to talk about this issue.

Before going to Nieuwsuur, Plasterk had a meeting with Marc Kuipers, the deputy director of his own AIVD, and asked him about the metadata. He was told that there was no hard evidence that the statement of NSA was correct, and Kuipers reportedly denied that the 1.8 million metadata records had been collected by Dutch agencies. As their research had started just a week before, AIVD apparently wasn't sure yet about the exact origins of these data.

During the Nieuwsuur broadcast, minister Plasterk showed the letter (pdf) with the statement from general Alexander, but completely misinterpreted it as a confirmation that the 1.8 million metadata records had actually been collected by NSA - something that was not acceptable to him. He also strongly denied that the 1.8 million had been collected by Dutch agencies and subsequently shared with NSA.



Dutch interior minister Ronald Plasterk in the television
magazine Nieuwsuur, October 30, 2013


A few weeks later, NRC Handelsblad announced that they would soon start disclosing Snowden documents related to the Netherlands. NSA watchers expected that one of the first disclosures would be the complete BOUNDLESSINFORMANT screenshot, including the bottom part showing the technical specifications. But that didn't happen. NRC published two articles, on November 23 and November 30, but both contained more background information than spectacular new revelations about the Netherlands.

Most surprising was that the BOUNDLESSINFORMANT screenshot wasn't published. Maybe it had something to do with the fact that this weblog explained on November 23, that Greenwald's interpretation of these charts was not correct, which became clear after comparing two screenshots published by Greenwald in a Norwegian paper in the days before.

A few days later, on November 27, I published my research revealing that the DRTBox technique used to collect the metadata shown in the charts about France, Spain, Italy, Norway and Afghanistan is mainly used for short-range radio and cell phone interception during military operations.



Not NSA, but MIVD

These analyses not only support the official statement by NSA, but also confirm what the intelligence agencies from Germany and Norway had said earlier: that the metadata shown in the charts were collected by them as part of military operations abroad, and not by NSA.

After an investigation of exactly 4 weeks, experts from AIVD and MIVD, who compared actual data collected by the SIGINT unit NSO with data in the systems of their counterparts from NSA, concluded that there was a "perfect match". This was shared with defense minister Hennis and interior minister Plasterk on November 22. Prime minister Mark Rutte was informed during a regular meeting on December 10.

After it became clear that the metadata were not collected by NSA, but by the Dutch agency MIVD, the whole issue automatically became something that was not in the interest of the state to disclose (although not a formal state secret). The interior and the defense minister argued about whether to inform parliament and the public, like in Germany and Norway, but ultimately decided not to do so, following the standard practice to Never Say Anything about the modus operandi of the intelligence and security services.

This is a rather strange argumentation, as "collecting and sharing (meta)data" doesn't reveal any specific methods or operations. Both practices are regularly mentioned in the public reports of MIVD and the oversight committee CTIVD. But as almost no one reads these, the parliament and the people still thought it was NSA that monitored their phone calls.

Presently, it's still not clear whether or not the government informed the parliamentary intelligence oversight committee (CIVD or Commissie Stiekem), because ministers and members aren't even allowed to mention which topics were discussed during the committee meetings.

UPDATE:
According to NRC Handelsblad, defense minister Hennis informed the parliamentary oversight committee on December 12, by saying that the telephony data were collected by Dutch services and shared with NSA. Because she didn't link this to minister Plasterk's statement from October 30, apparently none of the members of the committee was aware of the political impact...



The headquarters of the AIVD in Zoetermeer
(photo: ANP)


Citizens against the State

But then there was a lawsuit on behalf of a coalition of citizens and organizations against the Dutch state, as represented by the interior minister. It aims at stopping Dutch intelligence agencies acquiring data from NSA that might be obtained illegally if Dutch and European law would apply. Furthermore, the coalition demands that the state informs the citizens whose illegally obtained data have been used.

Faced with the possibility of a court ruling that acquiring foreign intelligence might be illegal, which would de facto end the intelligence sharing relationships with foreign countries, the Dutch government was forced to reply. So on February 4, 2014, the state advocate filed a response (pdf), which contains two interesting points:
- The demands are mainly based upon press reports speaking of intercepted phone calls, which is incorrect, because in fact it's not about content, but about metadata. These are collected by the state, lawfully acquired in the context of international cooperation and subsequently passed on to other countries. (par. 6.2)

- Dutch intelligence services are using data derived from undirected interception of cable-bound communications by foreign agencies. This method is (still) prohibited in the Netherlands, but legal in the US, and therefore the state sees this as lawful acquisition. (par. 2.17 - revealing that this is apparently one of the things that the Dutch get in return for the metadata they share)


Misleading the parliament

Now that the state advocate had disclosed the true nature of the 1.8 million, the interior and the defense minister also had to inform the parliament and the public. This was done by a short official statement saying:
"The graph in question points out circa 1.8 million records of metadata that have been collected by the National Sigint Organization (NSO) in the context of counter-terrorism and military operations abroad. It is therefore expressly data collected in the context of statutory duties. The data are legitimately shared with the United States in the light of international cooperation on the issues mentioned above."

This was exactly the opposite of what interior minister Plasterk had said during the Nieuwsuur broadcast on October 30 and subsequently to parliament. He was accused of lying, or at least of withholding crucial information, and now had to fear for his position.

On Saturday, February 8, the newspaper NRC Handelsblad published out of the blue the long-awaited complete BOUNDLESSINFORMANT screenshot regarding the Netherlands, including the bottom part, which was now seen for the first time since the initial publication by Der Spiegel in August 2013:



The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad)


> See for all details about this screenshot: BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA


On February 11, there was a parliamentary debate about the whole issue. Interior minister Plasterk sincerely apologized for his misleading statements on October 30, saying that he just wanted to make sure to the public that it was not his own AIVD that eavesdropped on Dutch citizens.

This statement was hardly convincing, and many members of parliament were not satisfied with the fact that he didn't correct his statement after he had been informed about the truth on November 22. Both the interior and the defense minister continuously replied that it was not in the interest of the state to provide any more information.

Given this overstretched secrecy, it almost seemed a slip of the tongue when minister Plasterk explained that because "under different programs, different types of metadata are shared" it was not so easy to attribute the 1.8 million to collection by MIVD.

After a debate of almost 8 hours, most opposition parties voted against the interior minister, but that wasn't enough to force a resignation. However, the whole affair weakened his position, and he can't afford any new mistakes.



Conclusion

With claims made by Edward Snowden that NSA is monitoring innocent civilians all over the world being spread by media for months, it's understandable that the BOUNDLESSINFORMANT charts were seen as evidence for American spying on European countries. Glenn Greenwald presented them in that way to major European newspapers and supported his interpretation by a FAQ document saying that this tool shows "How many records (and what type) are collected against a particular country".

But now that it has become clear this interpretation was false, it also reveals that Greenwald apparently relied solely on these few documents, and was unaware of what the charts really show. I think we have to assume that Snowden also had no idea about their factual context, let alone any experience with the program - if he had, it would be even worse.

The whole story about BOUNDLESSINFORMANT not only backfired upon Snowden and Greenwald, but also upon several European governments, for example the Spanish and the French ones, which fiercely protested against the alleged US spying on their countries, and of course the Dutch one, where interior minister Plasterk was almost forced to resign because of the misinterpretation of the BOUNDLESSINFORMANT chart.



Links and Sources
- Jan Dirk Snel: De Tweede Kamer heeft zelf boter op het hoofd – Over de zogenaamde affaire-Plasterk
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie

NSA director Alexander's phones



After a range of articles about how NSA intercepts foreign communications, we now take a look at the equipment that NSA uses to secure its own telecommunications, more specifically those of its director.

We can do this because last December, the CBS program 60 Minutes offered some unprecedented insights into the NSA headquarters. Very limited, of course, but still interesting for those with a sharp eye. Perhaps the most revealing was that for the first time ever it was shown what the office of the director of NSA looks like:



The office of NSA director Alexander, December 2013


The office of the director is at a corner on the eighth floor of the OPS 2B building, which is the wider and lower one of the two black mirrored glass structures of the NSA headquarters at Fort George G. Meade. Contrary to what many people would probably expect, the director's office is far from high tech. We see a rather traditional interior with a classic wooden desk, shelves with books, picture frames and lots of memorabilia, a conference table and a group of old-fashioned seats with a large plant in a shiny copper pot.

Most interesting for us is the telecommunications equipment used by the current director, Keith B. Alexander, which can be seen in the following screenshot:



NSA director Alexander working at his desk, December 2013
Behind him we see his secure telephone equipment


VTC Screen
In the corner at the left we see a video teleconferencing screen with a high-definition camera, made by the Norwegian manufacturer Tandberg. In 2010 this company was bought by Cisco Systems, so their equipment can be safely used for US Top Secret/SCI videoconferencing. From within secured locations (SCI enclaves), the video feed goes over the JWICS IP network for the intelligence community, which is secured by stream-based Type 1 bulk encryption devices.


STE Phone
At the left of general Alexander there's a large black telephone called Secure Terminal Equipment (STE), which is made by L3 Communications. The STE is a highly secure phone, which means that this device is capable of encrypting calls up to the level of Top Secret/SCI. This phone can be used to make secure calls to anyone with a similar or compatible device. STE is the successor of the almost legendary STU-III secure phone system from the late 1980s.

With an estimated 400,000 users, STE is used for secure communications with everyone working for the US government, the military or its contractors who cannot be reached through a more select secure phone network for the US military (IST/DRSN) or the SIGINT community (NSTS).


IST Phone
At the far right we see a big white Integrated Services Telephone (IST), which was designed by Electrospace Systems Inc. and manufactured by Raytheon. This is a so-called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all major US command centers and many other military facilities.

Although this IST phone looks very futuristic, it has gradually been replaced by the newer IST-2 since 2003. It is remarkable that the highest NSA official, of all people, still uses the old model. The new IST-2 was also on the President's desk in the Oval Office, before it was replaced by a Cisco IP phone for the new Executive Voice over Secure IP network in 2011, to provide a dedicated link between the President and his senior cabinet members.

It's revealing to see that there's no such new IP telephone in the office of the director of NSA, which means that he has no direct line to the President. This is consistent with the fact that NSA actually falls under the Department of Defense and that its intelligence gathering is coordinated by the Director of National Intelligence.


NSTS Phone
A third, white phone set is hidden right behind general Alexander's back, but we can see a glimpse of it in this screenshot:



NSA director Alexander working at his desk, December 2013
Behind him we see his secure telephone equipment


This telephone is part of NSTS, which stands for National (or NSA/CSS) Secure Telephone System and is the NSA's internal telephone network for calls up to the level of Top Secret/SCI. Newer NSTS phones are connected by fiber optic modems to a fiber backplane that interfaces with an NSANet access point router. The voice traffic is then encrypted together with data traffic utilizing a Type 1 bulk encryption device.

As can be seen in other pictures from inside NSA, the devices used on the NSTS network are white Nortel M3904 executive phones - a very reliable high-end model which is also used at the offices of both the Israeli and the British prime minister. Nortel was a big Canadian telephone equipment manufacturer, but was dissolved in 2009. Thereafter, the Enterprise Voice and Data division of Nortel was bought by the US telecommunications company Avaya (formerly Lucent).



A Nortel M3904 phone from the NSTS network as seen
elsewhere in the NSA headquarters building


Predecessors of these three types of telephones (STE, IST and NSTS) were also present in the office of then NSA director Michael V. Hayden, when James Bamford described a meeting with him in his 2001 book Body of Secrets:
"There are also several telephones on the table. One for secure internal calls; another is a secure STU-III for secret external calls; and a "red line" with buttons that can put him through instantly to the secretary of defense, the Chairman of the Chiefs of Staff and other senior officials.
No phones, however, connect the director to the White House; indeed, during Hayden's first year in office, he never once spoke directly to president Clinton".*


Computers
In a separate program, called 60 Minutes Overtime, CBS showed 'The Making Of' their previous 60 Minutes report about NSA. It included some new video fragments, like one in which we get a better look at the computer equipment on the desk behind director Alexander's chair:



NSA director Alexander being interviewed by John Miller, December 2013
At the left side we see the director's computer equipment


We see a common HP office keyboard, two computer screens and in between them there's a so-called KVM-switch with some colorful stickers on it.

The latter device is used to work on multiple computers or networks operating at different classification levels, all with one Keyboard, Video screen and Mouse, hence the abbreviation KVM. By pushing a button, the device can switch between four different connections, which is done by the hardware in order to keep them physically separated. The KVM Switch in this picture is the SwitchView SC4 from Avocent (formerly Cybex) with four secure channels.

From the stickers with the color codes, we learn that this device enables the director to switch between three separate computer networks at the following classification levels:
- Green: UNCLASSIFIED, which is the military NIPRNet
- Red: SECRET, which is the military SIPRNet
- Orange: TOP SECRET and Yellow: TOP SECRET/SCI

The latter connection is most often used for access to JWICS, the highly secure network used by the American intelligence community, but here it may also be used for NSANet. It's not clear whether the second computer screen is for one of these networks, or for separate access to the public internet. Both screens have a blue label, which might denote that the screens can be used for multiple classification levels.


60 Minutes
The CBS program Inside the NSA was broadcast on December 15, 2013, but was immediately and heavily criticized for not being critical enough in its approach to the NSA; some people even said it was NSA propaganda. This seems not quite fair, as Snowden reporter Glenn Greenwald had numerous occasions in media from all over the world to present his interpretation of what NSA is doing - which went almost unquestioned.

CBS reporter John Miller asked NSA director Alexander about all the major things that came up from the Snowden leaks, and he also got answers. NSA even showed an actual example of how the metadata contact chaining method works. Whether one is satisfied by these answers is another thing, but we should keep in mind that Greenwald's version is not always the right one and NSA is not always lying.



CBS 60 Minutes: Inside the NSA (December 15, 2013)



NSA director Keith Alexander, who's a four-star general and a career Army intelligence officer, will retire on March 14. He was head of the National Security Agency and the Central Security Service since August 2005 and the US Cyber Command since May 2010. It's expected that he will be replaced by US Navy Vice Admiral Michael S. Rogers.



Links and Sources
- HuffingtonPost.com: '60 Minutes' Trashed For NSA Piece
- CBSNews.com: Inside the NSA - How did 60 Minutes get cameras into a spy agency

OLYMPIA: How Canada's CSEC maps phone and internet connections



On October 6, 2013, the Brazilian television program Fantástico revealed the existence of a software program called OLYMPIA. In this case, the program was used by the Communications Security Establishment Canada (CSEC) to map the telephone and computer connections of the Brazilian Ministry of Mines and Energy (MME).

OLYMPIA is a sophisticated software framework that combines access to a range of databases and analytic tools. It's used to discover and identify the telephone and computer infrastructure used by potential targets. This information can then be used for setting up tapping, bugging and/or hacking operations. OLYMPIA itself does not collect any actual content of communications.




In this article we take a close look at the OLYMPIA tool, based on the powerpoint presentation that was first shown on Brazilian television on October 6, 2013. On November 30, the Canadian newspaper The Globe and Mail published most of the slides on its website. Here, all available slides are pulled together, including one that had to be reconstructed from the video footage (click the slides to enlarge them).

The OLYMPIA presentation was dissected and analysed in depth by a reader of this weblog, who wants to stay anonymous, but kindly allowed me to publish his interpretation here. I did some editing to make his text fit the format of this weblog.

For some readers these explanations may be too complex and detailed, but for those who are interested, they provide a unique look at this part of the signals intelligence tradecraft. We can assume that similar tools are used by NSA, GCHQ and other agencies.




The OLYMPIA presentation was held in June 2012 during the "SD Conference", where SD stands for SIGINT Development - an intelligence term for testing and creating new ways to collect signals intelligence information. According to Fantástico this is an annual conference for members of the Five Eyes partnership, which consists of the United States, United Kingdom, Canada, Australia and New Zealand.


This case study was presented by what seems to be someone from the Advanced Network Tradecraft unit of CSEC, probably because "one of the things Canada does very well is analysis" - according to NSA historian Matthew Aid. (or could Advanced Network Tradecraft be the ANT unit of NSA's Tailored Access Operations (TAO) division?)







This slide gives an overview of the Olympia interface, which can present all sorts of different types of information at the same time and probably can be customized by the user. Right in the middle, probably just to have something graphical amidst all the tables, there is a map, showing the central part of Brazil, with a purple dot marking the capital Brasilia. It's not a Google map, because that would have replaced the jagged coastline with bathymetric shaded relief and would look much nicer than this geolocation satellite view.




This slide shows the same image of the Olympia interface as in the previous slide, but this time with a pop-up menu open. The list shows eight previously known NSA tools and databases, a GCHQ tool, commercial software, and software tools developed by CSEC staff which are recognizable by their classical Greek names. Arranged in alphabetical order, the tools and databases listed in the pop-up menu and in another list from the interface are:
ATHENA - Ports Information (CSEC)
ATLAS - Geolocation and Network Information (CSEC)
BLACKPEARL - Survey Information (NSA)
COEUS - WHOIS Information (CSEC)
DANAUS - Reverse DNS (CSEC)
EONBLUE - Decoding Hostnames? (commercial)
EVILOLIVE - Geolocation (NSA)
FRIARTUCK - VPN Events
GCHQ Geofusion - Geolocation (GCHQ)
HYPERION - IP-IP Communication Summaries (CSEC)
LEVITATE - FFU (FireFox User??) Events
MARINA - TDI Online Events (NSA)
MASTERSHAKE - VSAT Terminals (NSA)
OCTSKYWARD - GSM Cells (NSA)
PACKAGEDGOODS/ARK - Traceroutes (NSA)
PEITHO - TDI Online Events (CSEC)
PEPPERBOX - Targeting Requests
PROMETHEUS - CNO Event Summaries (CSEC)
QUOVA - Anonymizers, Geolocation Map (commercial)
SEDB - FASCIA PCS and PSTN Events (NSA)
SLINGSHOT - End Product Reports
STALKER - Web Forum Events
STARSEARCH - Target Knowledge
STRATOS - GPRS Events (CSEC)
TIDALSURGE - Router Configs
TOYGRIPPE - VPN Detailed Events (NSA)
TRITON - TOR Nodes (CSEC)
TWINSERPENT - Phone Book

Only a handful of Olympia's tools do all the heavy lifting in the slide algorithms. The rest get passing mention in pull-down menus. Thus the presentation provides only a glimpse of Olympia's capabilities - we see for example TRITON for attacking the TOR network and TOYGRIPPE and FRIARTUCK for attacking VPN (virtual private networks) but not examples of their actual use.

The tools of Olympia represent a very large team effort at CSEC over several years, sheltering nearly all its database processing resources under the Olympia umbrella. The shelf life of the Olympia environment may be longer than its tools.

Of the 13 tools that are used, their use in the following algorithmic slides is almost entirely restricted to ATLAS, DANAUS, HYPERION, PEITHO and HANDSET. The reporting tool of course finishes every slide, but two others, EONBLUE and QUOVA, only appear obliquely as report sources.




This slide presents a simple algorithm by using drag 'n' drop icons linked by arrows to specify its operations step-by-step. It draws on data records already stored in NSA's huge telephony database MAINWAY of call metadata. As NSA does the hoovering down in Brazil, the slide does not use fresh Canadian surveillance by intercepts or insertion of malware on Brazilian cell phones or servers - that comes later in partnership with NSA's Tailored Access Operations (TAO), as warranted and informed by initial results obtained here.

Olympia is thus modular software that allows a mid-level analyst (who cannot write computer code) to specify and test advanced NoQYL database queries from within an intuitive visual environment. It provides an intuitive graphical interface allowing the assembly of some 40 component tools into a flexible fit-for-purpose logic pipeline by simple drag and drop of icons. Such pipe-and-flow visual programming environments have a rich history – they match how Unix developers can quickly put together complex processes from the simple ones provided by the operating system.

Should an analyst drag one of the widgets into the design, a form window will pop up asking for parameters to be supplied. After stepping through the algorithm to fill in various pop-up forms that address database housekeeping issues, Olympia can then button up (compile) the tested product into a new icon that the next analyst can use as a trusted component for an even more complex investigative process. This allows analysts to conduct sophisticated target-development with minimal additional training.

With a database like MARINA consisting of trillions of rows (records) and 13 columns (fields), it is very easy to pose a query (play a design) that, after hours of delay, returns way too much data, or to submit a query so complex or boolean-illogical that it freezes NSA's server. To prevent this, it would make sense to have expert analysts work out the main designs once and for all. Low-level analysts would then just enter specific parameter ranges in the forms, but this of course would undercut the whole modular design power of Olympia.

So the whole process can be buttoned up, enabling one-button automation all the way from a few business cards to the phones best suited to being turned into meeting listening devices. While Olympia is a MySQL query builder, it does much more than that, notably advanced post-processing analytics of query results (which amount to a derived special-purpose database, or QFD in NSA-speak: Question-Focused Dataset), resulting in convenient output to CSEC's reporting tool Tradecraft Navigator.

In the slide we see the following process:
-1- The process begins with a 'TC Init' widget that initializes the processes Olympia needs to run. That may include starting up software, locating Five Eyes network resources, and verifying security authorizations for the analyst's 'thin client' interface to Olympia and NSA's remote network databases. That is, for security purposes following the Jeffrey Delisle spy case, Canadian analysts are given desktop computers without hard drives that cannot copy files to inserted thumb drives nor write to blank CDs. TC is used later in lower case to personalize data field header names, so it could alternatively represent the initials of the analyst (for logging purposes).

-2- The analyst next fills in a pop-up form called 'Dynamic Configuration' to provide initial data and establish project-specific terminology. The form amounts to a small database with one record (row) for each configuration needed and 7-8 fields (columns) with the specifics: configuration name and number, initial data, default value to use if actual value is missing after enrichment, true/false option to govern whether a later filter condition is met, field names to begin with tc_ (for thin client), and field type.

Configuration here seeds the coming discovery process with the MSISDN (SIM card routing number) for nine cell phones linked to staff at Brazil's Ministry of Mines and Energy (MME), either from business cards acquired by Canadian diplomats and mining executives or as metadata incidentally ingested by NSA from rooftop mobile phone intercepts at the American embassy in Brasilia. Recalling that MAINWAY has many billions of records just for Brazil, a narrow date range will keep the number of records, and so the subsequent latency (processing delay), manageable.

-3- The initial set of phone numbers is then greatly expanded (enriched) by contact-chaining in the huge NSA metabase MAINWAY. This process collects the MSISDN of recipients of calls from the seed numbers, and recipients of their calls (two or more hops). Some of these will be just pizza joints or calls home but others will belong to coworkers at MME.

TAPERLAY is one of the most common skills listed in LinkedIn profiles, with one SIGINT analyst writing he "was responsible for entering numbering information for 132 countries and multiple service providers in each country by reviewing forms and reports and conferring with management." It is often used in conjunction with CHALKFUN, an NSA tool that searches the vast FASCIA database of device location information to find the past or current location (notably US roaming) of mobile phones.

-6- The original phoneNumber field has now been supplemented by Last Seen (last recorded use), City and Country of initial registration, Identity (target's name), FIPS, destination number called and its fields, and others we cannot see on the alphabetical pulldown list. Here FIPS is an open source geolocation code maintained by the US government.

-7- The 'Sort' widget is then configured to re-order the records in some sensible way, say reverse chronological order and most frequent MSISDN.

-9- Prior to writing up a final report, the analyst could return to step 7 and insert further operational icons - 29 options are shown (even with A-E and Q-Z missing from the pop-up menu).
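To make the slide-1 pipeline concrete, here is an added example (not code from the presentation or from CSEC) that models the same sequence in Python: seed numbers, a date-window filter standing in for Dynamic Configuration, multi-hop contact chaining, enrichment from a registry, and a sort step. The call records, phone numbers and registry are constructed for illustration; the hop semantics (seeds at distance 0, each chaining step one hop further) are an assumption about what the slide's enrichment does. It also shows why the author's warning about date ranges matters: every extra hop multiplies the record set.

```python
"""Toy model of the slide-1 pipeline: seeds -> date-window filter ->
multi-hop contact chaining -> enrichment -> sort.
All records below are constructed; phone numbers are fictitious."""
from collections import defaultdict
from datetime import date

# Constructed call-detail records: (caller, callee, date). Not real data.
CALL_RECORDS = [
    ("+5561900000001", "+5561900000002", date(2011, 6, 1)),
    ("+5561900000001", "+5561900000003", date(2011, 6, 2)),
    ("+5561900000002", "+5561900000004", date(2011, 6, 3)),
    ("+5561900000003", "+5561900000005", date(2011, 6, 4)),
    ("+5561900000004", "+5561900000006", date(2011, 6, 5)),
    ("+5561900000005", "+5561900000007", date(2010, 1, 1)),  # outside the window
]

# Constructed registry standing in for the enrichment step (City, Country).
REGISTRY = {
    "+5561900000002": ("Brasilia", "BR"),
    "+5561900000003": ("Brasilia", "BR"),
    "+5561900000004": ("Rio de Janeiro", "BR"),
    "+5561900000006": ("Sao Paulo", "BR"),
}


def filter_by_window(records, start, end):
    """Dynamic Configuration step: keep only records inside the date window."""
    return [r for r in records if start <= r[2] <= end]


def contact_chain(records, seeds, hops):
    """Breadth-first expansion along caller->callee edges, at most `hops` hops
    from any seed. Returns {number: hop_distance}; seeds are at distance 0."""
    graph = defaultdict(set)
    for caller, callee, _ in records:
        graph[caller].add(callee)
    dist = {s: 0 for s in seeds}
    frontier = list(seeds)
    for h in range(1, hops + 1):
        nxt = []
        for n in frontier:
            for m in graph[n]:
                if m not in dist:
                    dist[m] = h
                    nxt.append(m)
        frontier = nxt
    return dist


def enrich(records, dist):
    """Attach Last Seen (latest date in the records) and registry city/country."""
    last_seen = {}
    for caller, callee, d in records:
        for n in (caller, callee):
            if n in dist and (n not in last_seen or d > last_seen[n]):
                last_seen[n] = d
    rows = []
    for n, h in dist.items():
        city, country = REGISTRY.get(n, ("", ""))
        rows.append({"phoneNumber": n, "hop": h, "lastSeen": last_seen.get(n),
                     "city": city, "country": country})
    return rows


def run_pipeline(seeds, start_iso, end_iso, hops):
    """Whole pipeline; dates are ISO strings so callers need no datetime import."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    windowed = filter_by_window(CALL_RECORDS, start, end)
    dist = contact_chain(windowed, seeds, hops)
    rows = enrich(windowed, dist)
    # Sort step: reverse chronological on Last Seen, then by number.
    rows.sort(key=lambda r: (-(r["lastSeen"] or date.min).toordinal(), r["phoneNumber"]))
    return rows


if __name__ == "__main__":
    for row in run_pipeline(["+5561900000001"], "2011-06-01", "2011-06-30", 2):
        print(row)
```

Raising `hops` from 2 to 3 pulls in one more number from the sample data; on a real metadata store the growth is geometric, which is the latency problem the text raises.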





This slide says that the presentation is a case study about how to map the target's communication infrastructure when there's only very little information to start with, in this case:
- One known e-mail domain: @mme.gov.br
- Nine known phone numbers
- Very little data collected earlier




Starting with the single e-mail domain @mme.gov.br for Brazil's Ministry of Mines and Energy (MME), the algorithm works out IP numbers of MME's mail and internet servers plus their network owners and backbone carriers. Note the potential target here is the entire department, not an individual.

-0- After initialization, the input - here just a single domain @mme.gov.br but optionally a list of thousands - is put in a storage area (buffered) until its entries can be processed.

-1- The CSEC-developed tool DANAUS looks up the domain in its DNS (Domain Name System) repository. For one domain, this can easily be done by google search on the open internet but that is inefficient on a larger scale. Olympia not only automates this process but can also re-package it as a meta-tool icon that can be re-used as a component (sub-routine) of more ambitious algorithms.

-2- The DNS records are next sorted by record type, which splits them into two streams (Type A and Type MX records in DNS nomenclature). Here MX (Mail Exchanger) records specify the mail servers accepting e-mail messages on behalf of the recipient's domain. Type A (address) records specify IP numbers of the mail servers sending email from this domain.

-3a- The MX fork of the diagram filters records according to analyst specifications (pop-up window not shown), changes out value names, and merges text strings with certain information (extracted by the small 'i' icon, never explained) derived from records rejected by the filter. The output to Tradecraft Navigator is a simple database called 'Mail Servers' having six fields discussed below: Response_MX, Hostname, IPv4, Source, FirstSeen and LastSeen.

The Source field is a bit mysterious. It takes on only two values, EONBLUE and QUOVA. These are tool icons within Olympia whose names lie outside the Greek mythology theme, suggesting software from elsewhere. The explanation: a US company named Quova provides online blocking based on geolocation of a computer's IP address, like for example blacking out URL access to a football game in the home team's city so people purchase stadium tickets. Quova was acquired in 2010 by Neustar which provides a much broader range of backbone internet registry services. EonBlue is also corporate but more obscure.

Between them, EONBLUE and QUOVA can report on recorded activities and attributes of the IPs at Brazil's MME: the MX record of correio.mme.gov.br shows it was first seen active from 17 Jun 09 and last seen active on 15 Feb 10; similar dates for correio2.mme.gov.br active are later and don't overlap, namely 21 Jun 10 to 19 Jun 11.

Later Olympia slides show QUOVA within a diagram, so this one should show both QUOVA and EONBLUE but does neither. QUOVA concerns itself with IP ranges, IP geolocation, and anonymizers (proxy servers relaying on a user's behalf, hiding identifying information), yet ATLAS provided IP geolocation in later slides and HYPERION and PEITHO the IP proxies. So it must be that QUOVA adds value to the in-house DNS lookup tool DANAUS.

-3b- The A fork is filtered differently but here rejects are discarded. A new Canadian tool icon labelled ATLAS acts on the records that have been stored in fastBuffer to look up geospatial locations of the IPs. After a sort, duplicated IP locations can be eliminated by a standard database reporting feature (break on change in geolocation field). Duplicates might arise from a single server location hosting multiple IPs or a server cluster.

-4b- Records passing another filter (e.g. geolocation Brasilia) are then sorted by IP number for orderly output to Tradecraft Navigator for report-generation. Here the resulting database 'Domain's IPs' has 9 columns (fields) for IP Range, Country, ASN, Owner, and Carrier in addition to the ones above. The Autonomous System Number (ASN) provides the officially registered IP routing prefix that uniquely identifies each network on the Internet. Here the IPv4 numbers correspond to Global Village Telecom, Embratel and Pelpro. The analyst wants to know this because some carriers sell access to NSA while others have been hacked.
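As an added example (not code from the slides or from CSEC's tools), the following Python models the slide-2 forks on a constructed DNS answer set: the split into MX and A streams, the 'Mail Servers' table, and the 'Domain's IPs' table with de-duplication and attribution of each address to an ASN. The ASN step is done as a longest-prefix match over a prefix table, which is how public routing registries answer the question; the domain, addresses, prefixes and ASNs here are constructed (documentation address space and private-use ASN values) and carry no real allocation.

```python
"""Slide-2 style processing on constructed DNS answers: split records by type,
build the 'Mail Servers' and 'Domain's IPs' tables, and attribute each IPv4
address to an ASN by longest-prefix match over a constructed prefix table."""
import ipaddress
from collections import OrderedDict

# Constructed DNS answer records for a fictitious domain: (name, type, value).
DNS_RECORDS = [
    ("example-ministry.test", "MX", "mail1.example-ministry.test"),
    ("example-ministry.test", "MX", "mail2.example-ministry.test"),
    ("mail1.example-ministry.test", "A", "203.0.113.10"),
    ("mail2.example-ministry.test", "A", "198.51.100.20"),
    ("www.example-ministry.test", "A", "203.0.113.11"),
    ("ns1.example-ministry.test", "A", "203.0.113.12"),
    ("www.example-ministry.test", "A", "203.0.113.11"),   # duplicate answer
]

# Constructed prefix -> ASN table (stand-in for a public routing registry).
PREFIX_TABLE = [
    ("203.0.113.0/24", 64500, "ExampleNet (constructed)"),
    ("198.51.100.0/24", 64501, "DocCarrier (constructed)"),
    ("198.51.100.16/28", 64502, "SubLessee (constructed)"),   # more specific
]


def split_by_type(records):
    """The 'sort by record type' fork: an MX stream and an A stream."""
    mx = [(n, v) for n, t, v in records if t == "MX"]
    a = [(n, v) for n, t, v in records if t == "A"]
    return mx, a


def lookup_asn(ip):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, owner in PREFIX_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, owner)
    if best is None:
        return None
    return {"range": f"{best[0][0]}-{best[0][-1]}", "asn": best[1], "owner": best[2]}


def mail_servers(records):
    """'Mail Servers' table: each MX host with its A address, if one was answered."""
    mx, a = split_by_type(records)
    addr = dict(a)
    return [{"Response_MX": host, "Hostname": host, "IPv4": addr.get(host)}
            for _, host in mx]


def domain_ips(records):
    """'Domain's IPs' table: A records, de-duplicated by address, attributed
    to an ASN and sorted by IP number for orderly output."""
    _, a = split_by_type(records)
    seen = OrderedDict()
    for host, ip in a:
        seen.setdefault(ip, host)   # break-on-change style dedup: first host per IP
    rows = []
    for ip, host in seen.items():
        info = lookup_asn(ip) or {"range": None, "asn": None, "owner": None}
        rows.append({"Hostname": host, "IPv4": ip, **info})
    rows.sort(key=lambda r: ipaddress.ip_address(r["IPv4"]))
    return rows


if __name__ == "__main__":
    for row in mail_servers(DNS_RECORDS) + domain_ips(DNS_RECORDS):
        print(row)
```

The /28 entry in the prefix table is there to show the edge case the text's Owner/Carrier split hints at: the address 198.51.100.20 sits inside the carrier's /24 but is attributed to the more specific sub-allocation.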




From the mail server records, it turned out the Ministry only used correio.mme.gov.br and correio2.mme.gov.br for their mail servers (correio means mail in Portuguese). Journalists have inexplicably blacked out IPv4 numbers but anyone can look up the IP address for a given domain name at WHOIS websites, or apply the COEUS widget if they work at CSEC.

The analyst has now actually determined the IP addresses, their blocks of consecutive numbers (ranges), geolocation of servers used by MME's internet services providers plus the identities of backbone carrier networks. Some 27 IPs shown associated with the domain @mme.gov.br came out of processing A type records.

Some of this is unremarkable (the hostname www.mme.gov.br is MME's public home page, ns1.mme.gov.br is just a name server) while others have undeterminable relevance (being barely legible) to commercial espionage. One of these, acessovpn.mme.gov.br (189.9.36.98) running on http port 80 with A, comes up later as a potential target for a man-on-the-side attack.





This slide shows how the analyst can identify a proxy server at the Ministry of Mines and Energy based on its observed behavior. It's not clear whether a discovered proxy server has been identified for certain, or is only the strongest candidate seen, nor whether the full set of MME proxy servers has been located or just one of several. However, this is the most promising site for defeat of SSL by a man-on-the-side attack to intercept transiting documents before they can be encrypted.

-1- After initialization, the Dynamic Configuration for the IPs of MME determined above is set with three lines: high, low, and high - low + 1 = range for each block. Here a reverse proxy server (firewall surrogate) often holds the first number of the range block and sits in front of a local network of other computers utilizing the rest of the range block as their addresses. Those other IPs don't show up in metabases because the URL requested by an outside visitor passes through the proxy on its way to the server that can actually fulfill the request, and the response is returned as if it came from the proxy server.

-2- The initial data is split at an enhancement fork which is not described further. Buffers should have been created for two subsequent tools PEITHO and HYPERION because they are sent large files (as indicated by the little 2-page icon on the connecting line). Those icons are missing from the algorithm, breaking it. Both PEITHO and HYPERION also need demultiplexing as followup but the De-Mux icons (the all-purpose dummy widget) are also missing from the diagram.

Recall that many different ongoing processes on a given server are sending (and receiving) data simultaneously using the same Internet Protocol software. To accomplish this, packets of different types are intermingled ('multiplexed') in the exit stream. As the stream of packets is received, it is sorted out by type (demultiplexed) and passed to the appropriate application on the receiving client.

-3a- PEITHO specializes in "TDI events" and has the same iconography as MARINA, tinted blue instead of pink. A menu in another slide ties MARINA to these same mysterious TDI events. MARINA is known to be a vast NSA metabase of internet metadata. An online LinkedIn profile speaks of having "used MARINA as a raw SIGINT data viewer for detection and analysis of priority targets and as a tracking and pattern-of-life tool."

PEITHO can thus be presumed very similar to MARINA, probably a refined subset of it adapted to dissecting out the TCP/IP connection metadata needed here, in particular recognizing and compiling the exchange of SSL certificates that are the hallmark of a secure (https) site. In one scenario, an off-site MME staffer uploading oil lease data points a web browser at the MME server that will host the documents, which sits within a LAN (local area network) behind a proxy server running port 443 for https.

After exchange of SSL certificates, the content can be sent over the internet encrypted rather than as plain text, and will be decrypted at the MME repository. NSA data trawling - while not specifically seeking them out - intercepts these exchanges and stores them as a Sigint record subset in MARINA. PEITHO extracts these for the specified IP address ranges. This has nothing to do with defeating SSL - that comes later.

PEITHO can only provide half of a full TCP/IP 4-tuple (the output of this algorithm), namely the connection pairs mentioning MME and server port numbers. This is done by filtering records in PEITHO by the high and low IP values provided by the initial configuration file, partitioning them into passing and not-passing. Values from both are renamed and retained in the output because they define IP blocks.

-3b- Meanwhile, HYPERION works in parallel to PEITHO to provide IP to IP communication summaries, how data flows in and out of MME servers and their IP range blocks, in response to remote IP requests. This data too undergoes similar filtering and re-mapping of value names and formats, again with ultimate retention of both streams as the entity_IP and remote_IP components of the TCP/IP 4-tuple.

-4- The four fields of a TCP/IP 4-tuple are called entity_IP, remote_IP, remote_port, entity_port and will appear as a small table on the proxy output page. They are obtained by merger of the PEITHO 2-tuple with that of HYPERION.

-5- At this point, only https (port 443) and http (port 80) metadata remains as remote_port values. The latter is discarded on the basis of its port value under the assumption that high-value data will be encrypted in transit by a secure socket layer (SSL) using port 443. Note email servers use port 25 - that will show up in the next slide in the context of correio.mme.gov.br.




On the results page provided by Tradecraft Navigator, only the two port columns are visible from the original socket pair 4-tuple. Ports are described by an esoteric compressed four-field format such as 6:443:TS(1) where the second element is the actual port number.

Here every port entry starts with 6: (making it uninformative) followed by 443 in the case of a remote https port, respectively high and variable (ephemeral) port numbers in the case of the entity_port column. The port description is then completed by a cryptic digraph drawn from TS, TC, FS, FC and a small qualifying number in parentheses.

It's not clear whether anything more than just the straight port number needed to be retained here to substantiate a discovered proxy. Curiously, Olympia contains a distinct tool called ATHENA that specializes in port information, but it is not applied in this algorithm or any of the other slides.

The bottom line here is the analyst seems to have identified MME's proxy server and so a line of attack to be described later. That is of interest because closely held documents (like providing extents of offshore oil reserves or assay grade of mineral deposits being auctioned off) would be sent through this server as a measure to protect them from theft.




This slide presents a more complicated diagram of how an analyst can discover the IP addresses the target, in this case the Brazilian MME, communicates with. This information can later be used to intercept these communications links.

-1- This starts with DNS lookup of the hostnames (e.g. correio.mme.gov.br). That process can give duplicates and other records that are empty with respect to the fields of interest. These are discarded.

-2- After appropriate menu enrichments have expanded out from the initial seeds, PEITHO and HYPERION act again in parallel to reconstruct the TCP 4-tuples (or socket pairs). The stream of internet packets sent out by a given server are a mix of packets from whatever processes are running, for example http, https, ftp, smtp and telnet on the TCP side and dns, dhcp, tftp, snmp, rip, voip via UDP.

-3- As only http and https are of interest here, the other packets are discarded via the De-Mux widget. Note the packets are not really multiplexed in the traditional sense used in signal electronics but remain discrete and merely alternate in the packet stream connecting server to client. De-multiplexing in this context simply means separating the packets as they come along, retaining only the subset of interest.

-4- Not everything is of interest here, so the 'select values to carry' widget is necessary to whittle down the fields retained. Since TCP processes are bi-directional, with some of the packets coming from the server and others heading to the server, it's necessary to flip the latter set so that FROM always goes with the MME server and TO goes with the IP addresses it communicates with. The two streams are then sorted by IP contacted, which allows them to merge coherently into the 4-tuples described before.

-5a- The results are duplicated and split with one fork - after a sort and break-on-same field value reduction - sent to Tradecraft Navigator as a summary of the number of times each IP pair has connected, with most frequent presumably on top. No data page is provided in the slides.

-5b- The other duplicate is sorted so that each client is represented just once for geolocation lookup by ATLAS. That needs another version of de-multiplexing, followed by discard of empty rows. ATLAS is mentioned in three slides; from those annotations, it has to do with geolocation of network information and is filterable by date and IP range.

-6- The output to Tradecraft Navigator is sorted by ASN (Autonomous System Number, the unique identifier for an ISP network). The internet had some 42,000 unique autonomous networks in the routing system at the beginning of 2013; ten distinct ASN networks that MME connects with are discovered here. These include ASNs 6453 and 32613 in Canada, 16322 for Iran, 25019 and two others for Saudi Arabia, plus inexplicable IPs in Eritrea, Jordan and Thailand. ASN lookup is readily available and it provides country, date of registration, registrar, and owner name.
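The proxy slide (the range configuration, the 4-tuple, the port-443 filter and the `6:443:TS(1)` port format) and this slide's direction-flip and per-pair counts are the same flow-record housekeeping a network defender does on their own NetFlow or firewall logs. The Python below is an added example, not the slides' logic or CSEC code: it parses the compressed port descriptor, normalizes each flow so the configured address blocks are always the entity side, keeps only TLS flows, counts connections per (entity, remote) pair, and names the entity address that fronts the most distinct external peers. Address blocks, flows and the "most peers" proxy heuristic are my constructions; the slide does not say how its proxy was picked.

```python
"""Flow-record post-processing in the style of slides 3 and 5: normalize
direction so the configured blocks are always 'entity', keep TLS (443) flows,
and summarize. Blocks and flows are constructed (documentation address space)."""
import ipaddress
import re
from collections import Counter

# Dynamic Configuration: (low, high) per block; range size = high - low + 1.
ENTITY_BLOCKS = [("203.0.113.0", "203.0.113.15"), ("198.51.100.16", "198.51.100.31")]

# 'proto:port:flag(n)', e.g. '6:443:TS(1)'; only the second element is the port.
PORT_RE = re.compile(r"^(\d+):(\d+):([A-Z]{2})\((\d+)\)$")


def block_size(low, high):
    """The slide's third configuration line, high - low + 1."""
    return int(ipaddress.ip_address(high)) - int(ipaddress.ip_address(low)) + 1


def in_entity_range(ip):
    n = int(ipaddress.ip_address(ip))
    return any(int(ipaddress.ip_address(lo)) <= n <= int(ipaddress.ip_address(hi))
               for lo, hi in ENTITY_BLOCKS)


def parse_port(desc):
    """'6:443:TS(1)' -> {'proto': 6, 'port': 443, 'flag': 'TS', 'n': 1}."""
    m = PORT_RE.match(desc)
    if not m:
        raise ValueError(f"unrecognised port descriptor: {desc}")
    proto, port, flag, n = m.groups()
    return {"proto": int(proto), "port": int(port), "flag": flag, "n": int(n)}


def normalize(flow):
    """Flip (src, dst) so entity_IP is the address inside the configured blocks.
    Flows with both ends inside, or both outside, the blocks are dropped."""
    src, sport, dst, dport = flow
    if in_entity_range(src) and not in_entity_range(dst):
        return (src, sport, dst, dport)
    if in_entity_range(dst) and not in_entity_range(src):
        return (dst, dport, src, sport)
    return None


# Constructed raw flows: (src_ip, src_port_desc, dst_ip, dst_port_desc).
RAW_FLOWS = [
    ("203.0.113.1", "6:51022:TC(1)", "192.0.2.50", "6:443:TS(1)"),
    ("192.0.2.51", "6:443:TS(1)", "203.0.113.1", "6:51023:TC(1)"),  # captured reversed
    ("203.0.113.1", "6:51024:TC(1)", "192.0.2.50", "6:443:TS(1)"),
    ("203.0.113.2", "6:51025:TC(1)", "192.0.2.52", "6:80:TS(1)"),   # plain http: dropped
    ("203.0.113.3", "6:51026:TC(1)", "192.0.2.53", "6:443:TS(1)"),
    ("203.0.113.1", "6:51027:TC(1)", "203.0.113.4", "6:443:TS(1)"),  # internal: dropped
]


def tls_four_tuples(raw):
    """entity_IP, entity_port, remote_IP, remote_port for remote port 443 only."""
    out = []
    for f in raw:
        n = normalize(f)
        if n is None:
            continue
        e_ip, e_pd, r_ip, r_pd = n
        if parse_port(r_pd)["port"] != 443:
            continue
        out.append({"entity_IP": e_ip, "entity_port": parse_port(e_pd)["port"],
                    "remote_IP": r_ip, "remote_port": 443})
    return out


def pair_counts(tuples):
    """Slide 5a: connection count per (entity, remote) pair, most frequent first."""
    return Counter((t["entity_IP"], t["remote_IP"]) for t in tuples).most_common()


def proxy_candidate(tuples):
    """Heuristic (mine, not the slide's): the entity address that fronts the
    most distinct external TLS peers is the likeliest outbound proxy."""
    peers = {}
    for t in tuples:
        peers.setdefault(t["entity_IP"], set()).add(t["remote_IP"])
    return max(peers, key=lambda ip: len(peers[ip])) if peers else None


if __name__ == "__main__":
    tuples = tls_four_tuples(RAW_FLOWS)
    print(pair_counts(tuples))
    print("proxy candidate:", proxy_candidate(tuples))
```

The reversed second flow is the case the text's "flip the latter set" step exists for: without normalization it would count as a separate pair with the ports swapped.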




The data page is quite instructive. It shows the silliness of newspaper redactions: Fantástico/Greenwald scrubbed out all tool annotations on the algorithm and blocked columns 2, 4, 5, and 8 in the output whereas the Globe & Mail showed the whole algorithm legibly and redacted columns 2, 3 and 8.

Column 2 is merely DNS lookup, freely available on the open internet. Column 3 in the Globe & Mail can be restored using the months-earlier Fantástico publication. The IP ranges of MME's contacts in Column 8 are not too hard to get at using the initial IP contact from Fantástico as they will be a block extending the last 3 digits of the initial IP contact out to 255, e.g. the first row gives the range 196.200.208.114 to 196.200.208.255, all assigned to Eritrea.

Here MOEM, the Ministry of Energy and Mines in Eritrea, is located at www.moem.gov.er. While their server is not often working, the IP address there 196.200.102.242 does not correspond to any result found by the algorithm. Those IP addresses are assigned to Eritrea but do not have Hostnames and may be routers. Note that British Telecom provides the ASN network so all traffic there is routinely ingested by GCHQ and available to the Canadians. However there is no evidence from this algorithm that MME had any interest in its Eritrean counterpart MOEM.




The algorithm here re-uses tools and widgets seen before with very similar logic: previously determined hostnames associated with Brazil's MME seed the IP address look-up via 'Forward DNS' (Danaus), followed by DNI enrichment at unspecified NSA databases, the same symmetric split to PEITHO and HYPERION to collect IPs and ports, followed by filters, sorts and field renaming (no pop-up details provided) as seen in slides 2 and 4. After Atlas provides geolocation of the retained IPs (note the never-explained x5 in the upper left corner of the ATLAS icon), the fields are consolidated, with just the ones geo-located to non-Five Eyes countries retained.

It's not clear why results for the Five Eyes countries are discarded. These countries by agreement don't launch spying operations on each other; Canada could certainly launch attacks on IPs within its own borders, but that may not be within the remit of CSEC. It's hard to believe the analyst would not take a peek at friendly country IPs - perhaps these were only discarded for purposes of this presentation (at which NSA and GCHQ analysts were surely represented).

From other Snowden leaks, it's known NSA also runs its own Brazilian espionage program; if Canada installed its own man-in-the-middle malware on top of a pre-existing NSA attack, these could conceivably collide and crash the Brazilian system, or at least alert the Brazilians via degradation of network performance. For this reason, the analyst contacted TAO prior to the presentation, turning over subsequent man-in-the-middle attack details to them. TAO maintains the central malware repository and is better positioned to vet installations for redundancy and collisions.




These four output tables provide the best view of what CSEC learned about MME's vulnerabilities from applying the algorithm:

-1- The first table consists of two records for acessovpn.mme.gov.br. This Brazilian server was obtained earlier as record 5 from the slide 2 processing (which started with mme.gov.br and provided IPs and ISPs in the 'Domain's IPs Output' table). Here journalists have blacked out the target column out of internet illiteracy (they are 189.9.36.98 and 177.43.69.130) and the IP it contacts. The port numbers indicate the target server is using ephemeral ports and the contact http port 80, meaning it is not a mail server nor secure like https.

This server in Brasilia has been assigned a new database field with value Case Notation MA10099(1) here that was added by the analyst later (certainly not produced from running the algorithm). It's not clear whether this case notation is that of CSEC or a joint notation with NSA's TAO.

It's instructive to look at what anyone can learn in seconds for free on the open internet -- and how this works. In the case of acessovpn.mme.gov.br, the TLD (top level domain) acessovpn is recognized by the Root Server i.root-servers.net, which redirects to c.dns.br, which redirects to two name servers ns1.mme.gov.br and ns1.mme.gov.br, which themselves have A type records 177.43.69.148 and 189.9.36.101, so separate IP addresses both located at the same geolocation in Brazil.

-2- This pair of tables unfortunately has the headers censored. They may simply represent the two IP addresses 189.9.36.98 and 177.43.69.130. They are sorted by order of use - number of IPs contacted. Thus the ASN contacted the most (26 and 15 times respectively in the time frame considered) was 18881. That indicates the ISP was Global Village Telecom, a formerly Brazilian telecom owned since 2010 by the French company Vivendi. After that, the first IP contacted ASN 7738 11 times whereas the second IP contacted ASN 26599 9 times. Farther down the list, providers in Colombia, Mexico, India and China are listed.

-3- The final result table utilizes two tools not mentioned in the script suggesting these were applied from within Tradecraft Navigator: Reverse DNS (DANAUS) and EONBLUE. The latter is a closely held corporate tool, apparently used here for decoding Hostnames behind proxies, though nothing came of it here. EONBLUE surfaced earlier in slide 2 paired with corporate tool QUOVA (that was the source of acessovpn.mme.gov.br there). The entire table refers to A type rather than MX (email servers).





This slide shows the contact chaining for Brazil's Ministry of Mines and Energy on both the internet and telephony side, mostly the latter. The process is initialized from a small plaintext file of initial selectors (CSV comma separated values, records separated by carriage returns) which is reconfigured to a standardized database format with administrative oversight (front door rules: legal and policy justifications for collection) before being passed to the thin client of the analyst. This is the only appearance of 'Justification' in the slide set.

-1- Another field is added, 'SelectorRealm'. Realm isn't explained here by a popup or sample output slide but in the MonkeyPuzzle memo it meant divisions of a large database (emailAddrm, google, msnpassport, and yahoo). Realm here might specify a subset of collection SIGADS. Thus this step is narrowing the field of inquiry by adding a realm field to the input records to restrict subsequent processing to that realm.

-2a- The records are now filtered by their DNR (telephony) selectors in an unspecified manner. The fork meeting filter conditions is expanded by DNI (internet) chaining via unspecified databases (web email contacts possibly being the realm) and using one hop (see below) for output to Tradecraft Navigator. The fork of records failing to meet filter conditions is discarded.

-2b- The other fork meeting filter conditions, after specifying date ranges etc., is sent out to be expanded by DNR contact chaining. This enrichment step is quite instructive: it involves four telephony databases (FASTBAT, DISHFIRE, FASCIA, MAINWAY). Here FASTBAT appears for the first time in Snowden document releases. It must be partially non-redundant with respect to the others or it would make no sense to include it. It is possibly a SIGAD specific to Brazil or South America, possibly CSEC collection at the Canadian Embassy in Brasilia (the other three are NSA). DISHFIRE holds SMS records (cell phone texting).

It would be amazing if this contact-chaining step did not take overnight (or at least involve long latency) - these databases contain many trillions of records and NSA could be running thousands of multi-hop contact-chaining requests simultaneously for analysts throughout Five Eyes. It's not clear whether NSA's move to the cloud will expedite such searches or break algorithms such as this, for which the haystack has gotten too large.

-3- Because of how realms, date ranges, country of call origin etc. were initially specified, not all records produced by contact chaining have any data left in the fields of interest (it is very common for some fields to be blank in database records). These empty records are discarded so they don't contribute rubbish to the output.

-4a- After renaming records for consistent output, the records are sorted by an important field (e.g. MSISDN phone number) and split, with one fork going to summary statistics (how many records had a given value for the fixed field), as seen by the capital Greek letter Sigma (symbol for sum in math) in the 'Group by' icon. These are likely sorted in highest-frequency order.

-4b- The other fork simply outputs all the records to Tradecraft Navigator, which may have its own social networking visualization tool or just pass it on to RENOIR. The original presentation may have contained a sample of output but if so, Greenwald may not have included it or if he did, the Globe and Mail didn't publish it.




In this important Olympia algorithm slide, CSEC leverages an initially modest collection of 9 cell phone call records (called DNR selectors) to successively recover the three identification numbers characterizing a cell phone, which in turn lead the analyst to identification of two obsolete handset models (Nokia 3120c-1c and Motorola MURQ7) owned by top MME staffers at one time. The handset models might next be checked against NSA's collection of cell phone malware at TAO or NAC to see if existing tools could hack the phones and turn them into surveillance devices.

A Snowden document disclosed earlier revealed the NSA asking the State Department to pass along all cell phone numbers they had been given in the course of normal high level contacts with foreign counterparts. Thus numbers turned in by the American Embassy representatives in Brazil with day-to-day dealings with MME were ingested into an NSA database to which Canada had ready access. These 9 selectors probably originated by this route.

What all can be deciphered from this slide?

-1- The overall logic flow is very clear: start from the 9 DNR call record seeds, determine the MSISDN number of the two cell phones, with that find the IMSI, from that the IMEI, and finally the handset model. This is far from trivial due to the properties of cell phone numbers (see below) and devious manufacturing practices in countries such as China. Unlike in previous slides (where anyone online can do reverse DNS lookup in seconds), cell phone owners cannot follow CSEC's logic flow even for their own phone.

-2- The three ellipses show a practically identical logic flow. Even though the tool and widget logos are barely legible, they are evidently the same. In fact, the ellipse processes make very little use of high-powered Olympia tools. The icons primarily represent housekeeping widgets (filter, dummy, rename, sort, delete, etc) that are useful but don't provide enough muscle to do more than shuffle record formats. The real work is done almost entirely by the large outlined-text H icon, not named in the redacted slide or seen elsewhere in menus or other algorithms. It will be called H for HANDSET here.

-3- The output (smaller orange rectangle on far right holding the Tradecraft Navigator icon) is key to understanding the steps of the algorithm. The output is provided for us below the schematic in the form of a small database with 8 fields and two records (the upper dark blue line is highlighted). Although it is highly unlikely these phones are still in use, the MSISDN numbers providing the original input are blued-out, as are the IMSI and IMEI. Interestingly, their field names include the word 'correlation', suggesting that they cannot be unambiguously determined but are instead inferred from associations. The Motorola model is more specifically the MURQ7-3334411C11.

-4- The last column TOPI (Target Office of Primary Interest) here takes on the value CSEC, suggesting it is Five Eyes terminology. It's not clear why TOPI needs to be included as a database field. Perhaps adding MME to the NSA's target database - where priority, legal authority, resources needed and operational risk are reviewed - requires tracking of the originating partner agency. Since Canada lacks the malware and insert capabilities of NSA, Brazil's MME must go in the queue to compete with many other projects in the works.

-5- The output line 'Bands Supported by IMEI' can be read well enough that google search can be used to correct any letters mis-read initially. The result provides a look-up of the band wavelengths that the cell phone can use - that might be useful down the road for DRTBOX interception - and the various communication protocols, like GSM, WCDMA, FDD, HSUPA and HSDPA.

-6- To understand the main algorithm flow, it is necessary to delve into the meaning of the MSISDN, IMSI and IMEI, the three main numbers associated with a cell phone. While that seems straightforward, nominal explanations have to be corrected for online tools that make end runs around official protocols. Cell phones are commonly lost, stolen, re-sold, unlocked, unblocked, registered in one country but used in another, SIM cards replaced, chip sets re-soldered and so on. And that can take place on phones whose manufacturers violated all the rules for unique serial numbers, billing information and so forth.

MSISDN (Mobile Subscriber ISDN Number) is just the ordinary telephone number of a mobile cell that would be on a business card. CSEC may have asked their Brazilian embassy to scan business cards of high level MME staff acquired in the course of ordinary interaction. These selectors could account for the 9 DNR records mentioned here as initializers.

-7- Due to the blurred slide and erased annotations, we cannot follow exactly how CSEC gets from the MSISDN to the IMSI to IMEI to the handset model. This cannot be straightforward because the headers indicate correlation (possibly via different databases that share time of call) rather than a determinative algorithm.

In the CO-TRAVELER cloud analytics document, we see two years later that NSA cannot routinely obtain either the MSISDN or IMEI starting from the IMSI in the SEDB Tower QFD summary database. Thus this slide is in some ways the most interesting of all, more the pity that it was so poorly disclosed.
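The last step of the chain described above, from IMEI to handset model, rests on the structure of the IMEI itself: the first 8 digits are the Type Allocation Code (TAC), which identifies the handset make and model, followed by a 6-digit serial and a Luhn check digit. The following Python is an added example, not code from the article, from the tear-down or from CSEC's OLYMPIA; the TAC lookup table is constructed for the demo (the make/model entries are placeholders), and the IMEI 490154203237518 is a widely used documentation example rather than a number from the slide.

```python
"""IMEI validation and handset-type lookup from the TAC.

Added example; not code from the article, CSEC's OLYMPIA or the tear-down.
Facts relied on: an IMEI is 15 digits laid out as TAC (8) + serial (6) + Luhn
check digit (1), and the TAC identifies the handset make and model. The TAC
table below is CONSTRUCTED for the demo; the make/model entries are placeholders.
"""


def luhn_check_digit(payload14: str) -> int:
    """Luhn check digit for the first 14 IMEI digits.

    Counting from the right of the 14 payload digits, every digit at an even
    index is doubled (products above 9 have 9 subtracted), the rest are added
    as-is; the check digit brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True only for a 15-digit string whose last digit is the correct Luhn digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


# Constructed lookup table: TAC -> (make, model). Real TAC allocations are
# published by the GSMA; these entries are placeholders for the demo.
TAC_TABLE = {
    "49015420": ("ExampleCo", "Demo-1"),
    "35209900": ("ExampleCo", "Demo-2"),
}


def describe_imei(imei: str) -> dict:
    """Split an IMEI into its fields and resolve the handset type from the TAC.

    The lookup only happens for a well-formed IMEI: a failed check digit is the
    usual sign of a mistyped or fabricated number, so it is reported, not resolved.
    """
    if not is_valid_imei(imei):
        return {"imei": imei, "valid": False}
    tac, serial = imei[:8], imei[8:14]
    make, model = TAC_TABLE.get(tac, ("unknown", "unknown"))
    return {"imei": imei, "valid": True, "tac": tac, "serial": serial,
            "make": make, "model": model}


if __name__ == "__main__":
    # 490154203237518 is a widely used documentation example IMEI.
    for candidate in ("490154203237518", "490154203237519", "12345"):
        print(describe_imei(candidate))
```

The point for a reader of the slide is that the handset model is a property of the TAC, not of the subscriber: the same TAC appears on every unit of that model, so a TAC lookup narrows a number to a make and model but never to an individual device on its own.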




This slide provides a summary showing how all the information gathered can be used for BPoA (Backdoor Point of Access?) leading to further actions through:
- CNE (Computer Network Exploitation, such as cookie-replay, man-on-the-side attacks, CDR, etc.)
- Passive tasking (Upstream collection through backbone cable splitting and filtering, router intercept or telecom carrier cooperation)
- HUMINT-enabled (Human Intelligence, like information derived from voluntary, paid or bribed informants)

It's not clear whether CSEC could take things only so far and then NSA and GCHQ had to step in to aid in an actual tapping, bugging or hacking operation.




This slide is reconstructed from the video footage and shows a diagram containing all the telephone and internet connections discovered in the OLYMPIA case study. At the left side of the slide there are the telephone connections and at the right side the internet links.

It's interesting to see that in this diagram there are also a number of SIGADs, which are codes designating interception facilities. It's not really clear whether they were used to collect the metadata used for the chaining by the OLYMPIA tools, or whether they were eventually used to conduct interception of content on these communication links.

At the telephony side we see DS-800 as the facility for phone lines between the Brazilian ministry and numbers in Ecuador and Venezuela. Telephone communications to some other countries are monitored by facilities designated US-3294 and US-966V.

Internet traffic between IP addresses from Global Village Telecom and internet providers in Africa, the Middle East and Canada are also monitored by DS-800. We can also see that for internet traffic to India there's a facility designated DS-200 (maybe because GCHQ has good access to India?).

> See also: What are SIGADs starting with DS for?




This slide seems to be the final one of the OLYMPIA case study presentation. The analyst writes that he identified mail servers, which meanwhile have been targeted by means of passive collection. That means by tapping the traffic from internet backbone cables. Analysts have been assessing the value of these e-mail data.

The analyst also says that he is working with NSA's TAO division "to further examine the possibility for a Man on the Side operation". Here he's evidently referring to acessovpn.mme.gov.br. Based on the network information gathered, the Network Analysis Centre (NAC) of the British signals intelligence agency GCHQ has started "a BPoA analysis on the MME".

This shows that the OLYMPIA presentation was not just a software tutorial or an example of coding. The results prove CSEC actually ran this exercise against the Brazilian Ministry of Mines and Energy and got some real results: information about their telephone and internet connections, although probably far from complete.

As OLYMPIA is target-development software, this tool didn't gather any content of phone calls or e-mail messages, but this last slide tells us that as a result of the OLYMPIA effort, at least the e-mail of the Brazilian ministry became the subject of an actual collection operation.


> See also: An NSA eavesdropping case study



Links and Sources
- Theoreti.ca: Interpreting the CSEC Presentation: Watch Out Olympians in the House!
- TheGlobeAndMail.com: Slides reveal Canada’s powerful espionage tool
- Globo.com: American and Canadian Spies target Brazilian Energy and Mining Ministry
- Anonymous: Total tear-down of Canada's Olympia spyware (pdf)

Video demonstration of two intelligence analysis tools



In a previous article we provided a very extensive description of a communications analysis tool used by the Canadian agency CSEC. Here we will show two video demonstrations of analysis tools which are used by intelligence and law enforcement agencies all over the world: Sentinel Visualizer and Analyst's Notebook.


Sentinel Visualizer

The first intelligence analysis program is Sentinel Visualizer, which was developed by FMS Advanced Systems Group. This is a "minority-owned" small business founded in 1986 and based in Vienna, Virginia, which provides custom software solutions to customers in over 100 countries.

This video shows a demonstration of how the Sentinel Visualizer software program can be used to analyse telephony metadata in order to discover new targets:




FMS claims that In-Q-Tel, the CIA's venture capital arm, is an investor in FMS, apparently in order to improve their products so they can fit the needs of the CIA. FMS also claims that its product is much cheaper than the alternative, with the price of a single-computer license for its Sentinel Visualizer starting at 2,699 USD, while IBM's Analyst's Notebook tool starts at 7,160 USD.


Analyst's Notebook

Very similar to the Sentinel Visualizer is Analyst's Notebook, which was developed in the early 1990s by i2, a UK-based arm of software company i2 Group which produced visual intelligence and investigative analysis software. After a number of acquisitions, it became part of IBM in 2011.

Both programs offer similar functions, like metadata/link analysis, call chaining, timeline views, social network analysis, geospatial visualizations, and the import of data from knowledge bases and other data sets.

For analysing telephony metadata, Analyst's Notebook has an extension called Pattern Tracer, which enables rapid pattern analysis for "quickly identifying potential targets and predict future incidents more accurately".

This video demonstrates how a "Pattern-of-Life Analysis" can be conducted by using Analyst's Notebook - Esri Edition:





Analyst's Notebook is said to be used by about 2500 intelligence, security and law enforcement agencies, as well as police forces (such as the Dutch police, the German Federal Criminal Police Office and the London Metropolitan Police) and investigative organizations and companies in over 150 countries. According to a range of job descriptions, Analyst's Notebook is also used by analysts at NSA.


Usage

As can be seen in the second video, these intelligence analysis tools are quite powerful and able to provide a deep insight into the life of a targeted person. But the presentation also shows that this kind of surveillance is far too time- and resource-consuming to be used against millions of innocent civilians.

As the example in the second video shows, these tools are mainly used for operations against known and potential terrorists and a number of other people of interest, like drugs and weapons traffickers, and also some high level foreign government and military officials.

Regarding the intrusiveness of these tools, we should also keep in mind that they are used by law enforcement and police forces too. Where intelligence agencies use these tools generally for preparing reports for political and military decision makers, their use in numerous criminal investigations by the police can affect ordinary citizens much more directly.


Examples

On December 15, 2013 the CBS television program 60 Minutes provided some hitherto unseen views from inside the NSA headquarters. One of those was an NSA employee who gave a demonstration of how the metadata contact chaining method works. The following screenshots show a tool very similar to the ones in the videos above:
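The contact chaining method shown in that demonstration, and the call chaining feature of the two tools above, amounts to a hop-limited expansion over the who-called-whom graph built from call detail records. The following Python is an added example, not code from the article, from the 60 Minutes segment, from FMS or from IBM; the CDR sample and the phone numbers in it are constructed placeholders. It shows why the hop limit matters: the number of people pulled into a chain grows with every hop, which is the resource constraint the Usage section above refers to.

```python
"""Contact chaining over call-detail records (CDRs).

Added example, not code from the article, the 60 Minutes segment, FMS or IBM.
The CDR sample is CONSTRUCTED: the numbers are placeholders, not real selectors.
A seed selector is expanded hop by hop over the who-called-whom graph, which is
what link-analysis tools do when they 'chain' from a known number.
"""
from collections import defaultdict, deque

# Constructed sample: (caller, callee, start time). Direction is ignored for
# chaining because a contact exists either way.
CDRS = [
    ("5561000001", "5561000002", "2013-06-01T09:00"),
    ("5561000001", "5561000003", "2013-06-01T10:15"),
    ("5561000003", "5561000001", "2013-06-02T08:40"),  # repeat contact
    ("5561000002", "5561000004", "2013-06-02T11:05"),
    ("5561000003", "5561000005", "2013-06-03T14:20"),
    ("5561000003", "5561000006", "2013-06-03T16:00"),
    ("5561000004", "5561000007", "2013-06-04T09:30"),
    ("5561000006", "5561000007", "2013-06-04T12:10"),
    ("5561000007", "5561000008", "2013-06-05T18:45"),
    ("5561000009", "5561000010", "2013-06-05T19:00"),  # unrelated pair
]
SEED = "5561000001"  # constructed seed selector


def build_graph(cdrs):
    """Undirected adjacency sets: number -> set of numbers it had calls with."""
    graph = defaultdict(set)
    for caller, callee, _ in cdrs:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(graph, seed, max_hops):
    """Breadth-first expansion from seed, stopping at max_hops.

    Returns {number: hop distance}; the seed itself is at hop 0. Numbers with
    no path to the seed never appear, however large max_hops is.
    """
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for contact in sorted(graph[current]):
            if contact not in hops:
                hops[contact] = hops[current] + 1
                queue.append(contact)
    return hops


def hop_counts(chain):
    """How many numbers sit at each hop, i.e. how fast the chain grows."""
    counts = defaultdict(int)
    for hop in chain.values():
        counts[hop] += 1
    return dict(counts)


if __name__ == "__main__":
    graph = build_graph(CDRS)
    for limit in (1, 2, 3):
        chain = contact_chain(graph, SEED, limit)
        print(f"{limit} hop(s): {len(chain)} numbers, per hop {hop_counts(chain)}")
```

On the constructed sample the seed's two direct contacts become six numbers at two hops and seven at three, and the unrelated pair is never reached; on real call records, where a single hub number (a helpdesk, a pizza delivery) can have thousands of contacts, the same expansion is what makes unbounded chaining both expensive and indiscriminate.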


Today, the German magazine Der Spiegel published in its print edition a slide from an NSA presentation that shows a contact graph based upon a social network analysis for the CEO and the Chairwoman of the Chinese telecommunications company Huawei:


(image provided by @koenrh)


See our previous article about the Canadian OLYMPIA tool for how intelligence agencies can map such a social communications network by using just one or two e-mail addresses to start with. See also an earlier article about how NSA used similar techniques to create contact graphs about the Mexican and the Brazilian president.



Links and Sources
- FMSASG.com: How Sentinel Visualizer is a Superior Alternative to IBM's i2 Analyst's Notebook

Some SIGINT and COMSEC during the Nuclear Security Summit

(Updated: March 25, 2014)

On March 24 and 25, the third Nuclear Security Summit (NSS) is held in The Hague, the seat of the government of the Netherlands. As 58 world leaders will be present, including US president Obama, the summit takes place under severe security measures.

Here we will take a look at some noticeable things on the Signals Intelligence (SIGINT) and Communications Security (COMSEC) front. When some new details or pictures come up, they will be added.



US presidential motorcade

On the morning of Monday, March 24, president Obama flew in aboard Air Force One, accompanied by all the famous vehicles like the helicopters which become Marine One when he is aboard, and the cars of the presidential motorcade. As can be seen in this video, there are actually 4 identical and heavily armored presidential limousines, so two motorcades, each with two identical limousines, can be formed - so that no one knows which one is carrying the president.

One of the last cars in the motorcade is the WHCA Roadrunner which is recognizable by a small antenna dome on its roof. Also known as the Mobile Command and Control Vehicle (MC2V), it serves as the communications hub for the motorcade by beaming up encrypted duplex radio and streaming video to a military satellite, which in turn beams that data back down to a ground entry point and through to the switchboard of the White House Communication Agency (WHCA).


The WHCA Roadrunner arriving in Noordwijk, where Obama is staying
(screenshot from a video by VOLMedia)



US communications aircraft

Also present is an aircraft most people don't know of and will rarely see. But it was noticed by air traffic spotters: a small US Army Beechcraft RC-12P Huron with tail number 92-13123 entered Dutch airspace around the same time as Air Force One.



A Beechcraft RC-12P surveillance and communications aircraft
(photo: Wikimedia Commons)


The Beechcraft C-12 Huron is a small twin-turboprop aircraft, which has been used for many years by the US Army under its Guardrail/Common Sensor System program. In many different versions, the Beechcraft planes are widely used in war zones like Afghanistan, mainly for collecting Signals Intelligence. For that purpose they have highly specialized equipment on board, like for example DRT devices, which can be used to intercept and monitor short range radio and cell phone communications.

When following the president, the Beechcraft is probably also used as an additional communications hub between for example the presidential motorcade and the White House Communication Agency (WHCA) as this aircraft can also serve as a relay for satellite communications. The mission equipment of the RC-12P version includes datalink capability, and has fibre optic cabling and smaller and lighter wing pods.



World leaders' telephones

For secure phone calls, president Obama can use his highly secured BlackBerry, which connects to a secure base station that follows him wherever he goes.

Besides that, the WHCA also installs secure wireline phones at every place the president stays. Nowadays that includes a vIPer 'Universal Secure Phone' which can connect through analog, digital or VoIP networks, and a Cisco IP phone that connects to the highly secured Executive Voice over Secure IP-network through dedicated and encrypted satellite links.

Other world leaders will also have brought their own equipment for secure communications with their capitals, including landline and mobile telephones that are able to perform end-to-end encryption of the calls.

For example, German chancellor Angela Merkel can use her secured BlackBerry 10 smartphone or a landline secured by the Elcrodat 6-2 encryption device. The French president Hollande has a Teorem secure cell phone and can also place secure calls through a wireline DCS 500 telephone set.



Russian spy ships?

There was some speculation about two Russian crab fishing trawlers lying in the harbour of Scheveningen, which is a small port next to The Hague. People noticed that these ships carried many antennas and thought they could be Russian spy ships, trying to intercept communications from the world leaders attending the Nuclear Security Summit.


Two Russian trawlers in Scheveningen
(photo: Ferry Mingelen)


However, it turned out that both ships, from Petropavlovsk-Kamtsjatski in the far eastern part of Russia, came in three weeks ago having problems with their engines. This was solved rather quickly, but then problems with some necessary certificates appeared, and both ships had to stay until that issue had been cleared.

Regarding the antennas, some people say that they are quite ordinary VHF antennas, which were used by ships before maritime satellite communication was introduced.

Known Russian spy ships are much larger, with high capacity equipment so they don't have to go into the territorial waters of a country they want to monitor, but can operate safely from international waters. An example is the Viktor Leonov SSV-175 from the Vishnya class in the picture below, but a ship like this one has not been seen near the Netherlands.


The Russian spy ship Viktor Leonov SSV-175
(photo: Stringer/Reuters)



What is known about NSA's PRISM program

(Updated: April 28, 2014)

In June last year the Snowden-leaks started with the disclosure of the PRISM-program. For many people it stands for NSA surveillance in general, because many still have no idea what PRISM is actually about.

Therefore, this article presents a wrap up of almost everything we know about the PRISM program, combining information from my earlier postings and from other media and government sources.

It shows that PRISM is not about bulk or mass surveillance, but for collecting communications of specifically identified targets. NSA also has no "direct access" to the servers of companies like Microsoft, Facebook and Google - it's a unit of the FBI that actually picks up the data. In total, ca. 227 million internet communications are collected under the PRISM program each year, contributing to reports about terrorism and a wide variety of other national security issues.


Most of what we know about PRISM comes from an internal NSA presentation of 41 slides. Edward Snowden initially asked The Washington Post to publish the full slide deck, but the paper refused and so only 4 were subsequently published by The Guardian. A few other slides were revealed later on. In total 13 slides have been published and 4 were incidentally or partially shown on television.

All of them are shown here, in an order that probably comes closest to the original presentation (click them to enlarge). The slides have a number which is only for reference. If new slides of this PRISM presentation become available, they will be added here.




1. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows the title of the presentation.

All slides are marked TOP SECRET//SI//ORCON/NOFORN, which means they are classified as Top Secret and protected by the control system for Special Intelligence (SI). The dissemination is strictly controlled by the originator, while it's generally prohibited to release them to foreign nationals.

The SIGINT Activity Designator (SIGAD) of the PRISM program is US-984XN, which indicates that PRISM is part of the BLARNEY-family and used for collecting data under the authority of the FISA Amendments Act.

> See also: PRISM as part of the BLARNEY program

The media have redacted the name of the person who is the PRISM collection manager, a title which is followed by S35333, which is NSA's internal organization designator for a unit of the Special Source Operations (SSO). The logo of this division is in the top left corner of each slide, with in the opposite corner a logo for the PRISM program itself.

Immediately after the first slides of the presentation were published, some people thought it could be fake or photoshopped because of the not very professional looking design and the copy-paste elements. After more slides became available, we can now assume the presentation to be genuine.

> See also: Are the NSA's PRISM-slides photoshopped?

This presentation about PRISM was given in April 2013, which is just a month before Edward Snowden left his job at NSA and therefore this seems to be one of the most recent documents he was able to download from the internal NSA network.



General aspects of PRISM

The following slides are about the workings of the PRISM program in general:


2. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows a short introduction of the world's telecommunications backbone.

The diagram shows that the majority of international communications from Latin America, Europe and even from Asia flow through the United States, which makes it easy for NSA to intercept them on American soil.

Note that most of the communications from Africa (the continent where many jihadist groups from the Middle East went to in recent years) are going through Europe, which explains why NSA sometimes needs European partner agencies (like from the Netherlands) to access them.



3. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows which internet companies are involved and what kind of communications can be received by the NSA.

We see that under PRISM the NSA is able to collect e-mail, chat, video and voice messages, photos, stored data and things like that. But there are also "Notifications of target activity - logins, etc". This was interpreted by The Washington Post as a function that gives NSA analysts live notifications "when a target logs on or sends an e-mail".

But as these notifications are clearly listed as collected data (see also slide 8 down below), it's more likely they refer to the notification messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client.

It is possible though that NSA analysts can get a notification when new communications from a target they are watching becomes available in NSA systems. Whether (near) real-time monitoring of a target's communications is possible, depends on the way these data are made available to NSA (see slide 5 below).



4. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows the dates when PRISM collection began for each provider:
- Microsoft: September 11, 2007
- Yahoo: March 12, 2008
- Google: January 14, 2009
- Facebook: June 3, 2009
- PalTalk: December 7, 2009
- YouTube: September 24, 2010
- Skype: February 2, 2011
- AOL: March 31, 2011
- Apple: October 2012

According to the book 'Der NSA Komplex', which was published by Der Spiegel in March 2014, PRISM also gained access to Microsoft's cloud service SkyDrive (now called OneDrive) as of March 2013. This was realized after months of cooperation between FBI and Microsoft.*

The Washington Post reported that in the speaker's notes accompanying the presentation, it's said that "98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources". The Post also says that "PalTalk, although much smaller, has hosted traffic of substantial intelligence interest during the Arab Spring and in the ongoing Syrian civil war".

The program cost of 20 million dollar per year was initially interpreted as being the cost of the program itself, but later The Guardian revealed that NSA pays for expenses made by cooperating corporations, so it seems more likely that the 20 million is the total amount paid by NSA to the companies involved in the PRISM program.



5. This slide was one of four disclosed by The Washington Post on June 29, 2013 and shows the PRISM tasking process, which means how the actual collection facilities are instructed about what data should be gathered.

The process starts with an NSA analyst entering selectors into the Unified Targeting Tool (UTT). In this case, selectors can be e-mail or IP addresses, but not keywords. According to an article in the French paper Le Monde, there are some 45,000 selectors involved in the PRISM collection.

Analysts can order data from two different sources:
- Surveillance, which means communications that will happen from the moment the target was selected (although the media interpreted this as the ability to real-time "monitor a voice, text or voice chat as it happens")
- Stored Comms, which are communications stored by the various providers dating from before the moment the target was selected

Edward Snowden vehemently accuses NSA of a lack of control and oversight mechanisms, which according to him means that analysts have unrestricted access to the communications of virtually everyone in the world. But the diagram in the slide clearly shows that there are multiple steps for approving every collection request:

1. For Surveillance a first review is done by an FAA Adjudicator in the analyst's Product Line (S2) and for Stored Comms there's a review by the Special FISA Oversight and Processing unit (SV4).

2. A second and final review is done in both cases by the Targeting and Mission Management (S343) unit. Only after passing both stages, the request is released through the UTT and the PRINTAURA distribution managing system.

3. For Stored Comms the Electronic Communications Surveillance Unit (ECSU) of the FBI even does a third check against its own database to filter out known Americans.

Then it's the Data Intercept Technology Unit (DITU) of the FBI that goes to the various internet companies to pick up the requested data and then sends them back to NSA.

As indicated by companies like Google, they deliver the information to the FBI in different ways, like through a secure FTP transfer, an encrypted dropbox or even in person. According to a report by the journalist Declan McCullagh, the companies prefer installing their own monitoring capabilities to their networks and servers, instead of allowing the FBI to plug in government-controlled equipment.

> See also: The PRISM tasking process



6. This slide was shown on Brazilian television and seems also to be about PRISM Tasking, more specifically about a procedure for emergency tasking when lives are in danger. The slide was uploaded to Wikipedia, where there's also a transcript of the text:
[...] your targets meet FAA criteria, you should consider tasking to FAA.
Emergency tasking processes exist for [imminent/immediate] threat to life situations and targets can be placed on [...] within hours (surveillance and stored comms).
Get to know your Product line FAA adjudicators and FAA leads.

According to an NSA report (pdf) published in April 2014, analysts "may seek to query a U.S. person identifier when there is an imminent threat to life, such as a hostage situation".

Just like a number of other slides and fragments thereof shown on television, there seems to be no good reason why a slide like this is still not published in a clear and proper way. They contain nothing that endangers the national security of the US, but instead would help to much better understand how the PRISM program is actually used.



7. This slide was one of four disclosed by The Washington Post on June 29, 2013.

It shows the flow of data which are collected under the PRISM program. Again we see that it's the FBI's DITU that picks up the data at the various providers and sends them to the PRINTAURA system at NSA.

From PRINTAURA some of the data are directed to TRAFFICTHIEF, which is a database for metadata about specifically selected e-mail addresses and is part of the TURBULENCE umbrella program to detect threats in cyberspace.

The main stream of data is sent through SCISSORS, which seems to be used for separating different types of data and protocols. Metadata and voice content then pass the ingest processing systems FALLOUT and CONVEYANCE respectively. Finally, the data are stored in the following NSA databases:
- MARINA: for internet metadata
- MAINWAY: for phonecall metadata
- NUCLEON: for voice content
- PINWALE: for internet content, video content, and "FAA partitions"

> See also: Storage of collected PRISM data



8. This slide was one of four disclosed by The Washington Post on June 29, 2013.

It shows the composition of the Case Notation (CASN) which is assigned to all communications which are intercepted under the PRISM program.

We see that there are positions for identifying the providers, the type of content, the year and a serial number. Also there's a fixed trigraph which denotes the source. For NSA's PRISM collection this trigraph is SQC. From another document (pdf) we learn that the trigraph for FISA data used by the FBI is SQF.

The abbreviations stand for: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?); RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking.

> See for more about this slide: PRISM case notations



9. This slide was one of four disclosed by The Washington Post on June 29, 2013.

The content of the slide shows a screenshot of a web based application called REPRISMFISA, which is probably accessible through the web address which is blacked out by the Post. Unfortunately there's no further explanation of what application we see here, but if we look at the word REPRISMFISA we can imagine the application is for going "back to data collected under the PRISM program according to the Foreign Intelligence Surveillance Act (FISA)".

In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This shows that both NSA, FBI and the Department of Justice (DOJ) are using data collected under the authority of the Foreign Intelligence Surveillance Act (FISA), and that the NSA's part is codenamed PRISM.

Below these icons there is a search field, to query one or more databases resulting in a partial list of records. The search options seem rather limited, as only two keywords can be entered, with an additional "and/or" option. At the left there's a column presenting a number of options for showing totals of PRISM entries.

> See for more about this slide: Searching the collected data



Section 702 FAA Operations

The following slides are about how PRISM can be used to collect various types of data. This collection is governed by section 702 of the FISA Amendments Act (FAA), which in NSA-speak is called FAA702 or just merely 702.

Section 702 FAA was enacted in 2008 in order to legalize the interception that had been going on since 2001 and that became known as the "warrantless wiretapping" because it was only authorized by a secret order of president George W. Bush. The FAA was re-authorized by Congress in December 2012 and extended for five years.

Under section 702 FAA, NSA is authorized to acquire foreign intelligence information by intercepting the content of communications of non-US persons who are reasonably believed to be located outside the US. This interception takes place inside the United States with the cooperation of American telecommunication and internet companies.

Operations under the original Foreign Intelligence Surveillance Act (FISA) from 1978 require an individual determination by the FISA Court, but under FAA the Attorney General and the Director of National Intelligence (DNI) certify an annual list of targets. These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like the minimization rules for hiding names and addresses of US citizens.



10. This slide was additionally published by The Guardian on June 8, 2013, to clarify that PRISM, which involves data collection from servers, is distinct from the programs FAIRVIEW, STORMBREW, BLARNEY and OAKSTAR. These involve data collection from "fiber cables and infrastructure as data flows past", which is called Upstream collection.

NSA can collect data that flow through the internet backbone cables, as well as data that are stored on the servers of companies like Google, Facebook, Apple, etc. The latter are collected "directly from the servers" as opposed to the communications that are still on their way to those servers when passing through the main internet cables and switches.

Directly from servers

The words "directly from the servers" were misinterpreted by The Guardian and The Washington Post, leading to the claim that NSA had "direct access" to the servers of the internet service providers. As the next slide will show, there's no such direct access.

(The claim of NSA having "direct access" was not only based on this slide, but also on misreading a section from the draft of a 2009 NSA Inspector General report about the STELLARWIND program, which on page 17 says: "collection managers sent content tasking instructions directly to equipment installed at company-controlled locations". The Washington Post thought this referred to the companies involved in the PRISM program, but it actually was about Upstream Collection, which has filters installed at major internet switches. This follows from two facts: first, that the STELLARWIND program was terminated in January 2007 while PRISM only started later that year; second, that STELLARWIND only involved companies that operate the internet and telephony backbone cables, like AT&T and Verizon, not internet service providers like Microsoft and Google)

Upstream collection

An important thing that wasn't well explained by the media, is that not only PRISM, but also the domestic part of Upstream collection is legally based upon section 702 FAA. Note that NSA also conducts Upstream collection under three other legal authorities: FISA and Transit inside the US and Executive Order 12333 when the collection takes place abroad.

> See for more: Slides about NSA's Upstream collection

From a 2011 FISA Court ruling (pdf), declassified at the request of the Electronic Frontier Foundation, we learn that under section 702 FAA NSA acquires more than 250 million "internet communications" each year. This number breaks down as follows:
- Upstream: ca. 9% or more than 22 million communications *
- PRISM: ca. 91% or more than 227 million communications
The ruling doesn't explain what exactly an "internet communication" is. A problem that troubled both NSA and the FISA Court was that under Upstream it's technically very difficult to distinguish between single communications to, from or about targeted persons and those containing multiple communications, not all of which may be to, from or about approved targeted addresses. The latter may contain up to 10,000 domestic communications each year.*



11. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013. It compares the main features of the PRISM program and the Upstream collection.

Direct Access?

The last line says that for PRISM there is no "Direct Relationship with Comms Providers". Data are collected through the FBI. This clearly contradicts the initial story by The Guardian and The Washington Post, which claimed that NSA had "direct access" to the servers of the internet companies. This led to spectacular headlines, but also a lot of confusion, as it allowed the companies involved to strongly deny any direct relationship with the NSA - because it's actually the FBI that is picking up their data.

Had this slide been published right in the beginning, then more adequate questions could have been asked and probably we could have got answers that made more sense.

A direct relationship does exist however with the companies which are involved in the Upstream collection, like AT&T and Verizon, who most likely have high volume filtering devices like the Narus STA 6400 installed at their switching stations. Unlike intercept facilities outside the US, where the XKeyscore system can store and search 3 days of content, the sites inside the US only seem to filter data as they flow past, and hence there's no access to Stored Communications.

About Collection

The slide also shows that the so-called "Abouts" collection is only conducted under the Upstream method. As we learned from a hearing of the Privacy and Civil Liberties Oversight Board (PCLOB), this About Collection is not for gathering communications to or from a certain target, but about a specific selector, like for example an e-mail message in which an e-mail address or a phone number of a known suspect is mentioned. This About Collection is not looking for names or keywords, is only used for internet communications and was authorized by the FISA Court.

Because under Upstream NSA is allowed to do About Collection which pulls in a broader range of communications, the retention period (the time the data are stored) is only two years. Data collected under PRISM, which are restricted to communications to and from specific addresses, are stored for the standard period of five years. Both under PRISM and Upstream there's no collection based upon keywords.



12. This slide was seen in a television report and shows a world map with the undersea fiber optic cables, drawn according to the volumes of data they transmit. This map is used as the background for a number of other slides about FAA 702 Operations. It seems that additional information, like in the next slide, appears by mouse-clicking in the original PowerPoint presentation.



13. The slide shows the same world map with fiber-optic cables and is hardly readable, but according to Wikipedia, the subheader reads "Collection only possible under FAA702 Authority" and in the central cyan colored box the codenames FAIRVIEW and STORMBREW are shown subsequently. Maybe other codenames are in the yellow box at the right side. It's not clear what the irregular blue shapes in the Indian Ocean are. The figure which is right of New Zealand is a stereotype depiction of a terrorist with a turban.



14. This partial slide was seen on the laptop of Glenn Greenwald in a report by Brazilian television and shows two scenarios for collecting data under FAA 702 authority. It has two boxes with text; the one on the right reads:
UPSTREAM
Scenario #2
OPI tasks badguy@yahoo.com under FAA702 and 12333 authority in UTT
Badguy sends e-mail from [outside?] U.S. and comms flow inside U.S.
FAIRVIEW sees selector but can't tell if destination end is U.S. or foreign
RESULT
Collection allowed
Only the target end needs to be foreign
OPI stands for Office of Primary Interest and UTT for Unified Targeting Tool, the NSA application used for instructing the actual collection facilities.



15. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013.

It shows a list of 35 IP addresses and domain names which are the "Higher Volume Domains Collected from FAA Passive". Data from these domains are collected from fiber optic cables and other internet infrastructures - the Upstream or Passive Collection, complementary to the PRISM collection which involves some major US domains like hotmail.com and yahoo.com.

All IP addresses and domain names are blacked out, except for two French domains: wanadoo.fr (a major French internet service provider) and alcatel-lucent.com (a major French-American telecommunications company). The rest of the list will most likely contain many similar domain names, which shows that redactions of the Snowden documents are not only made to protect legitimate security interests, but also when the papers, in this case Le Monde, want to keep these revelations strictly focused on their own audience.



Reporting based on PRISM

The following slides show some of the results from the PRISM program:


16. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013.

It shows a highlight of reporting under the section 702 FAA authority, which in this case includes both PRISM and the STORMBREW program of the Upstream collection capability. Information derived from both sources enabled the NSA/CSS Threat Operations Center (NTOC) to determine that someone had gotten access to the network of a cleared defense contractor (CDC) and was either preparing to, or at least had the ability to, get 150 gigabytes of important data out. NTOC then alerted the FBI, which alerted the contractor, and they plugged the hole the same day, apparently December 14, 2012.

Another cyber attack that was detected by PRISM occurred in 2011 and was directed against the Pentagon and major defense contractors. According to the book 'Der NSA Komplex' this attack was codenamed LEGION YANKEE, which indicates that it was most likely conducted by Chinese hackers.*



17. This slide of the PRISM presentation appeared on the website of O Globo and is titled "A Week in the Life of PRISM Reporting" and shows some samples of reporting topics from early February 2013.

It seems the bottom part of this slide was blacked (or actually whited) out by Brazilian media, as the Indian paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as topics under "India", and also information from Asian and African countries, contributing to a total of "589 End product Reports".

These lists show that collection under the PRISM program is not restricted to counter-terrorism, but is also not about monitoring ordinary people all over the world, as many people still think. PRISM is used for gathering information about a range of targets derived from the topics in the NSA's Strategic Mission List (pdf). The 2007 edition of this list was also among the Snowden-documents and subsequently published, but got hardly any attention.

According to former NSA deputy director Chris Inglis some 41 terrorist plots were foiled by information collected under section 702 FAA, most of them by PRISM. This is not a very large number, but as we've seen, PRISM is also used for creating intelligence reports about many other topics.

In 2012, PRISM was cited as a source in 1477 items of the President's Daily Brief, making it one of the main contributors to this Top Secret intelligence briefing which is provided to the president each morning.



Links and Sources
- MatthewAid.com: New NSA Report on Its Electronic Eavesdropping Programs
- EmptyWheel.net: Back Door Searches: One of Two Replacements for the Internet Dragnet?
- DNI.gov: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702 (pdf)
- TED.com: Edward Snowden: Here's how we take back the Internet
- C-Span.org: Privacy and Civil Liberties Oversight Board Hearing, Government Officials Panel
- TechDirt.com: Why Does The NSA Focus So Much On 'TERROR!' When PRISM's Success Story Is About Cybersecurity?
- SealedAbstract.com: The part of the FISC NSA decision you missed
- GlobalResearch.com: New Documents Shed Light on NSA’s Dragnet Surveillance
- TheGuardian.com: Microsoft handed the NSA access to encrypted messages

Pictures from inside the German intelligence agency BND



The German foreign intelligence agency Bundesnachrichtendienst (BND) is moving to a brand new headquarters in Berlin. Here we show some unique pictures from inside the former headquarters in the village of Pullach and also give an impression of what the new building looks like.

Unlike for example the United States and the United Kingdom, Germany has no separate agency for collecting Signals Intelligence (SIGINT) - this is done by the BND, and as such this agency is a 3rd Party partner of NSA since 1962 and also participates in the SIGINT Seniors Europe or 14-Eyes group.



The former Pullach headquarters

Since its formal creation in 1956, the Bundesnachrichtendienst had its headquarters at a 68-hectare compound in Pullach, a village near Munich in the southern province of Bavaria, which was initially built as a model village for staff members of the Nazi party in the years 1936-1938. On the eastern part of the compound there are nowadays also a number of modern office blocks:




As a farewell to this old headquarters, the German photographer Martin Schlüter was allowed to take pictures of almost every corner of the complex, but only at night, when there were no employees present. His pictures are now available in a book called "Nachts schlafen die Spione" (At night the spies are sleeping), published by the Sieveking Verlag.

Pictures from the book were shown in the German television magazine TTT - Titel, Thesen, Temperamente, which made it possible to take the following screenshots of those that show some of the telecommunications equipment used by the BND (click the pictures to enlarge).


One picture shows a larger room which is used as an operations center with all the common stuff, like various computers, large video screens and teleconferencing equipment:




In the next picture we see a smaller operations center room with desks and a lot of computer screens:




We see that every monitor has its own keyboard and mouse, which seems not very practical. In the US for example, military and intelligence agencies use so-called KVM switches, which allow users to work on multiple computers and networks with just one keyboard, video screen and mouse.


A close up of the previous picture gives a somewhat more detailed view of the equipment:




On the left there are computer screens which show content inside a red or a blue border. This most likely indicates the classification level of the network they're connected to:
- Blue: VERSCHLUSSSACHE (which equals Confidential)
- Red: GEHEIM (Secret) or STRENG GEHEIM (Top Secret)
Content without such a border is apparently unclassified.

In the center we see two telephones: at the left a Cisco Unified IP Phone 7961 and at the right a rather common looking but yet unidentified office telephone, which can be seen in the other pictures too. The Cisco phone is for a Voice over IP (VoIP) network, while the other one is probably part of a traditional Private Branch eXchange (PBX) internal telephone system.

In these pictures we see no secure telephones, ones that are capable of encrypting calls by themselves, like the ELCRODAT 5-4, made by the German manufacturer Rohde & Schwarz. Probably BND uses network encryptors to secure the calls before they leave the internal network.


That there's also some amount of craziness can be seen in this picture of an office room, used by a BND employee who clearly is a hardcore fan of Elvis Presley:






The new Berlin headquarters

The new BND headquarters is a huge office building at the Chausseestraße in the centre of Berlin. The construction started in 2006 and the overall costs for the building and moving the inventory of some 6000 employees are estimated at 1,3 billion Euro.

The architecture expert Niklas Maak points to a striking difference between the former and the new headquarters: in the past, the enemy was known, the communists from the Warsaw Pact, it was known where they came from, and hence the intelligence agency was hidden in the Bavarian woods. Nowadays, enemies like terrorists and hackers are invisible and could be everywhere, but the BND is now as visible as it can be, almost as if to scare them off.



The new BND headquarters building in Berlin
(photo: DAPD/TAZ.de)


In the new building each employee has a desk with two computers and a telephone, as can be seen in this picture:


(photo: Franz Solms-Laubach/BZ-Berlin.de)


There are two wide-screen monitors, each one with its own keyboard and mouse and connected to a thin client. Apparently the BND still doesn't want to use KVM switches. A thin client is a device that just creates a virtual desktop environment; all files are stored on centralized servers, which also makes it easier to control and limit access to sensitive and secret documents.

One of the thin clients has a red and the other one a blue sticker, which probably once again denotes the classification level of the network to which it connects:
- Blue: VERSCHLUSSSACHE (which equals Confidential)
- Red: GEHEIM (Secret) or STRENG GEHEIM (Top Secret)

The telephone on the desk is an Alcatel-Lucent 4068 IP Phone or a similar model, which is a high-end, full-featured office telephone for Voice over IP networks. Alcatel was a major French telecommunications company which merged with the American telephone manufacturer Lucent Technologies in 2006.

It seems somewhat strange for an intelligence agency to use telephones that are made by a foreign company, as for example the German company Siemens has been manufacturing telephony equipment for almost a century.



Links and sources
- More pictures of the Berlin headquarters: Eröffnung der BND-Zentrale
- A 2006 photobook about BND Standort Pullach


Five Eyes, 9-Eyes and many more

(Updated: January 22, 2014)

On November 2, The Guardian published a lengthy article about the Snowden leaks, which said that besides the close intelligence-sharing group of the US, Britain, Canada, Australia and New Zealand, known as 5-Eyes, there are also groups called 9-Eyes and 14-Eyes.

According to The Guardian, the first consists of the 5-Eyes countries plus Denmark, France, the Netherlands and Norway and the latter adding another five European nations. This caused some embarrassment, as especially France and The Netherlands were heavily opposed to NSA's eavesdropping operations.

For almost everyone the existence of these 'Eyes' came as a surprise, but as this article will show, there are also 3-, 4-, 6-, 7-, 8-, 9- and 10-Eyes communities. They were created for restricting access to military and intelligence information to the respective numbers of coalition nations. These 'Eyes' are used as handling instructions and are often supported by dedicated communication networks.





Many new 'Eyes'

First we take a look at what The Guardian wrote about the 9-Eyes and other intelligence-sharing groups:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

In a similar article, The New York Times also mentioned these two new Eyes-groups, but without naming the participating countries, and instead of the 41-Eyes, adding NACSI, the NATO Advisory Committee for Special Intelligence:
"More limited cooperation occurs with many more countries, including formal arrangements called Nine Eyes and 14 Eyes and Nacsi, an alliance of the agencies of 26 NATO countries".

These new revelations seem to be confirmed by what is said in an informative 2012 paper (pdf) about Canada and the Five Eyes Intelligence Community:
"The Five Eyes sigint community also plays a ‘core’ role in a larger galaxy of sigint organizations found in established democratic states, both west and east. Five Eyes ‘plus’ gatherings in the west include Canada’s NATO allies and important non-NATO partners such as Sweden. To the east, a Pacific version of the Five Eyes ‘plus’ grouping includes, among others, Singapore and South Korea. Such extensions add ‘reach’ and ‘layering’ to Five Eyes sigint capabilities."

This text suggests that there are several western Five Eyes 'plus' groups, one of which sounds like the 14-Eyes mentioned by The Guardian. The eastern Five Eyes 'plus' refers to the 10-Eyes group, which will be described below.

The existence of these hitherto unknown Eyes groups came as a surprise, because it was generally assumed that NSA only had two kinds of partners for sharing signals intelligence:

- 2nd Party: the Five Eyes based upon the UKUSA-Agreement of 1946
- 3rd Party: a range of countries that have bilateral agreements with NSA



The CFBL Network

The term 9-Eyes could already be found in some other sources. One is an extensive article by the French weblog Zone d'Intérêt about the NATO exercise Empire Challenge 2008 (EC08), in which a number of operational and testing networks were used. One of them is the Combined Federated Battle Laboratories Network (CFBLNet), which is for research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.

The CFBL network consists of an unclassified (black) backbone network (the Blackbone) whose main purpose is transporting the encrypted traffic of several classified and unclassified enclaves. The main secure domains on the CFBL Blackbone are:
- The CFBLNet Unclassified Enclave (CUE), which is unclassified, but traffic is secured using 128 bit Advanced Encryption Standard (AES) encryption.

- The Four-Eyes Enclave (FEE), which is a classified enclave at the SECRET level, accessible for USA, GBR, CAN and AUS only. This enclave was moved from behind the BLUE enclave to the Blackbone in 2006.

- The 6-Eyes or BLUE Enclave, which is a classified enclave at the SECRET level, accessible for the Five Eyes plus NATO (see paragraph about 6, 8 and 10-Eyes)

- The 9-Eyes or NATO RED Enclave, which is also a classified enclave at the SECRET level, accessible for the NATO members of the Five Eyes plus France, Germany, Italy, Spain, The Netherlands and Norway. This enclave was established in 2006 for classified initiatives among NATO members.

- The Initiative Enclaves, which are created temporarily to support specific initiatives and are classified according to the initiative requirements.

We can see these parts of the CFBL Network mentioned in this slide about the networks used in the EC08 exercise:



The various networks involved in Empire Challenge 2008 (EC08)
(COI = Community of Interest, CFE = CENTRIXS Four Eyes,
DDTE = Distributed Development and Test Enterprise)
(full presentation: EC08 Networks (pdf), May 2008)


The 9-Eyes countries are also listed in a table in a NATO standardization document (pdf) from 2010. There we see that from the 4-Eyes only the US, the UK and Canada are part of the 9-Eyes, which makes sense, as Australia is not a NATO partner:




This table lists the groups of nations to which some specific multi-national intelligence and reconnaissance information can be released. This is shown by using the dissemination markings or handling instructions: REL NATO, REL 4-EYES, REL 9-EYES.

The famous Five Eyes term also has its origins in the former NSA dissemination marking EYES ONLY, which defined which 'eyes' may see certain material. Accordingly, documents authorized for release to the five UKUSA-countries were initially marked as AUS/CAN/NZ/UK/US EYES ONLY.

In conversations, allied intelligence personnel adopted the term "Five Eyes" as a shorthand because it was much easier to say. This term became widely used and even got its own abbreviation: FVEY, which is now used in REL FVEY, after the EYES ONLY marking was being replaced by the REL TO [country/coalition designator] format.


A classification line showing the REL FVEY marking



Two different 9-Eyes?

If we compare the nine members of the CFBLNet NATO domain with the 9-Eyes countries mentioned in The Guardian article, we see some differences:

CFBLNet/NATO:
USA, GBR, CAN, FRA, DEU, ITA, NLD, NOR, ESP

The Guardian:
USA, GBR, CAN, AUS, NZL, FRA, DNK, NLD, NOR

From the European NATO countries, France, The Netherlands and Norway are in both lists. The Guardian adds Denmark and the non-NATO members of the Five Eyes, which leaves Germany, Italy and Spain out.

Especially Germany and Italy not being included in this apparently close alliance seems strange, as both countries participate in other coalition groups and are both considered to be 3rd party partners of NSA. Maybe this explains Germany being "a little grumpy at not being invited to join the 9-Eyes group" as The Guardian read in GCHQ documents.

Unfortunately, The Guardian failed to provide any context or even a time period for their 9-Eyes and 14-Eyes listings, which makes it quite difficult to find an explanation for the different membership countries of these groups.

At first sight it seems there are two different 9-Eyes groups: one apparently closely related to NSA, and another one as a sharing group in the CFBLNet environment. But as 9-Eyes is used as a handling instruction for classified information, it has to be perfectly clear to which group of countries information marked REL 9-EYES may be released. Therefore we have to assume there can be only one 9-Eyes group at a time.

The 9-Eyes NATO group of the CFBL network was first mentioned in 2008 and still comprised the same nations in 2012. In the meantime, Sweden also became a full member of CFBLNet, but not being a NATO member, it wasn't included in the 9-Eyes sharing group.



The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)


One option to explain the differences between the two 9-Eyes could be changing membership, with countries added or removed on an annual basis depending on their participation in the CFBLNet. But this also wouldn't fit with the Guardian's list, as Australia and New Zealand are no NATO-members and Denmark is not a fully participating member nation of the CFBL network.

Unless The Guardian misinterpreted the Snowden-documents, it seems quite unlikely that their 9-Eyes could be the same as the NATO 9-Eyes on the CFBL network, but it seems also unlikely that there are two groups called 9-Eyes at the same time. The best guess at this moment would be that the Guardian's 9-Eyes was a group that only existed somewhere before the NATO group was formed.


UPDATE:
From remarks made on Twitter by a Dutch journalist who works on the Snowden-papers, it seems that the 9-Eyes is a group for exchanging military signals intelligence related to operations in Afghanistan.


There's also the Multinational Interoperability Council (MIC), which is a forum for identifying interoperability issues and articulating actions to enhance coalition operations. It started in 1999 as the Six Nation Council and now has seven members: the US, Canada, Australia, Britain, France, Germany and Italy. It might be this group which is called 7-Eyes.

Also interesting is Alliance Base, which was the cover name for a secret Counterterrorist Intelligence Center (CTIC) that existed between 2002 and 2009. It was based in Paris and was a cooperation between six countries: the US, Canada, Australia, Britain, France and Germany. There's no indication this group was designated by a number of 'Eyes'.



The 14-Eyes and 3rd and 4th party partners

Now let's take a look at the 14-Eyes community, which was revealed for the first time by The Guardian. Looking at the number and the participating countries, it comes very close to CFBLNet, which had 13 full members (12 nations + the NATO organization) since 2010. But there are also some differences again:

CFBLNet members:
USA, GBR, CAN, AUS, NZL, FRA, DEU, NLD, NOR, ESP, ITA, SWE

The Guardian:
USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE

These lists are very similar, except that Denmark and Belgium, which are on the Guardian's list, are not (full) members of CFBLNet. Maybe these two countries joined CFBLNet only very recently, and in that case the 14-Eyes could refer to this group. It does show though that these NATO countries (and Sweden) are cooperating in additional information-sharing initiatives.

The exact purpose of such a cooperation in the 14-Eyes group isn't clear. The New York Times only says that the nations comprising the 9-Eyes and 14-Eyes groups have formal arrangements with NSA, which is something that also makes a country a traditional 3rd party partner.

According to Snowden documents, about 30 countries have this status, but so far only the names of Germany, France, Austria, Denmark, Belgium and Poland were published. Some other sources say that Norway, Italy, Greece, Turkey, Thailand, Malaysia, Singapore, Japan, South Korea, Taiwan, Israel and South Africa are 3rd party partners too.

If we compare this to the 14-Eyes, we see that only France, Germany, Norway, Italy, Belgium and probably Spain are known 3rd party partners. Sweden, Denmark and The Netherlands are not, but it's assumed they had or have less formal arrangements for exchanging SIGINT and cryptologic information with NSA. This also applies to Finland and Taiwan, and therefore these countries are sometimes called 4th party partners.

It seems there are roughly three possibilities:

A. All countries of the 14-Eyes (and subsequently those of the 9-Eyes) are actually 3rd party partners, because of having formal arrangements with NSA. Which means Sweden, Denmark and The Netherlands must have acquired that position in recent years. Grouping them in two 'Eyes' would only make sense if that's for some specific initiatives.

B. Countries belonging to the 9-Eyes and 14-Eyes have a more close relationship with NSA and are therefore somewhere in between the 2nd party and the 3rd party nations. This is what both papers suggest, but it seems not very likely that relationships like these allow that much of (formal) refinement.

C. The 9-Eyes and 14-Eyes are groups created for specific goals and consist of the Five Eyes with some additional 3rd and 4th party nations, depending on whether their participation is needed for achieving those goals.


UPDATE:
A newly disclosed document has shown that all countries of the 14-Eyes are 3rd Party partners of NSA and that the actual name of this group is SIGINT Seniors Europe (SSEUR). More about this: 14-Eyes are 3rd Party partner forming the SIGINT Seniors Europe

In 2010, France was apparently ready to join the Five Eyes, but at the last moment the Obama White House said no.


The CFBL Network

The Combined Federated Battle Laboratories Network (CFBL or CFBLNet) is a distributed Wide Area Network (WAN), which allows for the testing of new multinational information-sharing capabilities before they're transitioned to the actual operational networks which are used worldwide to support Combatant Command operations. CFBLNet enables the sharing and exchange of information on experimentation and interoperability testing.

Each member nation operates several "Battle Lab" sites which hook into the CFBLNet backbone at a national Point-of-Presence (PoP). In 2012 there were 247 sites divided over 12 countries. The backbone traffic is secured with TCE621 (in Europe) and TACLANE E100 (or KG-175 in the US) network encryptors. The Multinational Information Sharing Program Management Office (MNIS PMO) maintains day-to-day control and coordination of the network.

Every year, also several other NATO countries participate or observe as guest nations in one or more CFBLNet initiatives at existing lab sites.

The CFBLNet grew out of the network designed to support the US Joint Warfighter Interoperability Demonstrations (JWID), which used to build a support network for the period of the demonstrations and tear it down afterwards. In 1999, the JWID exercise used, for the first time, a permanent infrastructure that became what is now called the Combined Federated Battle Lab Network (CFBLNet), as established by the NATO Consultation, Command and Control Board (NC3B) in 2001.



The 6, 8 and 10 Eyes

Creating separate access groups for coalition operations, and describing them with a certain number of 'Eyes' can be traced back to the early years of this century. The first occasion seems to have been the Joint Warrior Interoperability Demonstration 2003 in which also non-traditional partner countries were added to the communications network used by the UKUSA and NATO coalition.

Information sharing between different groups of coalition partners required that separate domains had to be created within one network: in 2003, the 5-Eyes countries and the NATO organization comprised the 6-Eyes domain, while these six members plus four Pacific Rim nations (Japan, South Korea, Thailand and Singapore) comprised the 10-Eyes domain. Each domain had its own Type-2/3DES-encrypted Virtual Private Network (VPN) which ran over a network secured by classified Type-1 encryption algorithms.



Slide with an overview of the 6-Eyes and 10-Eyes network domains
(full presentation: Agile Coalition Environment (pdf), 2003)


The 2004 edition of the Joint Warfighter Interoperability Demonstration also involved South-Korea, officially known as the Republic of Korea (ROK). To this end, three separate domains within CFBLNet were created and organized into two classification levels named 6-Eyes and 8-Eyes. The 8-Eyes domain consisted of the 6-Eyes countries plus NATO and ROK. The ROK domain was cryptographically isolated from the rest of CFBLNet by using TACLANE encryptors with Type-1 algorithms.



The 5, 4 and 3 Eyes

The long-standing and close intelligence-sharing community of the Five Eyes was downsized on two occasions. First in 1985, when New Zealand refused to allow US nuclear-armed or nuclear-powered ships to visit its ports. As a result, the island was cut out of most intelligence arrangements led by the US. Some SIGINT was still being shared, but New Zealand got no American HUMINT or military intelligence anymore, except for operations in which it's actually participating.

Things not to be shared with New Zealand were now 4-Eyes only. Staying outside most of the allied military operations, New Zealand was also not connected to the CENTRIXS Four Eyes (CFE) network (also called X-Net), which was created in 2001 and is extensively used for operational coordination between the remaining four partners: Australia, Canada, Great Britain and the US. Sites on this network have addresses in the format www.website.xnet.mnf

For information sharing and exchange between these nations, there's also a separate network codenamed STONEGHOST, which is maintained by the US Defense Intelligence Agency (DIA). This network was previously called Intelink-C, which runs over it, and is now sometimes referred to as Q-Lat or Quad link. Information restricted to the 4-Eyes partners is marked with their respective country codes or the abbreviation thereof: ACGU.


A document showing the REL TO USA ACGU marking (source)


For collaborative planning at the strategic level there's another network called Pegasus (until 2010: GRIFFIN), which provides secure e-mail, chat and VoSIP communications for the 5-Eyes partners, as the military cooperation between the US and New Zealand was restored again in 2007. Probably by then, a separate network called CENTRIXS-NZ was set up, which connects the Four Eyes with New Zealand. Sharing intelligence information between the US and the Five Eyes is done through NSANet, which is a TS/SCI network controlled by NSA.

Another sub-group of the Five Eyes was formed when Canada didn't join the US in the 2003 war against Iraq. With New Zealand also not formally engaging, the 5-Eyes were now reduced to just 3-Eyes: the United States, Great Britain and Australia.
The relationship between these three countries became closer when president George W. Bush granted both Britain and Australia an upgrade of their intelligence access: both countries received (temporary and limited) access to America's classified SIPRNet for certain joint missions. This also reflects their bigger SIGINT collection capabilities, compared to those of Canada and New Zealand.


CENTRIXS networks

The main US-led multinational coalition networks are called CENTRIXS, which stands for Combined ENTerprise Regional Information eXchange System. It's a secure wide area network (WAN) architecture, which can be established according to the demands of a particular coalition exercise or operation. CENTRIXS supports intelligence and operations information sharing at the SECRET REL TO [country/coalition designator] level. Some notable CENTRIXS networks are:

- CENTRIXS Four Eyes (CFE) for the US, Britain, Canada and Australia.
- CENTRIXS-NZ for the Four Eyes plus New Zealand.
- CENTRIXS-JPN for the United States and Japan.
- CENTRIXS-K for the United States and South Korea.
- CENTRIXS-PHI for the United States and the Philippines.
- CENTRIXS-CNFC for the Combined Naval Forces CENTCOM (VPN within GCTF).
- CENTRIXS-MCFI for the Multinational Coalition Forces Iraq.
- CENTRIXS-ISAF (CX-I) which is the US component of the Afghan Mission Network to share critical battlefield information among 50 coalition partners.
- CENTRIXS-GCTF (CX-G) for the Global Counter Terrorism Forces, which is the US coalition network in Afghanistan to share information among more than 80 Troop Contributing Nations.

The countries connected to CENTRIXS-ISAF can be recognized as the 41-Eyes of the allied coalition in Afghanistan mentioned by The Guardian. This group grew slowly and was called 43-Eyes in 2010, when the NATO exercise Empire Challenge 2010 (EC10) changed its "main participating security domain" to "an International Security Assistance Forces (ISAF) equivalent 43-Eyes domain".

Probably also because of the steadily increasing number of coalition partners, shareable information is not marked with REL [..] EYES anymore, but with REL ISAF and REL GCTF.



Slide showing the complexity of multi-national information sharing
(full presentation: MultiNational Information Sharing (pdf), 2011)



Conclusion

We have seen that designations consisting of a number of 'Eyes' are used as a dissemination marking or handling instruction showing among which group of countries specific military or intelligence information may be shared.

The Guardian and the New York Times listed various 'Eyes' and some other groups in a way that suggests a hierarchy of how close their relationship with NSA would be: first the Five Eyes community, followed by 9-Eyes, 14-Eyes, NACSI, and with the 41-Eyes Afghanistan coalition being the loosest kind of cooperation.

A scheme like this looks attractive, but is at least partially misleading. For sure the Five Eyes are cooperating in the closest way, but the other groups have different scopes. NACSI is more like an advisory working group of NATO than an alliance of signal intelligence agencies, and the 41/43-Eyes community is for sharing battlefield information between members of the Afghanistan coalition.

Regarding the 9-Eyes and 14-Eyes communities, it's now up to journalists who have access to the Snowden-documents to provide more detailed information about whether they really represent closer alliances with NSA, or whether they're just 'working groups' of selected 3rd and 4th party nations, like most of the other 'Eyes' communities.


UPDATE #1:
A newly disclosed document has shown that all countries of the 14-Eyes are 3rd Party partners of NSA and that the actual name of this group is SIGINT Seniors Europe (SSEUR). More about this: 14-Eyes are 3rd Party partner forming the SIGINT Seniors Europe

UPDATE #2:
From remarks made on Twitter by a Dutch journalist who works on the Snowden-papers, it seems that the 9-Eyes is a group for exchanging military signals intelligence related to operations in Afghanistan.



Summary of all known 'Eyes'

- 3-Eyes: USA, GBR, AUS (TEYE)
- 4-Eyes: USA, GBR, CAN, AUS (ACGU)
- 5-Eyes: USA, GBR, CAN, AUS, NZL (FVEY)
- 6-Eyes: USA, GBR, CAN, AUS, NZL, NATO
- 7-Eyes: USA, GBR, CAN, AUS, FRA, DEU, ITA (MIC?)
- 8-Eyes: USA, GBR, CAN, AUS, NZL, NATO, ?, South Korea
- 9-Eyes: USA, GBR, CAN, FRA, DEU, ITA, NLD, NOR, ESP (CFBLNet)
- 9-Eyes: Five Eyes + FRA, DNK, NLD, NOR (Guardian)
- 10-Eyes: USA, GBR, CAN, AUS, NZL, NATO, Japan, South Korea, Thailand, Singapore
- 14-Eyes: Five Eyes + FRA, DNK, NLD, NOR, DEU, ESP, ITA, BEL, SWE (SSEUR)
- 41-Eyes: ISAF-countries in ? (Guardian)
- 43-Eyes: ISAF-countries in 2010



Links and Sources
- DeCorrespondent.nl: Over Five Eyes en Third Parties - Met wie werkt de NSA samen (2013)
- Privacy International report: Eyes Wide Open (pdf)
- DailyDot.com: How the NSA ranks its international spying partners
- Disa.mil: Multinational Information Sharing (MNIS)
- Article in French about Empire Challenge 2008
- The 2004 listing of Country Code Trigraphs and Coalition Tetragraphs (pdf)
- About Canada and the Five Eyes Intelligence Community (pdf)
- Far-Reaching Scenario Reflects Changing World (2003)
- Article about CENTRIXS-Maritime: connecting the warfighter
- Combined Operations Wide Area Network (COWAN)/Combined Enterprise Regional Information Exchange System (CENTRIXS) (pdf)
- The 1999 DMS GENSER Message Security Classifications, Categories, and Marking Phrase Requirements (pdf)

NSA's largest cable tapping program: DANCINGOASIS

(Updated: May 26, 2014)

On May 13, Glenn Greenwald published his book 'No Place To Hide' about the Snowden-disclosures. It doesn't contain substantial new revelations, but from one of the original documents in it we can determine that NSA's largest cable tapping program is codenamed DANCINGOASIS, something which was not reported on earlier.

Here we will combine information from a number of other documents and sources to create a somewhat more complete picture of the DANCINGOASIS program.


Special Source Operations

In Greenwald's book and on his website, the following chart from NSA's BOUNDLESSINFORMANT tool was published. Although these charts are not always easy to interpret, we can rather safely assume that this one gives the overview for NSA's Special Source Operations (SSO) division, which is responsible for collecting data from major telephony and internet cables and switches.

During the one month period between December 10, 2012 and January 8, 2013, a total of more than 160 billion metadata records were counted, divided into 93 billion DNI (internet) data and 67 billion DNR (telephony) data:


In the "Most Volume" section we see that the program which collects most data is identified by the SIGINT Activity Designator (SIGAD) US-3171, a facility that is also known under the codename DANCINGOASIS, which is sometimes abbreviated as DGO.

During the one month period covered by the chart, this program collected 57.7 billion data records, which is more than twice as much as the second-ranked program: US-3180, which is codenamed SPINNERET. Third is US-3145 or MOONLIGHTPATH and fourth DS-300 or INCENSER. This chart will be analysed in general in a separate article.


Numbers

Previously it seemed that INCENSER collected the largest amount of data. A BOUNDLESSINFORMANT chart published in November 2013 said that this program gathered some 14 billion metadata records a month. Now we know that DANCINGOASIS is collecting almost 4 times as much: more than 57 billion records each month, or 684 billion every year.

Comparing some numbers shows that DANCINGOASIS (57 bln.) accounts for more than a third of everything the SSO division collects (160 bln.). It is also far more than what is collected under FAIRVIEW (6 bln.), which is one of the big domestic cable tapping programs that NSA operates in cooperation with US telecom providers.

Comparing DANCINGOASIS with the total number of data that is collected worldwide during one month early 2013 (221 bln.), as presented in the BOUNDLESSINFORMANT heat map, we see that DANCINGOASIS alone seems to account for almost a quarter of the entire NSA data collection.



Given this large share, it could be that DANCINGOASIS is an umbrella program which encompasses various smaller sub-programs. However, DANCINGOASIS is different from MYSTIC, which is an umbrella program containing facilities that monitor at least five entire countries, as was revealed recently by The Intercept. The part of MYSTIC that stores all phone calls of two countries, codenamed SOMALGET, processes only about 3 billion telephony metadata every month.


Whereabouts

Strangely enough we haven't (yet) read about DANCINGOASIS in media reports, nor in the book of Glenn Greenwald, and also we haven't seen any slides or documents that specifically deal with this program.

But in the book 'Der NSA Komplex' written by two journalists from the German magazine Der Spiegel, there's more information. It says that the DANCINGOASIS program started in May 2011 and monitors a fiber optic cable between Western Europe and the Far East.*

It is not clarified what kind of targets DANCINGOASIS collection is used for, but given the enormous amounts of data (57 billion), it has to be from top priority countries from the Middle East. According to the BOUNDLESSINFORMANT heat map, NSA collected more than 27 billion data a month from Pakistan, 24 billion from Afghanistan, 15 billion from Iran and 13 billion from Jordan - all countries that are along the fiber optic cables between Europe and the Far East.


Blocking address books

Such a huge collection of communications inevitably comes with data that are useless, like for example address books from e-mail accounts that are not related to target persons. Because the number of these address books grew steadily, NSA started to block these from being ingested by installing the SCISSORS selection system.

This is shown in slides published by The Washington Post on October 15, 2013. We see that SCISSORS was enabled for DANCINGOASIS (US-3171) on March 13, 2012:

 

The slide on the right shows two codes associated with content collected under DANCINGOASIS: DGOT and DGOD. Similar codes for metadata are written in reverse: TOGD and DOGD respectively.


Processing

The systems which are used to process the data from DANCINGOASIS are listed in the "Top 5 Tech" section of the SSO chart. Of the four most important systems, three are used for processing internet data: XKEYSCORE (42 bln.), TURMOIL (23 bln.) and FALLOUT (12 bln.), with LOPERS (41 bln.) being a system for processing data derived from telephone networks.

This means that there are two options regarding what kind of data are collected under the DANCINGOASIS program:
- Either 100% derived from the internet and then being processed by a combination of the XKEYSCORE, TURMOIL and FALLOUT systems;
- Or a mix of internet and telephony data, which are processed partly by the internet processing systems and partly by LOPERS.

Clarity about this can be provided by the BOUNDLESSINFORMANT chart about the DANCINGOASIS program specifically, which hasn't been published yet.


Data filtering

The cable intercepted by DANCINGOASIS carries 25 petabytes of communications data each day. Between 3 and 6 petabytes of this are being scanned by NSA computers. These systems search the data for keywords that are determined by NSA's targeting offices and are derived from the topics in the Strategic Mission List (pdf) and the National Intelligence Priorities Framework, as approved by the White House.

Based upon an unpublished NSA presentation from March 22, 2013 titled "Cyber Threats and Special Sources Operations", the Spiegel book says that between 10 and 40 percent of the data (both content and metadata) collected under the DANCINGOASIS program are filtered out and stored in two databases: 43 gigabyte in one and 132 gigabyte in another database, every day.*

The book doesn't provide the names of the databases, so probably they aren't the known ones like PINWALE, MAINWAY and MARINA. Therefore, the data from DANCINGOASIS might be stored in the NSA's new cloud systems, the names of which NSA likes to keep secret for some reason or another.

Because of similar capacity limits across a range of collection programs, the NSA is leaping forward with cloud-based collection systems and a huge new "mission data repository" in Utah.


Metadata processing

According to the excerpt of an NSA document published in the book of Glenn Greenwald, metadata records from DANCINGOASIS are processed by a system codenamed SHELLTRUMPET. This system "began as a near-real time metadata analyser in December 2007 for a CLASSIC collection system":


On December 21, 2012 SHELLTRUMPET had processed its 1 trillionth metadata record. Almost half of this volume was processed during 2012, and half of that volume, so one quarter of a trillion (250 billion) metadata records, came from DANCINGOASIS.*



Reporting

A system that collects a huge amount of data does not automatically contribute to equal numbers of intelligence reports. We can see this in a slide about results from NSA's Upstream collection during the fiscal year 2010/2011.

In the chart, US-3171, the SIGAD of DANCINGOASIS, ranks 6th with some 5452 so called "Serialized Product Reports". Data collected under section 702 FAA authority (PRISM and the domestic Upstream cable tapping) led to almost 4 times more reports:


With a blue bar, DANCINGOASIS is listed as a "SSO Non-Corporate Program", which means the collection is done without cooperation of a commercial telecommunications company. Although this does not exclude foreign government or foreign partner agency cooperation, it's remarkable that NSA is able to collect these huge amounts of data from a fiber optic cable without the help of the operating companies.



Some numbers about NSA's data collection

(Updated: June 9, 2014)

Today it's exactly one year since the Snowden-leaks started. Among the many highly classified documents which were disclosed during the past year are various charts that provide us with actual numbers about the amount of data the National Security Agency (NSA) is collecting.

Here we will take a look at those numbers and see what we can learn from them by comparing various sources and from breaking them down into NSA-divisions, countries and collection programs. As still only fragmented parts have been published, this overview cannot provide completeness or full accuracy (estimates are shown as round numbers).



BOUNDLESSINFORMANT

The most detailed numbers about NSA's data collection are from the BOUNDLESSINFORMANT tool, which is used by NSA officials to view the metadata volumes collected from specific countries or by specific programs.

A worldwide overview is provided by a heat map which was published by The Guardian on June 11, 2013. It displays the figures over a 30-day period ending in March 2013:


NSA worldwide total:          221.919.881.317

Internet records (DNI):        97.111.188.358
Telephony records (DNR):      124.808.692.959


This total of 221 billion telephony and internet records a month equals 2,6 trillion a year and 7,3 billion a day.


The BOUNDLESSINFORMANT worldwide overview for March 2013
(click to enlarge)



NSA volumes and limits

The BOUNDLESSINFORMANT tool seems to be very accurate, but there's another chart that gives different numbers. It's from a 2012 presentation for the SIGINT Development conference of the Five Eyes community and shows the volumes and limits of NSA metadata collection. The chart was published by The Washington Post on December 4, 2013 and again in Greenwald's book 'No Place To Hide' on May 13, 2014.



Chart showing the volumes and limits of NSA metadata collection
between January and June 2012
Redactions by Greenwald or the press, explanations added by the author
(click to enlarge)


This chart shows:
- the numbers of telephony metadata which are received by FASCIA, which is NSA's main ingest processor for telephony metadata;
- the numbers of internet metadata that are transferred to MARINA, which is a huge NSA database that can store internet metadata for up to a year;
- the numbers of internet metadata that had to be deleted because there was apparently not enough storage space.

Except for the deleted metadata, the chart shows ca. 10,4 billion internet metadata (DNI) a day, which makes 312 billion a month or 3,7 trillion a year. There are ca. 4,5 billion telephony metadata (DNR) a day, which makes 135 billion a month or 1,6 trillion a year. If we compare these numbers with those from BOUNDLESSINFORMANT, we see a big difference:





                               Volumes and Limits          BOUNDLESSINFORMANT
                               (a month, 1st half 2012)    (a month, 1st half 2013)

Internet metadata (DNI):       312.000.000.000              97.111.188.358
Telephony metadata (DNR):      135.000.000.000             124.808.692.959


There's a difference of 11 billion telephony metadata between both charts, but an even bigger gap exists between the internet metadata: the Volumes and Limits chart shows 215 billion more than BOUNDLESSINFORMANT. This discrepancy wasn't noticed in the press reports, nor in Greenwald's book, so at the moment there's no clear explanation for this.


Telephony metadata

After being processed by FASCIA, the telephony metadata go to MAINWAY, which is another huge NSA database that keeps this kind of data for at least five years. In 2006 it was estimated that MAINWAY contained 1,9 trillion (1.900.000.000.000) call detail records.

For comparison: in 2007, AT&T's Daytona system, which is used to manage its call detail records (CDRs), supported 2,8 trillion records. In 2012, T-Mobile USA Inc. upgraded to an IBM Netezza 1000 platform with a capacity of 2 petabytes. This is used for loading 17 billion records a day, making 510 billion a month and more than 6 trillion a year.

If we assume the telecom providers and NSA use "records" in the same sense, then this shows that the telecommunication companies produce far more phone call metadata than NSA collects. As T-Mobile USA alone apparently creates 4 times more records than presented in NSA's BOUNDLESSINFORMANT tool, the domestic telephone metadata collection under section 215 Patriot Act cannot be included in the numbers we've seen so far.



GCHQ metadata collection

Even more metadata seem to be collected by NSA's British partner agency GCHQ, which according to this slide from 2011 collects 50 billion metadata per day. This makes 1,5 trillion a month and an astonishing 18 trillion (18.000.000.000.000) a year!




This (partial) slide was published in Greenwald's book No Place To Hide, but without any further explanation, so we don't know whether GCHQ is able to actually store everything or has to delete large amounts, like NSA. From the slide itself it seems that the number of 50 billion refers to internet metadata alone, which would make this number even more remarkable.

According to a report by The Guardian, GCHQ also collects 600 million telephony metadata a day, which makes 18 billion a month - a small number compared to the internet metadata this agency receives:




                               BOUNDLESSINFORMANT    Volumes and Limits    GCHQ

Internet metadata per month:    97 bln.               312 bln.             1500 bln.
Telephony metadata per month:  124 bln.               135 bln.               18 bln.



NSA collection by country

The main BOUNDLESSINFORMANT interface with the heat map also lists the names of the countries which provide the highest numbers of data. These can be sorted in three different ways: Aggregate, DNI (internet) and DNR (telephony), each resulting in a slightly different top-5. The following aggregated totals (so both DNI and DNR) are known:


NSA worldwide total:      221.919.881.317  (100%)

Pakistan:                  27.275.944.618   (12%)
Afghanistan:               24.293.973.693   (11%)
Iran:                      15.834.475.801    (7%)
Jordan:                    14.374.155.469    (6%)
India:                     12.616.915.557    (5%)
Egypt:                      9.064.623.040    (4%)
...
United States:              3.095.553.478
...
Brazil:                     2.300.000.000


These numbers indicate from which countries NSA gathers most data, but the exact meaning of the numbers has still not been clarified. We do know that BOUNDLESSINFORMANT counts metadata records, but what these records exactly are (for example: how many records are created by one phone call?), and how they are attributed to a specific country is not clear.

Communications by definition have two ends: the originating and the receiving end. When both ends are in the same country, it's easy to attribute it to that particular country. But when the originating and the receiving ends are in a different country, how is such a communication registered? Maybe for both countries, although that would make many of them appear in these numbers twice.


United States

Edward Snowden saw the heat map with the 3 billion attributed to the United States as a proof that NSA was conducting domestic surveillance, although the heat map itself cannot provide sufficient evidence for that. The 3 billion could very well relate to foreign communications which are just transiting the US or to the American end of for example phone calls where the other end is a foreign suspect. Somewhat more information could have been provided by the bar charts for the US, but these haven't been published.

The number of 3.095.553.478 for the United States is the aggregated total. The number of internet records (DNI) for the US is 2.892.343.446, which leaves just 203.210.032 telephony records (DNR) or 0,065% of the aggregated total. In a table this looks like this:

United States total:        3.095.553.478 per month

Internet records (DNI):     2.892.343.446 per month
Telephony records (DNR):      203.210.032 per month

This tiny share for telephone metadata is rather strange given the fact that NSA is collecting all American phone records, but does not do so with internet metadata. This seems to indicate that these domestic phone records are not counted by BOUNDLESSINFORMANT and that the internet records are from communications with at least one end foreign.



NSA divisions

With a BOUNDLESSINFORMANT chart about the NSA's Special Source Operations (SSO) division published in Greenwald's book, we can also compare the number of data collected by this division with the total number of NSA data collection. We see that SSO, which is responsible for tapping the world's main fiber optic cables, accounts for 72% of all data:


NSA worldwide total:                221.919.881.317  (100%)

Special Source Operations (SSO):    160.168.000.000   (72%)
Other NSA divisions:                 61.751.000.000   (28%)


This leaves the remaining 28% of the data to be collected by NSA's other main divisions: Global Access Operations (GAO), which operates mobile collection platforms like satellites, planes, drones and ships, and Tailored Access Operations (TAO), which collects data by hacking into foreign computer networks. The remaining 28% could also encompass data collected by the joint NSA/CIA Special Collection Service (SCS) units and by 3rd Party partner agencies.



BOUNDLESSINFORMANT chart about the SSO division
(click to enlarge)



SSO Collection programs

From the BOUNDLESSINFORMANT chart about Special Source Operations we can see how the total number of data collected by this division breaks down into the 5 biggest collection programs. From other charts we also know the numbers collected by some other programs, and these are added here too:


SSO worldwide total:           160.168.000.000  (100%)

DANCINGOASIS (US-3171):         57.788.148.908   (36%)
SPINNERET (US-3180):            23.003.996.216   (14%)
MOONLIGHTPATH (US-3145):        15.237.950.124    (9%)
INCENSER (DS-300):              14.100.359.119    (9%)
? (US-3721):                    13.255.960.192    (8%)
...
FAIRVIEW (US-990):               6.142.932.557
...
SOMALGET (US-3310):              3.000.000.000
...
ACIDWASH:                        1.050.000.000
...
MUSCULAR (DS-200B):                181.280.466

Other programs in total:        26.412.000.000


This listing shows that roughly one third of the data from telecommunication cables are collected by just one single program: DANCINGOASIS. Another third is intercepted by the programs ranking second, third and fourth, but despite their weight, we still don't know more about them than just their names. Finally, the last third of this type of collection is divided into numerous smaller and very small programs, a number of which have been disclosed through the Snowden-documents.
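As an added example (not code from this website, nor from any NSA tool), the following Python script does the bookkeeping behind the comparisons in this section and in the "Numbers" section of the DANCINGOASIS article above: it parses the dotted number notation used in the tables, ranks the SSO programs by their share of the division's total, converts the 30-day figures into daily and yearly rates, and checks whether the listed programs plus the "other programs" bucket add up to the stated SSO total. The figures are copied from the SSO table above; the helper names and the 30-day counting window are assumptions of this example.

```python
"""Consistency checks on BOUNDLESSINFORMANT-style volume figures.

Added example for this article; it is not code from Electrospaces.net or
from any NSA tool. The figures are copied from the SSO breakdown table
above; the helper names and the 30-day counting window are assumptions.
"""
from typing import Dict, List, Tuple


def parse_count(text: str) -> int:
    """Parse a count written with dotted thousands separators as on this
    page, e.g. "221.919.881.317" -> 221919881317."""
    digits = text.strip().replace(".", "").replace(" ", "")
    if not digits.isdigit():
        raise ValueError(f"not a dotted integer: {text!r}")
    return int(digits)


def fmt_count(n: int) -> str:
    """Inverse of parse_count: 221919881317 -> "221.919.881.317"."""
    return f"{n:,}".replace(",", ".")


def share_pct(part: int, total: int) -> float:
    """Share of one program (or country) in a total, in percent, 1 decimal."""
    return round(100.0 * part / total, 1)


def monthly_to_daily(monthly: int, days: int = 30) -> int:
    """The tool's window is taken to be 30 days (assumption, see above)."""
    return monthly // days


def monthly_to_yearly(monthly: int) -> int:
    return monthly * 12


# Figures from the SSO breakdown table above (Dec 10, 2012 - Jan 8, 2013).
SSO_TOTAL = parse_count("160.168.000.000")
SSO_LISTED: Dict[str, int] = {
    "DANCINGOASIS (US-3171)": parse_count("57.788.148.908"),
    "SPINNERET (US-3180)": parse_count("23.003.996.216"),
    "MOONLIGHTPATH (US-3145)": parse_count("15.237.950.124"),
    "INCENSER (DS-300)": parse_count("14.100.359.119"),
    "? (US-3721)": parse_count("13.255.960.192"),
    "FAIRVIEW (US-990)": parse_count("6.142.932.557"),
    "SOMALGET (US-3310)": parse_count("3.000.000.000"),
    "ACIDWASH": parse_count("1.050.000.000"),
    "MUSCULAR (DS-200B)": parse_count("181.280.466"),
}
SSO_OTHER = parse_count("26.412.000.000")   # "Other programs in total"


def rank_programs(volumes: Dict[str, int], total: int) -> List[Tuple[str, int, float]]:
    """Programs ordered by volume, each with its share of `total`."""
    ranked = sorted(volumes.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, n, share_pct(n, total)) for name, n in ranked]


def top_n_share(volumes: Dict[str, int], total: int, n: int) -> float:
    """Combined share of the n largest programs."""
    top = sorted(volumes.values(), reverse=True)[:n]
    return share_pct(sum(top), total)


def breakdown_residual(total: int, parts: Dict[str, int], other: int) -> int:
    """What is left of `total` after all listed parts and the "other" bucket.
    Close to zero: the listing accounts for the whole total; a residual of
    more than a few million would mean a program is missing or double counted."""
    return total - sum(parts.values()) - other


def check_sso_breakdown(tolerance: int = 10_000_000) -> bool:
    """The SSO total is given to the million and two entries are round
    estimates, so a residual within 10 million either way counts as consistent."""
    return abs(breakdown_residual(SSO_TOTAL, SSO_LISTED, SSO_OTHER)) <= tolerance


if __name__ == "__main__":
    for name, n, pct in rank_programs(SSO_LISTED, SSO_TOTAL):
        print(f"{name:28} {fmt_count(n):>16} {pct:5.1f}%")
    print("top 5 combined:", top_n_share(SSO_LISTED, SSO_TOTAL, 5), "%")
    residual = breakdown_residual(SSO_TOTAL, SSO_LISTED, SSO_OTHER)
    print("residual:", fmt_count(abs(residual)),
          "consistent" if check_sso_breakdown() else "INCONSISTENT")
    print("worldwide per day:", fmt_count(monthly_to_daily(parse_count("221.919.881.317"))))
```

Run stand-alone, the script reports a residual of about 4,6 million records, so the nine listed programs and the "other programs" figure together account for the whole 160 billion within the rounding of the estimates; the "other" figure is thus the remainder after all listed programs, not only after the top five.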

Metadata from a number of big and important SSO collection programs are processed by a system codenamed SHELLTRUMPET. As can be read in the document below, this system processed almost 500 billion metadata records in 2012, which gives an average of 41,6 billion a month, but by the end of 2012 SHELLTRUMPET was already processing 2 billion call detail records a day, which would make 60 billion a month:




As no BOUNDLESSINFORMANT chart about PRISM was published, we do not know the ranking of that famous collection program. Another source (pdf) says that under PRISM, more than 227 million "internet communications" are collected annually, which is ca. 19 million a month, but it is not known whether these "internet communications" are the same kind of records as presented by BOUNDLESSINFORMANT.



Shared by partner agencies

NSA also gets data provided by 3rd Party partner agencies. These are counted by the BOUNDLESSINFORMANT tool too, as we know from charts about a number of European countries:

Germany (US-987LA + US-987LB):    553.044.811
Poland (US-916A):                  71.819.443
France (US-985D):                  70.271.990
Spain (US-987S):                   60.506.610
Italy (US-987A3005):               45.893.570
Norway (US-987F):                  33.186.042
Denmark (?):                       23.000.000
The Netherlands (US-985Y):          1.831.506


The total number of data received from these eight countries is ca. 859 million a month, which is just a tiny 0,0038% of NSA's overall collection as counted by the BOUNDLESSINFORMANT tool.

Initially, Glenn Greenwald reported in various European newspapers that these numbers represented the phone calls of European citizens intercepted by NSA. But gradually it came out that his interpretation was wrong.

The charts actually show numbers of metadata that were collected from foreign communications by European military intelligence agencies in support of military operations abroad. These data were subsequently shared with partner agencies, most likely through the SIGDASYS system of the SIGINT Seniors Europe (SSEUR) group, which is led by NSA.



Links and Sources
- Syncsort.com: How Hadoop is Transforming Telecom
- Secret-bases.co.uk: Secret Data Centres, including GCHQ's Tempora and NSA's PRISM projects
- Cryptome.org: Numbers of reports generated by various NSA programs (pdf)

Snowden-documents show no evidence for global mass surveillance

(Updated: July 9, 2014)

Earlier this month, it was the one year anniversary of the Snowden-leaks, by far the biggest disclosure ever of highly secret documents from the US National Security Agency (NSA). Edward Snowden and Glenn Greenwald are using these documents to show how eager NSA is to collect every bit of communication that travels around the world.

But by taking a close and careful look at the original slides and reports which have been published so far, it turns out that they contain no hard evidence for a massive abuse of power or violation of the law, not even for the alleged monitoring of "every single conversation and every single form of human behavior".





Headquarters of the National Security Agency at Fort George G. Meade
(screenshot from PBS Frontline - United States of Secrets)


No Place To Hide

Edward Snowden and Glenn Greenwald claim that NSA wants to collect, store, monitor and analyse the electronic communications of innocent citizens all over the world, which would be an unprecedented abuse of power and a violation of the American constitution. This is how the story is told over and over in numerous media reports worldwide, and also in Greenwald's book 'No Place To Hide', which was published in over twenty countries on May 13, 2014.

After a year of countless revelations, people might have expected that this book would provide a detailed and comprehensive explanation of all those confusing NSA programs, tools, and operations. But although it contains a range of new documents, these go without any proper explanation. Greenwald just uses them for picking a phrase or a number to illustrate his own argumentation.


Libertarianism

Both Snowden and Greenwald are acting from points of view that are based on Libertarianism, a political ideology which encompasses minimizing the influence of government and maximizing the freedom and liberties of individual citizens. They argue that state surveillance is a big evil, not least because when people know that they are being watched and followed, most of them will behave compliantly towards the existing powers all by themselves.

But for that, people first have to know that they are being monitored, and NSA actually did everything to keep the extent of its spying operations secret from the public. Only after the documents taken by Edward Snowden were published, people actually learned about how massive that spying is - through the eyes of Snowden and Greenwald.



NSA's military tasks

The Snowden-leaks of the past year taught us a lot about NSA, but there are also some important aspects that were ignored. One is the fact that NSA is a military signals intelligence agency: it falls under the US Department of Defense (DoD), is led by a high-ranking military officer and plays an important role in supporting the US armed forces.

For that, NSA is not only intercepting communications that are of strategic or tactical importance, but also collecting and analysing many other types of electromagnetic radiation, like from radar, which is called ELINT. All five US Armed Services have dedicated signals intelligence and cryptologic units, which together form the Central Security Service (CSS), the tactical part of NSA:




Neither Snowden, nor Greenwald, nor the vast majority of the media reports even came close to mentioning the true extent of NSA's military job. One indication that can be put together from the numbers from the BOUNDLESSINFORMANT tool is that 54% of the data that NSA collects globally comes from countries in the Middle East plus India.

Because no NSA activities related to US military operations, like for example in Afghanistan, have been revealed either, most people will now think that NSA is only spying on civilians. One of the very few exceptions was the Dutch newspaper NRC Handelsblad, which revealed how the Dutch military intelligence service MIVD cooperated with American troops in Afghanistan and helped map a network of Somali pirates.


One example where the military aspect seems to have been withheld deliberately was the revelation by The Guardian and the New York Times of the 9-Eyes and the 14-Eyes, groups in which a number of European countries closely cooperate with NSA. Later it became clear that both groups exist for exchanging data and intelligence for military purposes.
UPDATE:
On July 9, 2014, Glenn Greenwald indicated on Reddit that it was part of the agreement with Snowden not to publish anything about Afghanistan and other military operations.


NSA spying in Europe?

And then there was the case of BOUNDLESSINFORMANT, the tool used by NSA for counting and visualizing its worldwide data collection activities. Initially, Glenn Greenwald reported in various European newspapers that charts from this tool show that tens of millions of phone calls of citizens from Germany, Spain, France, Norway and Italy were intercepted by NSA.

But then, military intelligence services from various European countries declared that this interpretation was wrong and that the charts actually show metadata that were not collected by NSA, but by them. These statements are supported by the fact that the related BOUNDLESSINFORMANT charts show the DRTBox technique, which is primarily used in tactical military environments.

The metadata were derived from foreign communications in crisis zones and collected in support of military operations abroad. Subsequently these data were shared with partner agencies, most likely through the SIGDASYS system of the SIGINT Seniors Europe (SSEUR or 14-Eyes) group, which made them also available for NSA.

In the end, the disclosures about various European countries did not prove massive spying by NSA, but rather show how closely European agencies cooperate with the Americans in the field of military intelligence.


Chart from the BOUNDLESSINFORMANT tool that was released by Der Spiegel on June 18, 2014
It shows that SIGADs related to European countries are actually part of 3rd Party collection
(click to enlarge)



NSA's goals

One thing that Snowden and Greenwald repeat over and over is that NSA wants to have all digital communications from all over the world: "Collect it All". But the evidence they present is very thin and not very convincing. According to Greenwald's book, that alleged goal comes from a memo about the satellite intercept station Misawa in Japan and from a few slides about the Menwith Hill satellite station in the UK:



About the Foreign Satellite Collection (FORNSAT)
at Menwith Hill Station (MHS) in the UK



NSA Director Keith Alexander talking about FORNSAT
during a 16 June 2008 visit to MHS


Since international telecommunications shifted to undersea fiber-optic cables after the year 2000, satellite links nowadays carry only a small share. It could be possible to collect all of that, but that aim can't be applied to the entire collection effort of NSA, which is so much larger. Furthermore, if "Collect it All" really was NSA's ultimate goal, then it certainly would have been in more high-level policy documents for the entire organization - which have not been presented so far.


Strategic Mission List

The real and far more specific goals for NSA can actually be found in the 2007 Strategic Mission List (pdf). This document was revealed by The New York Times in November 2013, but got hardly any attention.

Besides the strategically important countries China, North Korea, Iraq, Iran, Russia and Venezuela, which are enduring targets, the document also lists 16 topical missions. The most important ones are: winning the war against terror; protecting the US homeland; supporting military operations; preventing the proliferation of weapons of mass destruction by countries like China, India, Iran and Pakistan.

Some of the non-military goals for NSA are: anticipating state instability; monitoring regional tensions; countering drug trafficking; gathering economic, political and diplomatic information; ensuring a steady and reliable energy supply for the US. All of these are goals that are quite common for a large signals intelligence agency.


Economic espionage

The US government insists that its intelligence agencies are not spying on foreign companies for the benefit of individual American corporations: economic intelligence is only used to support policies, lawmaking and negotiations that benefit the US economy as a whole. Greenwald doesn't make that distinction, so every reference in NSA documents to economic goals is interpreted in the worst possible way.

He also tried to prove economic espionage by publishing a slide that shows the names of companies like Petrobras, Gazprom and Aeroflot. But the slide clearly says "Many targets use private networks", which indicates that NSA is focusing on specific targets that use these networks, rather than on the companies themselves:




Just like in many other publications based upon the Snowden documents, conclusions are drawn from a very selective reading of a single slide, out of its context and with parts of the content redacted. That cannot be sufficient evidence for the far-reaching claims and accusations that Greenwald and Snowden are making.


End-reports

To get certainty about whether NSA conducted the unwanted kind of economic espionage, or about the results of its eavesdropping operations in general, we would need to see the end-product intelligence reports that NSA analysts write after having analysed the collected data. But apparently access to these reports is more strictly controlled, or else Snowden would have taken them too.

This indicates that NSA actually has internal access control systems that do work, which contradicts the uncontrolled access to virtually anyone's communications that analysts allegedly have. Snowden has also not provided any documents that prove that claim, for example by showing deficiencies in NSA's user authentication system CASPORT.

At first sight it looks very impressive that almost all documents he leaked are stamped TOP SECRET//COMINT, but inside NSA information at that classification level is actually available to virtually everyone. Really sensitive secrets are in compartments like those for Exceptionally Controlled Information (ECI) of which often not even the codeword is known.
UPDATE:
On July 5, 2014, The Washington Post revealed that Snowden actually did have access to reports containing full internet messages that were intercepted under FISA/FAA authority and that he was able to exfiltrate some 160,000 of them. The article suggests that he could do this because he had authorized access to at least the RAGTIME compartment.

Some other ECI-codewords that have been disclosed are REDHARVEST (RDV) and WHIPGENIE (WPG), and also details about the scope of the STELLARWIND (STLW) control system came out.

Hacking operations

Also misleading are the press reports about NSA hacking into smartphones and computers, whether through the telephone networks, the internet or by bridging the "air gap". Without mentioning what kind of targets these methods are used against, and by using general terms like "internet users" instead of "targets", people get the idea that it can affect everyone.

This is illustrated by the story that NSA has facilities where it intercepts shipments of commercial computer hardware in order to covertly install spying implants. A scary idea if NSA did that randomly with hundreds of thousands of shipments, but as we can see in this internal report, the method is used to "Crack Some of SIGINT's Hardest Targets" - in which case it seems legitimate and proportionate:



Damaging disclosures

It may not have been that lives of American officials or specific operations have been endangered, but there's no doubt that disclosing these methods damaged NSA's ability to get access to communications which are otherwise impossible to intercept. Both friends and enemies will now check every new computer shipment and all of their sensitive existing computer and telephone systems in order to remove every piece that resembles those shown in the media.

Snowden said he doesn't want to harm the US and also not to constrain bilateral relations with other countries. But as the opposite has happened, it seems that some journalists to whom he gave his documents are not always publishing them according to his intentions.

For example, the German magazine Der Spiegel revealed details about the computer spying implants and the eavesdropping on chancellor Merkel, while Greenwald did the same regarding the presidents of Mexico and Brazil, which put their relationship with the US under severe pressure.


Similar were the disclosures about NSA eavesdropping on the communications of the UN, the European Union, a number of foreign embassies, international conferences and some large private companies. It was embarrassing for the US to have these activities exposed, although it's nothing more or less than the core business of every foreign intelligence agency.


GCHQ operations

Looking at the legal framework and official tasks also helps to better understand the disclosures about the British signals intelligence service GCHQ. From various documents, it seems this agency is especially eager and aggressive, for example in collecting webcam images and planning "disruption" operations against hackers associated with Anonymous.

These activities would fit the broader mandate and the fewer legal restrictions which the British service has compared to NSA. For example, GCHQ is allowed to operate domestically and assist the security service MI5 as well as law enforcement, whereas the activities of NSA are strictly limited to foreign intelligence. The examples of GCHQ's domestic activities show that ordinary people have more to fear from direct consequences through law enforcement than from intelligence.

GCHQ also wants to be a major player in the field of foreign intelligence. As such it has access to 200 fiber-optic cables, and is able to intercept 46 cables of 10 gigabits per second at a time. This makes that 21 petabytes of data flow past these systems every day.

To filter and search this traffic, there's a system codenamed TEMPORA, which incorporates NSA's XKEYSCORE machines and is thereby able to preserve all content for 3 days and all metadata for 30 days in a rolling buffer. TEMPORA is located at three GCHQ processing centers and is 10 times larger than the next biggest XKEYSCORE site:


Explanation of the TEMPORA system used by GCHQ



NSA collection worldwide

One of the major accusations of Snowden and Greenwald is that NSA is indiscriminately gathering and storing electronic communications from all over the world. From quite a number of leaked internal documents we now have a lot more information about NSA's global interception capabilities.

They tell nothing about the tactical systems for military purposes, but we learned a lot about various ways to tap into general telecommunication channels like satellite links and fiber-optic cables, both submarine and land-based. NSA's access to them can be unilateral or in cooperation with 2nd Party partners (the WINDSTOP program) and 3rd Party agencies (the RAMPART-A program).


Some numbers

From the BOUNDLESSINFORMANT tool and some other charts we know that NSA collects billions of records a day. That sounds like a huge number, but remarkably enough there was not one press report that provided numbers on telecommunication traffic in general for comparison.


The NSA itself issued a statement (pdf) in August 2013 saying that about 30 petabytes a day pass its collection systems, which filter out and store about 7.3 terabytes. Cisco estimates that in 2013 there were some 181 petabytes of consumer web, email, and data traffic a day, which means that roughly 16% passes through NSA systems, which eventually store about 0.004% of it (7.3 terabytes out of 181 petabytes is a fraction of 0.00004).


XKEYSCORE

At 150 sites where NSA intercepts cables, satellites and other communication channels, the agency has installed the XKEYSCORE (XKS) system, which is able to store a "full take" of the communications that flow past, but only 3 to 5 days of content and 30 days of metadata. At some sites, the amount of data exceeds 20 terabytes a day, which can then only be stored for 24 hours:




With this temporary buffer, XKEYSCORE gives NSA analysts the opportunity to search these data for "soft selectors" like keywords, and for other target-related characteristics like the use of encryption, virtual private networks, the Tor network or a particular language. This enables analysts to use data that otherwise would have been dropped by the front-end collection systems, in order to find internet activities that are conducted anonymously and therefore cannot be found by just looking for a target's e-mail address.



Before XKEYSCORE was installed, there were only the more traditional systems that automatically filter out content that comes with so-called "strong selectors" like e-mail and IP addresses. This is less than 5% of the internet communications that passes NSA's front-end filters.

Both the traditional filters and the XKEYSCORE system pick out a relatively small number of communications in a targeted and focused way. Traffic that is not of interest is only stored for a few days and then automatically disappears as it is overwritten by new data. So, although these NSA systems "see" a huge amount of data, there's no "Store it All".
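The retention behaviour and the difference between "strong" and "soft" selectors described above can be made concrete with a small rolling buffer. The following is an added illustration written for this page, not code from NSA or from any published document; it assumes a uniform 3-day content window and 30-day metadata window (the article gives 3 to 5 days for content), hypothetical field names, and constructed sample sessions that are not real intercepts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Retention windows as described in the article (assumed uniform across sites here).
CONTENT_RETENTION = timedelta(days=3)
METADATA_RETENTION = timedelta(days=30)

# Fixed reference time so the sample is reproducible offline.
SAMPLE_NOW = datetime(2014, 7, 1)


@dataclass
class Session:
    """One observed communication. Field names are hypothetical."""
    ts: datetime
    src: str                 # source address: a strong-selector field
    dst: str                 # destination address: a strong-selector field
    proto: str               # application protocol label
    encrypted: bool          # soft-selector attribute: encryption/VPN in use
    payload: Optional[str]   # content; set to None once it has aged out


class RollingBuffer:
    """Full-take buffer: content ages out first, metadata survives longer."""

    def __init__(self):
        self.sessions = []

    def ingest(self, session):
        self.sessions.append(session)

    def expire(self, now):
        """Drop content older than CONTENT_RETENTION and whole records older than METADATA_RETENTION."""
        kept = []
        for s in self.sessions:
            age = now - s.ts
            if age >= METADATA_RETENTION:
                continue                 # record is gone entirely
            if age >= CONTENT_RETENTION:
                s.payload = None         # metadata stays, content is overwritten
            kept.append(s)
        self.sessions = kept

    def search_strong(self, selector):
        """The traditional front-end filter: exact match on an address."""
        return [s for s in self.sessions if selector in (s.src, s.dst)]

    def search_soft(self, keyword=None, encrypted=None):
        """Soft selectors: a keyword in still-buffered content, or a traffic characteristic."""
        hits = []
        for s in self.sessions:
            if keyword is not None and (s.payload is None or keyword not in s.payload):
                continue
            if encrypted is not None and s.encrypted != encrypted:
                continue
            hits.append(s)
        return hits


def build_sample_buffer(now=SAMPLE_NOW):
    """Constructed traffic (not real intercepts): one fresh mail, one 5-day-old VPN session, one 40-day-old mail."""
    buf = RollingBuffer()
    buf.ingest(Session(now - timedelta(hours=12), "alice@example.org", "bob@example.net",
                       "smtp", False, "meeting at the harbour tomorrow"))
    buf.ingest(Session(now - timedelta(days=5), "203.0.113.7", "198.51.100.9",
                       "openvpn", True, "<opaque>"))
    buf.ingest(Session(now - timedelta(days=40), "carol@example.org", "dave@example.net",
                       "smtp", False, "old message"))
    buf.expire(now)
    return buf


if __name__ == "__main__":
    buf = build_sample_buffer()
    print("records left after expiry:", len(buf.sessions))
    print("keyword 'harbour' hits:", len(buf.search_soft(keyword="harbour")))
    vpn = buf.search_soft(encrypted=True)
    print("encrypted sessions:", len(vpn), "content still present:", vpn[0].payload is not None)
```

The point the example makes is the one in the text: the 5-day-old VPN session can still be found by a soft selector on a traffic characteristic (encryption) after its content has been overwritten, while a keyword search on it returns nothing, and the 40-day-old session is not retrievable by any selector at all.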


Entire countries

XKEYSCORE is only used for searching and analysing internet communications, but a similar function for telephone calls is available under the MYSTIC program, which was revealed on Greenwald's website The Intercept on May 19, 2014. Under MYSTIC, NSA has access to the entire mobile phone traffic of five or six countries.

But also in this case, the storage of communication data is limited to thirty days, and for the networks of three countries (Mexico, Kenya and the Philippines) this only applies to metadata. Content of phone calls is only stored from two countries: from the Bahamas in order to test this system, and from what is probably Afghanistan, where it eventually went live.

For these countries NSA's collection effort comes close to mass surveillance, but strangely enough, the SOMALGET program that comprises the content collection accounts for less than 2% of NSA's cable tapping programs, which could indicate that the program is used in a very focused way.



Bulk collection of metadata

Probably even more misleading and exaggerated are what most Snowden-stories say about the collection of metadata, which is the information needed for the technical and administrative handling of communications. This matter is important, first because NSA collects far more metadata than content, probably up to several trillion records a month.


Chart showing the volumes and limits of NSA metadata collection
(the domestic metadata collection seems to be excluded)


Secondly, the collection of metadata is even more controversial than storing contents. Not only Snowden and Greenwald, but also most civil liberties organizations say that "bulk collection" equals "mass surveillance", because analysing metadata is more intrusive and thus a bigger violation of privacy than looking at the content of phone calls or e-mail messages.

That might be correct in theory and in potential, but in reality the collection of huge amounts of data doesn't automatically mean that equal numbers of individuals are being actively tracked and traced. From the documents that have been disclosed by Snowden and from those that have been declassified by the US Director of National Intelligence (DNI), we learn that NSA uses metadata in two ways:

1. To discover new suspects through a method called "contact chaining". Starting with, say, the phone number of a known foreign bad guy, a specialized tool presents the numbers he was in contact with, which by cross-referencing can point to conspirators that were previously unknown.
In 2012, NSA used 288 phone numbers as a "seed" for starting such a query in its domestic phone record database and this resulted in a total of twelve "tips" to the FBI that called for further investigation. In 2013 the number of selectors had risen to 423. This domestic collection is legally authorized under section 215 of the Patriot Act and is additionally regulated by the FISA Court, so under the existing legal framework this is not illegal spying on Americans.

2. Only for people who are identified as legitimate foreign intelligence targets, the metadata of their phone numbers are pulled from the databases to be used for creating a full "pattern-of-life" analysis. There's no evidence that NSA is randomly querying the metadata they collected for some kind of profiling without any specific lead.
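Contact chaining as described under point 1 is a bounded graph search over call records: start at a seed, follow every link for a fixed number of hops, and cross-reference the results of several seeds. The following is an added illustration for this page, not NSA's tool or any leaked code; the call-detail records are constructed, the phone numbers are reserved fictional ones, and the hop limit and the undirected treatment of caller/callee links are assumptions.

```python
from collections import deque

# Constructed call-detail records as (caller, callee) pairs; not real data.
SAMPLE_CDR = [
    ("555-0100", "555-0101"),
    ("555-0100", "555-0102"),
    ("555-0101", "555-0103"),
    ("555-0102", "555-0104"),
    ("555-0103", "555-0105"),
    ("555-0104", "555-0105"),   # two chains converge on 555-0105
    ("555-0105", "555-0106"),
    ("555-0200", "555-0201"),   # unrelated cluster, never reached from the first one
]


def build_contact_graph(records):
    """Adjacency map; a call links both parties, so the graph is treated as undirected (assumption)."""
    graph = {}
    for a, b in records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def contact_chain(graph, seed, max_hops):
    """Breadth-first search from one seed; returns {number: hop distance} within max_hops."""
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if reached[cur] >= max_hops:
            continue                     # hop limit bounds how far a query can spread
        for nxt in graph.get(cur, ()):
            if nxt not in reached:
                reached[nxt] = reached[cur] + 1
                queue.append(nxt)
    return reached


def shared_contacts(graph, seeds, max_hops):
    """Cross-referencing: numbers within max_hops of at least two different seeds (seeds excluded)."""
    counts = {}
    for seed in seeds:
        for number in contact_chain(graph, seed, max_hops):
            if number not in seeds:
                counts[number] = counts.get(number, 0) + 1
    return {n for n, c in counts.items() if c >= 2}


def chain_growth(graph, seed, up_to_hops):
    """How many numbers a single seed touches as the hop limit grows."""
    return [len(contact_chain(graph, seed, h)) for h in range(1, up_to_hops + 1)]


if __name__ == "__main__":
    g = build_contact_graph(SAMPLE_CDR)
    print("numbers reached from 555-0100 at 1..4 hops:", chain_growth(g, "555-0100", 4))
    print("cross-referenced from 555-0101 and 555-0102:", shared_contacts(g, ["555-0101", "555-0102"], 1))
```

The growth list shows why the hop limit matters: a single seed touches three numbers at one hop but seven at four hops on this tiny graph, and on a real call-record database the numbers grow much faster. The cross-reference of two seeds returns 555-0100, which is not itself a seed but is one hop from both, the kind of previously unknown link the text describes.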


Most of what we know about the domestic collection of US telephone metadata comes from declassified court orders, because Snowden hasn't revealed any internal NSA documents about this so-called Section 215 program. At least in this case, NSA seems to be able to "Store it All", even though there's no "Analyse it All".



Collection inside the US

Probably Snowden's biggest disclosure was the existence of the PRISM program, through which NSA collects communications from major American internet companies like Facebook, Google, Microsoft and Apple. However, the initial claim that NSA had direct access to the servers of these companies proved to be misleading, and PRISM is also not used for spying on ordinary citizens, but for gathering information about a wide variety of foreign intelligence topics, as mentioned before.



Slide from the PRISM-presentation that shows NSA has no direct
relationship with communication providers - only through FBI


The disclosure that had the biggest impact on the American public was that large telecommunication providers like Verizon are handing over all their telephone records to NSA. Apparently Americans only became fully aware of this after Snowden revealed it, even though the collection of domestic telephony metadata had already been disclosed in 2006.


Upstream collection

Also in 2006 it was disclosed that NSA had installed intercept devices at switching stations of major fiber-optic cables inside the United States. This equipment is used to filter the phone and internet traffic, but because this was done inside the US, it looked like NSA was eavesdropping on Americans, something that is strictly prohibited.




Sensationalist headlines of many press reports following the Snowden-leaks also suggested that NSA was "listening on American phone calls" and "reading American e-mails". This however is only the case for people in the US who are known associates of terrorist groups or foreign governments.
UPDATE:
On July 5, 2014, The Washington Post revealed that Snowden exfiltrated some 160,000 internet messages collected under FISA/FAA authority and that almost 90% of them were from persons, both American and foreign, who were not listed as a foreign intelligence target. A large number were correctly minimized and there's no evidence the overcollected messages were actually read or used, but they also weren't deleted.

The domestic cable tapping is part of NSA's Upstream collection program, which is primarily used for access to communications between foreigners or foreign targets and possible conspirators inside the US. Most surprising is probably how close the cooperation with American telecommunication companies is.

The codenames for these domestic programs are FAIRVIEW, BLARNEY and STORMBREW, and under OAKSTAR, American telecoms are providing cable intercept facilities abroad.


In filtering the traffic from these cables, it proved to be impossible for NSA to fully separate communications of approved foreign targets from those of uninvolved Americans. Up to 10,000 of the latter landed in NSA databases each year and the agency was repeatedly criticized for this overcollection by the FISA Court.*

This shows that this oversight mechanism isn't the mere "rubber stamp" as Snowden and Greenwald continuously call it. The fact that the FISA Court decides behind closed doors is also not a scandalous exception, as the same applies to grand juries in ordinary crime cases.


Whistleblowing?

Except for some other similar minor violations of internal rules and legal requirements, the documents published so far don't contain evidence of large scale abuse of power, mismanagement or deliberate illegal behaviour. Therefore, it seems that Edward Snowden can not be considered a whistleblower in the traditional and official sense of the word. Snowden himself said that he lacked whistleblower protection because he was just a contractor, but actually it seems more like the formal whistleblowing criteria won't apply to his case.


US Federal Government whistleblower
awareness poster


Of course, not everything that is legally allowed is always right, and many people don't agree with the actual scope of NSA's spying operations. Snowden additionally warns against the (future) misuse that can be made from this kind of systems in general, also in other countries worldwide. That's a legitimate cause, but a personal disagreement with current policies and practices alone doesn't constitute whistleblowing. It's rather a political and/or moral issue.



Conclusion

In the past year we really learned a lot about the methods and the collection programs of the NSA. But in the media, the facts that arise from the original documents have often been instrumentalized for the ideological fight between Snowden and Greenwald on one side and the NSA and the US government on the other side. The latter are accused of trying to eliminate all forms of privacy, but in the documents that have been disclosed, there's no hard evidence that proves that claim.

The documents show that NSA has a large, worldwide network of data collection systems, but these systems are not capable of collecting, let alone storing, all the communications that occur all over the world. Instead, NSA tries to collect its data as targeted and focused as possible, in order to fulfill its foreign intelligence tasks, many of which are of a military nature.

The NSA is trying to do this carefully and compliant with the laws and the policies, although it is sometimes operating on the edge of what is legally and politically acceptable. Preventing those borders from being crossed can only be done by taking a very close look at what NSA is actually doing. The documents leaked by Snowden give us some insight into that, but the myth of an agency that is able to know everything we are doing, saying, thinking and planning is just distracting.


(The conclusion about the legality of NSA's operations may have to be changed partially, as Glenn Greenwald has announced that he soon will publish details showing that NSA does eavesdrop on ordinary American citizens)




Links and Sources
- Blog.Erratasec.com: NSA: walk a mile in their shoes
- Director of National Intelligence: Statistical Transparency Report
- Heise.de: Was war. Was wird.
- DailyKos.com: The 18 Biggest Myths of the Snowden Saga
- TheRegister.co.uk: NSA: Inside the FIVE-EYED VAMPIRE SQUID of the INTERNET
- LennartHuizing.nl: Snowden overdrijft?!? Zeg dat nog eens?
- DeCorrespondent.nl: De les na één jaar Snowden: de misstanden van de NSA zijn stelselmatig overdreven
- TheWeek.com: 13 more unanswered questions for Edward Snowden
- Newsweek.com: 16 Questions Edward Snowden Wasn't Asked
- ProspectMagazine.com: The errors of Edward Snowden and Glenn Greenwald
- ArsTechnica.com: NSA loves The Bahamas so much it records all its cellphone calls
- TheWeek.com: What Edward Snowden didn't disclose
- TheWeek.com: 10 things we've learned about the NSA over the past year
- Paul Canning: The left must challenge Greenwald
- DavidSimon.com: We are shocked, shocked...
- All the leaked documents: IC off the Record

The National Security Agency in 2002



During the past year, a number of slides from a 2002 NSA presentation titled "National Security Agency: Overview Briefing" were disclosed as part of the Snowden-leaks.

This presentation as a whole would have been a great comprehensive overview of the structure and the mission of NSA at the start of this millennium, but until now only six slides were made public, widely scattered over a period of almost a year and across media from three continents, almost as if to prevent people from seeing the whole picture.

All slides from this presentation can be recognized by their rather overloaded blue background, combining the seals of NSA and CSS, a globe, numerous ones and zeros representing digital communications, and a fancy photoshopped lens flare. In a number of slides, the font type of the classification marking looks different, which could indicate that the presentation was altered and/or re-used several times.




This slide was published by Brazilian media in July 2013. A somewhat distorted version (pdf) was published by Der Spiegel on June 18, 2014. It shows a world map with all the locations where there's a satellite intercept station, which is used for the collection of foreign satellite (FORNSAT) communications.

Nine stations are operated by NSA, including two as part of an SCS unit (see below), and seven stations operated by 2nd Party partners, in this case Great Britain, Australia and New Zealand:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)

2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, Oman
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, ? (New Zealand)

All these satellite intercept stations were interconnected, and it was this network that became publicly known as ECHELON. Revelations about this eavesdropping system in the late 1990s led to public and political outrage and subsequent investigations very similar to what happened since the start of the Snowden-leaks.

Until the new millennium, international communications travelled via satellite links, which made ECHELON one of NSA's most important collection systems. But since then, international traffic has shifted almost entirely to fiber-optic cables, making this the agency's current number one source.

We have no slide about NSA's cable tapping capabilities in 2002, but from other sources we know that there were at least three programs operational outside the US:
- RAMPART-M for access to undersea cables
- RAMPART-T for land-based cables, in cooperation with CIA
- RAMPART-A for cable access in cooperation with 3rd Party partner agencies




This slide was published by the Italian paper L'Espresso on December 6, 2013. It once again shows a world map, this time with the names of over 80 cities where there's a joint NSA-CIA Special Collection Service (SCS) unit. These units operate covertly from inside a US embassy or consulate to get access to targets that are difficult to reach otherwise. The names of cities in countries that are hostile to the US are redacted by the paper.

There are also four "Survey Sites" and seven "Future Survey Sites", but at present it is not clear what that means. Finally, there are two Technical Support sites: PSA in Bangkok, Thailand, and RESC (Regional Exploitation Support Center?) at the US Air Force base in Croughton, UK. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.




This slide was published by Der Spiegel on June 18, 2014. It shows a world map with the locations where there's a Cryptologic Support Group (CSG). These CSGs are part of the signals intelligence and cryptologic branches of the five US Armed Services (Army, Navy, Air Force, Marines, Coast Guard), which together form the Central Security Service (CSS) - the tactical part of NSA.

Cryptologic Support Groups provide advice and assistance on SIGINT reporting and dissemination and are located at all major US military command headquarters, both inside and outside the United States. The locations of Cryptologic Support Groups in 2002 were:
- STRATCOM: United States Strategic Command, Omaha
- TRANSCOM: United States Transportation Command, Belleville
- USSPACECOM: United States Space Command, Colorado Springs
- JSOC: Joint Special Operations Command, Spring Lake
- State Department, Washington
- NMJIC: National Military Joint Intelligence Center, Washington
- CIA: Central Intelligence Agency, Langley
- ONI: Office of Naval Intelligence, Suitland
- San Francisco
- FORSCOM: United States Army Forces Command, Fort Bragg
- JFCOM: United States Joint Forces Command, Norfolk
- SOCOM: United States Special Operations Command, MacDill AFB
- CENTCOM: United States Central Command, MacDill AFB
- Key West (Naval Air Station)
- SOUTHCOM: United States Southern Command, Doral
- EUCOM: European Command, Molesworth
- NAVEUR: United States Naval Forces Europe, London
- USAREUR: United States Army Europe, Wiesbaden
- USAFE: United States Air Forces in Europe, Ramstein
- EUCOM: European Command, Stuttgart
- USFK: United States Forces Korea, Seoul
- Japan
- Hawaii (United States Pacific Command)

This large number of CSG locations is one of the things that reflects the importance of NSA's military mission, which is almost completely ignored in the Snowden-reportings (the slide was published rather unnoticed as part of a batch of 53 NSA-documents)




This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It shows what NSA saw as current threats in 2002, with an overlay that seems to have been added later and which lists a range of communication techniques. Greenwald says this slide shows that NSA also counts these technologies, including the Internet, as threats to the US, proving that the US government sees this global network and other types of communications technology as threats that undermine American power.*

This interpretation is rather far-fetched because in that case, pagers and fax machines would also be a threat to the US. It's obvious the list shows the means by which individuals and organisations that threaten the US can communicate - which of course is important to know for a signals intelligence agency like NSA.

The actual threats listed in the slide are:
- Hackers
- Insiders
- Traditional Foreign Intelligence
- Foreign [...]
- Terrorists
- Criminal elements
- Developing nations



This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It says that NSA has alliances with over 80 major global corporations supporting both missions (i.e. Signals Intelligence and Information Assurance) and presents the names of a number of big American telecommunications and internet companies, along with pictures of some old-fashioned communication devices.

Greenwald's book says that in the original presentation, this slide follows some unpublished ones that are about "Defense (Protect U.S. Telecommunications and Computer Systems Against Exploitation)" and "Offense (Intercept and Exploit Foreign Signals)".*



This slide was also published in Greenwald's book on May 13, 2014. It shows the three main categories of "customers" of NSA, which are government and military organizations that can request and receive intelligence reports. Besides other major US intelligence agencies, we see that NSA works for civilian policy makers as well as for military commanders, from the Joint Chiefs of Staff (JCS) and the Commanders-in-Chief (CINCs) down to tactical commanders.

Greenwald uses this slide to point to the Departments of Agriculture, Justice, Treasury and Commerce, the mention of which he sees as proof of an economic motive behind NSA's spying operations.* Although almost all countries (try to) spy in order to get information that can be useful for their national economic interests, Greenwald acts as if this kind of intelligence is somehow off limits, and thereby discredits NSA.


> See also: NSA's global interception network in 2012



Links and Sources
- National Security Agency: Transition 2001 (pdf)
