February 27, 2014

NSA director Alexander's phones

(Updated: September 29, 2014)

After a range of articles about how NSA intercepts foreign communications, we now take a look at the equipment that NSA uses to secure their own telecommunications, more specific those of its director.

We can do this because last December, the CBS program 60 Minutes offered some unprecedented insights into the NSA headquarters. Of course very limited, but still interesting for those with a sharp eye. Perhaps the most revealing was that for the first time ever it was shown how the office of the director of NSA looks like:

The office of NSA director Alexander, December 2013
(click to enlarge)

The office of the director is at a corner on the eighth floor of the OPS 2B building, which is the wider and lower one of the two black mirrored glass structures of the NSA headquarters at Fort George G. Meade. Contrary to what many people would probably expect, the director's office is far from high tech. We see a rather traditional interior with a classic wooden desk, shelfs with books, picture frames and lots of memorabilia, a conference table and a group of old-fashioned seatings with a large plant in a shiny copper pot.

Most interesting for us is the telecommunications equipment used by the current director, Keith B. Alexander, which can be seen in the following screenshot:

NSA director Alexander working at his desk, December 2013
Behind him we see his secure telephone equipment
(click to enlarge)

VTC Screen
In the corner at the left we see a video teleconferencing screen with a high-definition camera, made by the Norwegian manufacturer Tandberg. In 2010 this company was bought by Cisco Systems, so their equipment can be safely used for US Top Secret/SCI videoconferencing. From within secured locations (SCI enclaves), the video feed goes over the JWICS IP network for the intelligence community, which is secured by stream-based Type 1 bulk encryption devices.

STE Phone
At the left of general Alexander there's a large black telephone called Secure Terminal Equipment (STE), which is made by L3 Communications. The STE is a highly secure phone, which means that this device is capable of encrypting calls up to the level of Top Secret/SCI. This phone can be used to make secure calls to anyone with a similar or compatible device. STE is the successor of the almost legendary STU-III secure phone system from the late 1980s.

With an estimated 400.000 users, STE is used for secure communications with everyone working for the US government, the military or its contractors, who can not be reached through a more select secure phone network for the US military (IST/DRSN) or the SIGINT community (NSTS).

IST Phone
At the far right we see a big white Integrated Services Telephone (IST), which was designed by Electrospace Systems Inc. and manufactured by Raytheon. This is a so called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

Although this IST phone looks very futuristic, it was gradually replaced by the newer IST-2 since 2003. Remarkable to see that notably the highest NSA official still uses the old model. The new IST-2 was also on the President's desk in the Oval Office, before it was replaced by a Cisco IP phone for the new Executive Voice over Secure IP-network in 2011, to provide a dedicated link between the President and his senior cabinet members.

It's revealing to see that there's no such new IP telephone in the office of the director of NSA, which means that he has no direct line to the President. Which is according to the fact that NSA actually falls under the Department of Defense and its intelligence gathering is coordinated by the Director of National Intelligence.

NSTS Phone
A third, white phone set is hidden right behind general Alexander's back, but we can see a glimpse of it in this screenshot:

NSA director Alexander working at his desk, December 2013
Behind him we see his secure telephone equipment

This telephone is part of NSTS, which stands for National (or NSA/CSS) Secure Telephone System and is the NSA's internal telephone network for calls up to the level of Top Secret/SCI. Newer NSTS phones are connected by fiber optic modems to a fiber backplane that interfaces with an NSANet access point router. The voice traffic is then encrypted together with data traffic utilizing a Type 1 bulk encryption device.

As can be seen in other pictures from inside NSA, the devices used on the NSTS network are white Nortel M3904 executive phones - a very reliable high-end model which is also used at the offices of both the Israeli and the British prime minister. Nortel was a big Canadian telephone equipment manufacturer, but was dissolved in 2009. Thereafter, the Enterprise Voice and Data division of Nortel was bought by the US telecommications company Avaya (formerly Lucent)

A Nortel M3904 phone from the NSTS network as seen
elsewhere in the NSA headquarters building

From declassified NSA documents, we can learn that the NSTS phones have numbers like 963-5247s (with s for secure) and that the numbers of the STE phones are written like STE 6325 (no real examples).* The IST phones of the DRSN have four or five digit numbers.*

Predecessors of these three types of telephones (STE, IST and NSTS) were also present in the office of then NSA director Michael V. Hayden, when James Bamford described a meeting with him in his 2001 book Body of Secrets:
"There are also several telephones on the table. One for secure internal calls; another is a secure STU-III for secret external calls; and a "red line" with buttons that can put him through instantly to the secretary of defense, the Chairman of the Chiefs of Staff and other senior officials.
No phones, however, connect the director to the White House; indeed, during Hayden's first year in office, he never, once spoke directly to president Clinton".*

In a declassified interview (pdf) with NSA director Hayden from January 5th, 2000, he says:
"Behind my credenza, I have a gray phone, a STU-III, an STE, and a red phone. NSA has a gray phone because it was ahead of everybody else. But everyone else has caught up. So I actually made the note today to go back and see how much it costs us to sustain these systems."
Compared to the situation in 2001 as described above, we see that the (outdated) STU-III was removed shortly afterwards, and the term "gray phone" apparently refers to the telephone device connected to the NSTS.

In a separate program, called 60 Minutes Overtime, CBS showed 'The Making Of' their previous 60 Minutes report about NSA. It included some new video fragments, like one in which we get a better look at the computer equipment on the desk behind director Alexander's chair:

NSA director Alexander being interviewed by John Miller, December 2013
At the left side we see the director's computer equipment
(click to enlarge)

We see a common HP office keyboard, two computer screens and in between them there's a so-called KVM-switch with some colorful stickers on it.

The latter device is used to work on multiple computers or networks operating at different classification levels, all with one Keyboard, Video screen and Mouse, hence the abbreviation KVM. By pushing a button, the device can switch between four different connections, which is done by the hardware in order to keep them physically separated. The KVM Switch in this picture is the SwitchView SC4 from Avocent (formerly Cybex) with four secure channels.

From the stickers with the color codes, we learn that this device enables the director to switch between three separate computer networks at the following classification levels:
- Green: UNCLASSIFIED, which is the military NIPRNet
- Red: SECRET, which is the military SIPRNet
- Orange: TOP SECRET and Yellow: TOP SECRET/SCI

The latter connection is most often used for access to JWICS, the highly secure network used by the American intelligence community, but here it may also be used for NSANet. It's not clear whether the second compter screen is for one of these networks, or for a separate access to the common internet. Both screens have a blue label which might denote that the screens can be used for multiple classification levels.

60 Minutes

The CBS program Inside the NSA was broadcasted on December 15, 2013, but was immediatly heavily critized as being too less critical in approach to the NSA, some people even said it was NSA propaganda. This seems not quite fair, as Snowden reporter Glenn Greenwald had numourous occasions in media from all over the world to present his interpretation of what NSA is doing - which went almost unquestioned.

CBS reporter John Miller asked NSA director Alexander about all the major things that came up from the Snowden-leaks and he also got answers. NSA even showed an actual example of how the metadata contact chaining method works. Whether one is satisfied by these anwers is another thing, but we should keep in mind that Greenwald's version is not always the right one and NSA is not always lying.

CBS 60 Minutes: Inside the NSA (December 15, 2013)

NSA director Keith Alexander, who's a four-star general and a career Army intelligence officer, will retire on March 28. He was head of the National Security Agency and the Central Security Service since August 2005 and the US Cyber Command since May 2010. It's expected that he will be replaced by US Navy Vice Admiral Michael S. Rogers.

Links and Sources
- Premium.chosun.com: 미국 국방부 산하 정보기관 NSA(국가안보국) 국장, 극비통신장비 노출에 비상 [출처] 본 기사는 프리미엄조선에서 작성된 기사 입니다
- HuffingtonPost.com: '60 Minutes' Trashed For NSA Piece
- CBSNews.com: Inside the NSA - How did 60 Minutes get cameras into a spy agency

February 17, 2014

Dutch government tried to hide the truth about metadata collection

(Updated: November 16, 2015)

On February 4, the Dutch government admitted that it was not NSA that collected 1,8 million metadata from phone calls of Dutch citizens, but actually their own military intelligence service MIVD. They gathered those data from foreign communications and subsequently shared them with partner agencies like NSA.

Just like everyone else, the Dutch interior minister was mislead by how Glenn Greenwald erroneously interpreted the data shown in screenshots from the NSA tool BOUNDLESSINFORMANT. This let him misinform the Dutch public and parliament too, and only after being faced with a lawsuit, he finally disclosed the truth. Here's the full story.

How it started

The first charts from the BOUNDLESSINFORMANT tool were published by the German magazine Der Spiegel on July 29, 2013. Next to a bigger chart about Germany was a smaller one about the Netherlands, but this was completely overseen by Dutch media.

Only after the French paper Le Monde came with a big story about alleged NSA eavesdropping on French citizens on October 20, 2013, the Dutch IT website Tweakers.net published on October 21 about the screenshot that was in Der Spiegel several months before:

The report by Tweakers.net was correct in explaining that the chart only shows metadata, but the headline initially read "NSA intercepted 1.8 million phonecalls in the Netherlands". It was the first time a news medium correctly presented the BOUNDLESSINFORMANT chart as showing metadata instead of content.

But as the initial headline had immediatly been copied by other media, many people, including politicians, got the idea that NSA was actually eavesdropping on a vast number of Dutch phone calls. After discussing this on Twitter, Tweakers corrected the title by adding "metadata" and "per month".

> See also: BOUNDLESSINFORMANT only shows metadata

A talkative minister

On the night of October 22, the Dutch interior minister Ronald Plasterk was asked about these revelations in the late night talk show Pauw & Witteman. He gave a clear explanation about what metadata are used for, and guessed that with around 60.000 phone calls per day between the Netherlands and the United States, this would make 1,8 million calls per month - apperently assuming that numbers of metadata equals phone calls.

He said that he wasn't yet certain whether it was actually NSA that collected those metadata from Dutch phonecalls, but that a European group of experts was established to clarify this with the Americans. The minister said that it would not be acceptable if NSA was monitoring Dutch citizens without asking permission from the Dutch government before doing so.

According to a statement by the interior minister during the parliamentary debate on February 11, 2014, it was only by now that AIVD and MIVD started communicating with NSA about the exact origins of these particular data. It would last 4 weeks to get this clear - rather quick, according to the minister.
(286e minuut)

Before this bilateral investigation was initiated, it seems that the Dutch government was relying on the work of a multinational group of experts on behalf of 27 European countries. This ad hoc EU-US Working Group was established in July 2013 to examine the NSA spying programs. Their final report (pdf) was published on November 27.

Besides this group of experts, the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament also started an inquiry in September 2013, presented preliminary conclusions on December 18 and a final report (pdf) on February 21.

Dutch interior minister Ronald Plasterk in the talk show Pauw & Witteman
(October 22, 2013 - in Dutch)

Almost one week later, on October 28, the Spanish paper El Mundo also published a screenshot from BOUNDLESSINFORMANT. The article, written by Glenn Greenwald and a Spanish journalist, once again said the chart proved that NSA had spied on 60 million phonecalls from Spain in one month.

This was the standard interpretation that Greenwald gave to BOUNDLESSINFORMANT charts for Germany, France, Spain, Norway, Afghanistan and Italy. He used them to demonstrate the claim made by Edward Snowden, that NSA is eavesdropping on innocent people everywhere in the world.

By framing the public debate in this way, most people, including politicians, assumed these claims were true, and therefore it was for example the Dutch interior minister, responsible for the civilian intelligence and security service AIVD, who was asked for explanation. Only people familiar with Dutch intelligence knew that SIGINT collection is actually done by the NSO, which is part of the military intelligence agency MIVD.

NSA strikes back

On October 29, NSA director Keith Alexander testified before a hearing of the House intelligence committee. He forcefully denied that NSA was collecting millions of phone calls from European countries by saying "Those screenshots that show or at least lead people to believe that we, NSA, or the US, collected that information is false".

Instead, data shown in charts from the Snowden document were collected not just by the NSA itself, but were also "provided to NSA by foreign partners," Alexander said. "This is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations". The next day, this statement was also sent to European partner agencies, including AIVD.

The same day, the Wall Street Journal reported that according to US officials, the metadata records for France and Spain were not collected by the NSA, but by French and Spanish intelligence services. The metadata were gathered outside their borders, like in war zones, and then shared with NSA.

Then, interior minister Plasterk was invited to appear in the Dutch television news magazine Nieuwsuur on October 30. According to a reconstruction by the newspaper NRC Handelsblad, he was advised by Defense minister Hennis-Plasschaert not to go, because her department, responsible for Dutch SIGINT collection through the MIVD, was irritated by Plasterk's willingness to talk about this issue.

Before going to Nieuwsuur, Plasterk had a meeting with Marc Kuipers, the deputy director of his own AIVD and asked him about the metadata. He was told that there was no hard evidence that the statement of NSA was correct, and Kuipers reportedly denied that the 1,8 million metadata were collected by Dutch agencies. As their research started just a week before, AIVD apparently wasn't sure yet about the exact origins of these data (it took the German BND only a week to find out that they collected the 'German' metadata *)

During the Nieuwsuur broadcast, minister Plasterk showed the letter (pdf) with the statement from general Alexander, but completely misinterpreted it as being a confirmation that the number of 1,8 million metadata were actually collected by NSA - something that was not acceptable for him. He also strongly denied that the 1,8 million were collected by Dutch agencies and subsequently shared with NSA.

Dutch interior minister Ronald Plasterk in the television
magazine Nieuwsuur, October 30, 2013

A few weeks later, NRC Handelsblad announced that they would soon start disclosing Snowden documents related to the Netherlands. NSA watchers expected that one of the first disclosures would be the complete BOUNDLESSINFORMANT screenshot, including the bottom part showing the technical specifications. But that didn't happen. NRC published two articles, on November 23 and November 30, but both contained more background information than spectacular new revelations about the Netherlands.

Most surprising was that the BOUNDLESSINFORMANT screenshot wasn't published. Maybe it had something to do with the fact that this weblog explained on November 23, that Greenwald's interpretation of these charts was not correct, which became clear after comparing two screenshots published by Greenwald in a Norwegian paper in the days before.

A few days later, on November 27, I published my research revealing that the DRTBox technique used to collect the metadata shown in the charts about France, Spain, Italy, Norway and Afghanistan is mainly used for short-range radio and cell phone interception during military operations.

Not NSA, but MIVD

These analysis not only support the official statement by NSA, but also confirm what the intelligence agencies from Germany and Norway had said earlier: that the metadata shown in the charts were collected by them as part of military operations abroad, and not by NSA (exactly the same was said by the Danish military intelligence service, anticipating on a chart about Denmark that never came).

After an investigation of exactly 4 weeks, experts from AIVD and MIVD, who compared actual data collected by the SIGINT unit NSO with data in the systems of their counterparts from NSA, concluded that there was a "perfect match". This was shared with defense minister Hennis and interior minister Plasterk on November 22. Prime minister Mark Rutte was informed during a regular meeting on December 10.

After it became clear that the metadata were not collected by NSA, but by the Dutch agency MIVD, the whole issue automatically became something that was not in the interest of the state to disclose (although not a formal state secret). The interior and the defense minister argued about whether to inform parliament and the public, like in Germany and Norway, but ultimately decided not to do so, following the standard practice to Never Say Anything about the modus operandi of the intelligence and security services.

This is a rather strange argumentation, as "collecting and sharing (meta)data" doesn't reveal any specific methods or operations. Both practices are regularly mentioned in the public reports of MIVD and the oversight committee CTIVD. But as almost no one reads these, the parliament and the people still thought it was NSA that monitored their phone calls.

Presently, it's still not clear whether or not the government informed the parliamentary intelligence oversight committee (CIVD or Commissie Stiekem), because ministers and members aren't even allowed to mention which topics were discussed during the committee meetings.
Update #1:
According to an article from February 18, 2014 by NRC Handelsblad, defense minister Hennis and the head of MIVD informed the parliamentary oversight committee on December 12, 2013 by saying that the telephony data were collected by Dutch services and shared with NSA. Apparently, this wasn't linked to minister Plasterk's statement from October 30, so most of the committee members weren't aware of the political impact.

Update #2:
In November 2015, it came out that already on March 13, 2014, the chairman of the CIVD had asked for a police investigation into which member leaked to NRC that the committee had actually been informed. As the police isn't authorised to charge members of parliament, they handed over the case to the presiding committee of the Lower House of Parliament, which started its own investigation into the leak on November 12, 2015.

Members of the intelligence oversight committee CIVD or Commissie Stiekem
leaving the conference room after a meeting on February 18, 2014
(still from the Nieuwsuur TV magazine)

Citizens against the State

But then there was a lawsuit on behalf of a coalition of citizens and organizations against the Dutch state, as represented by the interior minister. It aims at stopping Dutch intelligence agencies acquiring data from NSA that might be obtained illegally if Dutch and European law would apply. Furthermore, the coalition demands that the state informs the citizens whose illegally obtained data have been used.

Faced with the possibility of a court ruling that acquiring foreign intelligence might be illegal, which would de facto end the intelligence sharing relationships with foreign countries, the Dutch government was forced to reply. So on February 4, 2014, the state advocate came with a response (pdf), which contains two interesting points:
- The demands are mainly based upon press reports speaking of intercepted phone calls, which is incorrect, because in fact it's not about content, but about metadata. These are collected by the state, lawfully acquired in the context of international cooperation and subsequently passed on to other countries. (par. 6.2)

- Dutch intelligence services are using data derived from undirected interception of cablebound communications by foreign agencies. This method is (still) prohibited in the Netherlands, but legal in the US, and therefore the state sees this as lawful acquisitions. (par. 2.17 - revealing that this is apparently one of the things that the Dutch get in return for the metadata they share)

Misleading the parliament

Now that the state advocate had disclosed the true nature of the 1,8 million, the interior and the defense minister also had to inform the parliament and the public. This was done by a short official statement saying:
"The graph in question points out circa 1.8 million records of metadata that have been collected by the National Sigint Organization (NSO) in the context of counter-terrorism and military operations abroad. It is therefore expressly data collected in the context of statutory duties. The data are legitimately shared with the United States in the light of international cooperation on the issues mentioned above."

This was exact the opposite of what interior minister Plasterk had said during the Nieuwsuur broadcast on October 30 and subsequently to parliament. He was accused of lying or at least witholding crucial information and now had to fear for his position.

On Saturday, February 8, the newspaper NRC Handelsblad published out of the blue the long-awaited complete BOUNDLESSINFORMANT screenshot regarding the Netherlands, including the bottom part which was seen now for the first time since the initial publication by Der Spiegel in August 2013:

The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)

> See for all details about this chart: BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

On February 11, there was a parliamentary debate about the whole issue. Interior minister Plasterk sincerely apologized for his misleading statements on October 30, saying that he just wanted to make sure to the public that it was not his own AIVD that eavesdropped on Dutch citizens.

This statement was hardly convincing, and many parliament members were not satisfied with the fact that he didn't correct his statement after he was informed about the truth on November 22. Both the interior and the defense minister continuously replied that it was not in the interest of the state to provide any more information.

Given this overstretched secrecy, it almost seemed a slip of the tongue when minister Plasterk explained that because "under different programs, different types of metadata are shared" it was not so easy to attribute the 1,8 million to collection by MIVD.

After a debate of almost 8 hours, most opposition parties voted against the interior minister, but that wasn't enough to force a resignation. However, the whole affair weakened his position, he can't afford new mistakes anymore.


With claims made by Edward Snowden that NSA is monitoring innocent civilians all over the world being spread by media for months, it's understandable that the BOUNDLESSINFORMANT charts were seen as evidence for American spying on European countries. Glenn Greenwald presented them in that way to major European newspapers and supported his interpretation by a FAQ document saying that this tool shows "How many records (and what type) are collected against a particular country".

But now that it has become clear this interpretation was false, it also reveals that Greenwald apparently relied solely on these few documents, and was unaware of what the charts really show. I think we have to assume that Snowden also had no idea about their factual context, let alone any experience with the program - if he had, it would be even worse.

The whole story about BOUNDLESSINFORMANT not only backfired upon Snowden and Greenwald, but also upon several European governments, for example the Spanish and the French ones, who fiercly protested against the alleged US spying on their countries, and of course the Dutch one, where interior minister Plasterk was almost forced to resign because of the misinterpretation of the BOUNDLESSINFORMANT chart.

Links and Sources
- Le Monde/BugBrother: La NSA n’espionne pas tant la France que ça
- DeCorrespondent.nl: Cees Wiebes over de internationale gevolgen van Plasterkgate
- Jan Dirk Snel: De Tweede Kamer heeft zelf boter op het hoofd – Over de zogenaamde affaire-Plasterk
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie
- VoiceOfRussia.com: Denmark admits to tapping phones in conflict zones abroad

February 8, 2014

BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

(Updated: March 15, 2014)

Today, the Dutch newspaper NRC Handelsblad finally published the complete BOUNDLESSINFORMANT screenshot that shows data related to the Netherlands.

This came after a surprising revelation by the Dutch government that the 1,8 million metadata shown in that screenshot were not from Dutch citizens and intercepted by NSA, but actually from a legitimate collection against foreign targets by the Dutch military intelligence agency MIVD which was passed on to the Americans.

Here, I will analyse the chart and compare it with similar charts about various other countries that were published earlier. More about the background, which caused some severe political problems for the Dutch interior minister, can be read here!

The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)

The first thing that catches the eye is that the screenshot is shown here on paper, together with another sheet with an orange bar bearing a classification marking and a cardboard folder. The sheets look like as if they became wet and also show some white paint brush-like stains (all previous screenshots were published as digital files).

Probably these effects were photoshopped by the paper to make it look extra special. For example, the classification marking on the second sheet seems fake, as it reads: TOPSECRET//S//NOFORN, where in reality Top Secret are two separate words and the compartment for this kind of information is not S, but SI for Special Intelligence.

That said, we now take a look at the information in the screenshot itself. In the upper part there's the bar chart which was already published back in August 2013 by Der Spiegel. The green bars show that only DNR (Dialed Number Recognition, which is telephony) metadata were collected. In the lower part, which was published for the first time today, there are three sections with some details about this collection:

Signal Profile

This section has a pie chart which can show various types of communication. In this case, all metadata were collected from PSTN, which stands for Public Switched Telephone Network. This is the traditional telephone infrastructure, consisting of telephone lines, (undersea) fiber optic cables, microwave transmission links, cellular networks, and communications satellites, all interconnected by switching centers.

In this case, MIVD collected the metadata from PSTN traffic using their satellite station near Burum, which is operated by the signals intelligence unit NSO. This station is conveniently situated next to a big commercial ground station operated by Stratos Global, which provides access to Inmarsat, and Castor, providing access to Intelsat, Eutelsat, Gazprom, RSCC, SES (Astra), Telesat, and Arabsat satellites.

Whereas nowadays almost all intercontinental communications pass undersea fiber optic cables, some less-developed countries like Afghanistan, Sudan, Somalia, Cuba and North-Korea, and remote regions in Russia, China and Africa apparently still use Intelsat satellite links for their international telecommunications. A number of these countries are also linked to Intersputnik satellites.

An example given by the NRC newspaper is that of calls made by Somali people from call shops in a Dutch city like Rotterdam to the Somali capital Mogadishu. If these calls travel through satellite links, the MIVD is able to collect their metadata. The agency only gathers communications that are related to terrorism and those that are necessary to support international military operations.

The Burum teleport, with the NSO intercept station (left) and the
ground station operated by Stratos Global and Castor (right)
(photo: Castor - click to enlarge)

According to a reply from the Dutch government, the 1,8 million metadata were collected by the MIVD from phonecalls, including some sms and fax messages, that "originated and/or terminated" in foreign countries. After all communication data with a Dutch phone number were filtered out, the remaining data were "shared with partner agencies".

This means, these data weren't just shared with NSA on a bilateral basis, but also in multinational military intelligence sharing groups like the 9-Eyes and the 14-Eyes, which is actually called SIGINT Seniors Europe. Both groups consist of the Five Eyes plus a number of 3rd Party nations.

In response to parliamentary questions, the Dutch government seemed to suggest that the 1,8 million metadata equals 1,8 million "unique moments/types of communication". This contrary to earlier and widespread assumptions that 1 phone call creates multiple metadata records.

Most Volume

In the screenshot we can see that the metadata records were collected through a facility designated by the SIGAD US-985Y.

According to NRC, Dutch government sources say that this SIGAD does not designate a single facility, but rather "metadata collected by MIVD that are shared with NSA".

This means that these data could be derived from multiple collection platforms and not just from the satellite intercept station near Burum, although the Dutch government said that in this case the 1,8 million metadata were collected through satellite interception. Besides Burum, the Dutch SIGINT unit NSO also has a high-frequency radio intercept station near Eibergen and some mobile signals intelligence units which can be deployed during foreign operations.

US-985Y is from the same range as US-985D, which is the SIGAD in the screenshot about the collection of metadata related to France, and also near the range of US-987 SIGADs which are used for collection by Spanish, Norwegian, German and Italian agencies. Interestingly, it was Der Spiegel noticing already in August 2013, that SIGADs like the US-987 series were among those assigned by NSA to the SIGINT activities of 3rd Party partner agencies.

If the Dutch interpretation is correct, we have to assume that also the SIGADs for other countries do not designate a particular physical interception facility, but rather a foreign agency as the single source of shared data, with divisions not according to collection facilities, but according to data types like metadata, content, phone and internet. This makes some sense, as it's not up to NSA to assign designations to individual foreign collection platforms.

The headquarters of the Dutch military intelligence agency MIVD,
which is located in the Frederikkazerne in The Hague
(photo: GPD)

Top 5 Techs

This section of the screenshot mentions the technical systems or programs used to collect or process the data. Here, only a single system was used, called CERF CALL.

Sources contacted by NRC say this stands for "Contact Event Record Call", which refers in a more technical way to (telephony) metadata. "Contact" and "event" are terms which are also seen in other NSA documents related to metadata, so that seems to make sense.

It was strange that there was no word for the letter F, but some research revealed that the F most likely stands for Format. In several job vacancies CERF can be seen as listed among a number of other NSA data formats like CSDF and ASDF. We can assume now that CERF = Contact Event Record Format.

The same tech was also in the BOUNDLESSINFORMANT screenshot about Germany, where CERF CALL MOSES1 was the fourth biggest one. Maybe CERF is used for collected metadata in general and CALL specifies that for telephony metadata (although in NSA-speak, telephony is always designated as DNR). An additional codeword like MOSES1 could then be used to further specify these data sets.

Seeing CERF in the Dutch chart came somewhat as a surprise, because in almost all screenshots that followed the German one (France, Spain, Italy, Norway and a chart about Afghanistan) we saw DRTBOX, which is a technique used for handling metadata derived from mobile communication systems (PCS).

DRTBOX refers to surveillance devices made by DRT, which are used to locally intercept radio and cell phone communications, and are widely used in war zones like Afghanistan. This also provides a very strong indication that the metadata for those other countries were collected during or in support of military operations abroad.

The satellite intercept station of MIVD near Burum
(photo: ANP)

We should also be aware of the possibility that the BOUNDLESSINFORMANT screenshot doesn't show everything that the Dutch agency MIVD shares with NSA, as in this one there are only telephony metadata. This is the lesson that was learned from the screenshot about Afghanistan, which was published by Glenn Greenwald in a Norwegian paper last November.
That chart also shows just telephony metadata from one single source, but communications from Afghanistan are of course intercepted by numerous collection facilities. This means that such a document bearing the name of a particular country doesn't necessarily contains everything what's collected from or by that nation.
This problem arises from the fact that these screenshots are published without their original context, so we don't know which selections in the BOUNDLESSINFORMANT interface were made prior to resulting in the output we see in these charts. Unfortunately, Glenn Greenwald isn't able or willing to answer these kind of questions.

> More background of this story: Dutch government tried to hide the truth about metadata collection


On March 5, 2014, the Dutch paper NRC Handelsblad came with a follow-up story, which provided more context to the Dutch collection of metadata.

It says the Netherlands has been sharing intercepted telecommunications with the US since 2006. This partnership accelerated after the Dutch started their ISAF mission in the Afghan province of Uruzgan in 2006 and it continued after this mission ended in 2011. According to NRC there is still a steady flow of millions of telephony metadata from MIVD to NSA.

The paper presents the following example: When in August 2012 the Dutch navy ship HMS Rotterdam was the flagship for the NATO anti-piracy operation OCEAN SHIELD, this vessel was also intercepting the communications of Somali pirates. This was made possible because NSA had provided the covert Dutch SIGINT team on the ship with a special interception system.

NSA's access to the pirates’ communication had collapsed after the latter switched to land-based communications, which couldn't be intercepted by the Americans. Therefore the metadata provided by the Dutch were very welcome. A combination of the interception of Somali pirate communications from aboard the Dutch ship and through the Dutch satellite intercept station in Burum lead to successful mapping of pirate networks:

Note that the grey text in the bottom right corner says that this slide originally was classified as TOP SECRET//SI//NOFORN, but apperently later this was lowered to SECRET//SI//REL TO USA, NLD, probably to share it with the Dutch.

The diagram from the slide is also shown in a larger version. Some connections and icons have Dutch labels, so this seems to be generated by a software tool used by the Dutch MIVD. Probably it's Sentinel Visualizer or Analyst's Notebook or a similar software program, but it also resembles the SYNAPSE data model used by NSA.

Links and Sources
- DeCorrespondent.nl: Op dit grasveldje in de Achterhoek luistert Nederland de Taliban af
- NRC.nl: The secret role of the Dutch in the American war on terror
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie

February 6, 2014

New interpretations of NSA monitoring the German chancellor

(UPDATED: March 30, 2014)

One of the biggest scandals among the revelations about NSA spying activities, was that NSA was monitoring a mobile phone used by the current German chancellor Angela Merkel (although not her secure government cell phone, but the unsecured one provided by her political party).

But on February 4th, the German newspaper Süddeutsche Zeitung and the regional television channel NDR came with a somewhat different interpretation of this story.

Both media presented the document which proofs the monitoring to NSA insiders, who explained that it shows that since 2002 NSA was targeting the German chancellor, and not specifically Angela Merkel, who became chancellor just by the end of 2005.

In 2002, this office was held by her predecessor Gerhard Schröder, who was chancellor from October 1998 to November 2005, leading an unprecedented coalition with the Green Party for two terms.

Citing a number of US government sources and NSA insiders, both media say that Schröder's opposition to the American invasion of Iraq - and fears of a split within NATO as a result - was the primary reason to start monitoring his communications (in those days, NSA and GCHQ also eavesdropped on UN Secretary-General Kofi Annan and members of the Security Council).

The NSA document mentioning the surveillance of the German chancellor was published in the print editions of several German newspapers:

NSA record mentioning the phone number of the German chancellor
(Source: FAZ newspaper website)

Apparently this document comes from an NSA database in which the agency records its targets. This could be a tasking database codenamed OCTAVE, which is used for starting telephony interceptions. An explanation of the various entries can be found in my earlier article How NSA targeted chancellor Merkel's mobile phone.

There, I already noticed that it's somewhat strange to see Merkel mentioned as 'GE CHANCELLOR', as she was still the opposition leader when the surveillance started in 2002. Therefore, either this particular entry or the whole record must have been updated somewhere after she became chancellor in November 2005.

That action has now been confirmed by Süddeutsche Zeitung and NDR, saying that NSA started monitoring the 'German chancellor' in 2002 - which by then was Gerhard Schröder. When he was succeeded by Angela Merkel in 2005, and she became the incumbent of the chancellor's office, her name was entered in the subscriber line of the targeting record.

The initial story by Der Spiegel from October 23, 2013, apparently ignored this discrepancy and concluded that "the NSA would have targeted Merkel's cellphone for more than a decade, first when she was just party chair, as well as later when she'd become chancellor".

In the new interpretation, NSA was not specifically looking for Angel Merkel, as the Spiegel story suggests, but rather trying to monitor the person holding the office of German chancellor.

A third interpretation was brought forward by 'hacktivist' Jacob Appelbaum, who contributes to the Snowden-stories in Der Spiegel, saying that the NSRL (National SIGINT Requirements List) code 2002-388 stands for "a set of people - under which Merkel has been monitored".

This could explain the asterisk in 2002-388* - as a placeholder for a fourth digit after 388, designating multiple sub-targets under that number. If that's the case, then probably also other high-ranking German cabinet members and government officials could have been monitored by NSA, maybe even including Angela Merkel when she was still opposition leader.

Another question is about the origin of the NSA tasking-record which appeared in German newspapers. It clearly looks like scanned or photographed from a piece of paper (showing dust or ink spots, wavy lines) and the text is in the rather unusual Ayuthaya font, which normally comes with Macintosh OS X, primarily to display Thai script. The phone number also seems to be blacked out by a marker, rather than digitally.

Could it be that Snowden printed this database record in order to smuggle it out of his NSA office and then digitalized it by making a picture of it? Another question is whether there are more such (hard copy) tasking records among the Snowden-documents, or how else could Appelbaum know that there were multiple people targeted under that particular NSRL number?

German chancellor Gerhard Schröder
using a mobile cell phone

Although there are pictures of chancellor Schröder using a mobile phone, it was said in German media that he actually hadn't one for himself, but used a cell phone from people in his entourage whenever that was necessary.

Other sources say that Schröder's communications appeared to have been hacked or intercepted in the late 1990s, after which he ordered a secure (mobile) phone system to be developed.

One of the very first highly secure mobile phones, called TopSec GSM, was made by Siemens (later Rohde & Schwarz) and became available in 2001. Another solution, the Enigma encryption system for GSM phones, was apparently developed by Deutsche Telekom and sold since 2002 by the Beaucom Group.

It's not clear whether Gerhard Schröder actually used one of these phones, but it's an interesting coincidence that they became available around the same time NSA started its monitoring of the German chancellor.


On March 29, 2014, Der Spiegel provided some additional details about NSA's monitoring of chancellor Merkel based upon a presentation from NSA's Center for Content Extraction (CCE, unit designator T1221), whose tasks apparently include the automated analysis of all types of text data. The magazine published just one slide from this presentation, which shows twelve names, including Merkel's, from a list of 122 heads of state and heads of government which are or were monitored by NSA:

The document indicates that Angela Merkel has been placed in the Target Knowledge Base (TKB), a central database of individual targets. According to an internal NSA description this database can be used analyze "complete profiles" of target persons. The responsible NSA unit praises the automated machine-driven administration of collected information about high-value targets.

The searchable sources cited in the document include, among others, the signals intelligence database MARINA, which contains metadata ingested from sources around the world. The unit also gives special attention to promoting a system for automated name recognition called "Nymrod". The document states that some 300 automatically generated "cites," or citations, are provided for Angela Merkel alone.

The citations in NYMROD are derived from intelligence agencies, transcripts of intercepted fax, voice and computer-to-computer communication. According to internal NSA documents, it is used to "find information relating to targets that would otherwise be tough to track down." Each of the names contained in NYMROD is considered a SIGINT target.

The manual maintenance of the database with high-ranking targets is a slow and painstaking process, the document notes, and fewer than 200,000 targets are managed through the system. Automated capture, by contrast, simplifies the saving of the data and makes it possible to manage more than 3 million entries, including names and the citations connected to them.

The table included in the document indicates the capture and maintenance of records pertaining to chancellor Merkel already appears to have been automated. In any case, the document indicates that a manual update was not available in May 2009.

Links and Sources
- The Intercept: Der Spiegel: NSA Put Merkel on List of 122 Targeted Leaders
- Der Spiegel: 'A' for Angela Merkel: GCHQ and NSA Targeted Private German Companies
- Deutsche Welle: Reports: NSA first targeted German Chancellor Schröder, then Merkel
- SuedDeutsche.de: NSA hatte auch Gerhard Schröder im Visier
- Spiegel.de: How NSA Spied on Merkel's Cell Phone

February 4, 2014

Did CSEC really track Canadian airport travellers?

(Updated: February 9, 2014)

On January 30, the Canadian television channel CBC broke a story written by Greg Weston, Glenn Greenwald and Ryan Gallagher, saying that the Communications Security Establishment Canada (CSEC), which is Canada's equivalent of NSA, used airport WiFi to track Canadian travellers - something which was claimed to be almost certainly illegal. This story was apperently based upon an internal CSEC presentation (pdf) from May 2012 which is titled "IP Profiling Analytics & Mission Impacts":

The CSEC presentation about "IP Profiling Analytics & Mission Impacts"
(click for the full presentation in PDF)

However, as is often the case with many of the stories based on the Snowden-documents, it seems that the original CSEC presentation was incorrectly interpreted and presented by Canadian television.

The presentation was analysed by a reader of this weblog, who wants to stay anonymous, but kindly allowed me to publish his interpretation, which follows here. Only some minor editorial changes were made.

The CSEC project was not surveillance of Canadian citizens per se but just a small research project closely allied with the previous Co-Traveller Analytics document. The report was written by a 'tradecraft developer' at the Network Analysis Centre. The method was not 'in production' at the time of the report though the developer concludes it is capable of scaling to production (real surveillance).

The Five Eyes countries are trying out various analytics that work on cloud-scale databases with trillions of files. Some analytics work well, others don't or are redundant and are discarded. This one worked well at scale on their Hadoop/MapReduce database setup, giving a 2 second response. However, we don't know which this or any other cloud analytics ever came into actual use.

In this case, CSEC was just running a pilot experiment here - they needed a real-world data set to play with. This document does not demonstrate any CSEC interest in the actual identities of Canadians going through this airport, nor in tracking particular individuals in the larger test town of 300,000 people. While they could probably de-anonymize user IDs captured from airport WiFi (the Five Eyes agencies ingest all airline and hotel reservation with personal ID tagging etc. into other databases) that was not within the scope of this experiment.

Technically however, CSEC does not have a legal mandate to do even faux-surveillance of Canadian citizens in Canada. So they could be in some trouble - it could morph into real surveillance at any time - because the document shows Canadian laws don't hold them back. They should have used UK airport data from GHCQ instead. But there they lacked the 'Canadian Special Source' access to Canadian telecommunication providers.

The pilot study monitored Canadian airports and hotels but the goal was foreign: slide 19 says "Targets/Enemies still target air travel and hotels airlines: shoe/underwear/printer bombs ... hotels: Mumbai, Kabul, Jakarta, Amman, Islamabad, Egyptian Sinai". However, this seems far-fetched: the printer bombs were UPS cargo, not passenger-carried. Would someone shipping cargo even go near the airport, much less check their gMail there? More convenient just to stop by the UPS office in town.

The role of the five companies mentioned in the presentation is not always clear:

The first company mentioned, Quova, does bulk IP geo-location lookup. CSEC passes that outcome on to their own ATLAS tool as we saw in the slides about the OLYMPIA program. Given an IP, Quova seems to return only five fields: latitude, longitude, city, country, network operator. The Quova latitude/longitude data shown is not very precise: only degrees and minutes. For comparison, iPhone 4S photo exif metadata provides seconds of GPS lat/long out to six decimal points even with poor tower coverage.

Bell Canada and its ISP portal division Sympatico are mentioned in regards to the unnecessarily redacted IP (a minor settlement west of Hudson Bay, probably just the Baker Lake mine in Nunavit).

Boingo is a post-start-up in the US which is the main WiFi provider to airports and hotels worldwide. Boingo is in some trouble financially, so NSA might have an entry point there, yet the CSEC document makes it sound like they are not especially cooperative.

Akamai is a very US large company that spreads corporate web site servers around the globe for faster response and DDoS resistance. So when you point your browser at ford.com the packet doesn't go or come back from Detroit, but rather Akamai intercepts the URL and sends you packets from a local mirror (i.e. Amsterdam) without disclosing that in the URL. CSEC seems to have found that frustrating and of little value.

It goes without saying that Bell Canada is the top suspect if a telecom ISP is providing backbone intercepts. Rogers Communications is the only (implausible) alternative. However all the document says is: "Data had limited aperture – Canadian Special Source ... major CDN ISPs team with US email majors, losing travel coverage" ... "Have two weeks worth of ID-IP data from Canadian Special Source"

At NSA, a Special Source Operation (SSO) refers to a corporate partner, so this is very likely the CSEC counterpart, by context a major Canadian ISP. Here 'aperture' means the corporate partner could only do so much - as soon as the Canadian ISP hands off to Google or Yahoo, CSEC cannot follow the trail any longer. So it is not a big US firm.

I found it odd that the name of the corporate partner was redacted in slide 8. The explanation: news media don't like to mention corporate names in a bad light. Not fear of lawsuits (it's not defamation, slander or libel to merely post a government document) but probably fear of advertising revenue loss.

How is CSEC getting their data? I think we can rule out direct radio frequency signal interception here - they have the capability to do this, but it does not scale, not even to a large airport. So it's most likely done through a corporate partner but which one, where along the internet does the intercept occur, and what data fields are recorded?

Let's think about scenarios for data travelling: Boingo receives the initial URL request, passes it off to their ISP Sympatico, who pass it along to the Bell Canada network, where it is routed to Akamai or the usual internet, until it is received by the requested website and all its associated ad and image servers, and the usual TCP/IP response occurs, loading the requested web page along with all the auxillary cookies, beacons, trackers, and widgets.

From "two weeks worth of ID-IP data" it sounds like they are not collecting establishment-of-connection events to the airport WiFi but only collecting when someone actually visits a web site. That's in contrast to cell phone metadata which also includes attempted and unanswered call events.

But what exactly does the presenter mean by ID-IP? Some people suggest it might be MAC address and IP address in combination. Or user agent device string (device, OS, browser version etc). Others say advertising cookies and cookie chaining or CSEC might be hacking WiFi to install FinFisher spyware for persistent access. NSA likely owns or partners with several advertising companies and/or buy tracking data wholesale from corporate data aggregators.

I think the analyst muddles terminology here in calling this contact-chaining across air gaps, trying to be trendy. The first has meant going out from an initial individual selector to circles of secondary and tertiary selectors thus finding different individuals or IPs linked to the first selector, as seen both in NSA use and in OLYMPIA DNI and DNR chaining. Here, nobody contacts anybody else; the person is fixed, CSEC is just assigning a few travel points to each individual.

The term 'air gap' originally meant an offline computer that could not be exfiltrated, here it just means intermitent online presence at a free WiFi spot, not even sequential because the traveller may not have always used free WiFi spots. Most US travellers would connect via a cell phone accessory to their laptop, i.e. use their cell data provider the minute they got free of the airport. They would be far easier to track with by passive cell phone tower than by sporadic WiFi internet usage.

The SIGINT collection downside: now everyone is alerted about geo-tracking of movements from global free WiFi site use. So collection now provides a gigantic haystack with no needles. Although these guys with the 4th grade madrassa educations, maybe they remain clueless about snooping techniques.


Security expert Bruce Schneier also concluded that the CSEC presentation is not about tracking Canadian travellers, but actually shows "a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using that data to identify individual users".

On his weblog, one of the journalists working on the story of the Canadian broadcaster CBC has now responded to the critical remarks expressed here.

Links and Sources
- Vice.com: How does CSEC work with the world's most connected telecom company?
- Schneier.com: CSEC Surveillance Analysis of IP and User Data
- ArsTechnica.com: New Snowden docs show Canadian spies tracked thousands of travelers
- Lux ex Umbra: More on the wi-fi spy guys
- TorontoSun.com: 'Too early' to tell if spy agency broke any laws, privacy commissioner says
- CBC.ca: CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents