BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

Today, the Dutch newspaper NRC Handelsblad finally published the complete BOUNDLESSINFORMANT screenshot that shows data related to the Netherlands.

This came after a surprising revelation by the Dutch government that the 1,8 million metadata shown in that screenshot were not from Dutch citizens and intercepted by NSA, but actually from a legitimate collection against foreign targets by the Dutch military intelligence agency MIVD which was passed on to the Americans.

Here, I will analyse the chart and compare it with similar charts about various other countries that were published earlier. More about the background, which caused some severe political problems for the Dutch interior minister, can be read here!




The first thing that catches the eye is that the screenshot is shown here on paper, together with another sheet with an orange bar bearing a classification marking and a cardboard folder. The sheets look like as if they became wet and also show some white paint brush-like stains (all previous screenshots were published as digital files).

Probably these effects were photoshopped by the paper to make it look extra special. For example, the classification marking on the second sheet seems fake, as it reads: TOPSECRET//S//NOFORN, where in reality Top Secret are two separate words and the compartment for this kind of information is not S, but SI for Special Intelligence.

That said, we now take a look at the information in the screenshot itself. In the upper part there's the bar chart which was already published back in August 2013 by Der Spiegel. The green bars show that only DNR (Dialed Number Recognition, which is telephony) metadata were collected. In the lower part, which was published for the first time today, there are three sections with some details about this collection:



Signal Profile

This section has a pie chart which can show various types of communication. In this case, all metadata were collected from PSTN, which stands for Public Switched Telephone Network. This is the traditional telephone infrastructure, consisting of telephone lines, (undersea) fiber optic cables, microwave transmission links, cellular networks, and communications satellites, all interconnected by switching centers.

In this case, MIVD collected the metadata from PSTN traffic using their satellite station near Burum, which is operated by the signals intelligence unit NSO. This station is conveniently situated next to a big commercial ground station operated by Stratos Global, which provides access to Inmarsat, and Castor, providing access to Intelsat, Eutelsat, Gazprom, RSCC, SES (Astra), Telesat, and Arabsat satellites.

Whereas nowadays almost all intercontinental communications pass undersea fiber optic cables, some less-developed countries like Afghanistan, Sudan, Somalia, Cuba and North-Korea, and remote regions in Russia, China and Africa apparently still use Intelsat satellite links for their international telecommunications. A number of these countries are also linked to Intersputnik satellites.

An example given by the NRC newspaper is that of calls made by Somali people from call shops in a Dutch city like Rotterdam to the Somali capital Mogadishu. If these calls travel through satellite links, the MIVD is able to collect their metadata. The agency only gathers communications that are related to terrorism and those that are necessary to support international military operations.




According to a reply from the Dutch government, the 1,8 million metadata were collected by the MIVD from phonecalls, including some sms and fax messages, that "originated and/or terminated" in foreign countries. After all communication data with a Dutch phone number were filtered out, the remaining data were "shared with partner agencies".

This means, these data weren't just shared with NSA on a bilateral basis, but also in multinational military intelligence sharing groups like the 9-Eyes and the 14-Eyes, which is actually called SIGINT Seniors Europe. Both groups consist of the Five Eyes plus a number of 3rd Party nations.


Most Volume

In the screenshot we can see that the metadata records were collected through a facility designated by the SIGAD US-985Y.

According to NRC, Dutch government sources say that this SIGAD does not designate a single facility, but rather "metadata collected by MIVD that are shared with NSA".

This means that these data could be derived from multiple collection platforms and not just from the satellite intercept station near Burum, although the Dutch government said that in this case the 1,8 million metadata were collected through satellite interception. Besides Burum, the Dutch SIGINT unit NSO also has a high-frequency radio intercept station near Eibergen and some mobile signals intelligence units which can be deployed during foreign operations.

US-985Y is from the same range as US-985D, which is the SIGAD in the screenshot about the collection of metadata related to France, and also near the range of US-987 SIGADs which are used for collection by Spanish, Norwegian, German and Italian agencies. Interestingly, it was Der Spiegel noticing already in August 2013, that SIGADs like the US-987 series were among those assigned by NSA to the SIGINT activities of 3rd Party partner agencies.

If the Dutch interpretation is correct, we have to assume that also the SIGADs for other countries do not designate a particular physical interception facility, but rather a foreign agency as the single source of shared data, with divisions not according to collection facilities, but according to data types like metadata, content, phone and internet. This makes some sense, as it's not up to NSA to assign designations to individual foreign collection platforms.




Top 5 Techs

This section of the screenshot mentions the technical systems or programs used to collect or process the data. Here, only a single system was used, called CERF CALL.

Sources contacted by NRC say this stands for "Contact Event Record Call", which refers in a more technical way to (telephony) metadata. "Contact" and "event" are terms which are also seen in other NSA documents related to metadata, so that seems to make sense.

It was strange that there was no word for the letter F, but some research revealed that the F most likely stands for Format. In several jobvacancies CERF can be seen as listed among a number of other NSA data formats like CSDF and ASDF. We can assume now that CERF = Contact Event Record Format.

The same tech was also in the BOUNDLESSINFORMANT screenshot about Germany, where CERF CALL MOSES1 was the fourth biggest one. Maybe CERF is used for collected metadata in general and CALL specifies that for telephony metadata (although in NSA-speak, telephony is always designated as DNR). An additional codeword like MOSES1 could then be used to further specify these data sets.

Seeing CERF in the Dutch chart came somewhat as a surprise, because in almost all screenshots that followed the German one (France, Spain, Italy, Norway and a chart about Afghanistan) we saw DRTBOX, which is a technique used for handling metadata derived from mobile communication systems (PCS).

DRTBOX refers to surveillance devices made by DRT, which are used to locally intercept radio and cell phone communications, and are widely used in war zones like Afghanistan. This also provides a very strong indication that the metadata for those other countries were collected during or in support of military operations abroad.




We should also be aware of the possibility that the BOUNDLESSINFORMANT screenshot doesn't show everything that the Dutch agency MIVD shares with NSA, as in this one there are only telephony metadata. This is the lesson that was learned from the screenshot about Afghanistan, which was published by Glenn Greenwald in a Norwegian paper last November.
That chart also shows just telephony metadata from one single source, but communications from Afghanistan are of course intercepted by numerous collection facilities. This means that such a document bearing the name of a particular country doesn't necessarily contains everything what's collected from or by that nation.
This problem arises from the fact that these screenshots are published without their original context, so we don't know which selections in the BOUNDLESSINFORMANT interface were made prior to resulting in the output we see in these charts. Unfortunately, Glenn Greenwald isn't able or willing to answer these kind of questions.

(This article was updated with more details about the Burum satellite station and an explanation for the CERF abbreviation)


> More about the background: Dutch government tried to hide the truth about metadata collection


Links and Sources
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie