Channel: Electrospaces.net

NSA still uses the UMBRA compartment for highly sensitive intercepts



Three days ago, on July 5, 2014, The Washington Post published some of the most important stories from the Snowden leaks so far. It revealed that Snowden did have access to the content of data collected under FISA and FAA authority, a fact that had been kept secret until now. I'll come back to that main story later.

Here we will take a look at a remarkable detail from two slides that were also disclosed in the Post's article. The classification marking of these slides contains the codeword UMBRA, which was generally considered to have been abolished in 1999 but now appears to still be in use. After going through several options, my conclusion is that UMBRA is most likely the codename of a so-called unpublished SCI control system.





"Target Package" prepared by the National Security Agency
prior to the capture of Abu Hamza in January 2011


These slides are from a 2011 PowerPoint presentation that details the plan to capture al-Qaeda facilitator Muhammad Tahir Shahzad and pinpoints his location and activities based upon intercepts from his various e-mail accounts. He was captured in Abbottabad the day after this presentation was finalized.


In the 2012 NRO Review and Redaction Guide (pdf), the existence of the UMBRA codeword is approved for public release, as is its paragraph portion marking TSC (for Top Secret Codeword). But because this manual also lists many revoked codewords, it is not conclusive as to whether UMBRA is still in use. One interesting point, though, is that the TSC portion marking would fit some of the redacted spaces in the newly disclosed slide:


Some possible options for the portion markings



Top Secret Codeword

UMBRA was one of three codewords that were used to protect sensitive intercepts of Communications Intelligence (COMINT). These codewords represented three levels of sensitivity:
- UMBRA for the most sensitive material (Category III)
- SPOKE for less sensitive material (Category II)
- MORAY for the least sensitive material (Category I)

These three codewords had been in use since the end of the 1950s and together they were commonly called "Top Secret Codeword" (TSC), which was often seen as a level "above Top Secret", although it was actually more like a "vertical" division of the Top Secret level. The codewords UMBRA, SPOKE and MORAY can be seen on many highly secret documents, a number of which have been declassified, such as this 1980 statement for a court case about NSA's information on UFOs:




According to instructions like these, the use of the codewords UMBRA, SPOKE and MORAY was terminated as of May 1999. From then on, the kind of information they had covered was to be protected by the general COMINT control system, or by specific compartments of it for more sensitive material.


SPOKE

Also notable is that not only UMBRA but also the codeword SPOKE appears still to be in use. One document from the Snowden leaks, published by Der Spiegel on December 20, 2013, is marked SECRET STRAP1 SPOKE. STRAP is the codeword that GCHQ uses to protect sensitive information, with STRAP1 denoting the least sensitive category:


Given the rather old-fashioned logotype of the letters SD, it's not quite clear whether the document, or at least its header, might predate 1999, although the content is clearly more recent. Der Spiegel said that it's an "analysis of the communication paths between Belgium and Africa prepared in January 2009".


Possible options

NSA's use of codewords that were generally considered abolished is reminiscent of a similar case, in which the NOCON marking appeared in a document from the Snowden trove. The general use of that marking was terminated in 1995, but NSA kept using it as an internal marking. As such it isn't listed in the official Classification Manuals, which are declassified regularly.

Now it seems that the same could have happened to the codewords UMBRA, SPOKE and maybe also MORAY, but there's a difference: NOCON is a dissemination marking, a category that is less strictly controlled than a compartment like UMBRA.

The classification line of the newly disclosed slides also seems not entirely correct (there should be a single rather than a double slash between ORCON and REL USA, FVEY), which leaves a few options for what UMBRA could actually represent.



One option is that the double slash between COMINT and UMBRA is correct. In that case UMBRA wouldn't be a Sensitive Compartmented Information (SCI) label for intelligence information, which is what it most resembles, but a codeword from another category, such as a Special Access Program (SAP) or Foreign Government Information (FGI) (Marc Ambinder favors this option).

Another option is that there should have been just a single slash between both terms. That would mean UMBRA is a normal SCI control system, in this case one that is apparently kept secret, as it has not been mentioned anywhere since 1999.

The latter option seems quite possible, because the most recent Intelligence Community Classification Manual (pdf) acknowledges the existence of "registered but unpublished SCI control systems" which "must remain unpublished due to sensitivity and restrictive access controls".

It seems less likely that UMBRA is the undisclosed compartment of the COMINT (SI) control system, which is listed in the most recent Intelligence Community Classification Manuals, because in that case the marking would have read TOP SECRET//COMINT-UMBRA//etc.
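To make the three readings concrete, here is a small parser for CAPCO-style banner lines. It is an added illustration, not code from any of the documents discussed. It splits a banner on double slashes into category blocks and on single slashes into individual markings, treats a hyphen after an SCI control system as introducing a compartment (the TOP SECRET//COMINT-UMBRA form mentioned above), and warns when two consecutive double-slash blocks hold the same kind of marking, which is the ORCON//REL USA, FVEY error noted above. The sets of recognised SCI control systems and dissemination controls are small illustrative subsets chosen for the example (SI/COMINT, TK and HCS are published control systems; the rest follows the public CAPCO marking grammar), and the extra_sci argument is the example's own way of modelling the hypothesis that UMBRA is an unpublished control system.

```python
"""Toy parser for US classification banner lines (CAPCO style).

Illustrative example; the category lists below are deliberately small.
"""

# Published SCI control systems (illustrative subset; an assumption for this example).
SCI_SYSTEMS = {"SI", "COMINT", "TK", "HCS"}
# Common dissemination-control markings (illustrative subset).
DISSEM_CONTROLS = {"ORCON", "NOFORN", "IMCON", "PROPIN", "FOUO", "NOCON"}


def _kind(token, sci_systems):
    """Category of one '/'-separated marking: 'sci', 'dissem' or 'unknown'."""
    system = token.split("-", 1)[0].strip()
    if system in sci_systems:
        return "sci"
    if token in DISSEM_CONTROLS or token.startswith("REL "):
        return "dissem"
    return "unknown"


def parse_banner(banner, extra_sci=()):
    """Parse a banner such as 'TOP SECRET//COMINT-UMBRA//ORCON/REL USA, FVEY'.

    '//' separates marking categories, '/' separates markings within one
    category, and 'SYSTEM-COMPARTMENT' attaches compartments to an SCI control
    system.  extra_sci lets the caller treat additional words (e.g. 'UMBRA')
    as SCI control systems, to model an unpublished control system.
    """
    sci_systems = SCI_SYSTEMS | set(extra_sci)
    blocks = [b.strip() for b in banner.upper().split("//")]
    result = {"classification": blocks[0], "sci": [], "dissem": [],
              "unknown": [], "warnings": []}
    previous_kind = None
    for block in blocks[1:]:
        tokens = [t.strip() for t in block.split("/") if t.strip()]
        if not tokens:
            continue
        kinds = {_kind(t, sci_systems) for t in tokens}
        if len(kinds) != 1:
            result["warnings"].append(f"mixed marking categories in '{block}'")
        kind = kinds.pop() if len(kinds) == 1 else "unknown"
        if kind != "unknown" and kind == previous_kind:
            # Two consecutive blocks of the same category: the '//' should be '/'.
            result["warnings"].append(
                f"'//' before '{block}' should be a single '/'")
        previous_kind = kind
        for token in tokens:
            if kind == "sci":
                system, _, compartments = token.partition("-")
                comps = [c.strip() for c in compartments.split("-") if c.strip()]
                result["sci"].append((system.strip(), comps))
            elif kind == "dissem":
                result["dissem"].append(token)
            else:
                result["unknown"].append(token)
    return result


def umbra_readings():
    """The three readings of the slide's marking discussed in the text."""
    slide = "TOP SECRET//COMINT//UMBRA//ORCON//REL USA, FVEY"
    return {
        "as printed": parse_banner(slide),
        "UMBRA as unpublished SCI control system":
            parse_banner("TOP SECRET//COMINT/UMBRA//ORCON/REL USA, FVEY",
                         extra_sci={"UMBRA"}),
        "UMBRA as COMINT compartment":
            parse_banner("TOP SECRET//COMINT-UMBRA//ORCON/REL USA, FVEY"),
    }


if __name__ == "__main__":
    for label, parsed in umbra_readings().items():
        print(f"{label}:")
        for key, value in parsed.items():
            print(f"  {key}: {value}")
```

Run as printed, the slide's marking leaves UMBRA in the "unknown" bucket and triggers the ORCON//REL warning; with the single-slash reading and UMBRA registered as a control system the banner parses cleanly as two SCI systems; and the hyphenated form makes UMBRA a compartment of COMINT, which is why the text considers that reading unlikely given what the slide actually shows.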

Questions

Given this sensitivity, one wonders why in the orange classification bars of the slides UMBRA hasn't been blacked out. The overall classification line in the first slide and also most of the portion markings were fully redacted, although the latter can hardly contain something that is more sensitive than the UMBRA abbreviation.

Another question is whether Edward Snowden had authorized access to the UMBRA compartment, or whether he was simply able to grab these slides some other way. The Washington Post suggests that he did have access to the Exceptionally Controlled Information (ECI) compartment RAGTIME, which is similar to UMBRA but for content collected under FISA authority (UMBRA is probably for content collected under EO 12333).


Conclusion

For those who are somewhat familiar with the US classification system, it must be quite surprising to see a codeword that has been considered dead for 15 years popping up in the Snowden leaks. The most likely explanation is that after UMBRA (and SPOKE too) was publicly abolished in 1999, NSA kept using it in secret as a compartment for very sensitive communication intercepts, now as an unpublished SCI control system, letting outsiders think that UMBRA was something from the past!



Links and Sources
- TheWeek.com: The return of an intelligence code word with a storied history
- A work of art from the series "Secret Codewords of the NSA": UMBRA
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.


Document shows that it was not NSA, but FBI that monitored 5 Americans



Three days ago, on July 9, 2014, Glenn Greenwald published an article which he had earlier announced as the grand finale of the Snowden revelations. It was meant to demonstrate that NSA also spies on ordinary American citizens, something that would clearly be illegal.

The report is titled "Meet the Muslim-American Leaders the FBI and NSA Have Been Spying On" and it tells the story of Faisal Gill, Asim Ghafoor, Hooshang Amirahmadi, Agha Saeed and Nihad Awad whose e-mail addresses were found in an NSA file from the Snowden-trove. Although the article confusingly mentions both FBI and NSA, many people and media got the impression that this was the long-awaited major NSA abuse scandal.

But as we will show here, the document that was published contains no evidence of any involvement of the NSA in this particular case. Everything indicates that it was actually an FBI operation, so mentioning the NSA in the article seems unjustified.


The FISA spreadsheet

Greenwald's report is all about a spreadsheet titled "FISA recap" - which refers to the Foreign Intelligence Surveillance Act (FISA) from 1978. This law allows electronic surveillance of Americans who are suspected of espionage or terrorism.

The spreadsheet contains 7485 e-mail addresses that were apparently monitored under FISA authority between 2002 and 2008. Unfortunately the article doesn't say whether the addresses are all from American e-mail providers or whether some of them are foreign.

We do know that 202 (or 3%) of these e-mail addresses belong to a "US person", 1782 (or 24%) to a "Non-US person" and of 5501 (or 73%) addresses the nationality of the user is unknown:



Part of a spreadsheet titled "FISA recap" showing e-mail addresses monitored
between 2002 and 2008. The table seems to be ordered by expiration date.


In this sample, there are 8 e-mail addresses where the nationality is marked as "US Person", and all but one of these are under the responsibility of the FBI. Of the 12 marked "Non-US Person", 4 are under the responsibility of the CIA, 7 under the NSA and 1 has no responsible agency.


FBI Case Notations

Each entry in the list has a unique Case Notation starting with XX.SQF followed by six numbers. Greenwald states that such a case notation starting with XX.SQF is "assigned to all “FISA accounts” as a unique identifier" and points to a slide titled "FISA dataflow" as evidence for that:


Slide showing "FISA dataflow". It's unclear why the Case Notation format
has been partially redacted, and PALMCARTE is also not explained.
NAC presumably stands for NSA's Network Analysis Center.
(date unknown)


But in a little-known NSA document (pdf) from 2006, which was published on March 11, 2014 by The New York Times, we see that XX.SQF is actually the prefix for FBI FISA data. It also says that US-984J is a SIGINT Activity Designator (SIGAD) which denotes FBI collection.

Data collected by NSA under FISA authority is identified by the SIGAD US-984*, in which the asterisk is a placeholder for additional suffixes (other than a J), like for example in US-984XN, which is the SIGAD for NSA's famous PRISM program.

So, the prefix XX.SQF isn't used for "all FISA accounts" as Greenwald wants us to believe, but just for those from the FBI. The 2006 document doesn't say what prefix is used for NSA data, but from the PRISM-presentation we know that communications collected by NSA through PRISM are identified by the trigraph SQC.

Analogous to the way the PRISM case notations are composed, a case notation from the spreadsheet, for example XX.SQF055191 for the e-mail address of Asim Ghafoor, breaks down into the following parts:
XX - This may stand for Internet Service Providers
. (dot) - Indicating multiple types of content
SQF - Fixed trigraph denoting FBI FISA collection
05 - Year the Case Notation was established: 2005
5191 - Serial number of the targeted address
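As an added illustration (not code from the article or from any of the documents it cites), the breakdown above can be written as a small parser and then run over a few constructed spreadsheet rows in the layout described in this article. Only the case notation XX.SQF055191 and its attributes (FBI as responsible agency, US person) come from the article; the e-mail addresses, the other rows, the two-digit-year rule (years taken to fall in the 2000s, since the spreadsheet covers 2002 to 2008), the reading of a trailing asterisk as "collection terminated", and the two-entry trigraph table (SQF for FBI FISA collection, SQC for NSA's PRISM collection, both as stated in the text) are assumptions made for the example.

```python
import csv
import io
import re
from collections import Counter

# Trigraphs named in the text; an illustrative table, not a complete list.
TRIGRAPH_COLLECTOR = {"SQF": "FBI (FISA)", "SQC": "NSA (PRISM)"}

# XX . SQF 05 5191  ->  prefix, optional dot, trigraph, 2-digit year, serial
CASE_NOTATION = re.compile(
    r"^(?P<prefix>[A-Z0-9]{2})(?P<dot>\.?)(?P<trigraph>[A-Z]{3})"
    r"(?P<year>\d{2})(?P<serial>\d{4})$")


def parse_case_notation(notation):
    """Break a case notation like 'XX.SQF055191' into its parts."""
    match = CASE_NOTATION.match(notation.strip().upper())
    if not match:
        raise ValueError(f"not a case notation: {notation!r}")
    return {
        "prefix": match["prefix"],
        "multiple_content_types": match["dot"] == ".",
        "trigraph": match["trigraph"],
        "collector": TRIGRAPH_COLLECTOR.get(match["trigraph"], "unknown"),
        # Assumption: two-digit years are in the 2000s (the list covers 2002-2008).
        "year": 2000 + int(match["year"]),
        "serial": int(match["serial"]),
    }


# Constructed sample in the spreadsheet's layout.  Only the first notation is
# from the article; the e-mail addresses and the other rows are made up.
SAMPLE_ROWS = """\
case_notation,email,responsible_agency,nationality
XX.SQF055191,user-a@example.com,FBI,US Person
XX.SQF041234,user-b@example.org*,NSA,Non-US Person
XX.SQF030021,user-c@example.net,CIA,Non-US Person
XX.SQF060777,user-d@example.com*,FBI,Unknown
"""


def summarize(rows_csv):
    """Tally who collected (from the trigraph) versus who requested (the column)."""
    summary = {"collectors": Counter(), "requesters": Counter(),
               "nationality": Counter(), "terminated": 0, "rows": []}
    for row in csv.DictReader(io.StringIO(rows_csv)):
        parsed = parse_case_notation(row["case_notation"])
        # Assumption (the article's reading): a trailing '*' on the address
        # marks collection as terminated.
        terminated = row["email"].endswith("*")
        summary["collectors"][parsed["collector"]] += 1
        summary["requesters"][row["responsible_agency"]] += 1
        summary["nationality"][row["nationality"]] += 1
        summary["terminated"] += terminated
        summary["rows"].append({**parsed, "requester": row["responsible_agency"],
                                "terminated": terminated})
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("collectors :", dict(s["collectors"]))
    print("requesters :", dict(s["requesters"]))
    print("nationality:", dict(s["nationality"]))
    print("terminated :", s["terminated"])
```

The point the tally makes is the one argued below: the requesting agency varies from row to row, while the collector derived from the trigraph is the same for every row, which is what one expects if the prefix identifies who intercepted the traffic rather than who asked for it.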


The FBI as Responsible Agency

A second role of the FBI becomes clear when we look at the spreadsheet column for the "Responsible Agency". According to Greenwald's article, this column shows the federal agency that requested the monitoring of a particular e-mail address. In the sample shown above we see that this can either be FBI, NSA or CIA.

Most striking is that for the e-mail addresses of all five Muslim-American leaders, the FBI is the responsible agency that requested their surveillance. This was also recognized in Greenwald's story, and it's of course exactly how it should be, as it's officially up to the FBI to investigate American citizens and residents:



Excerpts of the FISA spreadsheet showing the entries for five Muslim-American leaders.
The asterisk behind some of the mail addresses seems to
indicate that collection has been terminated.
(compilation by IC Off the Record)


As we can see, these entries for the five Americans contain nothing that points to any kind of involvement of the NSA. Instead, both the case notation and the responsible agency indicate that these were FBI operations.

Greenwald and his co-author Murtaza Hussain were asked on Twitter whether there might be some additional evidence for the involvement of the NSA, but they haven't responded to this question.

The only relationship this list has to the NSA, is that it was among the Snowden-documents, but that can also be easily explained by the fact that for many other entries the NSA is the responsible agency. The list was most likely sent to all three agencies as a recap of which addresses were monitored on their behalf.

Given these considerations, it seems that the spreadsheet actually shows a large number of e-mail addresses that have been monitored by the FBI, and therefore their case notation starts with XX.SQF. This monitoring apparently took place partly for the FBI's own investigations and partly on behalf of NSA and CIA, to whom the FBI would have passed the communications from the e-mail addresses they requested.

According to a Foreign Policy article, the NSA is the most frequent requester of data from the FBI's interception unit DITU, for which there's a direct fiber-optic cable between Quantico and the NSA headquarters at Fort Meade.

The suggestion, made by some, that the case notation reflects the agency that requested the surveillance seems implausible, because in that case there would have been different prefixes for FBI, NSA and CIA, whereas here the communications they requested all carry the same XX.SQF prefix.


How the FBI intercepts messages

All the cases on the list started before the FISA Amendments Act of 2008 was enacted, so they were handled under the authority of the original Foreign Intelligence Surveillance Act (FISA) of 1978, which requires an individual order of the FISA Court (FISC) for every American who is considered a target. According to a top FBI lawyer, the application for every single US person consists of a 35 to 150 page packet that has to demonstrate the necessary probable cause.

After the FISC granted a warrant, the FBI probably went to the target's Internet Service Provider (ISP) in order to collect his communications. Each ISP is legally obliged to have Lawful Intercept (LI) equipment installed on its network, in order to "perform electronic surveillance on an individual target as authorized by a judicial or administrative order", in this case the FISA Court warrant.

The equipment filters internet data packets based upon identifiers like e-mail and IP addresses, which means all kinds of communications that contain a particular e-mail address will be pulled out and forwarded to the FBI's Data Intercept Technology Unit (DITU). This method would also explain why in all case notations from the spreadsheet we see a dot, indicating that the collection resulted in multiple types of content.

Some people suggested that the government went to Yahoo and Google to get the messages from the Gmail.com and Yahoo.com e-mail domains (and rhetorically asked whether these companies fought the order), but that is unlikely. For the assistance of this kind of web service provider, NSA set up the PRISM program, which started in the fall of 2007, only shortly before the surveillance cases mentioned in the spreadsheet expired. Yahoo joined PRISM in March 2008 and Google in January 2009.

The NSA has similar filtering equipment installed at switches of major internet backbone cables (for the so-called Upstream collection), but these are specifically used for foreign or international communications. One would expect that data collected this way has a case notation with an NSA trigraph, but Washington Post journalist Barton Gellman writes that Upstream collection from network switches also has case notations that begin with XX.SQF, because this kind of collection is "managed by the bureau and shared with NSA". This seems to be a mistake, because it is generally considered proven that Upstream interception is done by the NSA (for example, the Upstream slides don't mention the FBI, and a PRISM slide says NSA has a direct relationship with the Upstream providers).


There's a lot we don't know

In trying to clarify what the spreadsheet tells us, I assumed for the sake of readability that the FBI actually intercepted, processed and stored messages from these five Muslim-American leaders. But in his article, Glenn Greenwald suggests that even that is not known for sure:

"Given that the government’s justifications for subjecting [these five] U.S. citizens to surveillance remain classified, it is impossible to know why their emails were monitored, or the extent of the surveillance. It is also unclear under what legal authority it was conducted, whether the men were formally targeted under FISA warrants, and what, if anything, authorities found that permitted them to continue spying on the men for prolonged periods of time."

What he says is that we actually know hardly anything, except for the fact that the e-mail addresses of the men were found on the "FISA recap" list. Although the Muslim-American leaders seem innocent of spying or of acts related to terrorism, there's still the possibility that the FBI had good reasons to monitor them; we just have no information about that.

In an ABC News report, anonymous former and current US government officials said that the five men could be guilty or innocent or even cooperating with the government (for example by having agreed with monitoring their communications in order to collect evidence against suspects).

Officials also told ABC that Snowden or Greenwald may have misunderstood the spreadsheet and made wrong interpretations. ABC further noted that the document curiously lacked the usual classification markings, but that is probably because the list isn't a .doc or .pdf document but the original .xls spreadsheet file.


Conclusion

Just like many other documents from the Snowden leaks that were misrepresented, the original file disclosed in this latest Greenwald piece contains no evidence that NSA had anything to do with the monitoring of the five Muslim-American leaders. In fact, everything points to the FBI, but apart from that we know too little about these cases to say whether the Bureau acted illegally or out of paranoia. Be that as it may, it can't be blamed on the NSA.



Links and Sources
- TheWeek.com: What you need to know about the latest NSA revelations
- Salon.com: First Amendment’s racial tumult: Why Greenwald’s latest revelation matters
- ABCNews.com: Feds Spied on Prominent Muslim-Americans, Report Claims
- ForeignPolicy.com: Meet the Spies Doing the NSA's Dirty Work

New phones aboard Air Force One



The location that best represents Top Level Telecommunications in every sense of the word is probably Air Force One, the aircraft that carries the president of the United States.

As unbelievable as it sounds, the telephone sets used aboard this plane dated back to the 1980s, and they were finally replaced by new ones in August 2012. Here we will take a look at this new telephone equipment, which is now used by President Obama when he travels by air.


The new phones

In a range of pictures showing president Barack Obama using a telephone aboard Air Force One, we can see that the new phones consist of a handset in a customized cradle. In the conference room they have a rubber foot so they can be placed on the table without sliding away:



President Obama using one of the new phones aboard Air Force One
(Photo: AP - October 24, 2012)


The phone sets to be used by the president in his office room and the conference room have a goldish color that matches the wood and the leather chairs. All other handsets that have been installed throughout the plane are in standard gray:



President Obama talks with Chief of Staff Jack Lew, former President Bill Clinton,
Justin Cooper, David Axelrod, and Senior Advisor David Plouffe. November 4, 2012.
In the back we see two new phones in gray on a wall mounted cradle.
(White House Photo by Pete Souza)


The Airborne Executive Phone

These new phones aboard Air Force One can be recognized as the Airborne Executive Phone (AEP) made by L-3 Communications. This is a military contractor that, among many other things, also manufactures the STE, the secure desktop telephone that is most widely used by US military and government.

The Airborne Executive Phone is able to make both secure and non-secure calls from a single handset. It also provides Multiple Independent Levels of Security (MILS) for digital voice and internet data access. This should provide end users with the experience of "reliable connectivity, interoperability and security they would have in an executive office environment".


Global Secure Information Management Systems

The Airborne Executive Phone is part of L-3 Communication's Global Secure Information Management Systems (GSIMS). This is an IP-based system for secure airborne communications and has a modular, scalable, and redundant design.

GSIMS integrates existing analog and digital radios and interphone systems with its own IP-based architecture, in order to provide reliable connectivity, secure video conferencing and controlled wireless connections. The system is controlled from an operator workstation.

L-3 Communications advertises (pdf) the GSIMS system as the most advanced secure communication system for VIP and Head of State aircraft:



More details about the Global Secure Information Management Systems (GSIMS) can be found in the fact sheet (pdf).


Development and installation

The installation of new phones aboard Air Force One was part of a larger, 81 million dollar contract that was awarded to L-3 Communications in 2009. This contract included the installation of Airborne Information Management Systems (AIMS) hardware and software, which modernized the on-board communication systems and replaced outdated analog systems, providing fixed bandwidth switching and integrated secure/non-secure video teleconferencing, and installed seamless passenger information interfaces throughout the VC-25A aircraft that serve as Air Force One.

It seems that the Airborne Executive Phone (AEP) was originally developed by Telecore Inc., as can be read in the resume of someone who made a video presentation of this device (he did the same for the Senior Leadership Airborne Information Management System of L-3 Communications). Telecore is the company that manufactures the IST-2 telephone for the Defense Red Switch Network (DRSN), and probably sold the AEP to L-3 Communications.


Secure and non-secure calls

As we can see in the L-3 Communications advertisement, secure calls are indicated by a red background in the display and non-secure calls by a green one. This corresponds with two lights on the back of the handset: a green light which is on when the call is non-secure, and a red light that indicates a secure call over an encrypted line.



President Obama talks with NASA's Curiosity Mars rover team aboard Air Force One,
August 13, 2012. We see the green light on, as this is an unencrypted call.
(White House Photo by Pete Souza)



President Barack Obama talks on the phone aboard Air Force One, April 10, 2014.
Here we see the red light on, and interestingly, the White House didn't
release to whom Obama was talking on this occasion.
(White House Photo by Pete Souza)



The old phones

Initially, Air Force One had sets of two telephone handsets installed all over the plane. These consisted of a cradle and an old-fashioned so-called G-style handset, one in white and one in beige. The white handset was for non-secure calls and the beige one for phonecalls over a secure line. These phones were introduced on Air Force One during the presidency of Ronald Reagan.



President Obama takes questions from seven reporters from the black press aboard
Air Force One on their way to the NAACP convention in New York. July 2009.
(White House Photo)


After the new Executive Voice over Secure IP (VoSIP) telephone network was installed in 2007-2008, which connects the White House with some of the most senior policy makers, the Cisco 7975G Unified IP Phone used for this network was also placed in Air Force One, where the big device was somewhat out of place:



Close-up of the white and the beige handsets and the Cisco 7975 IP phone
in the Air Force One conference room.


Links
- Tinker AFB: Maintenance in chief: Looking after Air Force One
- History of the Presidential Telephones of the United States

What if Google was an intelligence agency?



This time we present an article written in cooperation with the French weblog about intelligence and defence Zone d'Intérêt in which we compare the data collection of Google to intelligence agencies like NSA:


Introduction

Since 1998, Google has grown to become an essential part of the web infrastructure and has taken an important place in the daily lives of millions. Google offers great products, from its search engine to video hosting, blogs and productivity services. Each day, users provide Google, willingly and candidly, with many different kinds of personal information, exclusive data and files. Google justifies this data collection for commercial purposes: the selling of targeted ads and the enhancement of its mostly free services.

These terabytes of user data and user generated content would be of tremendous value to any intelligence service. As former director of CIA and NSA Michael Hayden half-jokingly stated at Munk debates: "It covers your text messages, your web history, your searches, every search you’ve ever made! Guess what? That’s Google. That’s not NSA."

But really, how would a company like Google compare to an intelligence agency like the NSA? How would it be able to gain access to confidential information and go beyond OSINT (Open Source Intelligence)? Does Google even have the resources, data and technical capabilities to harvest all-source intelligence like a major intelligence service would?

Google's unofficial motto is "Don't be evil", but what if Google started being evil and used all of its collected information as an intelligence agency would? What if intelligence professionals had access to Google's resources and data? What would it mean for the users? And can this be prevented somehow? (It's also rather ironic that many people now see NSA as a big evil organization, while Google collects even more.)

This is the worst case scenario we'd like to explore:
What if Google was an intelligence agency?


Communications to intercept, private data to collect

As a major webmail (425 million active Gmail users in 2012 - source: Google I/O 2012) and instant messaging provider with Hangouts, Google has access to the daily communications of millions of individuals, corporations and organizations. This privileged access to telecommunications worldwide gives Google the opportunity to act as a major COMINT agency, not unlike NSA or GCHQ. Storing its users' e-mails and relaying their instant messages with audio and video, Google is able to obtain a deep-reaching knowledge of their habits, intentions and projects, whether personal, professional or commercial. Enhanced with behavior analysis and targeted with collection selectors, these communications, already stored on the company's servers, could be used as a very powerful intelligence database.

NSA only stores data that has foreign intelligence value; other data that might be useful is automatically deleted after 5 years. But how does Google handle this? In the European Union, the administrative authorities in charge of data protection, assembled in the Article 29 Working Party of the European Commission (or "G29"), have issued multiple warnings and penalties against Google regarding this issue. In January 2014, the French CNIL, an Article 29 Working Party member, imposed a €150,000 fine on Google for failing to define retention periods for the data it processes. Data collected by Google isn't as strictly regulated and controlled as data collected by intelligence agencies, and it can stay on Google's servers until the company decides, at its own discretion, to delete it.

And how about the risk of internal policy and privacy violations by Google personnel? Does Google have access control mechanisms just as strict and tight as the compartmentalization and "need-to-know" at NSA? It should have, as Google has far more information about ordinary people in its databases, which could be much more tempting for employees to look at than, for example, the military and terrorism material that NSA collects. But Google also has to protect this information against foreign intelligence agencies.

Google also provides its users with phone services through its Android phone and tablet operating system, which had 1 billion users worldwide in 2014 (source: Google I/O 2014). This could be used to monitor the calls its users make or receive, collect their metadata and even record their calls for intelligence purposes. The same goes for SMS and MMS messages sent or received by its users, as Android users send 20 billion text messages each day (source: Google I/O 2014); NSA's database for SMS messages, DISHFIRE, receives only around 200 million messages a day. Google is expanding the reach of its phone services, as calls to landline and mobile phones can be placed from Hangouts by any user of Gmail, Google+ and Chrome, even without an Android device. With Fiber, Google provides ISP services in three cities in the United States, with plans to expand. Google even wants to bring internet access to remote areas in Africa via solar-powered balloons, which would also make things much easier for NSA, as many of these regions are terrorism-related conflict zones where there is often only mobile phone and radio traffic, which is more difficult to intercept than internet traffic, especially when the latter passes through a US company.

The expanding realm of its webmail and cloud services provides Google with a rare trove of otherwise private individual data and even confidential information from governments and companies. With Gmail, Google has access to sensitive information about individuals, such as their names, phone numbers, addresses or even social security numbers, which may pass through e-mail. Logins and passwords for web services are often sent by e-mail, and so are activation and authentication codes. Many users want to take advantage of the free services offered by Gmail and automatically forward e-mails from other webmail services or their company e-mail address to their Gmail address, creating a POP/SMTP link. In doing so, they increase the amount of e-mails and information accessible to Google. Private information about individuals, from health and financial issues to clues about their emotional state or relationship status, can be found in e-mails. Everything from their buying habits, reading habits or subscriptions to confidential information can be extracted from e-mails using already available software, and then easily exploited by intelligence professionals.

Contact lists from services like Gmail, Hangouts and Google+ and from operating systems like Android and Chrome OS would be a valuable source for intelligence analysts, as they allow them to identify links between individuals and perform social network analysis. Contact lists have been used on many occasions by intelligence agencies leading investigations against terrorist cells or organized crime groups, but they can also be used in social engineering schemes or commercial intelligence.

Corporate information is hosted by Google through most of its services, as Gmail is used by many entrepreneurs and employees, whether or not it is duly authorized by their company. Important information can be retrieved from e-mails, such as details of industrial projects, business offers and everyday company communications. Many companies use Gmail attachments to send and receive corporate documents or use Google Drive to store their information. Google Calendar can also provide a great window into the daily activities of a company, as a way to identify links between individuals, be alerted of forthcoming meetings, receive status reports from ongoing projects, or deduce a precise timeline of employees' work habits. Recently, Google announced that 58% of Fortune 500 companies have "gone Google", and so did 66% of the "50 top Start-Ups" and 72 of the 100 best universities (source: Google Enterprise).

Given that all these data often contain highly sensitive and private information, it is remarkable that people, businesses and organisations are so willing to entrust them to Google. One wonders why some people strongly object to government officials having access to such information, but apparently completely trust Google's personnel. Who guarantees that Google isn't looking into confidential information of other businesses that could be of interest to it?

Google Search, the first service provided by Google, since 1998, receives about 100 billion searches per month and is a great tool used every day by intelligence professionals. Google's search crawlers scan the web for individual URLs, web pages and files, using Google's powerful servers. They are able to record, collect and cache any kind of text content, images, video and audio files, and most document formats such as Word and PDF. Google Search can be used to find unrestricted or insufficiently secured subdomains, files, folders and archives on websites and networks. Using advanced search operators, Google can be used to find misplaced confidential information and other vulnerabilities. If there's one application that is able to read your deepest thoughts, fears and desires, as Edward Snowden said NSA is capable of, then it is Google Search.


Individuals to identify, targets to monitor

Google Search can also be exploited for advanced statistics, behavior analysis of users, identification of single users, and to locate them. Using cookies and the connection data recorded by Google for every search, such as IP address, user agent and search terms, the user can be identified and located to a certain extent. Taking advantage of persistent cookies, IP addresses and forensic techniques such as discourse analysis or syntax analysis, and sifting through recorded searches, online activity through Google services can then be narrowed down to a single organization, a set of users or even a single user.

Precisely recording the search terms from an identified user, company or organization can help an intelligence professional create new, more efficient selectors for intelligence collection and communication interception, based on the interests of users and unique searches. For example, many companies will use Google to find new business prospects, partners or suppliers. Journalists will do background checks on their sources using Google. Scholars and scientists will do their research using Google Search, revealing precise information about what they are looking for and what they are working on.

Similar data is collected on many other websites which are not owned by or related to Google, but which make use of Google Analytics, a Google-run service allowing webmasters to collect detailed information about their visitors, such as their IP addresses (collected by Google but not shown to webmasters), what search terms they used to reach the website and which pages they browsed. While challenging sanctions from the European Article 29 Working Party, Google argued that an IP address does not constitute personal data, even when associated with data from cookies, and should not be treated as such regarding privacy issues. This once again shows the different views on privacy in Europe and the US.

But Google has access to much more precise data to identify users and monitor their online activities. Some services, such as Gmail, require users to register and to give accurate personal information, such as their real name, their birth date, their country of residence or another e-mail address they own. Google is also pushing two-factor authentication, which requires that users disclose an active phone number. While launching its Google+ service, which is now linked to other services such as Gmail and YouTube, Google discouraged the use of pseudonyms and required that all users register using their real name, or risk account suspension. In October 2012, G29 issued a recommendation to Google that it must inform new users more clearly that they can sign up for a Google account without providing their real name.

When users use any Google service while logged in, or with Google cookies activated, or even from an IP address which was previously used while logged in, all of their online activity transiting Google's networks can be traced back to them. On many occasions, personal files and documents stored on Google Drive, or images stored on Google+ Images and Picasa, could be traced by Google back to the real name of a registered user. E-mails, instant messages, personal documents, videos and pictures, all stored by Google, can be used to create a very complete and precise profile of a single individual. According to numbers published by Google during I/O 2014, Android users send "93 millions selfies" each day.

The Google image search algorithm is able to identify faces and places in pictures. The facial recognition feature of image search is only activated to find pictures of celebrities, but Google+ Photos includes an opt-in service called "Find My Face" that is capable of automatically recognizing and tagging the user's face in photos uploaded by him or by his friends. Google implemented a "Face Unlock" feature in Android, allowing users to unlock their devices using the camera, which shows that Google's recognition algorithms are precise enough to identify an individual, even with slight changes due to lighting conditions or facial expression. In addition, recurring pop-ups from Google encourage Android users to activate a function which automatically uploads all new photographs taken with their device to Google+ Photos and Google Drive. EXIF data and geotags from each photo are collected too. As another option, Google image search has a "reverse image search" functionality which allows any user to upload an image from his computer and let Google's pattern recognition algorithm find similar images. In the help section of Google's image search, it is stated that "any images or URLs that you upload will be stored by Google".

Google's photo database would be an extraordinary tool for any intelligence professional trying to find someone, learn about his habits or identify the people he is related to. Recently, intelligence agencies such as the American DIA (Defense Intelligence Agency) or the French DGSE have been acquiring commercial software to collect videos and photos posted online for intelligence purposes, which shows the interest of intelligence analysts in user-generated content. In 2010, Google invested 100 million dollars in Recorded Future, a company specializing in data mining, advanced statistics, internet traffic monitoring and defense intelligence. Recorded Future was also funded by In-Q-Tel, the technology investment firm of the CIA.

Using data collected through Google Voice Search and Google Now, intelligence technicians could build a large database of phonemes to enhance word recognition algorithms, but also to implement voice recognition in order to identify single users based on their voice. For advanced target monitoring, the microphone of a computer, tablet or smartphone running Android or Chrome OS could be activated in order to eavesdrop on a target, using OS-level or app-level backdoors. Coupled with voice recognition, these techniques could be used to identify and locate targets.

In such a scenario, OS-level access could be used to implement backdoors for keylogging, password collection, communication intercepts, microphone or camera hijacking, or even silent GPS activation and monitoring. Access to Google's database would make network penetration easier, as Android devices record the Wi-Fi passwords of the secured access points they connect to and store them in the cloud.


Map any place, locate anyone

In 2004, Google acquired Keyhole, a company partly funded by the CIA and the NGA, which developed the technology behind Google Earth, a Google product which provides users with maps and commercial satellite imagery from around the world. Other Google mapping initiatives are Google Maps and Street View. Google Earth is used by many intelligence professionals, whether they work for government agencies or for private contractors, and is often listed as a common tool in intelligence sector job descriptions and resumes.

A useful feature of Google Maps and Google Earth is the ability for users to add tags, photos and points of interest (POI) over the maps and imagery provided by Google. This feature results in crowd-sourced sets of maps, which are improved by the contributions of users who have good knowledge of the places they describe, whether they are travelers, dwellers or experts. This ground knowledge is obtained at no cost by Google and can result in very detailed descriptions, even of remote places. Google also benefits from the geotagged photographs of Panoramio, acquired by Google in 2007, and from POIs added by users participating in Google side-projects, such as Niantic Labs' Field Trip and Ingress applications. Google recently acquired the imaging company Skybox, taking advantage of its growing constellation of satellites.

Another way for Google to get intelligence from the ground and improve its worldwide mapping capabilities is Street View, for which Google collects 360° snapshots along roads and trails. With Street View, Google is able to get detailed and fresh information about buildings, installations and constructions. This collection effort even captures photos of remote places or restricted areas, such as military bases or intelligence facilities (examples: an MI5 installation in the United Kingdom, a DGSE station in France). Google has recently announced Project Tango, which is aimed at developing new sensors for mobile devices in order to map their surroundings in 3D, such as the interior of buildings. Access to the photographs and geospatial information collected by Google through Google Maps, Street View, Google Earth and Panoramio, but also from search crawlers and user content uploaded to the cloud, would be of considerable interest to intelligence technicians. For instance, Letitia A. Long, director of the National Geospatial-Intelligence Agency (NGA), recently stated that her agency was increasingly taking advantage of data collected through open sources and social networks. In these cases the possibilities of Google's commercial tools seem to have already outpaced those used by government agencies.

Google is also making a considerable effort to precisely locate its users. Users are often prompted by Google services, from Google Search to Google Maps and Android, to authorize their localization. To achieve a precise location of a user, Google uses all available data, from search queries which mention a place, to IP addresses and connection data, to the GPS signal provided by the user's device.* Google also uses a patiently crafted database of Wi-Fi access points, hotspots and cell towers, which contains MAC addresses, BSSIDs and Cell IDs. This data is collected by Google Street View cars and contractors, but also whenever a user's device grants localization privileges to a Google service or application. This worldwide crowd-sourced database is very detailed, precise and regularly updated. This data collection is often running in the background on users' devices and provides Google with the precise location of many of its users.

For intelligence purposes, geolocation data could be used to silently track a target or get information about their routines. Localization data is stored and logged by Google, and can be accessed by registered users in their Location History. Access to such information by intelligence technicians could be used for behavior analysis, remote surveillance, forensics and social network analysis. Combined with Google's access to many Wi-Fi passwords, a precise worldwide map of MAC addresses would provide intelligence technicians and operators with an opportunity to conduct network penetration and communication intercepts. All this could be very valuable for agencies like NSA, as some of the Snowden documents showed that they now have to put much effort into mapping such communication networks "from the outside".


A proxy in intelligence collection?

Google collects user data for commercial purposes, mainly to sustain its business model based on online targeted ads, which accounted for 96% of Google's revenue in 2011. However, Google shares its valuable data with governments and their intelligence services when complying with court orders or local laws. According to its Transparency Report, in 2013 Google complied with thousands of user data requests from the governments of countries such as the United States, India, France, Germany, the United Kingdom, Brazil and Italy. Google reports that it provides user data to "law enforcement agencies", but does not state exactly what kind of data is given. As examples, Google cites IP addresses and the personal information given by users when they register, but it is not clear whether or not the data provided to authorities is restricted to these elements. Given the large amount of data collected and stored by Google on every user, government agencies could receive a very detailed history of a user's communications and online activity, or even a copy of their hosted files.

In recent NSA and FBI intelligence collection programs, user data can be requested under a legal framework, such as FISA requests, which does not authorize Google to inform its users of the request. Moreover, clandestine intelligence efforts gave the NSA access to Google's data, without the need for legal requests.

In most democratic countries, intelligence services aren't allowed to intercept the communications of their citizens nor to collect user data without the authorization of a judge or commission. Many intelligence activities are meant to be constrained by the rule of law and monitored by congressional oversight to ensure that individual liberties are respected. However, commercial companies are not subject to the same restrictions and can collect a lot of their users' data, as long as they duly inform them.

Such a loophole can be purposely exploited by an intelligence agency, taking advantage of the ever-growing databases of big companies such as Google, either by legally requesting the information collected from their users or by trying to access it covertly. In such cases, Google would act as a proxy in intelligence collection, unwillingly (?) putting its resources at the disposal of intelligence services. Citizens and businesses may not want to share as much private information and content with an internet services company given the possibility that it may later be accessed by intelligence services, domestic or foreign.

One major argument against the data collection conducted by NSA (or other intelligence agencies) is that it can be used against the people when the government is taken over by evil people. Western governments at least have checks and balances, but Google is just a commercial company, and what would happen when, say, some huge Chinese company took it over? Then our complete digital lives would be under the control of people who care less about individual freedom and privacy. As probably no one (especially the US government) wants that to happen, Google will have to stay an American company one way or another, which makes it even more like a proxy for US intelligence.

In a recent case, Google tipped off the National Center for Missing and Exploited Children after scanning the e-mails of its users, looking for content related to child pornography. It seems that Google was not asked by a law enforcement agency to monitor the communications of a single user under investigation, or even to scan e-mails for suspicious content. Google acted on its own, scanning e-mails, maybe on a massive scale, to find suspicious activities. Even though going against child exploitation can be seen as a noble endeavor, it seems that Google may be running its own law enforcement operations, scanning its users' data for what it deems illicit. As Google gives little information about the company's operations, it is hard to know what kinds of user activities could be monitored by Google and proactively reported to authorities or other organizations. It is not clear if this proactive reporting only occurs in the United States, or if it may extend to other, less democratic countries.


Closing thoughts

From an intelligence standpoint, the sheer amount of data that Google collects about individuals and businesses is unrivaled. A single piece of information recorded by Google about a user could be considered innocuous, but the sum of all collected data which can be narrowed down to an individual or an organization gives an intimate picture of its thoughts, intent and activity.

The way Google systematically tries to gain access to new kinds of data about its users, whether it's their e-mails, their work files, their personal pictures, their location, or confirmation of their real identity, is propelled by a commercial strategy and a so-called wish to "change the world" by making their users' lives easier. However, this "know-it-all" approach facilitates the data mining efforts of intelligence services which pursued programs such as "Total Information Awareness" and are conducting large-scale intercepts.*

Of course, this issue is not confined to Google but affects other companies such as Amazon, Apple or Facebook, as well as many other smaller companies. Still, Google occupies a special place in the digital world of user data, as it concentrates a wide range of user information, operates phone and e-mail services, develops operating systems and stores users' files in the cloud. Google holds a big responsibility to ensure the security and privacy of its users' data worldwide, but its ongoing efforts to do so can hardly be considered sufficient.

Google's security practices are generally considered state of the art, and the company recently announced support for end-to-end encryption in Gmail, but the body of messages will remain unencrypted on Google's servers and accessible to the company's bots. In October 2013, Google became aware of a covert network penetration led by the NSA, targeting the communication links connecting the company's data centers, which were not encrypted.* The exact amount of user data which may have been collected by the NSA during that operation is still unclear.

- Google's privacy policy is sometimes cloudy, and users trying to find out what data they release to Google, how this data will be used and how long it will be retained, have to sift through disclaimer pages scattered across Google's websites.

- As a major stakeholder in the worldwide web, Google has to bring more accountability and transparency about what is shared from its users' data. The user data that could potentially be provided to law enforcement agencies should be clearly and precisely marked as such. It should become clear to all users that some of their data, whether it's personal information, files, e-mails, messages, metadata from network traffic or phone calls, or even recorded communications, may become available to intelligence services.

- Also, Google should clarify if this information can be provided only to the law enforcement agencies of the user's country of residence or also to United States government agencies, as Google is an American company with most of its servers and activities in the US.

- American web companies and cloud operators are facing growing criticism about their vulnerability to US intelligence operations. Some in Europe advocate sovereign "national clouds" that restrict data retention and traffic to secured servers and users, and forbid access by the American government. During a hearing before the United States Senate in November 2013, Richard Salgado, Google's director for law enforcement and information security, stated that "in the wake of press reports about the so-called "PRISM" program", he was concerned by the trend of "data localization" that could result in the creation of a "splinternet" and the "effective Balkanization of the Internet". Data localization would also probably cost Google more, and would place the company under the law of each country where it processes user data. In many cases Google argued that it was established in the United States and therefore was not subject to the law of European countries, as all data processing occurs in the USA. However, in France, Google was given a (small) financial penalty as the administrative authority made clear that the company had to comply with the French Data Protection Act.

- Google cannot condone a systematic breach of the confidentiality and privacy of its users. A call to reform US government surveillance laws cannot be considered enough. Google must implement proactive measures: reinforce its network security, offer end-to-end encryption for all of its services, host users' files securely in their countries of residence and better inform its users of privacy risks. These measures could be seen as costly, but they are necessary to maintain the trust of Google's user base, its main source of revenue.


Google has massive technical capabilities for user data retention, metadata collection, telecommunications monitoring, localization, mapping and imaging, all of which could allow it to act as an intelligence agency. The main difference is that Google has a different (commercial) goal than an intelligence agency, but this also means that Google gathers far more data than an intelligence agency is legally allowed to.

How long is user data kept on Google's servers? What kind of user data is shared with law enforcement agencies or intelligence services around the world? How does Google prevent its employees from accessing its users' personal data or location? How is the data you gave Google secured against hackers or against malicious attacks by intelligence services?

Google doesn't really say, but you have to take their word for it.


Another "red phone" for the Israeli prime minister



In an earlier posting on this weblog we took a look at the phones used by the Israeli prime minister Benjamin Netanyahu, which included an eye-catching red one. In some more recent pictures we can see that this red phone has apparently been replaced by an interesting looking white telephone.


Although this device itself is white, it has a rarely seen but very distinctive feature: a red curly cord for the handset and also a red cable for the phone line. The buttons are also surrounded by some kind of red overlay:



Israel Prime Minister Benjamin Netanyahu, right, meets with Defense Minister
Moshe Ya'alon and Chief of Staff Benny Gantz, July 26, 2014 in Tel Aviv.
(Photo: Handout/Getty)


The dark gray phone at the left is a more common Nortel M3904 executive phone, a model which is also used at the NSA headquarters and at the office of the British prime minister. Nortel was a big Canadian telephone equipment manufacturer, but was dissolved in 2009.


The white telephone with the red cord also appears on a side table in the seating corner of Netanyahu's office, where before there was only a black phone. The latter is a more common Telrad Executive Phone 79-100-0000 from the Israeli telecom equipment manufacturer Telrad. This phone is also in the office of the Israeli defense minister and therefore it seems to be part of the (non-secure) internal phone system of both ministries.



Esther Pollard meets with Prime Minister Benjamin Netanyahu, December 23, 2013.
We clearly see the "new" white phone next to the existing black one.
(photo: Netanyahu's Facebook page)



US Secretary of State John Kerry and Israeli Prime Minister Benjamin Netanyahu
settle into their seats in Netanyahu's office, January 2, 2014.
(Photo: US Department of State)


From the picture above we can make a close-up of the white telephone, which looks a bit different than the one in the first picture. It has no red overlay around the buttons, but instead a red lining around the display and red stripes on the back of the handset. Unfortunately the red letters above the display aren't readable:




The red markings and the red cords indicate that this phone is used like what in the US is called a "red phone": a telephone which is connected to a highly secured network for communicating with top-level policymakers and military commanders. This doesn't necessarily mean that such a phone itself has to be capable of encrypting the voice data; that can also be done by an encryption device at the internal (secure) phone switch.

As the white telephone in Netanyahu's office is a rather large device, it is possible that it can do the necessary encryption itself, although secure phones from other countries (like the STE used in the US) are often even bigger, so we cannot be sure about that.

Israel has its own manufacturer of secure communications equipment: the defense contractor Elbit Systems, which was formerly part of the Tadiran conglomerate. There are no pictures available of phones made by Tadiran or Elbit, so we cannot say whether the white telephone in the office of Netanyahu was made by this company.


The white telephone isn't actually very new: it already appears in this picture from October 2011. Together with the black one from Telrad, the white phone is also on a side table next to another of Netanyahu's desks, as we can see for example in this screenshot:



Prime Minister Netanyahu in one of his offices, October 9, 2013.
(photo: YouTube screen capture)


With the white phone not being completely new, it seems that it has been placed on Netanyahu's desk and in the seating corner on purpose: to show that the prime minister is always in charge and in contact with the military. For security reasons, it's rather unusual to see secure telephones with their classification markings in highly visible places like these ceremonial offices, where guests are received and the press is allowed in.


NSA's Foreign Partnerships



To fulfil its task of gathering foreign signals intelligence, the National Security Agency (NSA) cooperates with partner agencies from over 35 countries all over the world.

These relationships are based upon secret bilateral agreements, but there are also some select groups in which intelligence information is shared on a multilateral basis, like the SIGINT Seniors Europe (SSEUR), the SIGINT Seniors Pacific (SSPAC) and the Afghanistan SIGINT Coalition (AFSC).

Until recently, very little was known about these foreign relationships, but the Snowden leaks have revealed the names of all the countries that are cooperating with NSA. This made it possible to create the following graphic, which also shows the various multilateral intelligence exchange groups that will be discussed here too:






2nd Party Partners

The closest cooperation is between NSA and the signals intelligence agencies of the United Kingdom, Canada, Australia and New Zealand. Formally this is based upon bilateral agreements, the first being the UKUSA Agreement from 1946, but the group soon acquired a multilateral character, which means that partners can exchange information among the other members too (as far as there's a "need to know").

The five partners under the UKUSA-agreement, commonly called the Five Eyes, agreed that they would follow common procedures for operations and reporting, and also use the same target identification systems, equipment, methods and source designations. They would not only share end reports and analyses, but also most of the raw data they collect.

As a kind of gentlemen's agreement it is supposed that the Five Eyes countries do not spy on each other, although some of the documents from the Snowden leaks show that at least NSA secretly keeps that option open.



Country          Since   Five Eyes   Four Eyes   Three Eyes
                         (FVEY)      (ACGU)      (TEYE)
United States    1946    x           x           x
United Kingdom   1946    x           x           x
Canada           1949    x           x
Australia        1952    x           x           x
New Zealand      1952    x


Despite the very close and longstanding relationship between the Five Eyes partners, two sub-groups have been formed for specific military operations in which not all five partners participate. These sub-groups are designated Four Eyes (abbreviation for classification purposes: ACGU) and Three Eyes (TEYE).

> More about The 5, 4 and 3 Eyes
Representatives

For maintaining these extensive relationships, NSA has representatives in each Second Party country. These are called Special US Liaison Officer (SUSLO), followed by the name of the nation's capital. So for example the NSA representative in Britain is the Special US Liaison Officer, London (SUSLOL) and the one in Canada the Special US Liaison Officer, Ottawa (SUSLOO).

Likewise, the other Five Eyes countries have a representative at the NSA headquarters. These are called Special UK Liaison Officer (SUKLO), Special Canada Liaison Officer (SCALO), Special Australia Liaison Officer (SAUSLO), and Special New Zealand Liaison Officer (SNZLO).




Slide from an NSA presentation titled 'Foreign Partner Review' from
fiscal year 2013, showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 13, 2014.



3rd Party Partners

One step below the 2nd Party partnerships, there's cooperation between NSA and agencies from countries who are called 3rd Party partners. This is based upon formal agreements, but the actual scope of the relationship can vary from country to country and from time to time.

For the US, this kind of cooperation is useful because foreign agencies can have better access to high-priority targets because of their geographic location, or they could have a specific expertise on certain areas, or just simply because they have a better knowledge of the local situation and language.

The foreign partner agencies are mostly interested in American technology, money and access to the worldwide interception capabilities of NSA and its Five Eyes partners. This makes these 3rd Party partnerships especially attractive for smaller countries, for whom it means a sometimes substantial increase of their otherwise limited capabilities.

One big difference with the countries from the 2nd Party category is that 3rd Party partners do spy on each other, as many of the Snowden documents have shown. From these documents we also learned that in 2013, there were 33 countries with 3rd Party status. The table below combines that list with the "since" dates known for some of the partnerships and with membership of the CNO, SSEUR and SSPAC groups:



Country          Since    CNO             3rd Parties     SSEUR       SSPAC
                          (19 countries)  (33 countries)  (14-Eyes)   (10-Eyes)
Algeria                                   x
Austria                   x               x
Belgium                   x               x               x
Croatia                                   x
Czech Republic            x               x
Denmark          1954     x               x               x
Ethiopia                                  x
Finland                                   x
France                                    x               x
Germany          1962     x               x               x
Greece                    x               x
Hungary                   x               x
Iceland                   x
India                                     x
Israel                                    x
Italy                     x               x               x
Japan                     x               x                           x
Jordan                                    x
Luxemburg                 x
Macedonia                                 x
Netherlands      2005?    x               x               x
Norway           1954     x               x               x
Pakistan                                  x
Poland                    x               x
Romania                                   x
Saudi Arabia                              x
Singapore                                 x                           x
South Korea               x               x                           x
Spain                     x               x               x
Sweden           1954     x               x               x
Switzerland               x
Taiwan                                    x
Thailand                                  x                           x
Tunisia                                   x
Turkey           1949     x               x
UAE                                       x

The countries in the column under "CNO" are from a list which is in an undated NSA document about collaboration regarding Computer Network Operations (CNO). The document was first published on October 30, 2013 by the Spanish paper El Mundo and classifies cooperation on four different levels, which was also explained by The Guardian.

The first level is called "Tier A - Comprehensive Cooperation", which comprises Britain, Australia, Canada and New Zealand. A second group, called "Tier B - Focused Cooperation" includes the 19 mostly European countries listed above. A third group of "Limited cooperation" consists of countries such as France, Israel, India and Pakistan, and finally a fourth group is about "Exceptional Cooperation" with countries that the US considers to be hostile to its interests.

In May 2014, the list with the "Tier A" and "Tier B" countries was also published in Greenwald's book No Place To Hide, where he ignores the fact that the document was about CNO cooperation and simply assumes that the "Tier B" countries are the same as those with 3rd Party status.*


Representatives

The representatives of NSA in major Third Party countries are called Special US Liaison Advisor (SUSLA), followed by the name of the country. So for example the NSA representative in Germany is the Special US Liaison Advisor, Germany (SUSLAG).

The office staff of such an advisor is called the Special US Liaison Activity (also abbreviated as SUSLA), and for example the SUSLA Germany had 18 personnel (12 civilians and 6 contractors) in 2012, a number which was to be reduced to 6 in 2013.*

It is not clear whether the various Third Party agencies also have a representative at NSA headquarters and if so, what their title is. At NSA these relationships are managed by the Foreign Affairs Directorate (FAD), which has a Country Desk Officer (CDO) for every country or region that matters.



Multilateral groups

Although the Third Party relationships are strictly bilateral, some of these countries have also worked very closely with each other for a long time. This has been formalized into a few multilateral groups in which intelligence is exchanged not only between one particular country and the US, but also among all other participants. Besides NATO, the following three SIGINT sharing groups are known:


- SIGINT Seniors Europe (SSEUR)
This group consists of the Five Eyes and nine European countries: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. Except for Sweden, all are NATO members. After the number of participating countries, the SSEUR is also called the 14-Eyes. The "Seniors" refers to the heads of the participating military or signals intelligence agencies, who in this group coordinate the exchange of military intelligence according to the needs of each member. There's also a SIGINT Seniors Europe Counter Terrorism (SISECT) coalition.*

> More about the SIGINT Seniors Europe

- SIGINT Seniors Pacific (SSPAC)
There's a similar group for the multilateral exchange of military intelligence among some 3rd Party nations from the East Asia/Pacific Rim region. Besides the members of the Five Eyes, the SIGINT Seniors Pacific include Singapore, South Korea and most likely Japan and Thailand. Probably one other country participates too, which is why this group is also identified as the 10-Eyes.

> More about the 6, 8 and 10 Eyes

- Afghanistan SIGINT Coalition (AFSC)
According to an NSA paper from 2013, this group consists of the same 14 countries as the SSEUR and is aimed at sharing Afghanistan-related intelligence reports and metadata with the other participants. At the time of the paper, each AFSC-member was responsible for covering a specific area of interest, maybe corresponding to the region in Afghanistan where they had troops deployed.

Snowden and Greenwald agreed not to publish about NSA's involvement in Afghanistan, but the German book about the Snowden-leaks, Der NSA Komplex, reveals that the 14 AFSC-members cooperated closely in decrypting and analysing mobile communications and have a dedicated data center codenamed CENTER ICE for exchanging this kind of intelligence.*

This makes it likely that much of the metadata that various European countries shared with the US, mistakenly presented by Glenn Greenwald as NSA spying on European citizens, was collected as part of this Afghanistan SIGINT Coalition.



Links and Sources
- NSA document about Foreign Relations Mission Titles
- About Canada and the Five Eyes Intelligence Community (pdf)
- Duncan Campbell, Echelon and its role in COMINT

About STELLARWIND and other mysterious classification markings

(Updated: September 15, 2014)

Last week, on September 6, the US Justice Department released a declassified version of a 2004 memorandum about the STELLARWIND program.

The memorandum (pdf) is about the legality of STELLARWIND, which was a program under which NSA was authorized to collect content and metadata without the warrants that were needed previously.

Here we will not discuss the STELLARWIND program itself, but take a close look at the STELLARWIND classification marking, which causes some confusion. We also learn about the existence of mysterious compartments that point to some highly sensitive but as yet undisclosed interception programs.




Classification marking of the 2004 DoJ memorandum about STELLARWIND


The redacted markings

The first thing we see is that two portions of the classification marking have been blacked out:


1. The redacted space between two double slashes

This is very strange, because according to the official classification manuals, there cannot be something between two double slashes in that position (see the chart below). The classification level (in this case: Top Secret) has to be followed by the Sensitive Compartmented Information (SCI) control system (here: COMINT).

But as the US classification system is very complex, there are often minor mistakes in such classification lines. If we assume there was a mistake made here too, then the first term that has been blacked out could be another SCI compartment, which had to be followed by just a single slash (for example HCS for HUMINT Control System would fit the redacted space, although that marking itself isn't classified).

If there was no mistake, however, and the double slash is actually correct, then it would be a completely new category which isn't in the (public) classification manuals. This is reminiscent of the UMBRA marking, which also appeared unexpectedly between double slashes in a classification line.



Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)



2. The redacted space directly after STELLARWIND

The second redaction starts right after the last letter of "STELLARWIND", thereby carefully hiding the category of the redacted marking, which is determined by how it is separated from the previous term. This could be by a slash, a double slash, a hyphen or a space, each indicating a different level.

In this case, the most likely option is that "STELLARWIND" is followed by a hyphen, which indicates the next term is another compartment under the COMINT control system, equal to STELLARWIND.

Classification manuals say there are undisclosed COMINT compartments which have identifiers consisting of three alphabetical characters. This would fit the redacted space as it would read like: "COMINT-STELLARWIND-ABC".

This undisclosed compartment probably also figured in some other declassified documents, where it sometimes seems to be accompanied by a sub-compartment which is identified by three numeric characters, like for example in this and this declaration where the marking could read like "COMINT-ABC 678":



Classified declaration of NSA director Alexander, April 20, 2007.


Looking at what was redacted in portions of both documents which were marked with this mysterious compartment, it seems that it's about at least two highly sensitive intelligence sources and methods. For example, pages 31-32 of this declaration (pdf) suggest that this might be obtaining metadata from specific telecom companies and search them for members or agents of particular target groups.



Classified declaration of Director of National Intelligence John Negroponte, May 12, 2006
TSP = Terrorist Surveillance Program; HCS = HUMINT Control System
Note that TSP and HCS are also between double slashes
(click to open the full document in pdf)


Markings with the mysterious undisclosed COMINT compartments weren't found on any of the Snowden-documents, but only on those that were declassified by the government, so it seems that Snowden had no access to information protected by these particular compartments.

The marking TSP (for Terrorist Surveillance Program), which is in some of the examples shown above, was used instead of STELLARWIND in briefing materials and documents intended for external audiences, such as Congress and the courts.



The STELLARWIND marking

So far, we looked at the two parts of the classification marking that were blacked out. But now we also have to look at the STELLARWIND marking itself, which wasn't redacted, but still causes confusion.

The classification marking of the 2004 memorandum of the Justice Department says "COMINT-STELLAR WIND" and according to the official formatting rules, this means that STELLARWIND would be part of the COMINT control system.

Note that the same memorandum had already been declassified upon a FOIA request by the ACLU in 2011, but in that version (pdf) the codeword STELLARWIND was still blacked out from the whole document. Both documents are compared here.



Classification marking of the 2004 DoJ memorandum about STELLARWIND


As COMINT is a control system for communications intercepts or Signals Intelligence, this seems to make sense. But what is confusing, is that the internal 2009 NSA classification guide (pdf) for the STELLARWIND program, which was disclosed by Edward Snowden, says something different.

Initially this guide calls STELLARWIND a "special compartment", but from the marking rules it becomes clear that it is treated as an SCI control system. Accordingly, the prescribed abbreviated marking reads: "TOP SECRET // STLW / SI // ORCON / NOFORN". In this way we can see STELLARWIND in the classification line of the following document:



Classification marking of a 2013 classified declaration (pdf) of DNI James Clapper
which was declassified on May 6, 2014
(click to enlarge)


In this document and also in a similar declaration (pdf) from 2013, the reason for the STELLARWIND classification is explained as follows:
"This declaration also contains information related to or derived from the STELLARWIND program, a controlled access signals intelligence program under presidential authorization in response to the attacks of September 11, 2001. In this declaration, information pertaining to the STELLARWIND program is denoted with the special marking "STLW" and requires more restrictive handling."


STELLARWIND is also being treated as a control system in the 2009 draft report about this program written by the NSA Inspector General, although its classification line is also somewhat sloppy: there are double slashes between STLW and COMINT (should just be a single one), and only a single one between COMINT and ORCON (where there should have been double slashes as both are from different categories):



Classification marking of the 2009 report about
STELLARWIND by the NSA Inspector General
(click to read the full document)


Throughout this document, the portion markings are also not always consistent. Most of them are "TS//SI//STLW//NF", but one or two times "TS//SI-STLW//NF". But as this report is a draft, it's possible that these things have been corrected in the final version, which hasn't been disclosed or declassified yet.
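As an added illustration that is not part of the original post, the following Python parser applies the separator rules described above: double slashes between categories, single slashes between control systems inside the SCI block, hyphens for compartments and spaces for sub-compartments. Run over the markings quoted on this page, it reports the two mistakes in the Inspector General's classification line and the inconsistent "TS//SI//STLW//NF" portion marking; the fixed sets of control systems and dissemination controls are an assumption made for this example, and "ABC 678" is the page's own placeholder.

```python
import re
from dataclasses import dataclass, field

# Classification levels in banner form and their portion-marking abbreviations.
LEVELS = {"TOP SECRET": "TS", "SECRET": "S", "CONFIDENTIAL": "C", "UNCLASSIFIED": "U"}

# SCI control systems named on the page (assumption: this small set is all we
# recognize). STLW is included because NSA's 2009 STELLARWIND guide treats it
# as a control system: "TOP SECRET // STLW / SI // ORCON / NOFORN".
CONTROL_SYSTEMS = {"SI", "COMINT", "HCS", "STLW"}

# Dissemination controls named on the page, plus their usual abbreviations.
DISSEM_CONTROLS = {"ORCON", "OC", "NOFORN", "NF", "REL"}


@dataclass
class ControlSystem:
    name: str
    # compartment -> its sub-compartments, e.g. {"ABC": ["678"]}
    compartments: dict = field(default_factory=dict)


@dataclass
class Marking:
    level: str
    control_systems: list
    dissemination: list
    issues: list


def _normalize(line: str) -> str:
    """Collapse spaces around the separators: 'TS // SI' -> 'TS//SI'."""
    return re.sub(r"\s*(//|/)\s*", r"\1", line.strip())


def _head(token: str) -> str:
    """First word of a token, ignoring compartments: 'COMINT-ABC 678' -> 'COMINT'."""
    words = token.split("-")[0].split()
    return words[0] if words else ""


def _parse_control_system(token: str, issues: list) -> ControlSystem:
    """'COMINT-STELLARWIND-ABC 678' -> system COMINT with compartments
    STELLARWIND and ABC, the latter carrying the sub-compartment 678."""
    parts = token.split("-")
    system = ControlSystem(parts[0].strip())
    if system.name not in CONTROL_SYSTEMS:
        issues.append(f"unknown SCI control system '{system.name}'")
    for comp in parts[1:]:
        words = comp.split()
        if not words:
            issues.append(f"empty compartment in '{token}'")
            continue
        system.compartments[words[0]] = words[1:]
    return system


def parse_marking(line: str) -> Marking:
    """Parse LEVEL//SYSTEM-COMP SUB/SYSTEM//DISSEM/DISSEM and record the kinds
    of separator mistakes discussed on the page."""
    issues, control_systems, dissemination = [], [], []
    segments = _normalize(line).split("//")
    level = segments[0]
    if level not in LEVELS and level not in LEVELS.values():
        issues.append(f"unknown classification level '{level}'")

    for seg in segments[1:]:
        tokens = [t for t in seg.split("/") if t]
        if not tokens:
            issues.append("empty segment between double slashes")
            continue
        head = _head(tokens[0])
        if head in DISSEM_CONTROLS:          # a proper dissemination block
            dissemination.extend(tokens)
            continue
        if head in CONTROL_SYSTEMS and control_systems:
            issues.append(f"control system '{head}' after a double slash; "
                          "it should follow the previous one with a single slash")
        elif head not in CONTROL_SYSTEMS and (control_systems or dissemination):
            issues.append(f"unrecognized segment '{seg}'")
            continue
        in_dissem = False
        for tok in tokens:
            if in_dissem:
                dissemination.append(tok)
            elif _head(tok) in DISSEM_CONTROLS:
                issues.append(f"dissemination control '{tok}' follows the SCI "
                              "block after a single slash; it needs a double slash")
                dissemination.append(tok)
                in_dissem = True
            else:
                control_systems.append(_parse_control_system(tok, issues))
    return Marking(level, control_systems, dissemination, issues)


# Markings quoted on the page (the IG line is written out as the page describes it).
PAGE_EXAMPLES = [
    "TOP SECRET // STLW / SI // ORCON / NOFORN",   # NSA guide, as prescribed
    "TS//SI-STLW//NF",                            # consistent portion marking
    "TS//SI//STLW//NF",                           # STLW after a double slash
    "TOP SECRET//STLW//COMINT/ORCON/NOFORN",      # IG report, two mistakes
    "TOPSECRET//S//NOFORN",                       # the NRC photo, two mistakes
    "TOP SECRET//COMINT-ABC 678//NOFORN",         # page placeholder compartment
]


def audit(lines):
    """Map each marking to the list of issues found in it (empty means clean)."""
    return {line: parse_marking(line).issues for line in lines}


if __name__ == "__main__":
    for line, found in audit(PAGE_EXAMPLES).items():
        print(f"{line!r}: {found or 'OK'}")
```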

The 2009 Inspector General report about STELLARWIND was one of the first documents from the Snowden-leaks to be published, and it still is one of the most informative and detailed pieces about the development of NSA's interception efforts since 9/11.


Conclusion

In the end, it doesn't make much difference whether STELLARWIND is a control system on its own, or a sub-system of COMINT, but it is remarkable that for such an important program, the people involved apparently also weren't clear about its exact status and how to put it in the right place of a classification line.

More important though is that the declassified documents show that besides the STELLARWIND program, there's at least one COMINT-compartment with at least one sub-compartment that protect similar or related NSA collection efforts which are considered even more sensitive, but about which we can only speculate.



BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

(Updated: March 15, 2014)

Today, the Dutch newspaper NRC Handelsblad finally published the complete BOUNDLESSINFORMANT screenshot that shows data related to the Netherlands.

This came after a surprising revelation by the Dutch government that the 1,8 million metadata shown in that screenshot were not from Dutch citizens and intercepted by NSA, but actually from a legitimate collection against foreign targets by the Dutch military intelligence agency MIVD which was passed on to the Americans.

Here, I will analyse the chart and compare it with similar charts about various other countries that were published earlier. More about the background, which caused some severe political problems for the Dutch interior minister, can be read here!



The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)


The first thing that catches the eye is that the screenshot is shown here on paper, together with another sheet with an orange bar bearing a classification marking and a cardboard folder. The sheets look as if they became wet and also show some white paint brush-like stains (all previous screenshots were published as digital files).

Probably these effects were photoshopped by the paper to make it look extra special. For example, the classification marking on the second sheet seems fake, as it reads: TOPSECRET//S//NOFORN, where in reality Top Secret are two separate words and the compartment for this kind of information is not S, but SI for Special Intelligence.

That said, we now take a look at the information in the screenshot itself. In the upper part there's the bar chart which was already published back in August 2013 by Der Spiegel. The green bars show that only DNR (Dialed Number Recognition, which is telephony) metadata were collected. In the lower part, which was published for the first time today, there are three sections with some details about this collection:



Signal Profile

This section has a pie chart which can show various types of communication. In this case, all metadata were collected from PSTN, which stands for Public Switched Telephone Network. This is the traditional telephone infrastructure, consisting of telephone lines, (undersea) fiber optic cables, microwave transmission links, cellular networks, and communications satellites, all interconnected by switching centers.

In this case, MIVD collected the metadata from PSTN traffic using their satellite station near Burum, which is operated by the signals intelligence unit NSO. This station is conveniently situated next to a big commercial ground station operated by Stratos Global, which provides access to Inmarsat, and Castor, providing access to Intelsat, Eutelsat, Gazprom, RSCC, SES (Astra), Telesat, and Arabsat satellites.

Whereas nowadays almost all intercontinental communications pass undersea fiber optic cables, some less-developed countries like Afghanistan, Sudan, Somalia, Cuba and North-Korea, and remote regions in Russia, China and Africa apparently still use Intelsat satellite links for their international telecommunications. A number of these countries are also linked to Intersputnik satellites.

An example given by the NRC newspaper is that of calls made by Somali people from call shops in a Dutch city like Rotterdam to the Somali capital Mogadishu. If these calls travel through satellite links, the MIVD is able to collect their metadata. The agency only gathers communications that are related to terrorism and those that are necessary to support international military operations.



The Burum teleport, with the NSO intercept station (left) and the
ground station operated by Stratos Global and Castor (right)
(photo: Castor - click to enlarge)


According to a reply from the Dutch government, the 1,8 million metadata were collected by the MIVD from phonecalls, including some sms and fax messages, that "originated and/or terminated" in foreign countries. After all communication data with a Dutch phone number were filtered out, the remaining data were "shared with partner agencies".

This means, these data weren't just shared with NSA on a bilateral basis, but also in multinational military intelligence sharing groups like the 9-Eyes and the 14-Eyes, which is actually called SIGINT Seniors Europe. Both groups consist of the Five Eyes plus a number of 3rd Party nations.

In response to parliamentary questions, the Dutch government seemed to suggest that the 1,8 million metadata equals 1,8 million "unique moments/types of communication". This is contrary to earlier and widespread assumptions that 1 phone call creates multiple metadata records.


Most Volume

In the screenshot we can see that the metadata records were collected through a facility designated by the SIGAD US-985Y.

According to NRC, Dutch government sources say that this SIGAD does not designate a single facility, but rather "metadata collected by MIVD that are shared with NSA".

This means that these data could be derived from multiple collection platforms and not just from the satellite intercept station near Burum, although the Dutch government said that in this case the 1,8 million metadata were collected through satellite interception. Besides Burum, the Dutch SIGINT unit NSO also has a high-frequency radio intercept station near Eibergen and some mobile signals intelligence units which can be deployed during foreign operations.

US-985Y is from the same range as US-985D, which is the SIGAD in the screenshot about the collection of metadata related to France, and also near the range of US-987 SIGADs which are used for collection by Spanish, Norwegian, German and Italian agencies. Interestingly, Der Spiegel already noticed in August 2013 that SIGADs like the US-987 series were among those assigned by NSA to the SIGINT activities of 3rd Party partner agencies.

If the Dutch interpretation is correct, we have to assume that also the SIGADs for other countries do not designate a particular physical interception facility, but rather a foreign agency as the single source of shared data, with divisions not according to collection facilities, but according to data types like metadata, content, phone and internet. This makes some sense, as it's not up to NSA to assign designations to individual foreign collection platforms.



The headquarters of the Dutch military intelligence agency MIVD,
which is located in the Frederikkazerne in The Hague
(photo: GPD)


Top 5 Techs

This section of the screenshot mentions the technical systems or programs used to collect or process the data. Here, only a single system was used, called CERF CALL.

Sources contacted by NRC say this stands for "Contact Event Record Call", which refers in a more technical way to (telephony) metadata. "Contact" and "event" are terms which are also seen in other NSA documents related to metadata, so that seems to make sense.

It was strange that there was no word for the letter F, but some research revealed that the F most likely stands for Format. In several job vacancies CERF can be seen listed among a number of other NSA data formats like CSDF and ASDF. We can assume now that CERF = Contact Event Record Format.

The same tech was also in the BOUNDLESSINFORMANT screenshot about Germany, where CERF CALL MOSES1 was the fourth biggest one. Maybe CERF is used for collected metadata in general and CALL specifies that for telephony metadata (although in NSA-speak, telephony is always designated as DNR). An additional codeword like MOSES1 could then be used to further specify these data sets.

Seeing CERF in the Dutch chart came somewhat as a surprise, because in almost all screenshots that followed the German one (France, Spain, Italy, Norway and a chart about Afghanistan) we saw DRTBOX, which is a technique used for handling metadata derived from mobile communication systems (PCS).

DRTBOX refers to surveillance devices made by DRT, which are used to locally intercept radio and cell phone communications, and are widely used in war zones like Afghanistan. This also provides a very strong indication that the metadata for those other countries were collected during or in support of military operations abroad.



The satellite intercept station of MIVD near Burum
(photo: ANP)


We should also be aware of the possibility that the BOUNDLESSINFORMANT screenshot doesn't show everything that the Dutch agency MIVD shares with NSA, as in this one there are only telephony metadata. This is the lesson that was learned from the screenshot about Afghanistan, which was published by Glenn Greenwald in a Norwegian paper last November.
That chart also shows just telephony metadata from one single source, but communications from Afghanistan are of course intercepted by numerous collection facilities. This means that such a document bearing the name of a particular country doesn't necessarily contain everything that's collected from or by that nation.
This problem arises from the fact that these screenshots are published without their original context, so we don't know which selections in the BOUNDLESSINFORMANT interface were made prior to producing the output we see in these charts. Unfortunately, Glenn Greenwald isn't able or willing to answer these kinds of questions.


> More background of this story: Dutch government tried to hide the truth about metadata collection


UPDATE

On March 5, 2014, the Dutch paper NRC Handelsblad came with a follow-up story, which provided more context to the Dutch collection of metadata.

It says the Netherlands has been sharing intercepted telecommunications with the US since 2006. This partnership accelerated after the Dutch started their ISAF mission in the Afghan province of Uruzgan in 2006 and it continued after this mission ended in 2011. According to NRC there is still a steady flow of millions of telephony metadata from MIVD to NSA.

The paper presents the following example: When in August 2012 the Dutch navy ship HMS Rotterdam was the flagship for the NATO anti-piracy operation OCEAN SHIELD, this vessel was also intercepting the communications of Somali pirates. This was made possible because NSA had provided the covert Dutch SIGINT team on the ship with a special interception system.

NSA's access to the pirates’ communication had collapsed after the latter switched to land-based communications, which couldn't be intercepted by the Americans. Therefore the metadata provided by the Dutch were very welcome. A combination of the interception of Somali pirate communications from aboard the Dutch ship and through the Dutch satellite intercept station in Burum led to the successful mapping of pirate networks:




Note that the grey text in the bottom right corner says that this slide originally was classified as TOP SECRET//SI//NOFORN, but apparently later this was lowered to SECRET//SI//REL TO USA, NLD, probably to share it with the Dutch.

The diagram from the slide is also shown in a larger version. Some connections and icons have Dutch labels, so this seems to be generated by a software tool used by the Dutch MIVD. Probably it's Sentinel Visualizer or Analyst's Notebook or a similar software program, but it also resembles the SYNAPSE data model used by NSA.






Links and Sources
- DeCorrespondent.nl: Op dit grasveldje in de Achterhoek luistert Nederland de Taliban af
- NRC.nl: The secret role of the Dutch in the American war on terror
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie


NSA's Strategic Mission List



One of the most important documents that has been disclosed as part of the Snowden-leaks is also one of the least-known: the Strategic Mission List from January 2007, which provides a detailed list of the goals and priorities for the National Security Agency (NSA).

This Strategic Mission List was published by The New York Times on November 2, 2013, as one of three original NSA documents that accompanied a long report about how NSA spies on both enemies and allies.




About the publication

On the website of The New York Times (NYT), the Strategic Mission List was published as a series of images in png-format, which made it impossible to copy or search the text. It was also difficult to print the document in a readable way. For reasons unknown, NYT is the only media-outlet that published Snowden-documents in this not very user-friendly way.

Hence I asked The New York Times whether they could provide the Strategic Mission List in the standard pdf-format, but the paper didn't reply. I also asked the author of the report, Scott Shane, but he answered that he had no access to the document anymore.

Eventually I used an Optical Character Recognition (OCR) tool to convert the images from the NYT website into a text document, conducted the necessary corrections by hand and then converted the result into the pdf-document, that is now published here and on the Cryptome website.


The Strategic Mission List

Edward Snowden and Glenn Greenwald claim that NSA has just one single goal: collect all digital communications from all over the world: "Collect it All". But this is not mentioned in the Strategic Mission List, which instead lists a range of far more specific goals, many of which are of a military nature, which is also something that is lacking in the media coverage of the Snowden-leaks.

The document describes the priorities and risks for the United States SIGINT System (USSS) for a period of 12 to 18 months and is reviewed, and where necessary updated bi-annually. The topics are derived from a number of other strategic planning documents, including the National Intelligence Priorities Framework (NIPF), which sets the priorities for the US Intelligence Community as a whole.

Note that according to the classification marking, the Strategic Mission List is only authorized for release to the US, the UK, Canada and Australia, which leaves New Zealand excluded.


Structure

The Strategic Mission List is divided into two parts. The first part includes 16 Topical Missions, which represent missions discerned to be areas of highest priority for the USSS, where SIGINT can make key contributions. The second part includes 6 Enduring Targets, which are countries that need to be treated holistically because of their strategic importance.

For both of these sections, the Strategic Mission List includes Focus Areas, the most critical and important targets which are a "must do", as well as Accepted Risks, which are significant targets for which SIGINT should not be relied upon as a primary source.


Enduring Targets

The 6 countries that are listed in the Strategic Mission List as being Enduring Targets for NSA and the tactical SIGINT collecting components of the US Armed Forces are:
- China
- North-Korea
- Iraq
- Iran
- Russia
- Venezuela



Map showing the 6 nations that are Enduring Targets, as well
as countries that are 2nd and 3rd Party partners of NSA
(click to enlarge)


Topical Missions

Besides the 6 countries listed as Enduring Targets, the Strategic Mission List also includes the following 16 Topical Missions:

- Winning the Global War on Terrorism
- Protecting the U.S. Homeland
- Combating Proliferation of Weapons of Mass Destruction
- Protecting U.S. Military Forces Deployed Overseas
- Providing Warning of Impending State Instability
- Providing Warning of a Strategic Nuclear Missile Attack
- Monitoring Regional Tensions that Could Escalate
- Preventing an Attack on U.S. Critical Information Systems
- Early Detection of Critical Foreign Military Developments
- Preventing Technological Surprise
- Ensuring Diplomatic Advantage for the U.S.
- Ensuring a Steady and Reliable Energy Supply for the U.S.
- Countering Foreign Intelligence Threats
- Countering Narcotics and Transnational Criminal Networks
- Mapping Foreign Military and Civil Communications Infrastructure

We see that many of these topics are of a military nature and that also the more civilian areas of interest are quite common goals for a large (signals) intelligence agency. Although communications of ordinary civilians are accidentally caught up in NSA's collection efforts, they are clearly not of interest, let alone given priority.



The German operation Eikonal as part of NSA's RAMPART-A program



Just over a week ago, the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR came with a story saying that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA. As not all communications of German citizens could be filtered out, this is considered a violation of the constitution.

Here we will give a summary of what is currently known about this BND operation and we will combine this with information from earlier reports. This will show that it was most likely part of the RAMPART-A program of the NSA, which includes similar interception efforts by foreign partner agencies. Finally, we will look at where exactly the BND interception might have taken place.



The German operation Eikonal

The codename for the BND operation was Eikonal, which is a scientific German word, derived from Greek, meaning likeness, icon or image. Details about it were found in BND documents marked Streng Geheim (Top Secret), which were handed over to a committee of the German parliament that investigates NSA spying activities (NSA Untersuchungsausschuss). It's not clear whether journalists were able to read these documents themselves, or were just told about their contents.

The operation was set up in 2003 as a cooperation between BND and NSA, with the BND providing access to the Frankfurt internet exchange DE-CIX, and NSA providing sophisticated interception equipment, which the Germans didn't have but were eager to use. Interception of telephone traffic started in 2004, internet data were captured since 2005. Reportedly, NSA was especially interested in communications from Russia.

For this, NSA provided BND with lists of selectors like phone numbers and e-mail addresses. According to the testimony of a BND employee at a committee hearing last month, his co-workers pull these selectors from an American server 2, 3 or 4 times a day and enter them into the system that does the actual interception.

The article in Süddeutsche Zeitung says that from DE-CIX, the data first went to BND headquarters in Pullach, and then to the Mangfall barracks in Bad Aibling, where BND and NSA analysts secretly worked together as the Joint SIGINT Activity (JSA, terminated in 2012). From there, there was a secure line back to NSA headquarters.



Operations center room in the former BND headquarters in Pullach
(click to enlarge)


To prevent communications of German citizens being passed on to NSA, BND installed a special program (codenamed DAFIS) to filter these out. But according to the documents, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out.

A review of operation Eikonal reported that a "complete and accurate" separation between German and foreign telecommunications was impossible. Also BND wasn't able to fully check this because of a lack of technical expertise.
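The filtering problem described above can be made concrete. The following Go program is an added example, not BND code and not based on any documentation of DAFIS. It implements the two stages the reports describe: a G-10 style filter that drops every communication showing a German indicator on either end, followed by matching against tasked selectors like the ones pulled from the partner's server. All tables, selectors and traffic records are constructed for the example (the IP blocks are RFC 5737 documentation ranges, not real provider space), and the record layout is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Record is the metadata of one intercepted communication (constructed sample data).
// From/To hold an E.164 phone number or an e-mail address; SrcIP is the address seen at the tap.
type Record struct{ ID, From, To, SrcIP string }

// Constructed lookup tables: a real filter would use complete numbering plans and an IP
// allocation database. The CIDR blocks are RFC 5737 documentation ranges, not real ISP space.
var phonePrefixes = map[string]string{"+49": "DE", "+7": "RU", "+44": "GB", "+20": "EG"}
var ipBlocks = []struct{ cidr, country string }{
	{"192.0.2.0/24", "DE"}, {"198.51.100.0/24", "RU"}, {"203.0.113.0/24", "EG"},
}

// taskedSelectors stands in for the list the analysts pull from the partner's server (constructed).
var taskedSelectors = map[string]bool{"+74951234567": true, "target@example.net": true}

// countryOfSelector infers a country from a phone number's country code or an e-mail
// address's top-level domain; "" means the selector carries no usable country signal.
func countryOfSelector(sel string) string {
	if strings.HasPrefix(sel, "+") {
		best := ""
		for prefix := range phonePrefixes {
			if strings.HasPrefix(sel, prefix) && len(prefix) > len(best) {
				best = prefix
			}
		}
		return phonePrefixes[best] // "" when no prefix matched
	}
	if at := strings.LastIndex(sel, "@"); at >= 0 {
		if strings.HasSuffix(strings.ToLower(sel[at+1:]), ".de") {
			return "DE"
		}
		return "" // .com, .net, .org etc. say nothing reliable about the user's nationality
	}
	return ""
}

// countryOfIP maps an address to a country through the constructed block table.
func countryOfIP(ip string) string {
	addr := net.ParseIP(ip)
	for _, b := range ipBlocks {
		if _, network, err := net.ParseCIDR(b.cidr); err == nil && network.Contains(addr) {
			return b.country
		}
	}
	return ""
}

// Decision records what happened to one communication and why: Passed means it survived
// the German-traffic filter, Selected means it also hit a tasked selector.
type Decision struct {
	ID               string
	Passed, Selected bool
	Reason           string
}

// Process runs the two stages described for Eikonal: first drop anything that shows a
// German indicator on either end, then keep only what matches a tasked selector.
func Process(recs []Record) []Decision {
	out := make([]Decision, 0, len(recs))
	for _, r := range recs {
		d := Decision{ID: r.ID}
		switch {
		case countryOfSelector(r.From) == "DE":
			d.Reason = "dropped: German selector (from)"
		case countryOfSelector(r.To) == "DE":
			d.Reason = "dropped: German selector (to)"
		case countryOfIP(r.SrcIP) == "DE":
			d.Reason = "dropped: German source IP"
		default:
			d.Passed = true
			d.Selected = taskedSelectors[r.From] || taskedSelectors[r.To]
			d.Reason = "passed filter"
			if d.Selected {
				d.Reason += ", matched tasked selector"
			}
		}
		out = append(out, d)
	}
	return out
}

// SampleRecords is constructed traffic that exercises both error directions of the filter.
func SampleRecords() []Record {
	return []Record{
		{"1", "+49301234567", "+74951234567", "192.0.2.10"},            // German subscriber calling a tasked Moscow number: dropped, as intended
		{"2", "+74951234567", "+201001234567", "198.51.100.7"},         // Russia to Egypt: passed and selected
		{"3", "hans@example.com", "target@example.net", "203.0.113.9"}, // German citizen on generic webmail while abroad: passed and selected (the residual the filter cannot see)
		{"4", "anna@example.org", "sales@example.de", "198.51.100.8"},  // foreign sender writing to a German company: dropped, so a possibly wanted communication is lost
	}
}

func main() {
	for _, d := range Process(SampleRecords()) {
		fmt.Printf("record %s: %s\n", d.ID, d.Reason)
	}
}
```

Record 3 is the case such a filter cannot see: a German citizen using a generic webmail address from abroad carries no German indicator, so the communication is passed on and, because the other end is a tasked selector, selected. Record 4 shows the opposite error: a foreign sender writing to a German company is dropped. Any rule set built from country codes, top-level domains and IP allocations has both error directions, which is why a "complete and accurate" separation cannot be achieved by filtering alone.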

The documents also suggest that the intelligence oversight committees of the Bundestag were not properly informed. The BND noticed at some point that the NSA searched for information about the European defence contractor EADS (now Airbus Group), the Eurocopter and French government agencies. Together with doubts about the legality of the Eikonal operation, this resulted in ending the cooperation with NSA in 2008.

Reportedly, NSA wasn't happy with that and sent its deputy director John Inglis to Berlin in order to demand some kind of "compensation": if not Frankfurt, then BND should offer access to another European fiber-optic cable. Süddeutsche Zeitung says that at that time, BND got access to a cable of "global importance" to which NSA did not have access. NSA then became a "silent partner" receiving data from this new BND interception effort.


Meanwhile, two members of the German parliamentary investigation committee who are cleared for the BND documents about Eikonal said that the aforementioned press reports were not always correct. According to one member, it actually wasn't BND, but NSA that ended the cooperation, apparently because the Germans were so heavily filtering the data, that the outcome wasn't of much interest for NSA anymore.



The RAMPART-A program of NSA

Those who have followed the Snowden-leaks, may have recognized that operation Eikonal is identical to cable tapping operations which are conducted under the RAMPART-A program of NSA. According to some of the Snowden-documents, this is an umbrella program under which NSA cooperates with 3rd Party countries, who "provide access to cables and host U.S. equipment".

The slide below clearly shows that such a partner country taps an international cable at an access point (A) somewhere in that country and then forwards the data to a processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C) before they are forwarded to an NSA site in the US (D):




Details about NSA's RAMPART-A program were published by the Danish website Information.dk in collaboration with Greenwald's website The Intercept on June 19, 2014. The program reportedly involved five countries, and cooperation with two others was being tested. In total, all RAMPART-A interception facilities gave access to 3 terabits of data every second.

The disclosed documents list 13 RAMPART-A sites, nine of which were active in 2013. The three largest are codenamed SPINNERET, MOONLIGHTPATH and AZUREPHOENIX, which by the number of records are NSA's second, third and fifth most productive cable tapping programs.




The exact locations of these access points are protected under the Exceptionally Controlled Information (ECI) compartment REDHARVEST (RDV). Therefore we don't know which countries are participating in the RAMPART-A program, although some of the documents contain leads pointing to Denmark and Germany.

These foreign partnerships operate on the condition that the host country will not use the NSA's technology to collect any data on US citizens. The NSA agrees that it will not use the access it has been granted to collect data on the host countries' citizens, but one NSA presentation slide (marked NOFORN: Not Releasable to Foreign Nationals) notes that "there ARE exceptions" to this rule:




According to a 2010 briefing, intelligence collected via RAMPART-A yielded over 9000 intelligence reports the previous year, out of which half was based solely on intelligence intercepted through RAMPART-A.


More about RAMPART-A

What the reports on both websites (deliberately?) didn't mention is that RAMPART-A is apparently focussed on collecting information about Russia, the Middle East and North Africa. This comes from Der NSA Komplex, a book about the Snowden-revelations written by two journalists from Der Spiegel. Unfortunately this book, which is much more informative than the one by Glenn Greenwald, is only available in German.

Besides 3rd Party partners giving access to cables in their own country, there's also a construction in which such a partner agency cooperates with yet another country that secretly provides access to data traffic, which is also shared with NSA. In recent years, BND and NSA conducted about half a dozen such operations, three of which are mentioned in Der NSA Komplex:

- Tiamat (access to high-level international targets under risky circumstances. This operation had ended before 2013)*

- Hermos (in the Spring of 2012, BND got access to communication cables in a crisis zone country, but this operation had to be terminated by the end of the year when the situation almost went out of control)*

- Wharpdrive (this operation was still active in 2013, but in the Spring of that year, employees of the private company that operates the communication cables accidentally discovered the clandestine BND/NSA equipment; the operation was rescued by providing a plausible cover story)*



Where did the tapping take place?

The best kept secret is the actual location of the BND tapping point. Süddeutsche Zeitung reports that in the original documents the name of the provider is blacked out, but that according to insiders, it must have been Deutsche Telekom that assisted BND. The paper even says both parties signed an agreement under which the provider earned a payment of 6,000 euros a month in return for the access.

This seems to correspond with a report broadcast by the German television magazine Frontal 21 in July last year. The report said that BND had had access to the Frankfurt internet exchange through its own cable since 2009. According to an insider, this cable access was under the cover of a major German telecom provider, and it was speculated this was Deutsche Telekom.

But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, although it might have provided hardware and fiber-optic cables for the exchange. The actual switches/routers of DE-CIX are situated in a number of data centers of InterXion, TeleCity, Equinix, Level(3), ITENOS and e-shelter.


Diagram of the Frankfurt internet exchange point DE-CIX


Another option is that the 6,000 euros were for renting some equipment racks for pre-filtering (removing non-communication traffic) at the intercept location, or for the rent of a Deutsche Telekom cable from the tapping point to a BND site.

As reported by Der Spiegel, the BND was recently authorized to intercept the communications from 25 internet service providers (ISPs), with their cables being tapped at the DE-CIX internet exchange. These providers include foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

This would mean that BND isn't tapping the whole internet exchange, like media reports suggest, but only the cables from selected providers, which is of course much more efficient. Tapping the whole exchange would probably also exceed BND's technical capabilities, as nowadays DE-CIX connects some 550 ISPs from more than 55 countries, including broadband providers, content delivery networks, web hosters, and incumbent operators.



Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchical way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons - click to enlarge)


However, the German internet provider 1&1 said they never received a letter from BND and suggests that the interception takes place in cooperation with DE-CIX Management GmbH, the organisation that operates the Frankfurt internet exchange.

If that's the case, then the actual interception could take place at DE-CIX systems, maybe at the data centers where the various ISPs are connected to the routers of the exchange. This means BND only needs the cooperation of the DE-CIX management, and the individual providers can honestly deny that their cables are being intercepted.

According to Der Spiegel, the BND copies the data stream and then searches it using keywords related to terrorism and weapon proliferation. A BND spokesman confirmed to the Wall Street Journal that purely domestic German traffic is neither gathered nor stored.


We don't know whether this current situation is somehow similar to the period when BND conducted operation Eikonal, but it shows that things are much more complex than just "tapping the Frankfurt internet exchange". Deutsche Telekom is often mentioned, but for now the only way this company could have played a role in this is when traffic between the various DE-CIX data centers went through their cables.

Also interesting is that at least one of the datacenters where DE-CIX has its hardware is operated by Level(3), a US company with which NSA most likely cooperates.




Conclusion

Although we have no positive confirmation that Eikonal was part of the RAMPART-A program, this German operation perfectly fits the way in which foreign partners of NSA get access to important internet cables and switches and share the results with their American counterparts. In this case, NSA apparently cooperated with BND in order to get access to communications from Russia and probably also from the Middle East and North Africa that traveled through Germany.

The best kept secret is how and where such interception takes place, and we have seen that tapping the Frankfurt internet exchange DE-CIX is far more complex than it seems. This makes it difficult to pinpoint the taps, but by combining earlier press reports with the structure of the DE-CIX exchange, we probably came a bit closer.



Links and Sources
- Sueddeutsche.de: Codewort Eikonal - der Albtraum der Bundesregierung (2014)
- Heise.de: NSA-Abhörskandal PRISM: Internet-Austauschknoten als Abhörziele (2013)
- Spiegel.de: BND lässt sich Abhören von Verbindungen deutscher Provider genehmigen (2013)
- NSA presentation: RAMPART-A Project Overview (pdf) (2010)



The phones of the Dutch Prime Minister

(Updated: November 7, 2014)

With last year's news of NSA eavesdropping on the mobile phone of German chancellor Angela Merkel in mind, Dutch online media assumed it was big news that the Dutch prime minister Mark Rutte has a phone that cannot be intercepted.

As was the case with chancellor Merkel, most people do not seem aware of the fact that political leaders usually have two kinds of phones: an ordinary one that is easy to intercept and a secure one that is very difficult to tap.

That prime minister Rutte has a secure phone was said by the director for Cyber Security in a radio interview last week. Afterwards this was seen as a slip of the tongue, because the government has a policy of never saying anything about the security methods it uses.

But from pictures and other sources we can still get a fairly good idea of which phones, both secure and non-secure, are used by the Dutch prime minister. As we will show here, he currently has three landline and two mobile phones at his disposal, only one being a highly secure one.



Dutch prime minister Mark Rutte working at his desk, May 29, 2012
At his right hand are three desktop phones and in front of him an iPhone 4
(photo: Prime Minister @ Flickr - Click for the full picture)


Since 1982, the office of the Dutch prime minister is on the second floor of a small tower that is part of the parliament buildings and which dates back to the 14th century. In Dutch this office is called Het Torentje.

From the left to the right we see the following telephones on the desk of the prime minister:
1. Ericsson DBC212 (black)
2. Sectra Tiger XS Office (silver)
3. Unidentified office phone (gray)

First we will discuss the two phones without encryption capability and then the secure phone:


1. The Ericsson DBC212

This is a common office telephone which has been part of the internal private branch exchange (PBX) network of the Department of General Affairs for over a decade. Other pictures from rooms in the same building also show the same and similar models of this telephone series, which was made by Ericsson, a Swedish company that manufactured many home and office phones used in The Netherlands. The prime minister can use this phone for every phone call he wants to make that doesn't require encryption.


3. The gray office phone

The make and type of this phone couldn't be identified yet, but it seems to be a common office telephone too. However, this phone is most likely connected to the Emergency Communications Provision (Dutch: NoodCommunicatieVoorziening or NCV).

This is an IP-based network which is completely separated from the public telephone network. Communications over this network are not encrypted, but the switches are in secure locations and connect redundantly.

The purpose of the NCV-network is to enable communications between government agencies and emergency services when during a disaster or a crisis situation (parts of) the regular communication networks collapse. This network replaced the former National Emergency Network (Nationaal Noodnet) as of January 1, 2012 (see below).



Close-up of the phones on the desk of the prime minister in 2013
(picture: Google Street View - Click for the full picture)
 

2. The Sectra Tiger XS Office

The silver-colored telephone which sits in between the two other ones is a Tiger XS Office (XO). This device is capable of highly secured phone calls and can therefore be used by the prime minister for conversations about things that are classified up to the level of Secret.

The Tiger XS Office has been manufactured since 2005 by the communications division of the Swedish company Sectra AB, which was founded in 1978 by some cryptology researchers from Linköping University. Sectra, which is an acronym of Secure Transmission, also has a division in the Netherlands: Sectra Communications BV.

Tiger is the brand name for their high-end secure voice products, but with everyone assuming that this refers to the exotic animal, it's also Swedish for "keep silent" (see for example: En Svensk Tiger).


Tiger XS

Although the Tiger XS Office looks like a futuristic desktop phone, it actually consists of a small encryption device which is docked into a desktop cradle with a keypad and handset. The encryption device, the Tiger XS, was originally developed for securing mobile phone communications and has special protections against tampering and so-called TEMPEST attacks.



The Sectra Tiger XS docked into the office unit
(Photo: Sectra - Click to enlarge)


The desktop unit has no encryption capabilities, but with the Tiger XS inserted, it can encrypt landline phone calls and fax transmissions, so it turns into a secure desktop telephone. The Tiger XS enables secure communications on GSM, UMTS, ISDN and the Iridium, Inmarsat and Thuraya satellite networks. When inserted into the office unit, it also works on the standard Public Switched Telephone Network (PSTN).


Workings

On its own, the Tiger XS device can be used to secure certain types of cell phones. For this, the Tiger XS is connected in between a headset (consisting of an earpiece and a microphone) and a mobile phone, to which it connects via Bluetooth. A secure connection is set up by putting a personal SIM-sized access card into the Tiger XS, entering a PIN code and selecting the person to connect to from the phonebook.

What is said into the microphone of the headset is encrypted by the Tiger XS, and this encrypted voice data then goes to an ordinary mobile phone through the Bluetooth connection. The phone sends it over the cell phone network to the receiving end, where another Tiger XS decrypts the data and makes it audible again.



The Tiger XS with personal
access card and headset

Mobility

At first sight it seems to be a very flexible solution: connecting a separate encryption device to common cell phones. But in reality the Tiger XS can only connect to older mobile phones which support the original Circuit Switched Data (CSD) channel and a Bluetooth version that is fully tested and compatible with the way the Tiger XS has to use it. Because of this, the Tiger XS is rarely used with mobile phones anymore, but mostly in combination with the desktop unit.

To restore the intended mobility, Sectra introduced the Tiger 7401 as a replacement for the Tiger XS. The Tiger 7401 is a custom made mobile telephone with a TEMPEST verified design that is capable of encrypting phone calls by itself. In 2014, this new device was ordered to replace the Tiger XS for high-level officials of the Dutch Ministry of Defense.


Encryption

The encryption algorithms used by the Sectra Tiger XS are secret, so we don't know whether public standard algorithms like AES and ECDH are used, or ones that are especially designed for the Dutch government, or a combination thereof. The algorithms and the encryption keys are created by the National Communications Security Bureau (Dutch: Nationaal Bureau voor Verbindingsbeveiliging or NBV), which is part of the General Intelligence and Security Service AIVD.

This bureau has approved the Tiger XS for communications up to and including the level Secret (in Dutch marked as Stg. Geheim) in 2007. In the Netherlands, there's no phone that is approved for communications at the level Top Secret (Stg. Zeer Geheim), so these matters cannot be discussed over phones that use public networks. This is different from the US, where there are secure telephones approved for Top Secret and even above.

Encrypted communication is only possible if both ends use compatible equipment and keys: the sender to encrypt the call and the receiver to decrypt it. This means that everyone with whom the prime minister needs a secure line also has to have a Tiger XS. That's why we can see this device also on the desk of, for example, the Dutch foreign minister:



The desk of the Dutch foreign minister in 2013. Between the computer
and a Cisco 7965 IP phone we see the Sectra Tiger XS Office.
(photo: Ministerie van Buitenlandse Zaken - Click for the full picture)


Management

Besides encrypting phone calls and text messages, the Tiger XS also provides user authentication, so one can be sure to talk to the right person. For the actual implementation of these features there are centrally managed user groups.

This remote management, which includes supplying up-to-date phonebooks and encryption keys for the Tiger XS devices is provided by Fox-IT, a Dutch cybersecurity company founded in 1999. Since Dutch state secrets are involved, it is considered essential that this remote management is in the hands of a trusted Dutch partner.

The partnership between Fox-IT for the management and Sectra as the supplier of the hardware was established in 2007 by the VECOM (Veilige Communicatie or Secure Communications) contract. Under this contract all Dutch cabinet members and high-level officials of their departments are provided with secure phones.
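To show what "both ends have to have a Tiger XS" and the centrally managed user groups amount to in protocol terms, here is an added Go example. It is not Sectra's or Fox-IT's design, whose algorithms are secret; it uses public primitives from Go's standard library (Ed25519, X25519 and AES-256-GCM; crypto/ecdh needs Go 1.20 or later) and a deliberately simplified key derivation. A key-management authority certifies each terminal's identity key; two terminals exchange ephemeral keys signed with those identities, verify each other against the shared authority, derive a call key and encrypt voice frames; a terminal enrolled by a different authority is refused. The names, the message layout and the two-step check are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authority is one user group's central key management: it signs the identity key of
// every terminal it enrols, which is what lets group members authenticate each other.
type Authority struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewAuthority() *Authority {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authority{pub, priv}
}

// Terminal is one secure phone: its identity key, the authority's signature over name and
// key (its phonebook entry) and the authority key it trusts.
type Terminal struct{ Name string; idPub, trust ed25519.PublicKey; idPriv ed25519.PrivateKey; cert []byte }

func (a *Authority) Enroll(name string) *Terminal {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Terminal{name, pub, a.pub, priv, ed25519.Sign(a.priv, append([]byte(name), pub...))}
}

// Hello is one side's handshake message; Sig binds the ephemeral X25519 key Eph to the identity key.
type Hello struct{ Name string; IdPub ed25519.PublicKey; Cert, Eph, Sig []byte }

func (t *Terminal) hello(eph *ecdh.PrivateKey) Hello {
	e := eph.PublicKey().Bytes()
	return Hello{t.Name, t.idPub, t.cert, e, ed25519.Sign(t.idPriv, append([]byte(t.Name), e...))}
}

// accept checks that the peer is certified by the same key management and owns its ephemeral
// key, then derives the per-call AES-256-GCM key from the X25519 shared secret.
func (t *Terminal) accept(eph *ecdh.PrivateKey, peer Hello) (cipher.AEAD, error) {
	if !ed25519.Verify(t.trust, append([]byte(peer.Name), peer.IdPub...), peer.Cert) {
		return nil, errors.New(peer.Name + ": not certified by our key management")
	}
	if !ed25519.Verify(peer.IdPub, append([]byte(peer.Name), peer.Eph...), peer.Sig) {
		return nil, errors.New(peer.Name + ": ephemeral key not signed by identity key")
	}
	peerEph, err := ecdh.X25519().NewPublicKey(peer.Eph)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peerEph)
	if err != nil {
		return nil, err
	}
	// Simplified KDF (assumption; a product would use HKDF): hash the secret with both ephemeral
	// keys in sorted order, so the key is bound to this exchange and identical on both sides.
	lo, hi := eph.PublicKey().Bytes(), peer.Eph
	if string(lo) > string(hi) {
		lo, hi = hi, lo
	}
	key := sha256.Sum256(append(append(append([]byte{}, shared...), lo...), hi...))
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}

// Call runs the handshake between two terminals and returns each side's session cipher;
// it fails if either side rejects the other.
func Call(a, b *Terminal) (sa, sb cipher.AEAD, err error) {
	ea, _ := ecdh.X25519().GenerateKey(rand.Reader)
	eb, _ := ecdh.X25519().GenerateKey(rand.Reader)
	if sa, err = a.accept(ea, b.hello(eb)); err == nil {
		sb, err = b.accept(eb, a.hello(ea))
	}
	return
}

// Seal encrypts one voice frame under a fresh random 96-bit nonce, prepended to the ciphertext.
func Seal(s cipher.AEAD, frame []byte) []byte {
	nonce := make([]byte, s.NonceSize())
	rand.Read(nonce)
	return s.Seal(nonce, nonce, frame, nil)
}

// Open fails on any frame that was not produced under the same session key.
func Open(s cipher.AEAD, pkt []byte) ([]byte, error) {
	if n := s.NonceSize(); len(pkt) >= n {
		return s.Open(nil, pkt[:n], pkt[n:], nil)
	}
	return nil, errors.New("short packet")
}

func main() {
	auth := NewAuthority()
	sa, sb, _ := Call(auth.Enroll("PM"), auth.Enroll("ForeignMinister"))
	plain, err := Open(sb, Seal(sa, []byte("voice frame 1")))
	fmt.Printf("decrypted %q, err=%v\n", plain, err)
	// A phone enrolled by a different key management shares no trust anchor, so the call fails.
	_, _, err = Call(auth.Enroll("PM"), NewAuthority().Enroll("ForeignHeadOfState"))
	fmt.Println("cross-group call:", err)
}
```

Two caveats a practitioner would add. Random 96-bit nonces are fine for the short calls shown, but a product would use a per-direction counter so that the receiver can also detect replayed and reordered frames. And the user authentication comes from the certificate covering the name together with the key: a terminal cannot present a valid certificate under someone else's name, and a phone provisioned by another organisation, such as a foreign government's, has no common trust anchor and is refused, which is the protocol-level reason a call to a foreign head of state cannot be secured this way.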


Usage

The Tiger XS has also been installed at all government departments in order to provide secure fax transmissions, for example to distribute the necessary documents for the weekly Council of Ministers meeting. Dutch embassies and military units deployed overseas probably also use the Tiger XS for securing satellite communications. For this, Sectra also developed a mobile Tiger XS manpack.

The fact that the Tiger XS uses highly sensitive technology and secret encryption methods, also means that it is not possible to use this device to make secure phone calls to for example foreign heads of state. That's the reason why, as we can see in the picture below, prime minister Rutte used his standard non-secure phone when he was called by US president Obama in 2010:



Prime minister Mark Rutte talks with president Obama
In front of him is probably his Blackberry
(photo: RVD, November 2, 2010)



The mobile phones of prime minister Rutte

Besides the three landline telephones, current prime minister Mark Rutte also uses an iPhone 4 and a Blackberry. He is seen with these devices on several photos, and Rutte also confirmed that he uses a Blackberry when he publicly admitted that it accidentally fell into a toilet in January 2011.

The iPhone is probably his private phone, because the Blackberry is the device used by Rutte's own Department of General Affairs, as well as by other departments, including those of Foreign Affairs and Social Affairs. Blackberrys are preferred by many companies and governments because they provide standard encryption for chat and e-mail messages between the handset and the organisation's Blackberry Enterprise Server (BES); note that this protects the path to the organisation's own server, where messages are decrypted, rather than being end-to-end to the recipient.



Prime minister Rutte showing his iPhone during
a school visit in Heerhugowaard, September 3, 2014


Blackberrys do not encrypt voice, but the Dutch computer security company Compumatica has developed a solution called CompuMobile, which consists of a MicroSD card that can be inserted into a Blackberry and then encrypts phone calls and text messages by using the AES 256 and ECDH algorithms. CompuMobile has been approved for communications at the lowest Dutch classification level (Departementaal Vertrouwelijk) in 2012, but whether government departments actually use it, is not known.

Without this security measure, phone calls from both the iPhone and the Blackberry of prime minister Rutte can rather easily be intercepted by foreign intelligence agencies, just like NSA apparently did with the non-secure cell phone of his German counterpart.




The prime minister's phones in 2006

The telephones that are currently installed in the office of prime minister Mark Rutte can be compared with those from his predecessor, prime minister Jan Peter Balkenende. From his office we have this picture, which gives a great view on the communication devices on his desk:



Former prime minister Jan Peter Balkenende (left) being interviewed
by Willem Breedveld (right) in his Torentje office, May 2006.
(photo: Werry Crone/Trouw - Click for the full picture)


In this picture we see from the left to the right the following three phones, all of them provided by KPN, the former state owned landline operator of the Netherlands:
1. Ericsson DBC212 (black)
2. Siemens Vox 415 (gray)
3. Ericsson Vox 120 (white)



1. The Ericsson DBC212

This is the same telephone which is still in use today, as we could see in the pictures above. It's a common office telephone made by the Swedish company Ericsson and which is part of the internal private branch exchange (PBX) network of the Department of General Affairs.


2. The Siemens Vox 415

The dark gray Vox 415 was an ordinary telephone from a series that was manufactured by Siemens for both home and office use. For private customers this model was sold by KPN under the name Bari 10.

This phone has no security features whatsoever, but as it is in the same place where later the Sectra Tiger XS Office sits, it seems very likely the Vox 415 was also used for secure communications.

For that, it was probably connected to a separate encryption device, maybe one that was compatible with the PNVX, the secure phone which was manufactured by Philips and used by the Dutch government since the late 1980s.


3. The Ericsson Vox 120

The Vox 120 was the business version of a telephone developed by Ericsson around 1986 and that was sold for home use under the name Twintoon. Attached to the back is a separate speaker unit so a third person can listen in to a conversation.

In the bottom left corner the phone has a black label with its extension number for the National Emergency Network (Dutch: Nationaal Noodnet or NN). This was a separate network which enabled government agencies to communicate with emergency services when the public telephone network collapsed.

The National Emergency Network was established in 1991 and was operated by KPN. It had some 5500 connections for 2500 end users, like the departments of the national government, city halls, hospitals, and local police and firefighter headquarters. As of January 2012, it was replaced by the IP-based Emergency Communications Provision NCV (see above).



Links and sources
- Background article in Dutch: De wereld van staatsgeheim geheim (2007)
- Academic paper about Secure Text Communication for the Tiger XS (pdf) (2006)
- The first version: Tiger XS Mobile security terminal (2005)

German investigation of the cooperation between NSA and BND (I)

(Updated: November 28, 2014)

In Germany, a parliamentary commission is currently investigating the relationship between the National Security Agency (NSA) and the German foreign intelligence service Bundesnachrichtendienst (BND).

Initially the hearings were about the main accusations made by Edward Snowden about NSA spying on countries like Germany, and the experts only provided the usual statements that had already been heard many times since last year.

But recently the commission focussed on the cooperation between NSA and BND and a number of officials of the German agency were heard. Their statements provided very interesting details about how BND is operating and how they were cooperating with NSA. As all this is only in German, we will start providing summaries in English of the most interesting parts of these hearings.



The room where the hearings of the parliamentary committee take place
(photo: DPA)


The committee of inquiry (in German: NSA-Untersuchungsausschuss, twitter hashtag: #NSAUA) was installed on March 20, 2014. It consists of eight members of parliament and is now led by professor Patrick Sensburg from the Christian Democrat CDU/CSU group. He succeeded Christian Binninger, who resigned after just 6 days because the opposition parties seemed only interested in hearing Edward Snowden.

The goal of the committee is to investigate the extent and the backgrounds of espionage in Germany conducted by foreign agencies. A detailed listing of all the tasks of the committee in English is in this document (pdf).


Time path

The committee wants to hear over one hundred witnesses and experts, including CEOs of US internet companies like Mark Zuckerberg (Facebook), Eric Schmidt (Google) and Tim Cook (Apple). Also German chancellor Merkel, former and current federal ministers and the directors of German intelligence agencies are invited to appear before the committee.

Because of this, the hearings will last throughout the next year and the final report with the recommendations is expected late 2016. According to an explanation by chairman Sensburg, the current hearings about the NSA-BND cooperation will continue at least until early 2015, then the investigation will shift to the Five Eyes. The exact schedule will be decided upon by all committee members.

The witnesses are not under oath, but if they lie or give a false testimony, that's a criminal offence for which they can be prosecuted.


Edward Snowden

Right from the beginning, opposition members of the committee made a big point of inviting Edward Snowden for a hearing, but the German government refused to provide a visa and guarantees for his security.

Chairman Sensburg however was skeptical about how useful a hearing of Snowden could be, given the fact that he was never tasked with spying on Germany and so far hadn't provided any new information that was not already on the internet (he probably meant that Snowden only speaks about things as far as they have been published by media outlets and almost never goes beyond that on his own).

Then in June 2014, Snowden let his lawyer say that there was no opportunity for him to meet a delegation of the committee in Moscow.


Glenn Greenwald

A hearing of Glenn Greenwald was scheduled for September 11, 2014, but in August he refused the invitation, because he thinks the committee isn't interested in a serious investigation of NSA spying on German citizens. With Snowden not being heard, the whole inquiry became a ritual, according to Greenwald.

Greenwald's refusal might also have to do with his misinterpretation of the BOUNDLESSINFORMANT charts. Last year he published them as proof of NSA's spying on the citizens of various European countries, including Germany, but afterwards it came out that the charts were actually about data collected by European military intelligence agencies, who shared them with NSA.

Apparently the committee didn't ask for access to the Snowden-documents itself, which is strange, as one full copy is in the hands of filmmaker Laura Poitras, who lives in Berlin. It's not known whether Poitras was also invited for a hearing.


Security measures

Besides public hearings, the committee also conducts hearings behind closed doors, so witnesses can be questioned about sensitive and classified topics. These hearings take place in a highly secured room (Geheimschutzstelle), where the committee members can also access the over 800 file folders with both classified and unclassified documents provided by the government. When witnesses are heard, all attendants have to put their phones and tablets into a metal box, and classical music is played in order to prevent any kind of eavesdropping.*

Despite these security measures, some strange espionage incidents have already occurred: in early July 2014, a low-level BND employee was arrested on suspicion of collecting information about the investigation committee for the CIA. Also, some members of parliament had indications that communications from their mobile phones had been intercepted. After this, the senior members of the committee were provided with secure mobile phones.



Sign outside the highly secured room where the
hearings behind closed doors take place
(photo: Konstantin von Notz @ Twitter)


Public hearings

The public hearings of experts can be recorded, but when witnesses, like BND officials, are heard, it's not allowed to make video or audio recordings or take pictures. Therefore, some people from the visitor's bench reported via Twitter, and at every meeting there was also a volunteer from the German digital civil rights website Netzpolitik.org who kept a live blog.


Here we will start listing all the committee meetings with a public hearing, including a summary of the most interesting information from the testimonies:



5th Meeting, May 22, 2014 (Transcript):

- Hearing of experts in constitutional law: Wolfgang Hoffmann-Riem, Matthias Bäcker, Hans-Jürgen Papier

It was not the best choice to ask the opinion of these legal experts first, before all other witnesses, including BND-employees, were heard. They could therefore only testify in a very general way, based on the media stories, which, as we have seen in multiple cases, were often exaggerated and not always correct. Legal opinions only make sense when all the relevant facts are known, because every detail can make a difference.

The reason for this was apparently that the committee started quite unsystematically, in part because the members had to work themselves into the complex topic, but also because they were divided and focussed only on Snowden. At some point they realized that this went nowhere, and changed their method. They decided to first focus on BND, because here they had some power to demand witnesses and documents from the German government. And the hope was to "incidentally" get some insight into the foreign agencies as well.



7th Meeting, June 5, 2014 (Transcript - Video-stream):

- Hearing of experts in international law: Stefan Talmon, Helmut Philipp Aust, Douwe Korff, Russell A. Miller (Washington), Ian Brown (Oxford)



?th Meeting, June 26, 2014 (Transcript):

- Hearing of technical experts: Michael Waidner (Fraunhofer Institut), Sandro Gaycken, Christopher Soghoian (ACLU). The latter could not be there in time, so in his place Frank Rieger (Chaos Computer Club) was heard



11th Meeting, July 3, 2014 (Transcript):

- Hearing of former NSA whistleblowers: William Binney, Thomas Drake

Binney presented himself as a technical director at NSA, although other sources say he was just a crypto-mathematician. He left the agency in 2001, so about everything that happened after that year he can only speculate. It also seems that he mixed up some things. His main point was that NSA wants to collect everything; for example, NSA needed the huge Utah Data Center because it is eavesdropping on the "whole of humanity".

Thomas Drake said he worked as a security engineer for NSA from 2001 until 2008. He stated that we are standing before the abyss of a panoptical surveillance state. The BND has become a mere vermiform appendix of NSA and is also conducting mass surveillance, both nationally and internationally, Drake said.

As we will see later on, this accusation is strongly denied by BND officials, who, unlike Binney and Drake, also provided some relevant technical insights.


> Next time: Summary of the hearings of various BND employees


> Scheduled meetings with a public hearing:


December 4, 2014 (Transcript)

- Hearing of BND employee Mr. Breitfelder and of Kai-Uwe Ricke (CEO of Deutsche Telekom)



December 5, 2014 (Transcript)

- Hearing of BND employee Mr. Urmann



December 18, 2014 (Transcript)

- Hearing of BND employees Mr. Fechner and Mr. M. Bless



Links and Sources
- Official page of the committee: 1. Untersuchungsausschuss ("NSA")
- Wikipedia-article: NSA-Untersuchungsausschuss
- Internal NSA presentation: Structure of the BND (pdf)

> See also: BND Codewords and Abbreviations

INCENSER, or how NSA and GCHQ are tapping internet cables

(Last edited: November 30, 2014)

Recently disclosed documents show that the NSA's fourth-largest cable tapping program, codenamed INCENSER, pulls its data from just one single source: a submarine fiber optic cable linking Asia with Europe.

Until now, it was only known that INCENSER was a sub-program of WINDSTOP and that it collected some 14 billion pieces of internet data a month. The latest revelations now say that these data are collected with the help of the British company Cable & Wireless (codenamed GERONTIC, now part of Vodafone) at a location in Cornwall in the UK, codenamed NIGELLA.

For the first time, this gives us a view on the whole interception chain, from the parent program all the way down to the physical interception facility. Here we will piece together what is known about these different stages and programs from recent and earlier publications.




The cables tapped at NIGELLA by GERONTIC under the INCENSER and WINDSTOP programs
(Map: ARD.de - Text: Electrospaces.net - Click to enlarge)

 

NIGELLA

Last week's joint reporting by the British broadcaster Channel 4, the German regional broadcasters WDR and NDR and the German newspaper Süddeutsche Zeitung, identified NIGELLA as an interception facility at the intersection of Cable & Wireless and Reliance cables at Skewjack Farm.

There, just north-west of Polgigga Cottage in Cornwall, is a large building that was constructed in 2001 for FLAG Telecom UK Ltd for 5.3 million pounds. It serves as a terminus for the two ends of a submarine optical cable: one from across the Atlantic which lands at the beach of nearby Sennen, and one that crosses the Channel to Brittany in France:

- FLAG Atlantic 1 (FA1)
Connecting the east coast of North America to the United Kingdom and France (6.000 kilometers)

The FLAG Atlantic 1 cable to America consists of 6 fibre pairs, each capable of carrying 40 (eventually up to 52) separate light wavelengths, and each wavelength can carry 10 gigabit/s of traffic. This gives a potential capacity of 2.4 terabit/s per cable. However, in 2009 only 640 gigabit/s were actually used, which apparently rose to 921 gigabit/s in 2011.



The FLAG terminus station in Skewjack Farm, Cornwall
(photo: Sheila Russell - Click to enlarge)


The cable was initially owned by FLAG Telecom, where FLAG stands for Fiber-optic Link Around the Globe. This company was renamed Reliance Globalcom when it became a fully owned subsidiary of the Indian company Reliance Communications (RCOM). In March 2014, Reliance Globalcom was renamed again, this time Global Cloud Xchange (GCX).

More important is another, much longer submarine cable, which was also owned by this company, and which has its landing point on the shore of Porthcurno, a few miles south-west of Skewjack Farm:

- FLAG Europe-Asia (FEA)
Connecting the United Kingdom to Japan through the Mediterranean, with landing points in Egypt, the Arabian Peninsula, India, Malaysia, Thailand, Hong Kong, China, Taiwan, South Korea and Japan (28.000 kilometers)

This cable has 2 fibre pairs, each capable of carrying up to 40 separate light wavelengths, and each wavelength can again carry 10 gigabit/s of traffic. This gives a potential capacity of 800 gigabit/s, but in 2009 only 70 gigabit/s were used, which went up to 130 gigabit/s in 2011, still an unimaginable 130.000.000.000 bits per second.



The FLAG Atlantic 1 and FLAG Europe-Asia landing points
and the Skewjack Farm terminus station
(Map: Channel 4 - Click to enlarge)


The backhaul connection between the FLAG Atlantic 1 (FA1) and the FLAG Europe-Asia (FEA) is provided by a local area network of Cable & Wireless, which also connects both submarine cables to its terrestrial internet backbone network.

According to the newly disclosed GCHQ Cable Master List from 2009, the interception of the FA1 and FEA cables takes place at the intersection with this backhaul connection:


This list also shows that the interception of these two cables is accompanied by a Computer Network Exploitation (CNE) or hacking operation codenamed PFENNING ALPHA. Because the owner of the cables (Reliance Globalcom, now Global Cloud Xchange) is not a cooperating partner of GCHQ, they hacked into its network to obtain additional "router monitoring webpages" and "performance statistics for GTE [Global Telecoms Exploitation]".


Interception equipment

How the actual interception takes place can be learned from an article in The Guardian from June 2013, which provides some details about the highly sophisticated computer equipment at cable tapping points.

First, the data stream is filtered through what is known as MVR (Massive Volume Reduction), which immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads. This reduces the volume by about 30%.


Selectors

The next step is to pull out packets of information that contain selectors like phone numbers and e-mail, IP and MAC addresses of interest. In 2011, some 40,000 of these were chosen by GCHQ and 31,000 by the NSA, according to The Guardian. This filtering is most likely done by devices from Boeing-subsidiary Narus, which can analyse high-volume internet traffic in real-time.

A single NarusInsight machine can monitor traffic up to 10 gigabit/s, so one such device is needed for every 10 gigabit/s wavelength that is fed into it. Filtering the entire traffic that FA1 and FEA carried in 2011 (over 1,000 gigabit/s together) would therefore take more than a hundred of them; a dozen or so suffice only if, as the meetings about selecting cables and wavelengths suggest, just a subset of the wavelengths is tapped. Most of the information extracted in this way is internet content, such as the substance of e-mail messages.


Full sessions

Besides the filtering by using specific selectors, the data are also sessionized, which means all types of IP traffic, like VoIP, e-mail, web mail and instant messages are reconstructed. This is something the Narus devices are also capable of.

These "full take" sessions are stored as a rolling buffer on XKEYSCORE servers: content data for only three to five days, and metadata for up to 30 days. But "at some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours", according to an NSA document from 2008.

The aim is to extract the best 7.5% of the traffic that flows past the access, which is then "backhauled" from the tapping point to GCHQ Bude through two 10 gigabit/s channels (the "egress" capacity). This might be a dedicated cable or a secure VPN path over the regular Cable & Wireless backbone that connects Bude with the south-west of Cornwall:
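The throughput figures above can be checked against each other. The following Python is an added example, not code from the original article or from any of the systems it names: it encodes the cable parameters and the 2009/2011 usage figures quoted in the text, the 30% MVR reduction, the 7.5% selection target and the two 10 gigabit/s egress channels, and derives how many 10 gigabit/s line-rate filtering devices the traffic would need and whether the selected share fits the egress. The stage order (MVR first, then the 7.5% selection applied to what is left) is an assumption.

```python
"""Capacity arithmetic for the NIGELLA access, using only figures quoted in the text.
Added example, not from the original article. All rates are in Gbit/s."""
from __future__ import annotations
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Cable:
    name: str
    fibre_pairs: int
    wavelengths_per_pair: int
    gbit_per_wavelength: int
    used_gbit: dict[int, int]  # year -> Gbit/s actually carried, as quoted in the text

    def design_capacity(self) -> int:
        """Potential capacity = fibre pairs x wavelengths x rate per wavelength."""
        return self.fibre_pairs * self.wavelengths_per_pair * self.gbit_per_wavelength

    def fill_ratio(self, year: int) -> float:
        """Fraction of the design capacity that was actually lit in `year`."""
        return self.used_gbit[year] / self.design_capacity()


FA1 = Cable("FLAG Atlantic 1", 6, 40, 10, {2009: 640, 2011: 921})
FEA = Cable("FLAG Europe-Asia", 2, 40, 10, {2009: 70, 2011: 130})

NARUS_GBIT = 10          # one NarusInsight unit handles 10 Gbit/s
MVR_REJECT = 0.30        # Massive Volume Reduction discards about 30%
SELECT_FRACTION = 0.075  # "the best 7.5%" of the traffic
EGRESS_GBIT = 2 * 10     # two 10 Gbit/s channels to Bude


def carried_gbit(year: int) -> int:
    """Traffic carried by both cables together in `year`."""
    return FA1.used_gbit[year] + FEA.used_gbit[year]


def narus_units(gbit: float) -> int:
    """Number of 10 Gbit/s line-rate devices needed to see `gbit` of traffic."""
    return ceil(gbit / NARUS_GBIT)


def selected_gbit(carried: float) -> float:
    """Volume left after MVR, with the 7.5% selection applied to it (assumed order)."""
    after_mvr = carried * (1 - MVR_REJECT)
    return after_mvr * SELECT_FRACTION


def egress_fits(carried: float) -> bool:
    """Does the selected share of `carried` fit into the two egress channels?"""
    return selected_gbit(carried) <= EGRESS_GBIT


def max_carried_for_egress() -> float:
    """Largest carried volume whose selected share still fits the egress."""
    return EGRESS_GBIT / ((1 - MVR_REJECT) * SELECT_FRACTION)


if __name__ == "__main__":
    total = carried_gbit(2011)
    for cable in (FA1, FEA):
        print(f"{cable.name}: design {cable.design_capacity()} Gbit/s, "
              f"2011 fill {cable.fill_ratio(2011):.0%}")
    print(f"carried 2011: {total} Gbit/s -> {narus_units(total)} Narus units at line rate")
    print(f"7.5% after MVR: {selected_gbit(total):.1f} Gbit/s; "
          f"fits {EGRESS_GBIT} Gbit/s egress: {egress_fits(total)}")
    print(f"max carried that fits egress: {max_carried_for_egress():.1f} Gbit/s")
```

Run as a script it prints the figures. With the 2011 load of 1,051 gigabit/s, filtering everything at line rate would take over a hundred 10 gigabit/s units, and 7.5% of the post-MVR traffic would be roughly 55 gigabit/s, far more than the 20 gigabit/s egress. The numbers in the text are therefore consistent only if the selection and the device count refer to the subset of wavelengths actually tapped, which under these assumptions can carry at most about 380 gigabit/s.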



The Cable & Wireless internet backbone (yellow) in Cornwall
and the connections to submarine fiber-optic cables (red)
(Click for the full map)

 

GERONTIC (Cable & Wireless)

The secret GCHQ documents about these cable tapping operations refer to the cooperating telecommunications provider only by the cover name GERONTIC. The real name is protected by STRAP 2 dissemination restrictions, but German media had already revealed last year that GERONTIC is Cable & Wireless.

In July 2012, Cable & Wireless Worldwide was taken over by Vodafone for 1.04 billion pounds, but according to the GCHQ documents the cover name GERONTIC continued to be used and was seen active until at least April 2013.

According to the press reports, GCHQ had access to 63 undersea internet cables, 29 of which with the help of GERONTIC. This accounted for about 70% of the total amount of internet data that GCHQ had access to in 2009.

Cable & Wireless was involved in these 29 cables, either because it had Direct Cable Ownership (DCO), an Indefeasible Right of Use (IRU) or Leased Capacity (LC). Besides that, the GCHQ Cable Master List from 2009 lists GERONTIC also as a landing partner for the following nine cables:
- FLAG Atlantic 1 (FA1)
- FLAG Europe-Asia (FEA)
- Apollo North
- Apollo South
- Solas
- UK-Netherlands 14
- UK-France 3
- Europe India Gateway (EIG)
- GLO-1

Disclosed excerpts from internal GCHQ wiki pages show that Cable & Wireless held regular meetings with GCHQ from 2008 until at least 2010 in order to improve the access possibilities, like selecting which cables and wavelengths would provide the best opportunities for catching the communications GCHQ wanted.

GCHQ also paid Cable & Wireless tens of millions of pounds for its expenses. For example, 6 million pounds were paid in February 2009, and a 2010 budget references a 20.3 million pound payment to the company. By comparison, NSA paid all its cooperating telecommunications companies a total of 278 million dollars in 2013.


The intensive cooperation between Cable & Wireless and GCHQ may not come as a surprise to those who know a bit more of British intelligence history. The company already worked with predecessors of GCHQ during World War I: all international telegrams were handed over so they could be copied before being sent on their way, a practice that continued for over 50 years.*

 

INCENSER (DS-300)

Among the documents about the GCHQ cable tapping is also a small part of an internal glossary. It contains an entry about INCENSER, which says that this is a special source collection system at Bude. This is further specified as the GERONTIC delivery from the NIGELLA access, which can be viewed in XKEYSCORE (XKS):



This entry was also shown in the German television magazine Monitor, not in full but without the redactions, so from that source we know the few extra words that were redacted here for some reason.

The entry also says that INCENSER traffic is labeled TICKETWINDOW with the SIGINT Activity Designator (Sigad) DS-300. From another source we know that TICKETWINDOW is a system that makes cable tapping collection available to 2nd Party partners. The exact meaning of Sigads starting with DS isn't clear, but probably also denotes 2nd Party collection.


TEMPORA

In Bude, GCHQ has its Regional Processing Center (RPC), which in 2012 had a so-called "Deep Dive" processing capability for 23 channels of 10 gigabit/second each under the TEMPORA program.

TEMPORA comprises different components, like the actual access points to fiber-optic cables, a Massive Volume Reduction (MVR) capability, a sanitisation program codenamed POKERFACE, and the XKEYSCORE system. As we have seen, most of the hardware components are located at the interception point, in this case the facility in Skewjack (NIGELLA).


Analysing

These collection systems can be remotely instructed ("tasked") from Bude, or perhaps even from NSA headquarters. Partly this involves entering "strong selectors" like phone numbers and internet addresses; partly it uses the additional capabilities of XKEYSCORE.

Because the latter system buffers full-take sessions, analysts can also run queries using "soft selectors", like keywords, against the body text of e-mail and chat messages, digital documents and spreadsheets in English, Arabic and Chinese. XKEYSCORE also allows analysts to look for the use of encryption, of a VPN or of the TOR network, and a number of other things that could lead to a target.

This is particularly useful for tracing a target's internet activities that are performed anonymously and therefore cannot be found just by looking for the target's known e-mail addresses. When such content has been found, the analyst may discover new intelligence or new strong selectors, which can then be used to start a traditional search.
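The buffer-and-query stage described in the Selectors, Full sessions and Analysing paragraphs above, as an added Python example that is not code from the original article or from XKEYSCORE itself: sessionized records sit in a rolling buffer whose content expires before its metadata, strong selectors are matched exactly against identity and address fields, soft selectors are keyword searches over whatever content is still retained, and identities found by a soft search become candidate new strong selectors. The record layout and the sample sessions (documentation IP ranges, invented identities) are constructed for the example.

```python
"""Toy model of a rolling full-take buffer with strong- and soft-selector queries.
Added example, not code from the original article; record fields are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Retention figures quoted in the text for the XKEYSCORE rolling buffer.
CONTENT_RETENTION = timedelta(days=3)     # content: three to five days (lower bound used)
METADATA_RETENTION = timedelta(days=30)   # metadata: up to 30 days


@dataclass
class Session:
    """One reconstructed (sessionized) exchange; field names are assumptions."""
    ts: datetime
    proto: str            # e.g. "smtp", "webmail", "xmpp"
    src_ip: str
    dst_ip: str
    src_id: str           # e-mail address, account name or phone number
    dst_id: str
    body: Optional[str]   # content; set to None once its retention has passed


class RollingBuffer:
    def __init__(self) -> None:
        self.sessions: list[Session] = []

    def ingest(self, s: Session) -> None:
        self.sessions.append(s)

    def expire(self, now: datetime) -> None:
        """Drop content after CONTENT_RETENTION, the whole record after METADATA_RETENTION."""
        kept = []
        for s in self.sessions:
            age = now - s.ts
            if age > METADATA_RETENTION:
                continue
            if age > CONTENT_RETENTION:
                s.body = None
            kept.append(s)
        self.sessions = kept

    def strong_query(self, selectors: set[str]) -> list[Session]:
        """Exact match of tasked strong selectors against identity and address fields."""
        wanted = {x.lower() for x in selectors}
        return [s for s in self.sessions
                if {s.src_ip, s.dst_ip, s.src_id.lower(), s.dst_id.lower()} & wanted]

    def soft_query(self, keywords: set[str]) -> list[Session]:
        """Keyword search over bodies still in the buffer; expired content cannot match."""
        kws = {k.lower() for k in keywords}
        return [s for s in self.sessions
                if s.body is not None and any(k in s.body.lower() for k in kws)]


def pivot_selectors(hits: list[Session], known: set[str]) -> set[str]:
    """Identities seen in soft-selector hits that are not yet tasked: candidate strong selectors."""
    found = {i for s in hits for i in (s.src_id.lower(), s.dst_id.lower())}
    return found - {k.lower() for k in known}


SAMPLE_NOW = datetime(2014, 11, 30)


def build_sample_buffer(now: datetime = SAMPLE_NOW) -> RollingBuffer:
    """Constructed sample sessions (documentation addresses, invented identities), not real data."""
    buf = RollingBuffer()
    buf.ingest(Session(now - timedelta(days=1), "webmail", "203.0.113.5", "198.51.100.7",
                       "amir@example.net", "khan@example.org", "Meeting in Peshawar next week"))
    buf.ingest(Session(now - timedelta(days=10), "smtp", "192.0.2.9", "198.51.100.7",
                       "someone@example.com", "KHAN@example.org", "Call me on the new number"))
    buf.ingest(Session(now - timedelta(days=40), "smtp", "192.0.2.9", "198.51.100.7",
                       "someone@example.com", "khan@example.org", "Old traffic"))
    buf.ingest(Session(now - timedelta(days=2), "xmpp", "203.0.113.77", "198.51.100.20",
                       "anon123@example.com", "friend@example.org", "Arriving in Peshawar on Friday"))
    buf.expire(now)
    return buf


if __name__ == "__main__":
    buf = build_sample_buffer()
    tasked = {"khan@example.org"}
    print("retained:", len(buf.sessions), "of 4 sessions")
    print("strong hits:", [(s.proto, s.src_id) for s in buf.strong_query(tasked)])
    soft = buf.soft_query({"peshawar"})
    print("soft hits:", [(s.proto, s.src_id) for s in soft])
    print("new selectors:", sorted(pivot_selectors(soft, tasked)))
```

Of the four constructed sessions, the 40-day-old one is gone entirely and the 10-day-old one survives as metadata only, so it still answers a strong-selector query on the tasked address but can no longer be found by keyword. The keyword search turns up a session from an untasked account, which is exactly the pivot the text describes: a soft selector yields new strong selectors.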


Possible targets

The disclosed GCHQ documents contain no specific targets or goals for the INCENSER program, which gave Channel 4 the opportunity to claim that this Cable & Wireless/Vodafone access allows "Britain's spies to gather the private communications of millions of internet users worldwide". Vodafone, which also has a large share of the telecommunications market in Germany, was even linked to the eavesdropping on chancellor Merkel.

Both claims are rather sensationalist. Merkel's phone was probably tapped by other means, and neither GCHQ nor NSA is interested in the private communications of ordinary internet users. On the contrary: by tapping into a submarine cable that connects to Asia and the Middle East, INCENSER looks rather focused on high-priority targets in the latter region.

Reporting

Although INCENSER is NSA's fourth-largest cable tapping program in terms of the volume collected, the intelligence reports that analysts are able to write based upon it only reached the 11th position among contributors to the President's Daily Brief, according to a slide from a 2010 presentation about Special Source Collection, published by The Washington Post in October last year:



 

WINDSTOP (2nd Party)

Data collected under the INCENSER program are not only used by GCHQ, but also by NSA, which groups such 2nd Party sources under the codename WINDSTOP. As such, INCENSER was first mentioned in a slide published by the Washington Post in October 2013 for a story about the MUSCULAR program:




According to NSA's Foreign Partner Access budget for 2013, which was published by Information and The Intercept last June, WINDSTOP involves all 2nd Party countries (primarily Britain, but also Canada, Australia and New Zealand) and focuses on access to (mainly internet) "communications into and out of Europe and the Middle East" through an integrated and overarching collection system.

MUSCULAR is a program under which cables linking big data centers of Google and Yahoo are tapped. The intercept facility is also located somewhere in the United Kingdom and the data are processed by GCHQ and NSA in a Joint Processing Centre (JPC) using the Stage 2 version of XKEYSCORE.


A new slide from this presentation about WINDSTOP was published by Süddeutsche Zeitung on November 25, which reveals that a third program is codenamed TRANSIENT THURIBLE. About this program The Guardian reported once in June 2013, saying that it is an XKeyscore Deep Dive capability managed by GCHQ, with metadata flowing into NSA repositories since August 2012.




In November 2013, the Washington Post published a screenshot from BOUNDLESSINFORMANT with numbers about data collection under the WINDSTOP program. Between December 10, 2012 and January 8, 2013, more than 14 billion metadata records were collected:




The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue. The section in the center of the lower part shows these data were collected by the following programs:

- DS-300 (INCENSER): 14100 million records
- DS-200B (MUSCULAR): 181 million records

XKEYSCORE, which is used to index and search the data collected under the INCENSER program, can be seen in the bottom right section of the chart.


With just over 14 billion pieces of internet data a month, INCENSER is the NSA's fourth-largest cable tapping program, accounting for 9% of the total amount collected by Special Source Operations (SSO), the division responsible for collecting data from internet cables. According to another BOUNDLESSINFORMANT chart, the NSA's Top 5 of cable tapping programs is:

SSO worldwide total:                  160.168.000.000 (100%)

DANCINGOASIS:                          57.788.148.908  (36%)
SPINNERET (part of RAMPART-A):         23.003.996.216  (14%)
MOONLIGHTPATH (part of RAMPART-A):     15.237.950.124   (9%)
INCENSER (part of WINDSTOP):           14.100.359.119   (9%)
AZUREPHOENIX (part of RAMPART-A):      13.255.960.192   (8%)
...
Other programs:                                         (24%)


It's remarkable that one single cable access (NIGELLA in Cornwall) provides almost one tenth of everything NSA collects from internet cables. This also means that, besides a large number of small cable accesses, NSA can only have access to a few more cables with a capacity as high as that of FA1 and FEA.





Links and Sources
- The recently disclosed documents about GCHQ cable tapping:
   - NetzPolitik.org: Cable Master List: Wir spiegeln die Snowden-Dokumente über angezapfte Glasfasern, auch von Vodafone
   - Sueddeutsche.de: Snowden-Leaks: How Vodafone-Subsidiary Cable & Wireless Aided GCHQ’s Spying Efforts
- ArsTechnica.com: New Snowden docs: GCHQ’s ties to telco gave spies global surveillance reach
- Sueddeutsche.de: Vodafone-Firma soll GCHQ und NSA beim Spähen geholfen haben
- WDR.de: Neue Snowden-Dokumente enthüllen Ausmaß der Zusammenarbeit von Geheimdiensten und Telekommunikationsunternehmen
- TheRegister.co.uk: REVEALED: GCHQ's BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE
- Weblog about UK Submarine Cable Landings & Cable Stations
- Article about Explaining submarine system terminology – Part 1

Thanks also to Henrik Moltke

Update on tapping German chancellor Merkel's phone



Over the last days, there were some new developments regarding the eavesdropping on the mobile phone of the German chancellor Angela Merkel, which was revealed in October last year. It was clarified that the record from an NSA database that was presented as evidence for this tapping, wasn't actually an original NSA document, but just a transcription.

Also, this database record wasn't among the Snowden-documents. This means the information about monitoring Merkel's phone was not provided by Edward Snowden, but by another leaker, something that many people may not have been aware of.


Criminal investigation

In June of this year, the highest German public prosecutor (Generalbundesanwalt) started a criminal investigation against NSA regarding the alleged eavesdropping on chancellor Merkel. Last month it was reported that this case had been closed as no sufficient evidence had been found, but this was not fully correct.

In his annual press conference on December 11, prosecutor Harald Range said that the investigation of the eavesdropping on chancellor Merkel is still going on:



Annual press conference of the federal public prosecutor Harald Range
(information about the Merkel eavesdropping starts at 23:20)


Regarding the eavesdropping case, prosecutor Range said the following things:

- The phone number which is at stake is not registered by the German Chancellery, but it's a number that has been used since 1999 by the headquarters of Merkel's party CDU. Therefore the number wasn't used by Gerhard Schröder (chancellor from the SPD party from 1998-2005).

- The document (see below) that was publicly presented as a proof of this eavesdropping is not an authentic NSA interception order, nor is it from an NSA database. Actually, it was made by a reporter of Der Spiegel, based upon an NSA document he had seen.

- The prosecutor asked the editors of Der Spiegel to hand over the original document or to be questioned about it, but this was refused pointing to the journalist's privilege to protect their sources. NSA was asked for a statement through the BND, but also refused to comment.

- Under these circumstances, therefore, a serious evaluation of the authenticity of the document is not possible.

- Through his German lawyer, Edward Snowden was also given the opportunity to provide a written statement, but until now there was no reaction.

- Presently, there is no sufficient evidence that could lead to an indictment, but the case is not yet closed. The investigation continues, and this will also include the results of the parliamentary committee that is currently investigating NSA spying activities.

- Based upon the Snowden revelations and other media reports it can be assumed that, in general, foreign intelligence agencies are trying to spy on German targets by electronic means. But according to German law that is not enough to open a criminal case, because that would be investigating without reasonable suspicion, which the public prosecutor isn't allowed to do under the rule of law. Where necessary, such investigations are the responsibility of the security services.


Misinterpretation

Parts of what prosecutor Range said was misinterpreted by a number of foreign news websites, like Business Insider UK and Vox.com, which said that the NSA document might not be authentic or even faked by Der Spiegel.

It seems these media only took the first part of Range's statement that the document "was made by a reporter of Der Spiegel, based upon an NSA document he had seen" and overlooked/left out the last part.

Although the German public prosecutor's office couldn't find any concrete evidence for the eavesdropping by NSA, Der Spiegel stresses that neither NSA nor the US government has denied that phone calls of chancellor Merkel had been monitored.


A second leaker

After the public prosecutor's press conference, Der Spiegel provided a statement saying that prior to their reporting about the eavesdropping on chancellor Merkel, they had access to information from an NSA database, which it copied.

This sounds like Der Spiegel got access to the content of an NSA database from which it selected and copied the information related to chancellor Merkel. But in the book "Der NSA Komplex" written by Spiegel reporters Marcel Rosenbach and Holger Stark, it is said that early October 2013, "we received the excerpt from an NSA database about Merkel's cell phone".*

That phrase suggests that someone from outside, and someone other than Edward Snowden, provided Der Spiegel with just that one particular record which includes Merkel's phone number. How and in what form is not said. Greenwald confirms that this information didn't come from Snowden, and earlier on Bruce Schneier was also convinced that it came from a second leaker.


Just a transcription

After having obtained the database record, Der Spiegel presented it to the Chancellery, so they could verify it. According to their statement, Der Spiegel made it very clear that this information was not an original document, but just a transcription. Apparently for this reason, the magazine never published the database record, but only reported about its contents.

However, some other German newspapers somehow managed to get a copy of the letter that was sent to the Chancellery and published it in their print editions. One of them was the tabloid paper BILD, from which this scan was made:




So what we see here is a printed copy of a copy (made by xerox, scanner or a mobile phone camera, which explains the fuzziness) of the print on a DIN A4 sheet of paper that was sent to Merkel's Chancellery.

This may have been a xerox copy of the excerpt which the mysterious source handed over to Der Spiegel, but more likely (otherwise it could be used to trace the source) a reporter copied the original text by hand. He probably used an Apple computer, as the result is set in the Ayuthaya font, which comes with Apple's OS X.

For a detailed explanation of the record: How NSA targeted chancellor Merkel's mobile phone

Right after this "document" was first published, some people wondered why it looks like a piece of paper, whereas all other leaked NSA documents are digital files (with a few similar exceptions though). This has now been cleared, but again we see that it can take some time and some pressure before such questions are answered.


From which database?

Initially, Der Spiegel reported that the record that mentions Merkel's phone number comes from an NSA database in which the agency records its targets.* My suggestion was that this could have been a database codenamed OCTAVE, which was used for tasking telephony targets, but which reportedly was replaced by the Unified Targeting Tool (UTT) in 2011.

But a more recent Spiegel article from early June 2014, seems to say that it's an entry from the NYMROD database. A slide in which Merkel was listed among 122 other heads of state in the NYMROD database was published by Der Spiegel on March 29, 2014. This slide was from an NSA presentation about content extraction analytics that was fully published in June.

However, in another NSA document it is explained that NYMROD is a name-matching system that is used for finding "garbled or misspelled names" of targets. It contains names taken from CREST (a translating database) and from intelligence reports from NSA, CIA and DoD databases.

If we compare that function with the data in the record that was published, it seems not very likely that the entry is from NYMROD. A tasking database still seems the best option.



Links and Sources
- Spiegel.de: When Germany's federal prosecutor appeared to discredit SPIEGEL
- Golem.de: Spiegel soll NSA-Dokument zu Merkel-Handy hergestellt haben
- LittleGreenFootballs.com: Did a German Prosecutor Really Claim That Der Spiegel’s NSA Document Was a Fake?

German investigation of the cooperation between NSA and BND (II)



This is the second report about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

Here we provide summaries of the hearings of a number of BND employees, who provided some interesting details about satellite interception at the Bad Aibling station, the subsequent processing and storage of data and also about the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website Netzpolitik.org, who attended the hearings.
BND employees are designated by initials, not of their real names but of the cover names they use at work(!).




The room where the hearings of the parliamentary committee take place
(photo: DPA)


14th Meeting, September 25, 2014 (Transcript)

- Hearing of the witness Mr. R. U. (BND, head of the site in Bad Aibling):

The BND site in Bad Aibling (part of the former NSA Bad Aibling Station that was codenamed GARLICK) is for satellite interception. In Bad Aibling there's no interception of point-to-point microwave transmissions, which is done by putting an antenna in between the two microwave antennas that transmit the signals that have to be intercepted.

When the Bad Aibling site was led by the witness, it had 120 personnel and was divided into three sections:
- Management
- Technical (operation of the antennas, network security, script programming, installation of computers)
- Analysis (analysing the collected data, language translating capabilities)

An important goal was protection of German troops deployed in countries like Afghanistan. BND was also able to prevent attacks on ISAF forces. Other goals for the satellite interception were anti-terrorism and rescuing people who have been kidnapped.

Satellite interception

In remote countries, domestic communications also use satellite links, which can be intercepted from inside Germany as well. This collection is restricted by technical limits: there's access to only a small number of satellites, and from them only part of the communications can be intercepted. Also, not everything can be analysed, because much of it is in local languages. Therefore there's no mass surveillance: BND collects only a few per mille of what would theoretically be possible.

Nonetheless, the amount of satellite traffic from Afghanistan that can be intercepted from Bad Aibling is rather high. Asked about media reports quoting former NSA and CIA director Michael Hayden, "We kill people based on metadata", the witness replied that metadata are not specific enough for pinpointing drone attacks on specific people. Metadata like cell-IDs define areas of 50-60 square kilometers, which is not precise enough for bombing a house.

(Hayden's "we kill people based on metadata" was followed by "but that's not what we do with this metadata", referring to the Section 215 (domestic telephone metadata) database. How Hayden meant the first part of this statement isn't clear. There was also a report by The Intercept in which a former JSOC drone operator said that some targets were tracked by metadata and then killed based upon the SIM card they used.)



The former NSA satellite intercept station in Bad Aibling,
parts of which are now used by the BND
(Click to enlarge)

The Joint SIGINT Activity (JSA)

Since 2004, NSA and BND cooperated in the Joint SIGINT Activity (JSA), which was located at the Mangfall Barracks, also in Bad Aibling. The JSA consisted of both German and American personnel. Most of the equipment was provided by NSA. Management was in the hands of BND, and in turn, NSA got access to the German satellite collection.

For this satellite interception, NSA provided BND with selectors, like phone numbers and e-mail addresses, most of them belonging to targets in Afghanistan. These selectors are placed on an American server, from which BND personnel pick them up two, three or four times a day. The selectors are then checked at the headquarters in Pullach for whether they include German citizens or companies. Those are taken out, as are the ones that contradict German national interests.
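The selector check described above, as an added Python example that is not BND code: partner-supplied selectors are normalized, classified as phone number, e-mail address or IP address, and rejected when they point at the protected domestic side. The testimony gives no criteria, so the ones used here (German country code 49, the .de domain, and a documentation-only IP range standing in for protected address space) are assumptions; the "national interest" category is left out because the page says nothing about how it is judged.

```python
"""Toy vetting of partner-supplied selectors before tasking.
Added example, not BND code; the domestic criteria are assumptions."""
from __future__ import annotations
import ipaddress
import re

DOMESTIC_PHONE_CC = "49"           # assumption: E.164 country code for Germany
DOMESTIC_TLDS = (".de",)           # assumption: domestic mail domains
# Assumption: a documentation-only prefix standing in for protected address space.
DOMESTIC_NETS = [ipaddress.ip_network("192.0.2.0/24")]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[a-z]{2,})$", re.I)


def normalize_phone(raw: str) -> str | None:
    """Return international digits without '+' (e.g. '49301234567'), or None if not a phone number.
    Accepts +49 ..., 0049 ... and bare 49 ... forms with spaces, dashes, dots and parentheses."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    if not digits.isdigit() or not 7 <= len(digits) <= 15:
        return None
    return digits


def classify(raw: str) -> tuple[str, str]:
    """Return (kind, normalized value); kind is 'email', 'ip', 'phone' or 'unknown'."""
    s = raw.strip()
    if EMAIL_RE.match(s):
        return "email", s.lower()
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    phone = normalize_phone(s)
    if phone is not None:
        return "phone", phone
    return "unknown", s


def is_domestic(kind: str, value: str) -> bool:
    """Does a normalized selector point at the protected domestic side (assumed rules)?"""
    if kind == "phone":
        return value.startswith(DOMESTIC_PHONE_CC)
    if kind == "email":
        domain = value.rsplit("@", 1)[1]
        return domain.endswith(DOMESTIC_TLDS)
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in DOMESTIC_NETS)
    return False


def vet_selectors(raw_selectors: list[str]) -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Split selectors into accepted (kind, value) pairs and rejected (raw, reason) pairs.
    Unparseable input is rejected rather than passed through, so it can never be tasked by accident."""
    accepted, rejected = [], []
    for raw in raw_selectors:
        kind, value = classify(raw)
        if kind == "unknown":
            rejected.append((raw, "unparseable"))
        elif is_domestic(kind, value):
            rejected.append((raw, f"domestic {kind}"))
        else:
            accepted.append((kind, value))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch: fictitious numbers, documentation addresses.
    batch = ["+49 30 1234567", "0049 89 7654321", "+93 70 123 4567", "Bob@Firma.DE",
             "abc@example.org", "192.0.2.17", "198.51.100.4", "not a selector"]
    ok, bad = vet_selectors(batch)
    print("accepted:", ok)
    print("rejected:", bad)
```

The normalization step matters more than the rule itself: "+49 30 ...", "0049 30 ..." and "49-30-..." all denote the same German number, and a check that only looked for a leading "+49" would let two of them through. The same goes for upper-case mail domains, which is why everything is lower-cased before the domain test.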

The cooperation between NSA and BND has declined since 2004. Since the JSA was closed in 2012, only an NSA liaison office and some technical support are left in Bad Aibling. Both are located in a building nicknamed Tin Can (Blechdose) because of its windowless exterior of black-painted metal. Here, BND personnel have to ring a door bell to get in, and there's a similar procedure for US personnel visiting BND buildings.



Header of what seems to be a newsletter from the Joint SIGINT Activity (JSA)

Tools and databases used by BND

After selectors have been cleared and entered into the collection system, it results in for example a phone call that appears in the dataprocessing tool of an analyst. This is not a random phone call, but one that has been filtered out based upon the selector. The analyst can then listen to this phone call, maybe has to translate it, and decides whether it is relevant or not. If not, it is deleted, otherwise he writes a report (Meldung), which is sent back to headquarters.

XKeyscore is an analysis tool that is used to look whether internet data that have been collected contain relevant information. BND uses XKeyscore on their own computers and servers. NSA only provides (software) updates and has no access to BND networks through XKeyscore. For sharing data, there was only one-way traffic from BND to NSA through highly secured firewalls.

Collected internet content is stored for only a few days, other (meta)data for a few days up to a few weeks. When there's a match, the selected data are stored for 1 or 2 years at most, not in Bad Aibling, but at the BND headquarters. In Bad Aibling there was no real-time collection. Quasi real-time means many minutes, and it takes hours until something shows up on the monitor.

Besides XKeyscore, BND uses, among others, the programs MIRA4 and VERAS, which are classified analysis tools. The first one is used to listen in to phone calls, the latter one for visualising metadata and showing who has called whom. Metadata are data that contain no content. When for example a website like Amazon.com is viewed from a computer, this creates more than 100 pieces of metadata.


- Hearing of the witness Mr. J. Z. (BND official, since 2008 head of the technical unit of the JSA, which uses XKeyscore). This hearing was entirely behind closed doors.



16th Meeting, October 9, 2014 (Transcript)

- Hearing of the witness Ms. H. F. (BND, legal counsel for data protection):

This witness is responsible for data protection regulations, but not for the implementation of the so-called G-10 Act, which protects the communications privacy of German citizens and corporations under article 10 of the constitution (Grundgesetz).

The witness has set up educational programs for BND employees and regularly audits the various systems and databases used by BND, especially in the SIGINT division, where not all databases have formal data protection procedures (like for access control) yet. All BND databases, regardless of where their data come from, fall under the German Data Protection Act (BundesDatenSchutzGesetz).

The witness audited many databases, like for example:
- INBE (INhaltliche BEarbeitung)
- VERAS (VERkehrsAnalyseSystem)
- PBDB (PersonenBezogene DatenBestände)
In total, there are about 25 databases (Auftragsdatenbanken) which serve the SIGINT collection process. Besides these databases, BND uses about 20 programs provided by NSA, most of them technical tools, like for language translation.

In Bad Aibling, only satellite communications are intercepted. After German communications have been filtered out, they are stored in databases according to their type: metadata go to VERAS and content goes to INBE. The latter database succeeded MIRA4 in 2010 and currently contains several hundred thousand data sets, including data from German citizens. Both VERAS and INBE were developed by BND.

The witness couldn't estimate how many data are in VERAS (which was set up in 2002), which contains mainly metadata from telephone communications, with the purpose of call chaining for creating contact graphs. BND uses this tool for connecting phone numbers as far as 4 or 5 hops from a known target. This doesn't mean that it always goes that far, because the further away from the initial known target, the more difficult it is to discover the connections.


In several cases, like for example with INBE and VERAS, BND failed to comply with the formal requirement from the Data Protection Act for a so-called "Dateianordnungsverfahren", even for several years. After the witness recognized this, she pushed for these legal requirements to be fulfilled, although it was more a bureaucratic formality than a big shortcoming.

There's still discussion at BND about whether metadata are always personal data. Metadata like German telephone numbers are considered to be personal data, because it is easy to look up to whom such a number belongs. In foreign countries, like Afghanistan and Pakistan, that's not so easy. Phone numbers are also used by a whole clan for example.

The president of the BND has decided that collection in Bad Aibling is not subject to the provisions of the BND Act (BND-Gesetz), because only foreign satellite communications are intercepted. The witness disagrees, but was overruled by the president.


- The planned hearing of the witness A. F. (also a BND employee) was postponed to November 13.



18th Meeting, October 16, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, at Bad Aibling from 2002-2007):

The witness explained that one phone call creates between 20 and 30 pieces of metadata. Not all of them are useful for targeting because they are not specific enough, like for example a mobile phone cell-ID. Metadata include the number that was called, the cell-ID, the provider, the duration of the call, etc.

Raw data are signals (like radio frequencies) that have been processed. Raw data can in turn be processed into metadata and content. These are then automatically filtered and selected, and when finally a human takes a look at them, this can result in a report (Meldung).

Raw data were not counted by BND, only the reports, of which only a handful were produced at Bad Aibling. This low number was also due to the fact that only a small part of the collected communications was actually translated.

XKeyscore was first used by BND in 2007, but back then this tool was far less sophisticated than in 2013.

- After just a short while, this hearing was ended after it became clear that the witness had read internal BND documents that had not yet been fully handed over to the committee.


> Next time: More hearings of various BND employees


> Scheduled meetings with a public hearing:

December 18, 2014

- Hearing of the witnesses Mr. Breitfelder (BND) and N.N. (BND)



Links and Sources
- Official page of the committee: 1. Untersuchungsausschuss ("NSA")
- Wikipedia-article: NSA-Untersuchungsausschuss
- Internal NSA presentation: Structure of the BND (pdf)

> See also: BND Codewords and Abbreviations


German investigation of the cooperation between NSA and BND (III)

(Updated: January 16, 2015)

This is part III about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

The hearings of a number of BND employees, which are summarized below, provided many interesting details about BND cable and satellite collection, about how these data are selected and filtered and about how privacy rights are implemented. This was especially of concern for the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

The witnesses also stated that contrary to the initial press report, under the joint operation Eikonal not a single German communication was passed on to NSA.

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website Netzpolitik.org, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of the cover names they use when at work(!).




The room where the hearings of the parliamentary committee take place
(photo: DPA)


20th Meeting, November 6, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, head of the JSA unit from 2003-2007):

In Bad Aibling, the BND has dishes to intercept satellite communications. When satellite links are intercepted, the following things have to be done: first a specific frequency has to be selected, and as one frequency often contains multiple channels, these have to be broken down (de-multiplexed) into single data streams. Based upon metadata it can be decided that certain types of communications are not of interest for BND.

The next step is to separate the various content encodings, like for IP-traffic, telephony, fax, etc. This also needs error correction, which sometimes is a bit more difficult because some communication systems use proprietary methods. This results in data in a readable or audible format (like an e-mail or a phone call), which can be used to prepare an intelligence report. The witness estimates that BND produces around 20 reports a day.

For processing, filtering and selecting, commercial computer systems were used, as well as systems that were custom made by NSA. The Americans were ahead of BND in this, not necessarily better, but often just in doing more, or faster, like in analysing signals.



Compare: the data flow at NSA, according to a presentation
from the NSA's European Cryptologic Center (ECC)
(Click to enlarge)


Mass surveillance?

The witness stated that there was and is no mass surveillance by BND. Mass surveillance is even more difficult for fiber optic cables than for satellite links. If there were any mass surveillance of the latter, it would have to involve some 300 communications satellites, for which there would have to be ground stations at at least three places around the world.

For this, one would need 250 satellite dishes of 10 million euros each to receive the up to 500 frequencies per satellite. For each frequency two modems and converters would be needed, and with the necessary processing capacity, this would require a nuclear power plant for electricity.

Mass surveillance on cable traffic could probably only be done with the capacity of the American, Russian and Chinese intelligence agencies combined. For BND, mass surveillance would drown the agency in data. The witness had never witnessed any kind of economic espionage by NSA in Germany. But he had to admit that not everything was talked about.


Joint SIGINT Activity (JSA)

NSA's Bad Aibling Station was scheduled for closure in 2002, but after 9/11 this was postponed to 2004, and maybe this led to the creation of the JSA. In the Joint SIGINT Activity, NSA and BND cooperated in collecting both satellite and cable communications.

The JSA was located at the Mangfall Barracks in Bad Aibling. In 2002, this military complex still had a compound of the Bundeswehr, where you had to go through to reach the BND section. The Bundeswehr left these barracks by the end of 2002, and NSA went to a new building nicknamed the Tin Can (Blechdose).

The compound had three sections: one for Germans only, one for US persons only and one common section. The collection of data took place in the common section, and the exits were strictly monitored, so NSA had no access to German sources on its own, although there were no daily checks on people carrying thumb drives.

BND personnel had no access to NSA databases and vice versa, but both had access to joint databases. NSA had also some contractors working there. JSA was connected to NSANet, just like NSA's European Security Operations Center (ESOC) near Darmstadt.

Until 2007 only cable traffic from Frankfurt was passed on to JSA, not from other internet cables. Satellite traffic intercepted by the BND antennas in Bad Aibling was probably also transferred to JSA, where it was processed and analysed in the interest of both NSA and BND.

After the Joint SIGINT Activity (JSA) was closed in 2012, the logical path over the physical cables between BND headquarters and Bad Aibling was probably cut off. After 2012, BND continued to cooperate with NSA in the field of satellite interception and operations in Afghanistan.



Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".


Protection of German data

BND did everything to prevent communications of German citizens or corporations from being collected and/or passed on to NSA. Initially, 4 out of 5 selectors came from the Americans, the rest were German. The witness did not know the total number of selectors. These selectors were checked before they were fed into the collection system, and what came out was again checked for whether it contained German communications.

The selectors from NSA were first checked by the Americans in the Tin Can at the Mangfall Barracks and then passed on to a unit of the technical division (which included lawyers) of BND at its then headquarters in Pullach. A final check was conducted by BND personnel in Bad Aibling. Only about one permille of the selectors were rejected because they were related to Germans or contrary to German interests.


Filtering out German data

This filtering works fine, but experience in Bad Aibling has shown that it is not possible to do this fully automated. Therefore, there was no automatic forwarding to NSA. A 100% accurate filtering was only possible with a final selection by hand. As far as the witness was aware, not a single German communication was passed on to NSA.

In the press report about operation Eikonal it was said that the filter system could only filter out 95% of German communications, but according to the witness, this was only during the test period. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.

Especially e-mail addresses have to be checked by hand, because nowadays it's much more difficult to attribute such internet communications to specific countries. During the test period, about 3000 communications had to be checked by hand, 300 of which were e-mails. BND neither collected data from US citizens nor passed such data on to NSA, so NSA did not use BND to get data that it wasn't allowed to collect by itself (Ringtausch).

The witness suggested that Süddeutsche Zeitung (the media that claimed that the BND filters wouldn't work and German data was forwarded to the NSA) had documents of conversations between BND and NSA, in which maybe BND made "political statements" about the efficiency of the filters.

(This could explain the discrepancy between the press reports and the BND witnesses, who all assured that the filter worked, and that with the additional manual checks not a single German data item was forwarded to NSA)

The witness clearly stated that the German G-10 Act only protects Germans and people living in Germany. The privacy of foreigners living abroad is not protected by German law.



Operations center room in the former BND headquarters in Pullach
(Screenshot from ARD television - Click to enlarge)


- Hearing of Ms. G. L. (BND, head of IT development and operations at JSA from 2007-2008):

This witness is responsible for databases that store data after having been collected and filtered. These databases are at various locations. Currently, between 8.000 and 10.000 pieces of content with some additional information (Meldungen) come in each month, often but not always accompanied by metadata.


Joint SIGINT Activity (JSA)

Each unit of BND's analysis division (Auswertung) could request intelligence information from the JSA. They could suggest specific selectors to be tasked or articulate what their information needs were. Ultimate goal was to present relevant information for the federal government. BND sees itself as a service provider for customers in the government.

In 2005/2006 the selection process was fully automated. The witness couldn't remember how many selectors were used in her period at JSA. These numbers were also not registered. NSA was not able to get any German communications before these were thoroughly filtered and checked by BND. An e-mail that was selected could be forwarded to NSA through a secured gateway. There was only access to local databases, not to those of NSA.

NSA employees working for JSA were not recognizable as such, they just had ID cards for the compound, issued by the security unit that was responsible for access control of the premises. The Tin Can building also housed SUSLAG (Special US Liaison Activity, Germany), which was a separate unit, different from JSA.



Header of what seems to be a newsletter from the Joint SIGINT Activity (JSA)


Operation Eikonal

The witness confirmed that in Frankfurt fiber optic cables were intercepted (operation Eikonal), although without mentioning whether this was at DE-CIX or somewhere else. She wouldn't answer the question whether BND is still doing this.

The data collected in Frankfurt were first sent to BND headquarters and then to Bad Aibling, where they were filtered by selectors from both NSA and BND. After the cooperation with NSA was ended, the transmission to Bad Aibling was cut off.


Legal issues

The witness was responsible for the implementation of the Federal Intelligence Service Act (BND Gesetz), which governs the activities of this agency. As such, she had the opinion that satellite interception conducted in Bad Aibling also took place under this act, but the Director of BND overruled her, saying this was not the case.

The BND management said: this kind of collection takes place in outer space, and therefore German law doesn't apply. But apart from that, employees should always comply with the law. Once data collected from satellite links have been stored in BND databases, they do fall under the German Data Protection Act (Bundesdatenschutzgesetz).

(In general, most of these witnesses didn't know much about topics that are not related to their own duties. They also showed very little interest in the Snowden-revelations. This might stem from a common attitude in the intelligence world: the less you know, the less you can (accidentally) give away)


- . - . - . - . -


22nd Meeting, November 13, 2014 (Transcript)

- Hearing of the witness Mr. W. K. (BND, sub-division manager in the Signals Intelligence division):

The witness stated that BND is definitely not comparable with the former East German Stasi and that BND only collects what is necessary for fulfilling the information need of the federal government.

Today, mainly fiber optic cables are intercepted, but not everything that flows through, only specific data channels are selected, or in case of satellite links: specific frequencies. Asked about the Snowden-revelations, the witness said that he was surprised by how close the Five Eyes partners are cooperating.


Tapping internet cables

There are search profiles and criteria according to which specific data flows are selected in a very focussed way. The first selection is of a route between two places (like from Afghanistan to Pakistan), then a specific fiber optic cable is chosen.

These are human decisions, based upon where a cable is located, by which company it is operated and where it's most useful to tap it. Picking a specific cable is also discussed with the provider, with some of them this is easier than with others.

Because internet traffic travels over many different routes, picking specific cables means that a lot of communications cannot be collected. This is taken for granted as BND doesn't want to collect everything. Sometimes multiple routes are selected for interception, but not always.

According to the witness, BND doesn't provide foreign intelligence agencies access to cables. No raw data are transferred to foreign agencies, only end reports.

In some cases, internet data have to be converted into a readable format. This sometimes means cracking encryption, consisting either of complex algorithms or proprietary methods. This can be done on the traffic as it flows past, or with data after having been stored in databases.


Filtering

The next step is filtering the data through selectors. This is done by a computer system, for which the data stream may be buffered for a few milliseconds. The amount of data flowing through these filter systems isn't counted by BND. Filtering by selectors is done as close to the actual tapping point as possible.

The selectors are chosen based upon the information needs and a set of criteria, which in combination prevent communications of innocent people from being touched. The results went to the (then) BND headquarters in Pullach over leased cables. The amount of data forwarded to Pullach is not registered; it depends upon the costs of the transmission capacity.

The constitutionally guaranteed Privacy of Correspondence can have effect on each of these selection stages: for example no cables are chosen that start and end in Germany, and no selectors belonging to Germans are used.

Data of Germans are currently filtered out by a system called DAFIS, which succeeded a BSI-certified filter system that was used since the 1990s. Data from German citizens and German companies (Grundrechtsträgern) are deleted.
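The two-stage approach the witnesses describe (selectors identifying Germans are never entered; collected items are filtered by rule, with anything that cannot be attributed going to a human) can be illustrated in Python. This is an added example, not BND's own filter or the DAFIS specification: the attribution rules (E.164 country code 49, the .de ccTLD, a constructed list of generic mail domains) and all sample records are constructed.

```python
"""Two-stage G-10 style filter (constructed example; not BND's DAFIS)."""
import re
from collections import Counter
from enum import Enum

GERMAN_CC = "49"          # E.164 country code of Germany
GERMAN_TLD = ".de"        # the only domain ending treated as a reliable German indicator
# Constructed list: generic mail domains that carry no country information at all.
UNATTRIBUTABLE_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


class Origin(Enum):
    GERMAN = "german"
    FOREIGN = "foreign"
    UNKNOWN = "unknown"


class Verdict(Enum):
    FORWARD = "forward"       # no German nexus found by rule
    DELETE = "delete"         # attributable to a German Grundrechtsträger
    MANUAL = "manual review"  # automated rules could not attribute the item


def origin_of_phone(number: str) -> Origin:
    """Attribute a number by its country code; national-format numbers stay unknown."""
    n = re.sub(r"[\s\-()]", "", number)
    if n.startswith("+"):
        n = n[1:]
    elif n.startswith("00"):
        n = n[2:]
    else:
        return Origin.UNKNOWN  # no international prefix, so the country is not known
    if not n.isdigit():
        return Origin.UNKNOWN
    return Origin.GERMAN if n.startswith(GERMAN_CC) else Origin.FOREIGN


def origin_of_email(address: str) -> Origin:
    """Attribute an address by domain; a generic TLD cannot be tied to a country."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain.endswith(GERMAN_TLD):
        return Origin.GERMAN
    if domain in UNATTRIBUTABLE_DOMAINS or not re.search(r"\.[a-z]{2}$", domain):
        return Origin.UNKNOWN  # .com/.org/.net etc.: a human has to decide
    return Origin.FOREIGN      # some other two-letter ccTLD


def origin_of(kind: str, value: str) -> Origin:
    if kind == "phone":
        return origin_of_phone(value)
    if kind == "email":
        return origin_of_email(value)
    return Origin.UNKNOWN      # e.g. MAC addresses carry no country identifier


def vet_selector(kind: str, value: str) -> Verdict:
    """Stage 1: a selector identifying a German is never entered; one that
    cannot be checked by rule is held back for human vetting."""
    origin = origin_of(kind, value)
    if origin is Origin.GERMAN:
        return Verdict.DELETE
    return Verdict.FORWARD if origin is Origin.FOREIGN else Verdict.MANUAL


def filter_record(record: dict) -> Verdict:
    """Stage 2: drop an item if any endpoint is German, queue it for a human if
    any endpoint is unattributable, and forward it only otherwise."""
    origins = {origin_of(record["kind"], record[end]) for end in ("from", "to")}
    if Origin.GERMAN in origins:
        return Verdict.DELETE
    if Origin.UNKNOWN in origins:
        return Verdict.MANUAL
    return Verdict.FORWARD


def run_filter(records: list) -> tuple:
    """Return the verdict counts and the share of items decided without a human."""
    counts = Counter(filter_record(r) for r in records)
    automated = 1 - counts[Verdict.MANUAL] / len(records)
    return counts, automated


# Constructed sample records, not real intercept data.
SAMPLE_RECORDS = [
    {"kind": "phone", "from": "+93 70 123 4567", "to": "+92 300 123 4567"},   # AF -> PK
    {"kind": "phone", "from": "+49 89 1234567", "to": "+93 70 123 4567"},     # German endpoint
    {"kind": "phone", "from": "0049 30 1234567", "to": "+92 300 123 4567"},   # German, 00 prefix
    {"kind": "phone", "from": "0301 234567", "to": "+93 70 123 4567"},        # national format
    {"kind": "email", "from": "a@example.af", "to": "b@example.pk"},
    {"kind": "email", "from": "c@example.de", "to": "b@example.pk"},
    {"kind": "email", "from": "d@gmail.com", "to": "b@example.pk"},
]

if __name__ == "__main__":
    counts, automated = run_filter(SAMPLE_RECORDS)
    for verdict, n in counts.items():
        print(f"{verdict.value:14s} {n}")
    print(f"decided automatically: {automated:.0%}")
```

The sample shows why the witnesses say 100% automated filtering is not achievable: a national-format number and a generic mail domain both fall through to manual review.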

After data have been selected, they are pulled out based upon their relevance and finally analysts can use them at a certain moment to write an intelligence report, of which approximately 20 a day are produced.

 
Operation Eikonal

Regarding the joint NSA-BND operation Eikonal, the witness said that there was no massive scale surveillance of German citizens with data forwarded to NSA. Under Eikonal, which was a one-of-a-kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The witness would give more details only behind closed doors, because BND is still using these methods. The internal codename for Eikonal was Karat, but that name wasn't shared with NSA. There was even a third codename. Eikonal was tested during a few months (early 2006?), during which period no data were shared with NSA.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't have. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything by itself.

What was collected under Eikonal was far less than the 500 million metadata a month as shown in the German BOUNDLESSINFORMANT chart. Actual collection only led to a few hundred selected contents (in German: Daten, like phone calls or e-mails) a year, which was a huge disappointment for NSA. Nothing worthwhile came out anymore, contrary to the expectations when the operation was set up.

This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program. As a "compensation" for NSA, a joint project in a country outside Europe was planned. In crisis regions, the BND is still cooperating with NSA, which provides "huge benefits" for the Germans, according to the witness.

The witness wouldn't say anything about whether BND was tapping into the Frankfurt internet exchange DE-CIX, but later on he said that operation Eikonal involved just one telecommunications provider.

(These kinds of indications by some of the witnesses eventually led the Committee to conclude that operation Eikonal was actually about tapping one single cable of Deutsche Telekom, instead of the DE-CIX exchange as a whole, as the initial report by Süddeutsche Zeitung said. More about this later)

Things the BND learned from the Eikonal-cooperation were:
1. How the technique worked, which is now used for BND's own operations abroad and for collection efforts inside Germany
2. It is not possible to conduct 100% automated filtering. This wouldn't be done anymore.


Filtering through selectors

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. A BND unit which included lawyers checked for every selector from the NSA whether it was legal and according to the goals of the cooperation. Besides German interests, also the interests of friendly countries were taken into account. Only a few selectors were rejected, but it wasn't told to NSA which ones. They were just not entered into the filtering system.

Selectors include not just phone numbers and e-mail addresses, but also MAC addresses, which have no country identifier. Although there may have been up to several hundred thousand selectors, BND was still able to check whether every single one was appropriate, by using special criteria. Only selectors that can be checked are used.

Besides Eikonal, BND also taps into cables of multiple other communication providers, but this is within the proper legal framework, approved by the G-10 Committee. For this, there is dedicated hardware equipment in the building of the provider, in accordance with the regulations of the federal communications authority (Bundesnetzagentur). This hardware is installed at the point where the cable is tapped.



Screenshot from NSA's BOUNDLESSINFORMANT tool, showing the number of foreign
metadata that BND collected in crisis regions and shared with NSA
(Click to enlarge)


Telephony metadata

According to the witness, one phone call creates between 30 and 50 metadata, which includes not only time and number but also a lot more technical data. With the given number of users in a crisis zone, this easily adds up to billions of metadata. But not all these have to be collected (erfasst); less than one percent can actually be pulled in. This is no mass surveillance without a reasonable ground (anlasslose Massenüberwachung). The witness assumes that NSA and GCHQ operate in a similar way as the BND.

The over 500 million metadata records from the German BOUNDLESSINFORMANT chart were most certainly from Afghanistan, more precisely from satellite communication links between two foreign countries in crisis regions. According to the witness this huge number of metadata for a single month is quite normal.

It could be that these numbers are collected up to today, although he isn't sure about that. BND isn't counting every single part of metadata, as NSA is apparently doing and which leads to those huge numbers.


XKeyscore

BND got the XKeyscore program from NSA, which is only used to analyse data that have already been collected. BND didn't have such a tool before. Unlike NSA, which uses XKeyscore as a federated query system, BND uses it as a stand-alone system for analysis. The actual collection systems of BND are antennas and outposts (Aussenstellen).

The witness doesn't know how many servers BND purchased for XKeyscore. Presently, BND uses XKeyscore only for traffic that is intercepted from satellite links, apparently because the system isn't (yet) certified for filtering out communications of German citizens. BND got no software programs from NSA for profiling or for decrypting data.


Legality

Personal data are only those data that can be related to specific persons. For German data it is easy to retrieve the identity behind certain metadata, but for foreign metadata this is much more difficult and hence those metadata are not seen as personal data.

The witness said multiple times that he isn't a lawyer and he therefore had no opinion of his own about the legality of certain decisions. He also didn't know whether data collected in foreign countries had been acquired with or without the consent of the provider. He just assumed that the data collection takes place in a legal way. Foreign partner agencies don't provide BND with data they are not allowed to collect themselves.


- Because of time shortage, the BND employees L. and W. P. couldn't be heard in this meeting.


> Next time: More hearings of BND employees
 

UPDATE:
Meanwhile, the following numbers about government eavesdropping operations in 2013 have been made public. These numbers are only about the interception of communications with at least one end in Germany, so traffic with both ends foreign is not included:
- The G10 Committee approved 212 eavesdropping operations, most of them conducted by the domestic security service BfV (up from 157 in 2012). This involved some 350 people, most of them suspected of Islamic fundamentalism.

- In 26 cases, the domestic security service BfV used an IMSI-catcher to trace or intercept the mobile phones of 29 persons (more than twice as often as in 2012)

- BND is allowed to filter communications by using selectors. If Germans could be involved, it is not allowed to use selectors that identify specific targets (like phone numbers and e-mail addresses), so in that case, only generic search terms (keywords) may be used.

- The official report (pdf) provided the following numbers of approved search terms, of what was filtered out and of what was marked as relevant for foreign intelligence purposes:

Subject         Search terms   Filtered out                    Relevant
Terrorism       Ca. 800        Content: 906, Metadata: 639     73
Proliferation   Ca. 11.700     Content: 14.411, Metadata: 1    32
Immigration     Ca. 28         Content: 84, Metadata: 76       13



Links and Sources
- Official page of the committee: 1. Untersuchungsausschuss ("NSA")
- Internal NSA presentation: Structure of the BND (pdf)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA
- Reports with numbers for 2013:
   - Gemäss Terrorismusbekämpfungsgesetz (pdf)
   - Gemäss Artikel 10-Gesetz (pdf)

> See also: BND Codewords and Abbreviations

How GCHQ prepares for interception of phone calls from satellite links



Most of the Snowden-revelations are about spying on the internet, but NSA and GCHQ are also conducting the more traditional collection of telephone communications that go through satellite links.

What needs to be done before phone calls can be collected, can be learned from two highly detailed technical reports from the GCHQ listening station near Bude in the UK.

These reports were published on August 31 last year by the German magazine Der Spiegel and the website The Intercept as part of a story about how Turkey is both a partner and a target for US intelligence.

Here we will analyse what's in these reports, which give an interesting impression of the techniques used to transmit telephone communications over satellite links.



Satellite dishes at the GCHQ intercept station near Bude, Cornwall, UK


Officially, such technical reports are called "informal reports", as opposed to the "serialized reports" that contain finished intelligence information for end users outside the SIGINT community.

Until now, only two such technical reports have been disclosed, but according to an article by Der Spiegel from December 20, 2013, they are from "a bundle of documents filled with international telephone numbers and corresponding annotations" from Sigint Development (SD), which is a unit that identifies and develops new targets.

The technical reports are about test runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" and whether certain satellite links could be "of potential interest for tasking". The reports give no indication about whether the listed numbers were eventually tasked for collection and neither about the intensity and length of any such surveillance.


Der Spiegel says these documents show that GCHQ "at least intermittently, kept tabs on entire country-to-country satellite communication links, like Germany-Georgia and Germany-Turkey, for example, of certain providers", which sounds rather indiscriminate.

However, the fact that GCHQ analysts are sampling these satellite links for whether they contain targets' phone numbers shows they are looking for the most productive links to be eventually intercepted. During the parliamentary investigation in Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.




Technical report nr. 35

The first technical report is number 35 from October 15, 2008. It is about four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)

The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.





Multiplexing and compression

By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.

For efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll-quality voice, fax, Voice Band Data (VBD), native data (for example, V.35) and signaling information:




This kind of voice compression equipment is installed at either end of long-distance links, like from communications satellites or submarine fiber-optic cables. Telecommunication companies try to pack as much capacity into as little physical equipment as possible, making it more difficult for intelligence engineers to unpack it.


Signaling System No. 7

Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for Signalling System No. 7 as specified in the ITU-T Q.700-series recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).

SS7 is a set of protocols for setting up, routing and tearing down telephone calls. In the SS6 and SS7 versions of this protocol the signalling is "out-of-band": it is carried in a dedicated signalling channel, separate from the end-user's audio path.

In other words, the SS7 channel carries the metadata of telephone conversations, like the calling and the called phone numbers and a range of switching instructions, while the voice itself travels in other timeslots. This makes the SS7 or C7 channel the first stop for intelligence agencies.


Analysis of the link

In order to see whether these four satellite links could contain traffic that is useful for foreign intelligence purposes, the analyst took some phone numbers from Iraq (country code 964), Iran (98), Syria (963) and the UK (44) and looked whether these appeared in the data of the C7 channel.

All four links had hits, both for the called and the calling number. These numbers were redacted by The Intercept, except for the terms "Non Op Kurdish Extremism" and [Kurdish] "Leadership". The report continues with a more detailed analysis of the links. As an example we look at the one between the UK and Iraq, which has the case notation G2BCR and was paired with G2BCS:

On this link, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 2-153-1 in the UK, and the Destination Point Code (DPC) 4-036-4 in Iraq. The switching device at the originating end is a Nokia DX220 ABS and at the destination end a Unid Exch.

The DTX-600 contains 11 active trunks for digital voice data, compressed with the G.729 audio codec into frames of 10 milliseconds duration (at G.729's rate of 8 kbit/s, each such frame holds 10 bytes of voice payload). There is also one WC1A channel.

After decompression by a tool named SWORDFISH it came out that the location of the C7 channel is the "3rd Trunk BS19". Protocols used on this link were Cisco, IPv4, ICMP, TCP, UDP, GRE, ESP and PPTP. Similar analysis was done for the other three satellite links.



Intelsat communications satellite from the 900-series (Intelsat IX),
the first of which was launched in June 2001.


The report then has a small list of Technical Details, saying that the traffic goes via the Intelsat 902 communications satellite, but the exact frequencies of the four links are redacted, just like the Symbol Rate and the FEC Rate. FEC stands for Forward Error Correction: redundant bits are added to the transmitted stream so that the receiver can correct bit errors introduced by the satellite channel, and the FEC rate (such as 1/2 or 3/4) gives the share of payload bits among the transmitted bits.

There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links and how they are collected. It seems strange that this internal RASIN code is visible, while the FEC rate, which is common technology, is redacted.


Conclusion

The conclusion on whether these satellite links can be tasked on the collection system is: "Due to limited patching there is currently no spare tasking availability on Lopers". LOPERS is one of the main systems used by NSA for collecting telephone communications. According to Der Spiegel, some other reports concluded about tasking: "Not currently due to the data rate of the carriers."

Finally, this technical report gives the (redacted) contact details at OPA-BUDE, with OPA being the abbreviation of a yet unknown unit at the GCHQ Bude listening station in Cornwall. The last section of the report is fully blacked out by The Intercept, but the next report will show what is apparently covered there.



Technical report nr. 44

The second technical report is from December 1, 2008 and is about a satellite link between Jordan and Belgium. It has the case notation 8BBAC, with 8B being the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are in Jordan and Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).





The link is an E1 carrier, which means it runs at 2048 kbit/s (2.048 Mbit/s) and has 32 timeslots (channels) of 64 kbit/s each, numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Mbit/s and bundles 16 E1s, i.e. 512 timeslots). Each timeslot can carry one phone call, but TS0 is reserved for frame alignment and at least one further timeslot (conventionally TS16) carries the signaling information, so one E1 link can transmit up to 30 calls simultaneously.

The analyst found that in this case timeslots 30 and 31 were used to relay the C7 signaling information and that compression was achieved by the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, one Intelsat communications satellite can relay up to 112.500 voice circuits (telephone calls) simultaneously.

The report also says that the "RLE to this link is believed to be 8BBNH. Currently in view at Sounder". RLE stands for Return Link End, which in this case would be the link back from Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos in Cyprus, which is apparently able to intercept the Intelsat downlink to Jordan.



The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) in Cyprus


Analysis of the link's metadata

The technical report says that on timeslot 30, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) in Jordan, and the Destination Point Code (DPC) 2-014-7 at F Belgacom in Brussels, Belgium.

It's interesting to see Belgacom here, as from 2009, GCHQ got access to the cell phone roaming branch of this company by using the highly sophisticated Regin spyware suite.

From OPC 4-032-5 in Jordan, there were also transit calls via DPC 2-012-2 to some forty countries all over the world. In addition to this, there were also transit calls to Mauritius, Finland, Bulgaria, Switzerland, Sweden, Syria and Iran via DPC 2-012-1.

On timeslot 31, the C7 channel runs between the end points 4-032-0 at FAST Link in Jordan, and 2-013-1 at F Belgacom in Brussels, Belgium. For this timeslot there were also two links with transit calls, via DPC 2-012-2 and DPC 2-012-1.

For these transit calls, the report also mentions an eight-digit Circuit Identification Code (CIC). This code is used to connect the metadata in the C7 channel to the trunk and the timeslot which carry the voice part of the call. In this way, each of the 30 voice channels of an E1 link has a CIC associated with it.

GCHQ has to know the CIC, in order to pick the right voice part from one of the content channels, after having found the target's phone number in the signaling channel.
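To make the addressing quoted in the two reports (ITU-T point codes like 2-153-1, E1 timeslots and Circuit Identification Codes) and the "hits in timeslot 30" figures more concrete, here is a small Python script. It is an added example and is not taken from the reports or from any GCHQ or NSA tool such as DRUMKIT or DEPTHGAUGE. The signaling records and the tasking list are constructed, and the rule that the low five bits of a CIC give the E1 timeslot is a common convention assumed here, not something the reports state.

```python
"""Added example (not from the GCHQ reports or any GCHQ/NSA tool): decode the
SS7/C7 addressing quoted in the reports and run a tasked-number hit check over
constructed signaling records."""

from collections import Counter

E1_TIMESLOTS = 32
E1_BITRATE_KBPS = E1_TIMESLOTS * 64      # 32 x 64 kbit/s = 2048 kbit/s


def parse_itu_point_code(text):
    """ITU-T 14-bit point code written as zone-region-sp (3-8-3 bits),
    e.g. "2-153-1" or "4-036-4", -> integer value. Field widths are checked."""
    zone, region, sp = (int(part) for part in text.split("-"))
    if not (0 <= zone < 8 and 0 <= region < 256 and 0 <= sp < 8):
        raise ValueError("field out of range for a 3-8-3 point code: %s" % text)
    return (zone << 11) | (region << 3) | sp


def format_itu_point_code(value):
    """Inverse of parse_itu_point_code: 14-bit integer -> "z-rrr-s"."""
    if not 0 <= value < (1 << 14):
        raise ValueError("point code must fit in 14 bits")
    return "%d-%03d-%d" % (value >> 11, (value >> 3) & 0xFF, value & 0x7)


def cic_to_trunk_timeslot(cic):
    """Split an ISUP Circuit Identification Code into (trunk, timeslot).
    ASSUMPTION: the common E1 convention that the low 5 bits give the timeslot
    (0-31) and the remaining bits number the E1 trunk. The real allocation is
    agreed bilaterally between the two exchanges and may differ."""
    if cic < 0:
        raise ValueError("CIC must be non-negative")
    return cic >> 5, cic & (E1_TIMESLOTS - 1)


def count_hits(records, tasked, country_codes):
    """records: (timeslot, calling_number, called_number) triples taken from
    the signaling channel, numbers as E.164 digits without '+'.
    Returns (hits_per_timeslot, numbers_seen_per_country_code), the two
    kinds of figures the reports quote (e.g. "607 hits in timeslot 30")."""
    hits = Counter()
    by_country = Counter()
    # Longest prefix first so that a long code is not shadowed by a shorter one.
    prefixes = sorted(country_codes, key=len, reverse=True)
    for ts, calling, called in records:
        for number in (calling, called):
            if number in tasked:
                hits[ts] += 1
            cc = next((p for p in prefixes if number.startswith(p)), None)
            if cc is not None:
                by_country[cc] += 1
    return hits, by_country


# Constructed sample records and tasking list (made up for this example).
SAMPLE_RECORDS = [
    (30, "9647901234567", "442071234567"),
    (30, "9647909876543", "9647901234567"),
    (30, "989121234567", "442079999999"),
    (31, "9631234567", "442071234567"),
    (31, "442071234567", "9647901234567"),
]
SAMPLE_TASKED = {"9647901234567", "442079999999"}
SAMPLE_COUNTRY_CODES = ["964", "98", "963", "44"]   # Iraq, Iran, Syria, UK


if __name__ == "__main__":
    opc, dpc = parse_itu_point_code("2-153-1"), parse_itu_point_code("4-036-4")
    print("OPC %s = %d, DPC %s = %d" % (format_itu_point_code(opc), opc,
                                        format_itu_point_code(dpc), dpc))
    print("CIC 62 -> (trunk, timeslot):", cic_to_trunk_timeslot(62))
    hits, seen = count_hits(SAMPLE_RECORDS, SAMPLE_TASKED, SAMPLE_COUNTRY_CODES)
    for ts in sorted(hits):
        print("TS%d: %d hits on tasked numbers" % (ts, hits[ts]))
    print("numbers seen per country code:", dict(seen))
```

The hit count is the only step that needs the tasking list; the point-code and CIC decoding are what an analyst needs before that, to know which exchanges talk over the link and in which timeslot the voice for a signaling hit can be found.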



Interface of an NSA tool with a page titled "SS7 Summary" which lists and visualizes
the number of OPC/DPC pairs accessible by various NSA fiber-optic cable
interception programs, identified by their SIGAD number.
(Screenshot from an NSA presentation
published in December 2013 - Click to enlarge)


Mapping the link

The analyst used the DEPTHGAUGE tool to map the 8BBAC satellite link. He reports that the resultant map was not fully conclusive, but that it supported the previously listed mapping. What follows is a list which seems to relate Circuit Identification Codes (CIC) to the specific TimeSlots (TS). Not all of them had yet been mapped.

The 8BBAC link was sampled for telephony data (DNR) for approximately 94 hours during the period from November 26 to December 1, 2008, by using a tool or system codenamed DRUMKIT.

Phone numbers listed in CORINTH, which could be GCHQ's telephony tasking database, were found 607 times in timeslot 30. This included both tasked and de-tasked numbers, which means numbers that were under surveillance as well as numbers for which the surveillance had been terminated. 26 numbers that were tasked at the time of the analysis had 86 hits.

In timeslot 31, there were 349 hits, 40 of which were from 14 phone numbers that were under surveillance. These hits could be viewed in DRUMROLL under the filenames 8BBAC0030 for timeslot 30 and 8BBAC0031 for timeslot 31.


DRUMROLL hits

The report lists all the hits of tasked, and a selection of the non-tasked phone numbers that were found in timeslot 30 and timeslot 31. These lists are completely blacked out, except for the terms "Turkish MFA" (= Ministry of Foreign Affairs) and "Kurdish Leadership".

According to The Intercept's reporting, NSA was regularly providing its Turkish partners with the mobile phone location data of PKK leaders, but was at the same time spying on the Turkish government.

DRUMROLL was first seen in snippets from a GCHQ document published by Der Spiegel in December 2013. It gave the hits for a satellite link with case notation 1ABCT. According to the Spiegel article, this was a communication path between Belgium and Africa.

For each of the entries there are codes or numbers under TNDEntry, TNDOffice, TNDtask and TNDzip. It is not known what TND stands for, but it could be something like Target Number Database.

Among the hits are European Union Commissioner Joaquin Almunia, the French oil and gas company Total E & P, the French transport company Thales Freight and Logistics and the UN Institute for Disarmament Research. As such lists can show both tasked and de-tasked numbers, it's not clear whether these ones were still under surveillance; the N under TNDtask could stand for "Not Active":




The technical report nr. 44 from 2008 may have similar information in the lists that were redacted.

That report then continues with a small list of Technical Details of satellite link 8BBAC, in which, unlike in the first report, the Symbol Rate and the FEC Rate are not redacted. The conclusion of the report is that "this link can be tasked on the system". According to Der Spiegel this was the answer in many of the other reports too.

Finally, and also readable unlike in the first report, there is the standard disclaimer that appears under every GCHQ document. It says that this "information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation".

Apparently this time the editors from The Intercept forgot to redact GCHQ's internal (non-secure) phone number and e-mail address for such disclosure requests, which normally appear blacked out in all GCHQ documents that have been disclosed.



Classification

All three technical reports we have seen are classified SECRET STRAP 1 SPOKE. The British marking STRAP 1 means that the dissemination of the document is restricted by measures from a three-level control system codenamed STRAP. Within that system, STRAP 1 is the lowest level.

More interesting is the NSA marking SPOKE, which also denotes a control system to limit access to the document, but is rarely seen. Other British documents marked STRAP 1 often have COMINT as their American equivalent, which is the general marking used for all information related to communications intelligence that does not have to be more strictly controlled.

SPOKE is one of the codewords that NSA used in the past, but which were presumably abandoned in 1999. But from documents published as part of the Snowden-leaks we know that from these codewords at least SPOKE and UMBRA are still used.

Given what's in the known documents that have the SPOKE classification, it seems to cover technical information about targets, like their phone numbers and the communication links in which these can be found. The higher UMBRA marking is then probably used for the actual content, when this is collected outside the US under EO 12333 authority.



Links and Sources
- Wikipedia: ISDN User Part
- ZDNet.com: Invasive phone tracking: New SS7 research blows the lid off mobile security

Pictures from inside the German intelligence agency BND

(Updated: June 12, 2014)

The German foreign intelligence service Bundesnachrichtendienst (BND) is moving to a brand new headquarters in Berlin. Here we show some unique pictures from inside the former headquarters in the village of Pullach and also give an impression of what the new building looks like.

Unlike for example the United States and the United Kingdom, Germany has no separate agency for collecting Signals Intelligence (SIGINT) - this is done by the BND, and as such this agency is a 3rd Party partner of NSA since 1962 and also participates in the SIGINT Seniors Europe or 14-Eyes group.



The former Pullach headquarters

Since its formal creation in 1956, the Bundesnachrichtendienst has had its headquarters at a 68-hectare compound in Pullach, a village near Munich in the southern state of Bavaria, which was initially built as a model village for staff members of the Nazi party in the years 1936-1938. On the eastern part of the compound there are now also a number of modern office blocks:




As a farewell to this old headquarters, the German photographer Martin Schlüter was allowed to take pictures of almost every corner of the complex, but only at night, when no employees were present. His pictures are now available in a book called "Nachts schlafen die Spione" (at night the spies sleep), published by the Sieveking Verlag.

Pictures from the book were shown in the German television magazine TTT - Titel, Thesen, Temperamente, which made it possible to take the following screenshots of those that show some of the telecommunications equipment used by the BND (click the pictures to enlarge).


One picture shows a larger room which is used as an operations center with all the common stuff, like various computers, large video screens and teleconferencing equipment:




In the next picture we see a smaller operations center room with desks and a lot of computer screens:




We see that every monitor has its own keyboard and mouse, which seems not very practical. In the US, for example, military and intelligence agencies use so-called KVM switches, which allow users to work on multiple computers and/or terminals of physically separated networks with just one keyboard, video screen and mouse.


A close up of the previous picture gives a somewhat more detailed view of the equipment:




On the left there are computer screens which show content inside either a red or a blue border. This most likely indicates the classification level of the network they're connected to:
- Blue: VERSCHLUSSSACHE (which equals Confidential)
- Red: GEHEIM (Secret) or STRENG GEHEIM (Top Secret)
Content without such a border is apparently unclassified.

In the center we see two telephones: at the left a Cisco Unified IP Phone 7961 and at the right a rather common looking but yet unidentified office telephone, which can be seen in the other pictures too. The Cisco phone is for a Voice over IP (VoIP) network, where the other one is probably part of a traditional Private Branch eXchange (PBX) internal telephone system.

In these pictures we see no secure telephones, ones that are capable of encrypting calls by themselves, like the ELCRODAT 5-4, made by the German manufacturer Rohde & Schwarz. Probably BND uses network encryptors to secure the calls before they leave the internal network.


That there's also some amount of craziness can be seen in this picture of an office room, used by a BND employee who clearly is a hardcore fan of Elvis Presley:






The new Berlin headquarters

The new BND headquarters is a huge office building at the Chausseestraße in the centre of Berlin. Construction started in 2006 and the overall costs for the building and for moving the inventory of some 6000 employees are estimated at 1.3 billion euros.

The architecture expert Niklas Maak points to a striking difference between the former and the new headquarters: in the past, the enemy was known, the communists from the Warsaw Pact, it was known where they came from, and hence the intelligence agency was hidden in the Bavarian woods. Nowadays, enemies like terrorists and hackers are invisible and could be everywhere, but the BND is now as visible as it can be, almost as if to scare them off.



The new BND headquarters building in Berlin
(photo: DAPD/TAZ.de)


In the new building each employee has a desk with two computers and a telephone, as can be seen in this picture:


(photo: Franz Solms-Laubach/BZ-Berlin.de)


There are two wide-screen monitors, each one with its own keyboard and mouse connected to a computer device. Apparently the BND still doesn't want to use KVM switches.
Update:
Initially, the computer devices looked like thin clients, which just create a virtual desktop environment. All files are then stored on centralized servers, which also makes it easier to control and limit the access to sensitive and secret documents. But later, a reader recognized them as Fujitsu ESPRIMO Q910 mini PCs, which are fully equipped personal computers in a small and stylish housing. They also have USB ports, which would allow thumb drives to be connected to them.

One of the mini PCs has a red and the other one a blue sticker, which probably once again denotes the classification level of the network to which it connects:
- Blue: VERSCHLUSSSACHE (which equals Confidential)
- Red: GEHEIM (Secret) or STRENG GEHEIM (Top Secret)

The telephone on the desk is an Alcatel-Lucent 4068 IP Phone or a similar model, which is a high-end, full-featured office telephone for Voice over IP networks. Alcatel was a major French telecommunications company which merged with the American telephone manufacturer Lucent Technologies in 2006.

It seems somewhat strange for an intelligence agency to use telephones that are made by a foreign company, as for example the German company Siemens has manufactured telephony equipment for almost a century.



Links and sources
- Internal NSA presentation: Structure of the BND (pdf)
- More pictures of the Berlin headquarters: Eröffnung der BND-Zentrale
- A 2006 photobook about BND Standort Pullach
- Zeit.de: Der BND wird schlecht überwacht

Snowden would not have been able to legally "wiretap anyone"

(UPDATED February 19, 2015)

During his very first interview, former NSA contractor Edward Snowden claimed that he, sitting behind his desk, "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".

Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden, or other analysts could have done that in a legitimate way.



Targeting US citizens under FISA authority

The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:



Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(Click to enlarge)


In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.

If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.


Acquiring an individual FISA warrant

So, if Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.

For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.

Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.*



Collection under section 702 FAA

Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program, under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?

The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and easier. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.

But what many people don't realize, is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.

The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, the so-called Upstream collection.




Section 702 FAA certifications

What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.

For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, such as minimizing (masking) the names and addresses of US persons whose communications are collected incidentally. The court then issues an order that approves the certification.

Until now, we know of section 702 FAA certifications for three topics:
- Foreign Governments (FG, Certification 2008-A, including cyber threats?)
- Counter-Terrorism (CT, Certification 2008-B)
- Counter-Proliferation (CP, Certification 2009-C)

These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are always allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.
 

Addendum:

In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).

Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.

So, if Snowden indeed had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC are needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge's or a senator's e-mail", which sounds more like pulling such an e-mail from a database.

This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that already have been collected in one way or another, particularly at access points outside the US. Starting new surveillances (tasking) is done through the Unified Targeting Tool (UTT, see below).

Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:


This became known as "back-door searches". These queries might be questionable, but unlike the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data.

Clapper explained that these queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.

In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and the person is considered an agent of a foreign power.

The PCLOB report (pdf) about 702 FAA operations from July 2014 says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".

For example, the NSA has approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.


The details Snowden told the Post and the framework for "back-door" searches confirm that he wasn't authorized to target US persons, but apparently did have the authority to use US person identifiers for querying already collected PRISM data.

But contrary to what Snowden said, the NSA's Minimization Procedures from October 2011 say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333). That again makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President would make it through.

But even without prior approval, querying US persons without the intention of retrieving foreign intelligence information is illegal, which brings us to the next chapter.


Circumventing official procedures

In an interview, Glenn Greenwald was also asked about this issue and he explained that the "authority" Snowden was talking about, was not an authority in a legal sense.

According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".

So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.

In that interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, although somewhat earlier in the interview he was speaking about the whole agency that "targets the communications of everyone" and ingests, filters, analyses and stores them.


Unified Targeting Tool

Circumventing official procedures and legal authorities could be done by manipulating the targeting instructions given through the Unified Targeting Tool (UTT), which is a web-based tool that is used to start the actual collection of data.

A rogue analyst could for example assert that there is a FISA warrant when none exists, or provide a fake foreignness indicator, so that someone could be targeted under the authority of Executive Order 12333, which does not require FISA court approval.



A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the
fields that have to be filled in. We see that data about a "FAA Foreign
Governments Cert." is missing and therefore not valid to task (see below),
and also a drop-down menu with various Foreignness Factors.


Unfortunately no manual for this tool has been disclosed so far, although that would have been useful to learn more about such internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.


Targeting procedures

We have no details about the procedure for targeting US citizens, but we do know about the process for collection under the PRISM program. As PRISM is used for gathering data about foreigners, it can be considered to be less sensitive than collecting data about US persons, for which there are maybe some extra safeguards and checks. The PRISM tasking process is shown in this slide:



Slide that shows the PRISM tasking process
(Click to enlarge)


We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.

A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then the selectors are released to be "tasked" on the various collection systems.

For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are fewer restrictions, but even this is not completely at the discretion of individual analysts. At the least, every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List and other policy documents.


Incidents

Nonetheless, recently declassified NSA reports to the President's Intelligence Oversight Board (IOB) show that there have been cases in which the collection system was abused, either wilfully or accidentally. The majority of incidents, both under FISA and under EO 12333 authority, occurred because of human error.

This shows that despite the safeguards, unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected such incidents afterwards, with the selectors involved being detasked, the non-compliant data deleted and the analysts counseled.

(Edited after adding Greenwald's interpretation of Snowden's words and adding something about the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a report by The Washington Post, and added some explanation about the back-door searches)


Links and Sources
- Privacy and Civil Liberties Oversight Board: Section 702 Program Report (pdf)
- Stanford Law Review: Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?
- The Guardian: The top secret rules that allow NSA to use US data without a warrant
- EmptyWheel.net: Postings about section 702 FAA
- Robert S. Litt, ODNI General Counsel: An Overview of Intelligence Collection
- Related documents:
  - President Policy Direction (PPD) 28 Section 4 Procedures (pdf) (2015)
  - Foreign Intelligence Surveillance Act - Summary Document (2008)

NSA and GCHQ stealing SIM card keys: a few things you should know

(Updated: February 27, 2015)

Last Thursday, February 19, the website The Intercept broke a big story about how NSA and GCHQ hacked the security company Gemalto in order to acquire large numbers of keys used in the SIM cards of mobile phones.

The story has quite some background information about how these keys are used and how NSA and GCHQ conducted this operation. But as we have often seen with revelations based upon the Snowden documents, media once again came up with headlines like "Sim card database hack gave US and UK spies access to billions of cellphones", which is so exaggerated that it is almost a scandal in itself.

Instead, analysing The Intercept's article and the original documents leads to the conclusion that the goals of this operation were most likely limited to tactical military operations - something that was completely ignored in most press reports. Also there is no evidence that Gemalto was more involved in this than other SIM card suppliers.



To what extent was Gemalto involved?

According to The Intercept, NSA and GCHQ planned to hack several large SIM card manufacturers, but in the documents we find only one for which this was apparently successful: Gemalto. Other documents merely show that GCHQ wanted to "investigate Gemalto", "for access to Gemalto employees" and "to get presence for when they would be needed".

An internal GCHQ wiki page from May 2011 lists Gemalto facilities in more than a dozen countries, like Germany, Mexico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore, but again without explicitly saying whether or not these were successfully hacked.

One report and a few slides from a presentation that was not fully disclosed mention large numbers of SIM card keys that had been collected, but this is not specifically linked to Gemalto. Although Gemalto is the largest manufacturer, it seems likely these data were also collected from other companies, like Bluefish, Giesecke & Devrient, Oberthur, Oasis, Infineon, STMicroelectronics, and Morpho.

Therefore, we actually don't know to what extent NSA and GCHQ used the access they apparently had to Gemalto's network, and it is definitely not correct to say that all 2 billion SIM cards that Gemalto produces every year were compromised by this hack.

And given the fact that other SIM card suppliers were targeted and/or hacked too, one wonders why The Intercept didn't leave out the name of Gemalto. Now its competitors profit from not being named, while Gemalto shares already took a huge drop on the stock market.

Update:
On February 25, Gemalto issued a press release presenting the results of its investigation into the alleged hack. Gemalto concluded that NSA and GCHQ probably "only breached its office networks and could not have resulted in a massive theft of SIM encryption keys". The report also says Gemalto never sold SIM cards to four of the twelve operators listed in the GCHQ documents, in particular the Somali carrier, and that in 2010-2011 most operators in the targeted countries were using the vulnerable 2G networks, mostly with prepaid cards which have a very short life cycle, typically between 3 and 6 months.

The Netherlands

Gemalto is a digital security company providing software applications, secure smart cards and tokens, and is also the world's biggest manufacturer of SIM cards. It's essentially a French company, but it has some 12,000 employees in 44 countries all over the world.

The Gemalto headquarters are officially in Amsterdam in the Netherlands, which led Dutch media to claim that "NSA hacked a company in the Netherlands". This was rather premature, since the two Dutch locations of Gemalto seem not to be likely targets in this case.

The Amsterdam headquarters is very small, consisting of only some 30 people. The reason they are in Amsterdam is apparently mainly because the Dutch capital was already the seat of Axalto, one of Gemalto's predecessors, and because the company wanted access to the Amsterdam stock exchange.

Unnoticed by Dutch national media is the fact that Gemalto also has a plant in the city of Breda, where, according to an unrelated press report from last year, (only) bank cards are personalised. This plant also has a customer service team, but strangely enough Breda isn't in the list of locations on Gemalto's website.



The plant of Gemalto in the southern Dutch city Breda
(photo: Tom van der Put/MaRicMedia)


Also interesting is that last month, Gemalto acquired the US manufacturer of security products SafeNet. This company, founded in the late 1980s by former NSA officials, not only makes encryption devices used by commercial companies and banks all over the world, but also the KIV-7 link encryptor, which is used by the US Army, as well as the Enhanced Crypto Card (KSV-21), which provides the encryption functions for the US government's STE secure telephone.



How does the SIM card key work?

SIM cards, produced by companies like Gemalto, have a microchip which among other data includes a unique 128 bit Authentication Key, also known as "Ki". A copy of this key is given to the phone provider, so when a phone call is made, this key number can be used to make sure the handset connects to a valid provider, and the provider knows it connects to a handset that belongs to a known customer.

The Intercept's report suggests that this Ki number is also used as the encryption key to protect the subsequent communications, but in reality this is a bit more complex. Here's how it works for 3rd Generation (UMTS) networks:

1. After a handset connects to the base station, the latter sends the handset a 128 bit random number, a 48 bit sequence number and an authentication token.

2. The chip in the SIM card combines the Ki number with the random number and the sequence number to also calculate an authentication token and a response number, which are used to authenticate the network and the handset, respectively.

3. By combining the Ki number with the random number, the SIM card chip also calculates the:
   - 128 bit Confidentiality Key (CK) for encrypting messages
   - 128 bit Integrity Key (IK) for checking the integrity of messages

4. The actual (voice) data are then encrypted through the f8 algorithm (which is based upon the KASUMI block cipher) using the Confidentiality Key.

5. For additional security, both the Confidentiality Key and the Integrity Key have a limited lifetime. The expiration time is variable and sent to the handset after establishing a connection.

Although for the actual encryption key CK, the Ki number from the SIM card is mixed with a random number, this provides no extra security: the base station sends this random number to the handset over the air unencrypted, so it can be intercepted easily by anyone.

Eavesdroppers would therefore only need the SIM card Ki to recreate the encryption key and use that to decrypt the conversation (see also this US Patent for a "Method of lawful interception for UMTS").
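As an added illustration, not code from the original article and not a real USIM implementation, here is a model of the UMTS AKA exchange described above in Python. It uses HMAC-SHA256 keyed with Ki as a constructed stand-in for the 3GPP f1-f5 functions (real USIMs use the AES-based MILENAGE set), so the values are not interoperable with a real network, but the structure is the one the steps above describe: RAND and AUTN travel over the air in clear, the USIM authenticates the network through the MAC and the sequence number, and CK and IK are a deterministic function of Ki and RAND only. The `demo()` function checks that a party holding a subscriber's Ki plus the captured RAND reproduces CK without any further interaction, that a different Ki does not, and that a replayed challenge is rejected by the sequence-number check. The IMSI and Ki values are constructed for the example.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(tag: bytes, ki: bytes, *parts: bytes) -> bytes:
    # CONSTRUCTED stand-in for the 3GPP f1..f5 functions. Real USIMs use
    # MILENAGE (AES based); HMAC-SHA256 keyed with Ki keeps the property that
    # matters here: each output is a deterministic function of Ki and the
    # values the network sends over the air.
    return hmac.new(ki, tag + b"".join(parts), hashlib.sha256).digest()


def f1_mac(ki, rand, sqn, amf):
    return _prf(b"f1", ki, rand, sqn, amf)[:8]   # 64-bit MAC-A, authenticates the network


def f2_res(ki, rand):
    return _prf(b"f2", ki, rand)[:8]             # RES / XRES, authenticates the handset


def f3_ck(ki, rand):
    return _prf(b"f3", ki, rand)[:16]            # 128-bit Confidentiality Key


def f4_ik(ki, rand):
    return _prf(b"f4", ki, rand)[:16]            # 128-bit Integrity Key


def f5_ak(ki, rand):
    return _prf(b"f5", ki, rand)[:6]             # 48-bit Anonymity Key, hides SQN


class HomeNetwork:
    """The provider: holds a copy of every subscriber's Ki and a per-subscriber SQN."""

    def __init__(self, subscribers: dict):
        self.ki = dict(subscribers)
        self.sqn = {imsi: 0 for imsi in subscribers}

    def authentication_vector(self, imsi: str):
        ki = self.ki[imsi]
        self.sqn[imsi] += 1
        sqn = self.sqn[imsi].to_bytes(6, "big")  # 48-bit sequence number
        amf = b"\x80\x00"                         # authentication management field
        rand = secrets.token_bytes(16)            # 128-bit challenge
        autn = xor(sqn, f5_ak(ki, rand)) + amf + f1_mac(ki, rand, sqn, amf)
        return rand, autn, f2_res(ki, rand), f3_ck(ki, rand), f4_ik(ki, rand)


class Usim:
    """The SIM card: holds Ki and the highest sequence number accepted so far."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn_high = 0

    def authenticate(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f5_ak(self.ki, rand))
        if not hmac.compare_digest(mac, f1_mac(self.ki, rand, sqn, amf)):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.sqn_high:
            raise ValueError("synchronisation failure: replayed challenge")
        self.sqn_high = int.from_bytes(sqn, "big")
        return f2_res(self.ki, rand), f3_ck(self.ki, rand), f4_ik(self.ki, rand)


def run_exchange(network: HomeNetwork, usim: Usim, imsi: str) -> dict:
    """One AKA run; RAND and AUTN are what a radio eavesdropper can capture."""
    rand, autn, xres, ck_net, ik_net = network.authentication_vector(imsi)
    res, ck_sim, ik_sim = usim.authenticate(rand, autn)
    if not hmac.compare_digest(res, xres):
        raise ValueError("handset not authenticated")
    return {"over_the_air": (rand, autn), "ck": ck_net, "ck_sim": ck_sim,
            "ik": ik_net, "ik_sim": ik_sim}


def ck_from_ki_and_rand(ki: bytes, captured_rand: bytes) -> bytes:
    # CK depends on nothing secret except Ki: RAND was sent in clear.
    return f3_ck(ki, captured_rand)


def demo() -> dict:
    ki = secrets.token_bytes(16)      # constructed subscriber key
    imsi = "001010123456789"          # constructed test IMSI
    network, usim = HomeNetwork({imsi: ki}), Usim(ki)
    run = run_exchange(network, usim, imsi)
    rand, autn = run["over_the_air"]
    try:
        usim.authenticate(rand, autn)  # replaying the captured challenge
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "keys_agree": run["ck"] == run["ck_sim"] and run["ik"] == run["ik_sim"],
        "ki_holder_recovers_ck": ck_from_ki_and_rand(ki, rand) == run["ck"],
        "other_ki_fails": ck_from_ki_and_rand(secrets.token_bytes(16), rand) != run["ck"],
        "replay_rejected": replay_rejected,
    }
```

The point for a defender is visible in `ck_from_ki_and_rand`: the random challenge gives freshness (the replay is rejected) but no secrecy, so the confidentiality of the radio path rests entirely on Ki staying inside the card and the provider's authentication centre. That is why the protection of the key files exchanged between SIM suppliers and operators matters as much as the cipher itself.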



Why were these SIM card keys collected?

The press reports, speaking in general terms of "unfettered access to billions of cellphones around the globe", suggest that everyone's mobile phone could now be at risk of being intercepted by NSA or GCHQ.

One important thing they forgot is that one only needs to steal SIM card keys when trying to intercept mobile phone traffic as it travels by radio between the handset and the cell tower. Only that path is encrypted.

Once the communications arrive at the provider's network, they are decrypted and sent over telephone backbone networks to the cell tower near the receiving end as plain text. It's then encrypted again for the radio transmission between the cell tower and the receiving handset.





As we know from previous Snowden-leaks, NSA and GCHQ have vast capabilities of filtering fiber-optic backbone cables that are likely to contain communications that are of interest for military or foreign intelligence purposes. The big advantage here is that on those backbone cables there's no encryption (although people can use end-to-end encryption methods themselves).

Therefore, the SIM card keys are only needed when NSA and GCHQ want to listen in or read traffic that is or has been intercepted from the wireless transmission between a handset and a cell tower. This narrows down the field where these keys can be useful substantially.


Tactical military operations

Intercepting the radio signal of mobile phones needs to be done from rather close proximity. To do this, the NSA uses StingRay and DRT devices, which are highly sophisticated boxes that in a passive mode are capable of detecting and intercepting the radio transmissions of multiple cell phones. In an active mode they can mimic a cell tower in order to catch individual phone calls and as such they are better known as IMSI-catchers.

These devices are widely used by the NSA and the US military in tactical ground operations, like in Afghanistan and previously in Iraq, as well as in other crisis regions. StingRays and DRT boxes can be used as a manpack, in military vehicles, but also aboard small signals intelligence aircraft like the C-12 Huron. Surveillance drones also have similar capabilities.




A Prophet Spiral Humvee which uses DRT devices
for collecting radio and cell phone signals


This military, or at least anti-terrorism purpose is confirmed by a disclosed slide which shows that Kis for mobile networks from Somalia, Kuwait, Saudi Arabia, Afghanistan, Iran and Bahrain were found among collected data.

A GCHQ report that was also published as part of The Intercept's story says that key files from "Somali providers are not on GCHQ's list of interest, [...] however this was usefully shared with NSA", which clearly shows that both agencies were looking for keys from specific countries.

The report also says that during a three month trial in the first quarter of 2010, significant numbers of Kis were found for cell phone providers from Serbia, Iceland, India, Afghanistan, Yemen, Iran, Tajikistan and Somalia, which is shown in this chart:



According to the report, this chart reflects "a steady rate of activity from several networks of interest", which again indicates that GCHQ is specifically looking for keys for countries where the US and the UK are involved in military operations.

The same report says that Iceland appearing in this list was unexpected, but Dutch newspapers guessed this could be explained by the fact that in 2010, Julian Assange and other people related to WikiLeaks were staying there.

One also wonders why The Intercept didn't trace the companies that in 2010 and 2011 provided the SIM cards to the countries mentioned in the GCHQ report. The fact that SIM keys for those countries were collected seems a strong indication that the security of those suppliers was weak.


Eavesdropping in foreign capitals

Remarkably, the use of SIM card keys for tactical military operations is completely ignored by The Intercept, even though this is probably the main purpose (which was also expressed by at least two security experts). The Intercept does however claim that such keys would be useful to eavesdrop on mobile phone traffic somewhere else:

The joint NSA/CIA Special Collection Service (SCS) has eavesdropping installations in many US embassies, and because these are often situated in the city center and therefore near a parliament or government agencies, they could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials.

With the current UMTS (3G) and LTE (4G) mobile networks using encryption that is much harder to crack than that of the older GSM network, having the SIM card keys would make it easy to decrypt already collected mobile communications, as well as listening in to them in real-time.



A 16 port IMSI catcher from the Chinese manufacturer Ejoin Technology


As easy as it may be to decrypt conversations when having the key, the more difficult it seems to get hold of keys that are useful for this purpose. SIM cards are shipped in large batches of up to several hundred thousand cards and while it is known to which provider in which country they go, one cannot predict in whose phone the individual cards will eventually end up.

So when NSA and GCHQ are stealing large numbers of keys, they have to wait for some of them ending up with people that are on their target lists - which really seems a very small chance. This method is also useless against people using an old SIM card, which could be the case for German chancellor Merkel, who has a phone number that was already used in 1999. For this kind of target it would be much more efficient to hack or tap into local telephone switches.

The way to make it work would be to "collect them all" and create a database of keys that will eventually cover every newly assigned phone number. But in one of the documents, GCHQ notes that large SIM suppliers increasingly use strong encryption for their key files, which will make it hard to achieve such a full coverage.

This is another reason why stealing SIM card keys is most likely focussed on war zones: over there, very large amounts of phone calls and metadata are collected, which, given the large number of suspects and targets over there too, gives much better chances of finding keys that are actually useful. But still, stealing these keys doesn't look like a very efficient method.



Could these hacking operations be justified?

This brings us to the question of how justified this method of stealing SIM card keys could be. The fact that NSA and GCHQ are hacking commercial telecommunication and security companies is seen as one of the biggest scandals that have been revealed during the Snowden-revelations.

It's not only because of breaking into their networks, but also because for this, the communications of specific employees like system administrators are intercepted to acquire the usernames and passwords for their Facebook accounts, despite the fact that they themselves aren't a threat to the US or the UK.

They are targeted not as an end, but as a means to get access to the communications of other targets elsewhere. These ultimate targets could maybe justify these means, but without knowing what the actual goals are, it's difficult to come to a final judgement.

Although this kind of hacking affects innocent civilians, it's still very focussed. According to The Intercept, "In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization" - which is a rather small number given that Gemalto alone has some 12,000 employees.

Targeting companies and organizations like Swift, Belgacom and Gemalto should not have come as a complete surprise. Nowadays internet and telecommunication providers have become of similar interest for national security as military contractors and top technological research institutions have always been.

This is also reflected by the last of the 16 Topical Missions in the NSA's Strategic Mission List from 2007:

"Global Signals Cognizance: The core communications infrastructure and global network information needed to achieve and maintain baseline knowledge.
Capture knowledge of location, characterization, use, and status of military and civil communications infrastructure, including command, control, communications and computer networks: intelligence, surveillance, reconnaissance and targeting systems; and associated structures incidental to pursuing Strategic Mission List priorities.
Focus of mission is creating knowledge databases that enable SIGINT efforts against future unanticipated threats and allow continuity on economy of force targets not currently included on the Strategic Mission List."



Links and Sources
- Motherboard.vice.com: Did the NSA Hack Other Sim Card Makers, Too?
- NRC.nl: Simkaartsleutels vooral van belang bij afluisteren in Midden-Oosten
- Tweakers.net: Gemalto: geen sim-sleutels buitgemaakt bij aanval geheime diensten
- Reuters.com: Hack gave U.S. and British spies access to billions of phones: Intercept
- Crypto.com: How Law Enforcement Tracks Cellular Phones
- Presentation about Network Security: GSM and 3G Security (pdf)
- Matthew Green: On cellular encryption
- GCHQ's aspirations for mobile phone interception: 4 slides + 2 slides
- This article appeared also on the weblog of Matthew Aid
