December 24, 2013

The British classification marking STRAP

(Updated: November 26, 2014)

Most of the documents leaked by Edward Snowden are from the American signals intelligence agency NSA, but there are also quite a number from their British counterpart GCHQ. Documents from both countries are classified as TOP SECRET and often have additional markings to further restrict their dissemination.

Where on American documents we see markings like COMINT (Communications Intelligence) and NOFORN (No Foreign Nationals), the British have the mysterious term STRAP followed by a number.

Information about American classification and dissemination markings can rather easily be found on the internet (see also The US classification system on this weblog), but there are hardly any details about the British classification system.

But luckily, there's one source available which describes STRAP and other British classification practices in detail: the extensive Defence Manual of Security from 2001. Chapter 17 (pages 1131-1135) of Volume 1 gives an overview of the STRAP Security Guidelines.



Compartmentalization

In the manual, STRAP is described as a set of nationally agreed principles and procedures to enhance the "need-to-know" protection of sensitive intelligence (and related operational information) produced by the British intelligence agencies, including military sources.

It adds additional procedures to the standard security measures employed for intelligence matters. STRAP is therefore comparable to the American system of protecting the most sensitive information by control systems with separate compartments, which are generally designated by codewords.

Although on some websites it's suggested that STRAP might stand for "STRategic Action Plan", the Defence Manual clearly states that STRAP is a codeword, not an acronym. The STRAP codeword itself is not classified.

Some intelligence information handled within the STRAP System requires more stringent protection than other information. To ensure this, there are three levels of STRAP protection. These levels are designated, in ascending order of sensitivity and, hence, access control: STRAP 1, STRAP 2 and STRAP 3.



Examples of STRAP documents

An example of a document from the least sensitive category, marked STRAP 1, is a slide from a PowerPoint presentation about the BULLRUN program aimed at breaking encryption methods used on the internet:




Information that is somewhat more sensitive is marked STRAP 2, like this presentation slide about operation SOCIALIST, which infiltrated the network of the Belgian telecommunications provider Belgacom:




From the category of most sensitive documents, marked STRAP 3, there are no actual examples available. STRAP 3 for example protects the precise locations where these interceptions take place. The real names of the telecommunication companies that cooperate with GCHQ are classified one level below this, at STRAP 2.

As several of these real names have been published, Snowden must somehow have gotten access even to STRAP 3 documents. Probably because they are so sensitive, Greenwald and the papers may have decided not to publish them, but only to use some of the information they contain.



STRAP protection measures

The STRAP system is designed to protect information against threats that are specific to sensitive intelligence. A principal threat is a target becoming aware of an intelligence attack against him, so that he can initiate countermeasures. Therefore, the STRAP system aims to minimise the risk of leakage of sensitive intelligence operations and products into the public domain - whether by accidental exposure or deliberate intent. This is done through the following measures:

- Restricting access to sensitive intelligence material on a strict "need-to-know" basis;
- Agreeing the appropriate facilities for its protection in transit ("STRAP Channels"), use, storage and disposal;
- Providing explicit briefings and guidance for individuals who handle this type of material.

Information that requires protection under the STRAP system has to be clearly defined and labelled with the appropriate STRAP level marking. It has to be carried by authorized couriers during transit, and signed receipts have to be obtained at all stages of handover.

Within the British Ministry of Defence, the implementation of the approved STRAP security measures is overseen by individually appointed STRAP Security Officers (STRAPSOs). The overall responsibility for the review and formulation of STRAP policy and guidelines is with the STRAP Management Board.



December 15, 2013

14-Eyes are 3rd Party partners forming the SIGINT Seniors Europe

(Updated: April 16, 2014)

On December 11, the Swedish public television channel SVT published a range of new NSA documents from the Snowden collection. One is a text which for the first time proves that intelligence agencies of nine European countries are 3rd Party partners of NSA.

These countries are: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. Earlier, these nations were identified as forming the 14-Eyes group, for which we now also have a real name: SIGINT Seniors Europe or SSEUR.





Unfortunately only this very small excerpt was published, so we don't know what the rest of the document is about. But as small as it is, it reveals some interesting new things, which will be explained in this article:
- The 3rd Party status of a number of European countries
- The existence of a group called SIGINT Seniors Europe
- More clarity about the mysterious 14-Eyes
- An update with additional historical background



3rd Party countries

This is probably the first time that an official NSA document is published in which several 3rd Party countries are named. Until now, we only had documents proving this status for a few separate countries, and we had a range of countries that were suggested to be 3rd Party partners by intelligence experts.

Of the countries mentioned in the fragment published by Swedish television, only France, Germany, Norway, Italy, Belgium and probably Spain were thought to be 3rd Party partners. Sweden, Denmark and especially the Netherlands were not listed as such, so with this new disclosure, we now know for sure that the intelligence agencies of all these nations have 3rd Party status.

Being a 3rd Party means that there's a formal bilateral agreement between NSA and a foreign (signals) intelligence agency. Probably the main thing that distinguishes this from other, less formal ways of cooperating is that among 3rd Party partners there's also exchange of raw data, and not just of finished intelligence reports or other kinds of support. Also, both parties have a Special Liaison Officer (SLO) assigned at each other's agency.

It's not quite clear what the initial 3rd Party agreements are called, but we know that later on specific points are often laid down in a Memorandum of Understanding (MoU). An example is the Memorandum of Understanding between NSA and the Israeli signals intelligence unit, which was published by The Guardian on September 11, 2013.



SIGINT Seniors Europe

As the newly published fragment starts with an asterisk, it seems to be a footnote in a document about intelligence training, explaining which countries are "SSEUR members": the Five Eyes (United States, Great Britain, Canada, Australia and New Zealand) and nine other European countries: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden.

The abbreviation SSEUR is seen here for the first time, and luckily Swedish television also published another document which says that SSEUR stands for SIGINT Seniors Europe (SIGINT is an acronym for Signals Intelligence):



Fragment of an NSA document mentioning SIGINT Seniors Europe (SSEUR)
(Names whited out are replaced by black bars for better readability)


Apart from this, we have no further information about the SIGINT Seniors Europe. But there's an explanation, provided to this weblog by our French counterpart Zone d'Intérêt, which probably comes very close to what this group could be:

The term "SIGINT Senior" may designate the highest ranking SIGINT officer of a foreign (signals) intelligence agency, rather than a country as a whole. For example, in France, the Directeur Technique (DT) inside the foreign intelligence agency DGSE is called "le Senior SIGINT" exactly.

Intelligence agencies aren't organized the same way in each country. Some countries have intelligence agencies inside police forces, military intelligence in the field, defense agencies which collect both for military operations and counterterrorism, etc. Also the laws aren't the same in every country.

Therefore, it's obviously more convenient to have one single point of contact in each country, to discuss SIGINT-related issues, or even for actually passing signals intelligence, with maybe some pre-processing already done, instead of having to do this with different people from different agencies and units in each country.


This explanation fits the fact that the document mentions SSEUR together with the NATO Advisory Committee on Special Intelligence (NACSI), which is also a platform for discussing SIGINT-related issues.

Of the nine European countries of SSEUR, only Sweden is not a member of NATO, but as mentioned earlier, Sweden often cooperates with NATO countries. More interesting is that Belgium is part of this group too. Belgium is a small country and reportedly has hardly any SIGINT capabilities. That is to say: domestically, but maybe there's some more substantial SIGINT collection by Belgian troops participating in military operations abroad.

With SSEUR containing European 3rd Party partners, it's quite possible that there are also similar groups of partner agencies in other parts of the world, with the East-Asian/Pacific Rim region being the most likely.




The 14-Eyes

The SIGINT Seniors Europe comprises 14 countries, and when we look at their names, we see that they are identical to the nations which The Guardian in November said form a group called 14-Eyes.

As this latter group had also never been heard of before, we looked for some possible explanations in an article on this weblog last month. But by then we didn't know exactly and for sure which countries were 3rd Party partners, so it was hard to get things clarified.

Now that we know that all nine European countries, including Sweden, Denmark and The Netherlands, have 3rd Party status, it's clear that our option "A" came closest: 14-Eyes stands for a number of 3rd Party countries who have something in common - likely having a 'SIGINT Senior' officer as single point of contact for NSA and the Five Eyes.

As explained in our earlier article, an 'Eyes' designation is most often used as a handling instruction for restricting dissemination of sensitive information among a certain group of countries. In this case, 14-Eyes apparently serves as dissemination marking for information authorized for release to the 14 members of the SIGINT Seniors Europe group.
 

UPDATE:

An article from 2001 about the history of Dutch signals intelligence clarifies that SIGINT Senior Meetings (SSMs) are attended by the heads of agencies responsible for signals intelligence, like NSA, GCHQ, the German BND, the French DGSE, the Italian SISMI, and the military intelligence services of Norway, Denmark, Belgium and other countries.

The SIGINT Senior Meetings coordinate the military intelligence needs of the participating countries, resulting in the actual exchange of data and information through the Signals Intelligence Data System (SIGDASYS). Originally this was some kind of computer system that acted as a back-up in case one of the countries lost its own SIGINT capacity.

Later, SIGDASYS became a database in which all participating nations poured military SIGINT and other information, and, on a quid pro quo basis, could get out the intelligence they needed themselves. In this way, SIGDASYS decreased the overlap in data collection and played an important role during the 1990-1991 Gulf War. The system is managed by the multinational SIGDASYS Committee which reports to the SIGINT Seniors meeting.

The article says that for the Netherlands, it was the head of the former military intelligence agency MID (1988-2002) who participated in the SIGINT Seniors meetings, often accompanied by the director of TIVC, a unit which processed Dutch signals intelligence.

On Twitter, a Dutch journalist working on the Snowden papers added that initially it was the head of the former Dutch navy intelligence agency MARID who attended the SIGINT Seniors meetings and nowadays it's a senior official of the Military Intelligence and Security Agency MIVD. He also said that membership of this 14-Eyes group is not fixed and can change over time.

According to the book 'The NSA Complex', which was published by Der Spiegel in March 2014, the Sigint Seniors Europe (SSEUR) group was established in 1982 for more efficiently monitoring the Soviet Union.*


Conclusion

All this makes clear that 14-Eyes is the designator for information that is restricted to the 14 nations participating in a group called SIGINT Seniors Europe (SSEUR), which has apparently existed for some 30 years. SSEUR meetings are attended by the heads or senior officials of the signals intelligence agencies of the 14 countries, who coordinate the sharing of military intelligence. The actual data and information exchange takes place through a regional database of the Signals Intelligence Data System (SIGDASYS).



Links and Sources
- Cees Wiebes, "Dutch Sigint during the Cold War, 1945-94", in: Matthew M. Aid & Cees Wiebes, "Secrets of Signals Intelligence during the Cold War and Beyond", London, 2001, p. 276-277.
- DeCorrespondent.nl: Over Five Eyes en Third Parties - Met wie werkt de NSA samen (2013)
- SVT.se: Läs dokumenten om Sverige från Edward Snowden (2013)
- Heise.de: Paper 1: Echelon and its role in COMINT (2001)

December 8, 2013

The BOUNDLESSINFORMANT interface

(Updated: January 3, 2014)

A previous article on this website showed that the charts in the NSA's BOUNDLESSINFORMANT tool are not as easy to interpret as they may seem. Screenshots from this tool were published by a number of European newspapers claiming that they prove that NSA is intercepting phone calls from these countries. This article will show and examine a new image which literally provides context to these screenshots.


In a lesser-known follow-up article from November 4 on the website of the Spanish paper El Mundo there are four slides from a PowerPoint presentation about BOUNDLESSINFORMANT. Three of the slides were published earlier, but the fourth one was never shown before. This new slide shows a screenshot of an Internet Explorer browser window with the BOUNDLESSINFORMANT tool in it:




For the first time, this screenshot reveals what the actual BOUNDLESSINFORMANT interface looks like. It shows that the bar charts and the details below it, as published by the newspapers, appear in a pop-up window above the world map of the global overview.


The global overview window

The presentation slide shows that the main screen of this tool is the global overview, which was initially published by The Guardian in June and later by some other media too. Here's a high resolution version of this screen (click for a bigger version):




On the left side we see the overall numbers for DNI (internet), DNR (telephony), SIGADs, Case Notations and Processing Systems for the last 30 days. This time period can be changed, probably by using the slide button underneath this list, next to the dark grey box. It seems that 30 days is its maximum. In the slide screenshot this time period is 7 days, which can be seen in the pop-up window and explains the smaller numbers in the list at the left side of the map.

The lower part of the screen shows a Top 5 of countries and their total numbers of DNI and DNR records. These total amounts of data can be sorted in three different ways: Aggregate, DNI and DNR, which can be selected with the radio buttons above the map. Each option results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map. These three versions were published by the Indian paper The Hindu last September.

Next to these radio buttons is a search box with a button named "Country View", which is maybe for entering a country name. Finally, there are two buttons in the upper right corner to switch between the two main viewing modes of this tool:

- The Map View, which "allows users to select a country on a map and view the metadata volume and select details about the collection against that country".

- The Org View, which "allows users to view high level metrics by organization [NSA divisions] and then drill down to a more actionable level - down to the program and cover term".

According to a Frequently Asked Questions (FAQ) paper for BOUNDLESSINFORMANT from June 2012, this tool can graphically display information about collected metadata in a map view, bar chart and simple table. The map view can be seen in the main window with the global overview, and the bar charts appear in a pop-up window. What the simple table view looks like is not known.


The Map View pop-up window

In the Map View, users can click on a country from the world map and then a pop-up window appears. According to the BOUNDLESSINFORMANT FAQ paper this window shows "the collection posture (record counts, type of collection, and contributing SIGADS or sites) against that particular country in addition to providing a graphical display of record count trends". These elements are in the screenshot of this window:



Unfortunately the resolution of the slide is too low to make everything readable, but still we can see that in this screen there's a lot more than in the images which were published by the various newspapers. For comparison, here's the screenshot that was shown in Norwegian media (click for a bigger version):




Comparing these two screenshots reveals that the images shown in the papers are just a part of the actual pop-up window. We recognize the four sections with the different charts, but there are also some minor differences. The slightly different layout may have been caused by the different time period: 30 days results in a much wider bar chart than 7 days.

Apart from that, we see that in the screenshots from the newspapers the whole frame is missing. The example from the presentation has "SIGAD" with a symbol next to it in the upper left corner, but we don't know if that's standard, or that it indicates a specific view mode.

Below this are a search box and a scroll box with a relatively long list of options - unfortunately impossible to read, but it's not a list of SIGADs. The display section has two tabs, the active one white, the other one black, indicating that there are apparently two main options for presenting the information.

Left of the bar chart there's a section that could be titled "Active Summary" and seems to contain symbols and headers very similar to those below the bar chart. Probably one can select different kinds of details about the data collection to be shown. The images from the papers have "Top 5 Techs" in the lower section at the right side, but in the pop-up example something different is shown, illegible again.

Another small difference is in the "Signal Profile" section: the pop-up screen shows four different types of communication systems (maybe DNI, DNR and two others), but the screenshots from the papers have seven. As the presentation is from July 2012 and the images in the papers are from early 2013, maybe during that period more options were added to the tool.



Screenshot from a Brazilian television report, showing some files opened in a TrueCrypt window on the laptop of Glenn Greenwald. In the upper left corner we see an unpublished screenshot from BOUNDLESSINFORMANT with three bar chart sections, apparently about Computer Network Exploitation (CNE), which is computer hacking by the TAO division.



Multiple options

All this shows that in the Map View alone there are more options to select than just clicking a country and getting one standard overview of NSA's collection against that country - that's how Glenn Greenwald and the newspapers brought it.

The fact that there are more ways to select and present the information already became clear by analysing the screenshots published by the papers. For at least five countries (France, Spain, Norway, Afghanistan and Italy) the charts only show one technique, DRTBOX.

If NSA really spies on these countries, it's unlikely they use only one system and collect only telephone (meta)data. Therefore, it seems more as if in this case DRTBOX was used as the primary selector, resulting in charts showing how much data this system processed from different SIGADs and different countries.

A more complete overview of data collection against a country is given by the screenshot for Germany, which shows multiple systems collecting both internet and telephone data. Also interesting to see is that there are not only such charts about countries, but also about collection programs like WINDSTOP (which could be from the 'Org View' mode).


Conclusion

Now that we have a picture of the complete BOUNDLESSINFORMANT interface, we've seen that this tool has many options to present information about NSA's (meta)data collection.

The screenshots published in various European newspapers were cut out from their original pop-up windows, which means we are missing their context. We can't see what options there were and which selections were made to present the information as we see it.

We don't know who cut out the charts: was it Edward Snowden, or someone else at NSA (for preparing a presentation), or was it Glenn Greenwald? These questions are of some importance, because these screenshots are used as evidence for rather grave accusations.

Until now, neither Glenn Greenwald, nor editors of some of the involved newspapers were willing to answer any questions about the origins of these screenshots. Instead, Greenwald still sticks to his own initial interpretation and lets papers publish that over and over.



Links and Sources
- The Guardian: BOUNDLESSINFORMANT - Frequently Asked Questions
- Wikipedia: Boundless Informant

December 3, 2013

NSA's global interception network

(Updated: May 15, 2017)

On November 23, the Dutch newspaper NRC Handelsblad published a new slide from the Snowden documents. The slide is from a Top Secret NSA management presentation from 2012 and shows the agency's worldwide information collection capabilities.

As the slide is titled "Driver 1: Worldwide SIGINT/Defense Cryptologic Platform" there must be more slides with "Drivers", but unfortunately these were not published.

This article will take a close look at the map and try to provide an explanation of the various interception locations of what is NSA's new ECHELON network for the internet age:





The slide shows five types of data collection, called "Classes of Accesses". These correspond to the organizational channels through which NSA gathers its intelligence:
- 3rd PARTY/LIAISON - Intelligence sharing with foreign agencies
- REGIONAL - SCS units, a joint venture between NSA and CIA
- CNE - NSA's Tailored Access Operations (TAO) division
- LARGE CABLE - NSA's Special Source Operations (SSO) division
- FORNSAT - NSA's Global Access Operations (GAO) division

Besides the collection capabilities shown in this map, NSA also collects data through spy planes and satellites (called Overhead Collection) and a range of tactical collection systems used to support military operations.




3rd PARTY/LIAISON (Intelligence sharing)

As the first class of access, the slide lists the so-called 3rd Party liaisons with partner agencies in other countries with which NSA has formal agreements for the exchange of raw data and end product reports.

The legend designates 3rd Party Liaisons with a green dot, but there are no green dots on the map, which seems strange. One possible explanation could be that the different colored dots appear one by one after clicking through the original PowerPoint presentation, but according to a tweet of one of the NRC journalists, there were no green dots on the original map.

Another possible explanation is that 3rd Party stands for countries, whereas all other dots represent specific facilities. This however could have been solved by simply listing the nations just like the Regional and Fornsat lists at the top of the map.

With that not being the case, the most likely reason seems to be that NSA considers the names of these 3rd Party nations to be too sensitive to be mentioned in a TOP SECRET//COMINT document. They may only be in documents classified within the Exceptionally Controlled Information (ECI) control system, just like the names of the telecommunication companies cooperating with NSA (the exact locations and even the codenames of the cable tapping facilities are also not mentioned in the map's legend).

This means it's still a big secret which 30 countries are NSA's 3rd Party partners. Based upon the Snowden documents, the German magazine Der Spiegel only published the names of these six European countries:
- Germany
- France
- Austria
- Denmark
- Belgium
- Poland
Some other sources also named the following countries as 3rd party partners:
- Norway
- Italy
- Greece
- Turkey
- Israel
- South-Africa
- Thailand
- Malaysia
- Singapore
- Japan
- South-Korea
- Taiwan
NRC Handelsblad reported that the Netherlands is a 3rd Party partner too, but presented no evidence for that. According to an article (pdf) by Dutch scholars it's not very likely that Dutch agencies are a formal 3rd Party partner of NSA, as they have different political and cultural views. Nonetheless, the Netherlands has always been a loyal partner in military operations and so there is regular information sharing on that level.

Update:
An NSA slide published in May 2014 in Glenn Greenwald's book No Place To Hide revealed the names of all 33 Third Party countries for the very first time:


Slide from an NSA presentation titled 'Foreign Partner Review'
from 2013, showing the 2nd and 3rd Party partners


On October 30, 2013 the Spanish paper El Mundo published an undated document showing cooperation with various countries on four different levels. The first group is called "Tier A" which is "Comprehensive Cooperation" with the UK, Australia, Canada and New Zealand (the Five Eyes). The second group is "Tier B" and is about "Focused Cooperation" with some 20 countries. The third group of "Limited cooperation" consists of countries such as France, Israel, India and Pakistan. Finally, the fourth group is about "Exceptional Cooperation" with countries that the US considers to be hostile to its interests.


The general interpretation of this document is that it shows countries with which NSA is cooperating for Computer Network Operations (CNO), with the Tier B countries probably being a subset of the Third Party nations.

The list has no date, but it does have a declassification date (20291123), which minus 25 years (the standard classification period) would mean the document is from 2004. That opens up the possibility that Tier B might actually show that in 2004 there were just 20 Third Party countries, a number which then might have risen to 30 by 2012.
A strange thing about the list is that it's only classified as CONFIDENTIAL, where the text document itself is SECRET//COMINT.





REGIONAL (Special Collection Service)

Under "Regional" the map shows over 80 locations of the joint NSA-CIA Special Collection Service (SCS) units. These units are covertly based in US embassies and consulates all around the world and are charged with eavesdropping on high-level targets in difficult-to-reach places, such as foreign embassies, communications centers, and foreign government installations.

The names of 88 locations are listed at the top of the map, but 46 of them are blacked out. According to NRC Handelsblad, Glenn Greenwald asked them to do so, because of "protection of the source and the agreement we have with him: it's not really newsworthy". But Snowden apparently also insisted on this in order to protect his legal interests and therefore he provided Greenwald a "clear list" about categories of information that should not be published.

Earlier, a map showing SCS locations worldwide was published by the German magazine Der Spiegel. Initially an unredacted map was put online by accident, but before it was replaced, it was already copied onto several websites. This map showed 74 staffed SCS locations, 14 unmanned remote controlled locations and 8 other locations as of August 2010. Except for the SCS locations in Europe, the names of all other cities were blurred by Der Spiegel:




If we compare the European cities in this map from 2010 with those in the NRC map from 2012, we see that the latter doesn't show the following places: Baku, Croughton, Kiev, Madrid, Moscow, and Tbilisi.

This could mean these SCS activities were terminated in the meantime, but also that their names were simply blacked out, which is definitely the case for Moscow and Madrid (having a dot on the map but not being mentioned in the legend) and seems likely for the technical SCS support facility at the US Air Force base in Croughton (or might this be "RESC" if it stands for something like Regional Exploitation Support Center?).
Update:
The latter option was confirmed in a slide showing a map of all SCS locations as of January 1, 2002, which was published by the Italian paper L'Espresso on December 6:



Also interesting is that the legend of the 2012 map reveals SCS locations in the US:
- Langley, Virginia, where the CIA headquarters is
- Reston, Virginia, where there's a small CIA facility too
These two locations are most likely not for eavesdropping, but rather serve as technical, training or support facilities. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.



CNE (Computer Network Exploitation)

The yellow dots on the map give some indication of where NSA has placed over 50,000 implants in computer networks as part of its Computer Network Exploitation (CNE) operations. These operations are conducted by NSA's highly specialized and secretive Tailored Access Operations (TAO) division.

In 2004 NSA was managing a small network of only 100 to 150 implants. But over the next six to eight years, as TAO recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands. Based on the secret budget of the American intelligence agencies, the Washington Post reported that NSA had installed an estimated 20,000 computer implants as early as 2008.

Other reports indicate that meanwhile the agency has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

Compared to these numbers of implants, there's only a very small number of yellow dots on the map, so they probably provide only an indication of the regions where NSA placed most of them. As such we see India, China, Mexico, the northern part of South-America, north-east Africa, eastern Europe, the European part of Russia and the Middle-East.

It was probably TAO, maybe in collaboration with Israeli intelligence services, that developed the Stuxnet computer worm, which was discovered in 2010 and was supposedly created to attack Iranian nuclear facilities.

From the Snowden-leaks we know that Tailored Access Operations uses a wide variety of sophisticated hacking tools to gain access to foreign computer networks. For example, they operate a network of secret internet servers, codenamed FOXACID, which is used to attract the traffic of targets, in order to install spying software on their computers.

Under codenames like ERRONEOUSINGENUITY and EGOTISTICALGIRAFFE, TAO is also trying to get access to the TOR network, which enables full anonymity while using the internet.


Slide from a TAO presentation about exploiting the TOR network



LARGE CABLE (Access to the Internet Backbone)

The big blue dots represent 20 major "covert, clandestine, or cooperative large accesses" to "high speed optical cable" links which form the internet backbone. It's this way that the Special Source Operations (SSO) division collects the largest share of NSA's intelligence. Maybe therefore the blue dots are the biggest ones.

The map itself shows just 16 blue dots, but as the legend says "20 Access Programs" it's possible that there are 20 programs and only 16 actual intercept locations, or that not all locations are marked on the map (which is also the case for the FORNSAT locations).

The 16 Cable Access locations marked on the map seem to be in:
- Indonesia
- South Korea
- Guam
- one of the Caroline Islands?
- Hawaii
- 4 locations at the US West coast
- 2 locations at the US East coast
- Great Britain (Cornwall?)
- France (Marseille?)
- Djibouti
- Oman
- Afghanistan?

In most of these countries there's an American military base, which probably makes it easier to get covert and clandestine access to internet backbone cables. But as we know from earlier reports, NSA and GCHQ also have secret cooperation arrangements with major American, British and foreign telecommunication and internet providers, in order to get access to internet traffic.

One supposed cable tapping location that's missing on the map is the Ayios Nikolaos station, which is part of the British Sovereign Base Area of Dhekelia on Cyprus. This station was identified by the Italian paper L'Espresso as a major cable intercept facility run by GCHQ.

The main NSA programs for intercepting internet cables are:
- Through corporate partners inside the US:
  - BLARNEY (collection under FISA authority, since 1978)
  - FAIRVIEW (cooperation with AT&T, since 1985)
  - STORMBREW (cooperation with Verizon, since 2001)
- Through corporate partners outside the US:
  - OAKSTAR (cooperation with 7 telecoms, since 2004)
    - MONKEYROCKET
    - SHIFTINGSHADOW
    - ORANGECRUSH (through PRIMECANE partner)
    - YACHTSHOP (through BLUEANCHOR partner)
    - ORANGEBLOSSOM
    - SILVERZEPHYR (through STEELKNIGHT partner)
    - BLUEZEPHYR
    - COBALTFALCON

Most of these OAKSTAR sub-programs are "foreign access points", so maybe they, or some of them, are represented by the blue dots on the map.

Besides cable access through corporate partners, the SSO division also taps internet traffic in two other ways, which are shown in the presentation slide below:
- Through unilateral operations:
  - RAMPART-M (undersea cables, since 1986)
  - RAMPART-T (land-based cables, with CIA, since 1991)
  - RAMPART-I/X (Iraq/Afghanistan, since 2001)
  - DANCINGOASIS (since 2011)
  - MYSTIC (since 2009)
    - DUSKPALLET (GSM metadata from Kenya)
    - EVENINGEASEL (GSM metadata from Mexico)
    - VENATOR (GSM metadata from the Philippines)
    - SOMALGET (audio content buffer)
    - BASECOAT (Bahamas)
    - SCALAWAG (Afghanistan)
    - OILYRAG (Afghanistan)
    - LOLLYGAG (Afghanistan)
    - ACIDWASH (Afghanistan)
- Through foreign partners:
  - WINDSTOP (2nd Party), which is an umbrella program for:
    - MUSCULAR
    - INCENSER
    - Two undisclosed programs
  - RAMPART-A (3rd Party), with at least 5 sites:
    - AZUREPHOENIX
    - MOONLIGHTPATH
    - SPINNERET
    - SMOKYSINK
    - FIREBIRD

If we add up all these Corporate, Unilateral and Foreign cable access programs, we get a total of around 20 programs, which equals the number of 20 Major Accesses mentioned in the legend of the map.


A slide from a 2010 presentation of the Special Source Operations (SSO)
division about access to "high-capacity telecommunication systems"


Update:
Slides from more recent years reveal the names of the programs that were redacted in the slide above, as well as additional programs that subsequently became operational:

Slide about NSA's cable tapping programs from 2011 and 2013



FORNSAT (Foreign Satellite interception)

Finally, the orange dots on the map represent locations where there are stations for intercepting the signals of foreign communication satellites. The orange dots are the second biggest ones, so maybe this indicates that FORNSAT collection provides the second largest share of intelligence.

The legend in the bottom right corner says there are "12 + 40 Regional" FORNSAT stations, but on the map there are only 6 dots and the list in the upper right corner lists only 10 codenames. The six locations on the map can be identified as:
- INDRA - Khon Kaen (Thailand)
- ? - (Philippines)
- LADYLOVE - Misawa (Japan)
- TIMBERLINE - Sugar Grove (US)
- CARBOY - Bude (Great Britain), on the map combined with:
  - MOONPENNY - Menwith Hill (Great Britain)
- ? - Skibsbylejren (Denmark)

Five FORNSAT stations have their codename listed, but are, for reasons unknown, not marked on the map:
- STELLAR - Geraldton (Australia)
- IRONSAND - Waihopai (New Zealand)
- JACKKNIFE - Yakima (US)
- SOUNDER - Ayios Nikolaos (Cyprus)
- SNICK - near Seeb (Oman)

The locations in the map published by NRC Handelsblad can be compared to those on a map shown by Brazilian media, which is about Primary FORNSAT Collection:


In this map, which is said to be from 2002, we see the following satellite intercept stations:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)

2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, New Zealand



If we compare both maps, we see some notable differences. First of all, four stations from 2002 are not on the 2012 map, nor in its legend:
- CORALINE - Sabena Seca (Puerto Rico)
- GARLICK - Bad Aibling (Germany)
- SCAPEL - Nairobi (Kenya)
- SHOAL BAY - Darwin (Australia)

The station in Sabena Seca was closed down and the same has probably happened to the one in Nairobi.

NSA's large satellite intercept station Bad Aibling was closed in 2004, but most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to the German foreign intelligence agency BND. In return, BND had to share the results from the satellite collection with the NSA. For this cooperation, the Joint SIGINT Activity (JSA, 2004-2012) was set up, located in the nearby Mangfall Barracks.


The Australian intercept facility near Darwin, Shoal Bay Receiving Station, is not in the 2012 map, but as we can see in this picture, it seems to be still operational. The same applies to the big satellite station Pine Gap. Therefore we should be careful in treating information in presentation slides and maps like this as perfectly accurate.


Regional FORNSAT stations

The map from 2002 also shows two SCS locations: one in Brasilia and one in New Delhi. Apparently those Special Collection Service units also had a satellite intercept capability. This is most likely also the explanation for the number of "40 regional" FORNSAT stations mentioned in the legend of the 2012 map - which means that meanwhile half of all SCS units worldwide also conduct some kind of foreign satellite interception.

This could also explain the device shown in a slide published earlier by Der Spiegel: an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. Der Spiegel said this device may be used to intercept cell phone signals, but as a dish antenna, it actually looks more like a receiver for satellite signals (see the comments down below):



Unidentified stations

The map from 2012 as published by NRC Handelsblad also has orange dots for FORNSAT stations in the Philippines and in Scandinavia. These locations were not in the map of 10 years earlier, so it seems that these are new intercept stations built somewhere between 2002 and 2012. The Scandinavian station is probably the SIGINT facility in Skibsbylejren in Denmark, which was built in 2002 (there's also a smaller and older Danish satellite station in Aflandshage).

Unfortunately we don't have their codenames, because the list in the upper right corner contains no codename that was not already in the 2002 map. But as this list has only 10 names, and some don't fit on one line, it's possible that two names (coincidentally those of the new stations?!) disappeared because of bad rendering.


The INDRA station

A final difference between the FORNSAT stations shown in the maps of 2002 and 2012 is the station in Thailand, which was codenamed LEMONWOOD in 2002. The location near the city of Khon Kaen was identified as being an intercept facility since 1979, but with a different codename: INDRA.

This facility fell into disrepair in the 1990s and seems to have been closed somewhere before 2002. In the years following 9/11, the old station apparently was reactivated and expanded for an important satellite intercept mission, and appeared again under its old codename INDRA in the 2012 map. Why this place (or another one?) was called LEMONWOOD in 2002 remains a mystery.



A recent Google Earth image of the INDRA
facility near Khon Kaen, Thailand



World map reconstruction

Analysing the NSA world map published by NRC Handelsblad has shown that some interception facilities and channels are missing in the map and/or the legend, most notably the 3rd party countries and some satellite stations. In order to see all additions and corrections at a glance, we modified the NSA original map, which results in this reconstruction:



Reconstruction of the NSA global interception network map



Links and Sources
- DeCorrespondent.nl: Hoe onderschept de NSA ons dataverkeer?
- NRC.nl: NSA infected 50,000 computer networks with malicious software
- DuncanCampbell.org: The embassy spy centre network (updated)
- BillHance.com: ECHELON Satellite stations
- NYTimes.com: N.S.A. Report Outlined Goals for More Power

November 27, 2013

DRTBOX and the DRT surveillance systems

(Updated: April 25, 2017)

In recently published charts from NSA's BOUNDLESSINFORMANT tool about France, Spain, Norway and Afghanistan we see the mysterious term DRTBOX. For example, the screenshot for Norway presents 33 million telephony metadata records, which were collected from mobile phone networks by a facility designated US-987F and processed/analysed by DRTBOX:





Contrary to what it seems, DRTBOX is not a codename, but part of a wireless surveillance system made by a company generally known as DRT. This article will show that this company manufactures a range of sophisticated surveillance and tracking devices, used by US law enforcement and signals intelligence agencies.





Digital Receiver Technology, Inc.

DRT is the abbreviation of Digital Receiver Technology, Inc. This company was formerly known as Utica Systems, Inc. and founded in 1980 in Frederick, Maryland, to produce devices for what was called the "Communications Surveillance Community". The company developed a solid reputation for communication equipment based on Digital Signal Processing (DSP).

In October 1997, the company adopted its current name and moved to a new plant in Germantown in April 1998. DRT was purchased by Boeing in December 2008 and is now a wholly-owned subsidiary of this major US military contractor. DRT continued its production of state-of-the-art DSP-based equipment and was described as a "key supplier in the growing SIGINT market" in 2009.

In 2010, Boeing also acquired Argon ST and combined with DRT this created a "SIGINT powerhouse", giving Boeing a competitive advantage in the SIGINT market, according to market analysts. In 2011, both acquisitions were consolidated into the new Electronic & Mission Systems (E&MS) division of the Boeing company.

In fall 2012, DRT moved to a new facility in the Milestone area of Germantown. This facility comprises 135,000 sq. ft. with approximately 50,000 sq. ft. dedicated to equipment manufacture, and the remainder dedicated to offices and engineering development laboratories:



The headquarters of Digital Receiver Technology, Inc. in Germantown, MD.
(photo: www.drti.com)


Currently, the company's homepage only advertises miniature multi-format wireless communications scanners to be used by the wireless industry for measurement and testing purposes. As an example, the website shows two products from the 4300-series.

But: "Due to the sensitive nature of our work, we are unable to publicly advertise many of our products". This is followed by contact information for commercial customers and for "all other" customers, which are obviously government agencies. The latter can contact DRT through a mail address and also by calling toll free: "(866) DIRTBOX" - a clear hint to the DRTBOX mentioned in the NSA screenshots.

Just like many other military contractors in recent years, DRT also removed information about national security related products from its website. Between 2003 and 2009, earlier versions of DRT's homepage frankly said:
"DRT designs and manufactures advanced electronic equipment to support the missions of the US Signals Intelligence (SIGINT) and law enforcement communities. The current product line includes a variety of portable and rack-mounted wireless communications receivers capable of processing a variety of modern wireless protocols. For more information about these products, please contact DRT."



Law enforcement

A good example of the devices which DRT manufactures and develops for use by law enforcement agencies is given by the company itself, in trying to open new markets.

In 2010, Boeing, on behalf of its subsidiary DRT, submitted a statement (pdf) before the National Telecommunications and Information Administration (NTIA) in reaction to an inquiry regarding contraband cell phone use in prisons. The statement says that:
"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use. During this registration process calls are not disrupted. All calls, including 911 calls, are released, including those made from the contraband cell phones. The DRT device identifies cell phones as “not of interest” or “of interest” (i.e., the contraband cell phones).

Cell phones not of interest, such as those belonging to prison personnel or commercial users in the area, are returned to their local network. Cell phones of interest are forced to transmit so that the DRT device can locate them by calculating a line of bearing.

In one mode of operation, the DRT device then returns the cell phone to its network, permitting it to send and receive calls. In another mode of operation designed for use by federal law enforcement entities, the cell phone can be locked onto the DRT device, preventing its contraband use."

Boeing wanted NTIA to recommend to Congress that the Communications Act of 1934 should be modified in order to allow prison officials and state and local law enforcement to use these kinds of cell phone management, prevention or location technologies. Currently, only federal agencies, like the FBI, are allowed to use devices that jam or block wireless communications. Federal Communications Commission (FCC) licensing should also apply, for which Boeing delivered a similar statement in 2012.


A similar device (also known as IMSI Catcher, Cell-site Simulator or Digital Analyzer) used by American law enforcement agencies for tracking and intercepting cell phones is called StingRay, which is manufactured by the Harris Corp. The price of a StingRay device is between 60,000 and 175,000 USD. Harris also provides related equipment under the nicknames AmberJack, KingFish, TriggerFish and LoggerHead.


Prison pilots

In December 2010, DRT participated in a pilot at the Maryland Correctional Institution-Jessup (MCIJ). After sensors were placed, DRT collected data showing when cell phones were turned off, turned on and registered with the nearest cell phone tower. Data were sent to a laptop used to record them, and the company then analyzed the time and length of messages over the course of the pilot. A portable sensor was used to identify particular cells that had a high probability of cell phone usage within.

In 2012, DRT was selected to develop and implement a Managed Access System (MAS) for the California State Prison system. A MAS is used to allow authorized cell phones to connect to the standard carrier networks, while preventing unauthorized cell phones (like from inmates) from connecting to the carrier networks.


Other usage

The aforementioned Boeing statement claimed that DRT's cell phone management, prevention and location technologies could also provide important benefits in a wide variety of law enforcement situations outside the prison context. For example, Special Weapons and Tactics (SWAT) teams and other paramilitary tactical units could effectively control wireless communications by suspects in a building during a raid.

Boeing carefully described only those future applications for which regulations have to be changed - trying not to admit that DRT systems are already used at the federal level for decades. They provide agencies like FBI with some powerful tools (DRT devices can be used to perform a man-in-the-middle attack), although they are expensive and must be operated by highly trained law enforcement personnel.

At the FBI, the DRT systems are likely operated by the Data Intercept Technology Unit (DITU), which is a highly secretive division specialised in intercept technology. DITU is also responsible for collecting data from US internet companies under NSA's PRISM program. For these federal agencies, a presentation about DRT devices was given at the 10th FED TECH Interagency Technical Training Conference, held in San Diego in January 2010:



In this schedule we see "DRT Box" again, but apart from a LinkedIn profile, this term is rarely found and therefore it's not really clear what it stands for. At first glance it seems that DRTBox simply refers to box-like surveillance devices. But if we look at the BOUNDLESSINFORMANT screenshots, we see that the actual data collection is done by facilities designated by SIGADs and that DRTBOX is in the same section as, for example, XKEYSCORE. This means DRTBOX is probably an integrated indexing and analysing system for wireless communications data, just like XKEYSCORE is for internet data.

Updates:
On November 13, 2014, the Wall Street Journal broke a story saying that since 2007, the Technical Operations Group of the US Marshals has used "dirtboxes" aboard Cessna aircraft operating from at least five metropolitan-area airports. The DRTBoxes mimic cell towers and trick cellphones into revealing identity and location information on cell phone users, in order to track and catch criminals like drug traffickers.

The FBI is apparently using the similar Stingray devices only to collect phone metadata, not content, for which individual warrants would be required.


Signals Intelligence

Where the FBI uses systems from Digital Receiver Technology domestically, the NSA is most likely the main customer for use abroad. On a website for Signals Intelligence (SIGINT) and Electronic Warfare (EW), DRT is listed as a provider of:
- SIGINT Design Engineering Services
- SIGINT Consulting Services
- Communications ESM Systems
- COMINT Systems
- RF Receivers

DRT products for signals intelligence missions include high performance Software Definable Receiver (SDR) and transceiver products, including multi-channel platforms for man-portable, mobile and airborne applications, aboard RC-135 Rivet Joint, Combat Sent or Cobra Ball aircraft.

From various public job descriptions it becomes clear that DRT devices are widely used in tactical ground operations, where they are part of the equipment used by SIGINT/EW collection teams assigned to field deployed Special Forces Groups. These are so-called Low Level Voice Intercept (LLVI) devices.

DRT systems are also used as remote controlled collection systems, with the surveillance devices installed at fixed locations, like in areas where there's widespread hostile cell phone or radio use. The collected data go to ONEROOF, which is NSA's main tactical SIGINT database, containing raw and unfiltered intercepts.



Low Level Voice Intercept equipment being used during a field operation.
It's not clear whether the device in the video is from DRT,
but it's certainly very similar.


DRT SIGINT products

A job description for a SIGINT Systems Engineer (job location: Fort Meade) requires "experience working with SIGINT systems, especially on systems utilizing Digital Receiver Technology (DRT) Series 1000 and 2000 equipment" and also familiarity "with the software used to control the DRT systems". Software used for the 1000 series product line is called Alaska.

More specific designations of DRT devices from the 1000-series can be found in various other job resumes, reading like "SIGINT/EW collection and exploitation systems, to include the DRT-1101A/1301B/1501, MINI-EXPIATION, HIDRAH, LOGGERHEAD, Harris Suite (STINGRAY, KINGFISH, BLACKFIN, GOSSAMER), AR-8200, Explorer/Scout, and the PRD-13v2/ISSMS".

The DRT 1101A was a second generation wireless communications receiver developed by DRT around the year 2000. DRT's former website described the device as follows:
"The DRT 1101A provides a compact, yet powerful, test and measurement capability for a variety of first and second generation wireless standards. The system also possesses the capability to detect and extract cellular FAX signals. The system is based on an industry-standard bus format, and uses the latest in digital signal processing (DSP) and microprocessor technology."

Another device from the 1000-series is the DRT 1301C, which is used by Special Operations Forces:
"The DRT 1301C, manufactured by Digital Receiver Technology, Inc., is a portable, ruggedized radio designed for operations in tactical and/or harsh environments. It provides a miniature yet powerful surveillance capability. The radio has a frequency range of 20-3000 MHz and operates against a variety of analog and digital wireless standards. The transmitter has a power output range of <1 W (standby) to 75 W (48 channels, 3 tuners); it weighs 10.5 lb and measures 3 in. (H) by 8.5 in. (W) by 11.2 in. (D)."

An example of a DRT device from the 2000-series is the DRT 2101A, which was described as:
"a compact wideband tuner system consisting of up to eight wideband tuner modules, each covering the 0.5 MHz to 3 GHz frequency band. Each tuner module has a 30-MHz instantaneous bandwidth and can be operated in either an independently or coherently tuned mode under software control. The tuner module is factory configured to provide a high-level analog baseband output."
The Internet Archive also contains this picture of the DRT 2101A device as it looked in 2003:



A close look at the device shows that it consists of separate modules (here in a vertical position) which can be added depending on the specific needs. See for example this description of the Wireless Processor Module 2 (WPM2).


The Military Intelligence School's System Training Plan (pdf) from October 2013 about the Prophet Electronic Support System says that DRT devices are used in the Prophet Sensor vehicles, which are the ground-based tactical SIGINT collection components of the Prophet system:
- A DRT 1201B receiver is in the Prophet Spiral 1 Sensor (military designation: AN/MLQ-40(V)4), which is an M1102 tactical trailer, pulled by an M1165 B3 three-seat, fully armored High-Mobility Multipurpose Wheeled Vehicle (HMMWV or Humvee). Two Panasonic Toughbooks CF29 or CF30, running mission and communications software packages, control the DRT 1201B and enable the reporting and processing of intelligence. An AN/VRC-99 line-of-sight radio provides data access to NSANET.

- A second DRT 1301C receiver-processor for man-packable operations is in the Prophet Enhanced Sensor.

- A DRT 1201 receiver is in the fixed-site version of the Prophet Enhanced Sensor, which also contains a BAT-1214 SATCOM terminal and a DF90/DF80/MS Antenna, among other equipment.

- A DRT 1301C is in the Mobile-At-the-Halt configuration, along with a DF90 antenna, and BAT-750 SATCOM terminal. Here, the DRT 1301C can also be reused in a man-packed configuration.

- A DRT 1201C replaces the DRT 1201B in a fourth variant of the Prophet Enhanced Sensor in stationary fixed-site configuration. The DRT 1201C device is described as a next generation receiver-processor that increases collection capability and enables future upgrades.

(similar SIGINT equipment for the Prophet system is developed by the Linkabit division of L-3 Communications)


A Prophet Spiral M1165 Humvee


The tactically deployed DRT systems are mainly used for operations in Iraq and Afghanistan, but it's very well possible that the equipment was also used at the joint NSA-CIA Special Collection Service (SCS) unit in the US embassy in Berlin, which intercepted the mobile phone of German chancellor Merkel.

Update I:
On May 5, 2015, the website The Intercept published a 2006 NSA presentation about the RT10 collection effort, which was part of the Real Time-Regional Gateway (RT-RG) for Iraq, and later also for Afghanistan. This presentation includes a slide which shows that DRT (like MATTERHORN and EXPIATION) is used for the tactical interception of wireless GSM traffic:


Diagram showing tactical and national interception efforts for GSM communications
In the bottom left corner DRT is mentioned as one of the tactical systems
(JUG = JUGGERNAUT, a cell phone network interception system)
(G-Box = GARUDA, an airborne geo-location system for GSM)

Update II:
On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment. Included are illustrated entries for six different DRT devices: DRT 1101B, 1183B, 1201C, 1301C, 1301B3 and 4411B. Some of them are able to intercept and record up to 24 voice channels and support target lists of up to 10,000 entries. Their price ranges from 40,000 to 100,000 USD. According to The Intercept, these DRT boxes can "track more than 200 phones over a wider range than the Stingray".


The DRT 1101B device for direction-finding and interception and
recording of up to 16 voice channels (with modules in a horizontal position)
(photo from the surveillance catalogue)


Foreign usage

Of course not only American agencies are using this kind of interception equipment. The FBI reportedly removed from several cell phone towers in the Washington DC area transmitters that fed all data to wire rooms at foreign embassies.*

Updates:

On December 13, 2014, it was reported that DRT-like cell phone interception devices were found near important government offices and buildings in the city center of the Norwegian capital Oslo. In March 2015, it came out that these devices were actually placed by the Norwegian police and the Police Security Service PST, without properly informing the country’s National Communications Authority.

Besides by DRT and Harris, IMSI-catchers are also manufactured by some foreign companies, like for example the German high-tech firm Rohde & Schwarz (which patented such equipment in 2003), and the Israeli company Ability, which openly advertises their IMSI-catchers.

An internal NSA newsletter published in April 2017, revealed that NSA equipped its HOVER HAMMER steerable airship (blimp) with a DRT 1301 for intercepting international shipping data emanating from the Long Island, New York area.



Links
- Vice Motherboard: Here's a Picture of a Phone-Tracking Device That We've Never Seen in the Wild (2016)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (2015)
- Gizmodo.com: Here Is the Spy Equipment That Powers the FBI's Secret Dragnet
- Harvard Law review article: Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy
- Heise.de: Solange keiner meckert - Wie IMSI-Catcher unauffällig legalisiert wurden
- Matt Blaze: How Law Enforcement Tracks Cellular Phones
- WaPo.com: New documents show how the NSA infers relationships based on mobile location data
- USAToday.com: NSA Phone Tracking
- Volkskrant.nl: De DRT2101A: het apparaat waarmee de NSA telefoons afluistert
- List of 217 part numbers from Digital Receiver Technology, Inc.
- Presentation about Digital receiver technology for RWR, ESM and ELINT applications (pdf)
- Washington Institute: Stabilizing Iraq: Intelligence Lessons for Afghanistan
- Journal of Electronic Defense: What's New in SIGINT software?
- Overview: Toward a Universal Radio Frequency System for Special Operations Forces (pdf)

November 23, 2013

Screenshots from BOUNDLESSINFORMANT can be misleading

(Updated: January 23, 2017)

Over the last months, a number of European newspapers published screenshots from an NSA tool codenamed BOUNDLESSINFORMANT, which were said to show the amount of data that NSA collected from those countries.

Most recently, a dispute about the numbers mentioned in a screenshot about Norway urged Snowden-journalist Glenn Greenwald to publish a similar screenshot about Afghanistan. But as this article will show, Greenwald's interpretation of the latter was wrong, which also raises new questions about how to make sense out of the screenshots about other countries.


Norway vs Afghanistan

On November 19, the website of the Norwegian tabloid Dagbladet published a BOUNDLESSINFORMANT screenshot which, according to the paper, showed that NSA apparently monitored 33 million Norwegian phone calls (although actually, the NSA tool only presents metadata).

The report by Dagbladet was almost immediately corrected by the Norwegian military intelligence agency Etterretningstjenesten (or E-tjenesten), which said that they collected the data "to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad" and that "this was not data collection from Norway against Norway, but Norwegian data collection that is shared with the Americans".

Earlier, a very similar explanation was given about the data from France, Spain and Germany. They too were said to be collected by French, Spanish and German intelligence agencies outside their borders, like in war zones, and then shared with NSA. Director Alexander added that these data were from a system that contained phone records collected by the US and NATO countries "in defense of our countries and in support of military operations".

Glenn Greenwald strongly contradicted this explanation in an article written for Dagbladet on November 22. In trying to prove his argument, he also released a screenshot from BOUNDLESSINFORMANT about Afghanistan (shown down below) and explained it as follows:
"What it shows is that the NSA collects on average of 1.2-1.5 million calls per day from that country: a small subset of the total collected by the NSA for Spain (4 million/day) and Norway (1.2 million).

Clearly, the NSA counts the communications it collects from Afghanistan in the slide labeled «Afghanistan» — not the slides labeled «Spain» or «Norway». Moreover, it is impossible that the slide labeled «Spain» and the slide labeled «Norway» only show communications collected from Afghanistan because the total collected from Afghanistan is so much less than the total collected from Spain and Norway."


Global overview

But Greenwald apparently forgot some documents he released earlier:

Last September, the Indian paper The Hindu published three less known versions of the BOUNDLESSINFORMANT global overview page, showing the total amounts of data sorted in three different ways: Aggregate, DNI and DNR. Each results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map.

In the overall (aggregated) count, Afghanistan is in second place, with a total of over 2 billion internet records (DNI) and almost 22 billion telephony records (DNR):

The screenshot about Afghanistan published by Greenwald only shows information about some 35 million telephony (DNR) records, collected by a facility known only by its SIGAD US-962A5 and processed or analysed by DRTBox. This number is just a tiny fraction of the billions of internet and telephony records from Afghanistan listed in the global overview.


Differences

Given these big differences, it's clear that this screenshot about Afghanistan does not show all the data which NSA collected from that country, not even all the telephony data. The most likely explanation is that it only shows metadata from telephone communications intercepted by the facility designated US-962A5.

That fits the fact that this SIGAD denotes a sub- or even sub-sub-facility of US-962, which means there are more locations under this collection program. Afghanistan is undoubtedly being monitored by numerous SIGINT collection stations and facilities (like US-3217, codenamed SHIFTINGSHADOW, which targets the MTN Afghanistan and Roshan GSM telecommunication companies), so seeing only one SIGAD in this screenshot shows that it cannot represent the whole collection from that country.

This means that Greenwald's argument against the data having been collected abroad no longer holds (although there may be other arguments against it). Glenn Greenwald was asked via Twitter to comment on the findings of this article, but there was no reaction.


More questions

The new insight about the Afghanistan data means that the interpretation of the screenshots about other countries may be wrong too. Especially those showing only one collection facility, like France, Spain and Norway (and maybe also Italy and The Netherlands), might not be showing information about that specific country, but only about that specific intercept location.

This also leads to other questions, like: are these really screenshots (and if so, why is there no classification marking)? Are they part of other documents, or did Snowden make them himself? And how did he make the selection: by country, by facility, or otherwise?

There are many questions about NSA capabilities and operations which Snowden cannot answer, but he can answer how exactly he got these documents and what their proper context is. Maybe Glenn Greenwald also knows more about this, and if so, it's about time to tell that part of the story too.

Update:
During a hearing of the German parliamentary investigation commission on January 19, 2017, former BND president Schindler said that the BOUNDLESSINFORMANT charts that Snowden took were from training course material. This was said here for the first time, and given the problems these charts caused for BND, it's possible that they asked NSA for more details, after which this explanation came up. However, this still doesn't explain why the charts were interpreted incorrectly.


> See also: The BOUNDLESSINFORMANT interface


Links and Sources
- Le Monde/BugBrother: La NSA n’espionne pas tant la France que ça
- Volkskrant.nl: Bespioneerde de NSA ons of hebben wij zelf afgeluisterd?
- MatthewAid.com: Greenwald’s Interpretation of BOUNDLESSINFORMANT NSA Documents Is Oftentimes Wrong
- Dagbladet.no: NSA-files repeatedly show collection of data «against countries» - not «from»
- WSJ.com: Europeans Shared Spy Data With U.S.
- Cryptome.org: Some thoughts and explanations about the BOUNDLESSINFORMANT numbers