November 21, 2016

Data sharing systems used within the Five Eyes partnership

(Updated: November 28, 2016)

From the Snowden revelations, the general public learned about the Five Eyes partnership between the signals intelligence agencies of the United States, the United Kingdom, Canada, Australia and New Zealand, but details about this cooperation remained shrouded in secrecy.

Now, a batch of internal newsletters of the NSA's Signals Intelligence Directorate (SID), published last August by the website The Intercept, provides new information about various systems for sharing information, metadata, content and reports among the Five Eyes partners.

- From BRUSA to Five Eyes
- Joint Executive for SIGINT Interoperability (JESI)
- Information sharing: IWS
- Interoperable access control: PKI
- Sharing metadata: MAINWAY
- Federated metadata queries: GLOBALREACH
- Sharing content: TICKETWINDOW
- Sharing end reports: CATAPULT
- SIDtoday newsletters


From BRUSA to Five Eyes

The Five Eyes community grew out of the cooperation between Britain and the United States during World War II. On March 5, 1946 both countries signed the BRUSA (now known as UKUSA) Agreement on communications intelligence cooperation. This is not only about collecting signals intelligence, but also about security measures, like the use of codewords to restrict access to highly sensitive sources and reports.*

In June 1948 the UKUSA Agreement was established, which Canada, Australia and New Zealand signed on along with the UK as "Second Parties". A separate agreement between Canada and the USA (CANUSA) was signed in November 1949, followed by one with Australia in September 1953.*

Finally, in May 1954, the BRUSA Agreement was renamed UKUSA, which became also the name for the complex network created by these often overlapping agreements, appendices and memoranda of understanding.* Australia acted on behalf of New Zealand until the latter became a full member in 1955 or 1977.

The (signals) intelligence agencies that have less close bilateral relationships with NSA are called Third Party partners. Currently, there are over 30 Third Party partners, see: NSA's Foreign Partnerships

When the term Five Eyes (for classification purposes abbreviated as FVEY) came in use is not clear, but the SIDtoday newsletter from August 5, 2003 confirms that "Five Eyes" is derived "from the "US/UK/CAN/AUS/NZ EYES ONLY" caveat that limits the distribution of SIGINT reports to the listed Second Party countries."

The initial network of bilateral relationships between the five partner countries was eventually transformed into a "group partnership" in 1993 - as was revealed in a newsletter from August 25, 2003. It's not explained what this means, but it's sounds like a shift to a more multilateral framework for cooperation among eachother.


The British-U.S. Communication Intelligence Agreement from 1946
(the full text as pdf - click to enlarge)


Joint Executive for SIGINT Interoperability (JESI)

In 1998, the agencies of the Five Eyes group established the Joint Executive for SIGINT Interoperability (JESI, pronouncesd as "jessy"). In the newsletter from August 25, 2003, JESI is described as a "multi-national executive body responsible for ensuring continued interaction and interoperability among the five SIGINT partners". JESI doesn't have its own staff, it's just a collaboration platform.

Officials from the Five Eyes agencies also meet at an annual JESI conference. In July 2003 this meeting was held in the Australian capital Canberra and was focused on the mission objectives of the partner agencies and how they relate to the 5-EYES SIGINT Partnership Business Vision, which was published earlier that year. They addressed the following topics:
- Mission collaboration and knowledge sharing
- Enabling SIGINT operations through information assurance
- Exchange of finished intelligence
- Maintaining business continuity



For a more efficient cooperation among the Five Eyes partners, the following systems were created, most of them initiated by JESI in 2002-2003, as described in the SIDtoday newsletter from August 25, 2003:

Information sharing: IWS

A collaboration tool called InfoWorkSpace (IWS) was created to exchange information between NSA, the US military and partner countries during Operation Enduring Freedom in Afghanistan.

IWS is a software tool that provides chat communications as well as audio and video conferencing, file sharing, virtual whiteboards, and shared desktop views through desktop computers connected to a secure network.* As within the Five Eyes it's about signals intelligence, IWS most likely ran, and maybe still runs on NSANet.

According to a SIDtoday newsletter from September 10, 2003 IWS was already used by over 4000 NSA and their Second Party counterparts at the working levels. They collaborated on topics like Operation Enduring Freedom, international terrorism, real-time collection coordination, SIGINT development and multi-intelligence tasking.

This succesful use of IWS led JESI decide that the system should also be used at leadership-level. As of 2003, the SIGINT directors of the Five Eyes partners would use IWS to enhance their collaboration on subjects ranging from current intelligence objectives to future collection planning. They would get access to one of the IWS servers managed by NSA, codenamed VOTEDOOR.


InfoWorkSpace, here being used during the Joint
Expeditionary Force Experiment (JEFX) 2006
(photo: CHIPS Magazine)

In another newsletter from December 19, 2003, it is said that not long before, the SIGINT directors of NSA, the Canadian CSE, the Australian DSD and New Zealand's GCSB held their first virtual meeting using the InfoWorkSpace tool. However, their counterpart at "GCHQ was unable to attend due to a computer failure."

According to the newsletter, this first meeting lasted over an hour and was mainly about "efforts against terrorism, especially ways to extend cooperation across the SIGINT community, and to include the HUMINT [Human Intelligence] community". A next virtual meeting using IWS was scheduled for the middle of January 2004.

The tech website Motherboard found the following video presentation of the InfoWorkSpace (IWS) tool, which was developed by ezenia!, a small company from Salem, New Hampshire:





Interoperable access control: PKI

In order to give Second Party employees access to joint collaboration systems, JESI pushed the partner agencies to deploy interoparable Public Key Infrastructure (PKI). The NSA's PKI is a comprehensive encryption system to protect classified information against:

- Unauthorized disclosure and modification through digital signing
- Unauthorized access through access controls and authorization services
- False user idenfications

An SIDtoday newsletter from July 8, 2003 explains that the new PKI system would replace the ICARUS e-mail encryption system by October 2003. A valid PKI certificate was also needed to use applications like Peoplesoft and CONCERTO. The latter is NSA's internal personnel system, which has separate parts for human resource and security clearance information.

The new PKI certificates were first issued to NSA employees who were US citizens and held a blue, green, or gold badge. Later, PKI certificates would also be issued to employees of Second Party agencies and to non-US citizens. This PKI system seems to be a software solution without two-factor authentication with a token like the CAC-smartcard of the US military.


Sharing metadata: MAINWAY

Since 2006 it was thought that MAINWAY was a repository just for telephone metadata, but based upon recently leaked and declassified documents, it was explained on this weblog that MAINWAY also contains internet metadata as well as the domestic phone records NSA previously collected under the authority of Section 215 of the USA PATRIOT Act.

Rather unexpected, the SIDtoday newsletter from August 25, 2003 now also reveals that "MAINWAY, a system that uses phone call contact chaining to identify targets of interest, was provided to each of our partners. The partners now supply additional contact information to the database to enhance the joint ability to identify targets".

So MAINWAY is not only fed with the domestic US telephone records and the foreign telephone and internet metadata collected by NSA, but also with foreign metadata provided by GCHQ, CSE, DSD and GCSB. According to the quid pro quo rule for intelligence cooperation, all Five Eyes partners can apparently also query the MAINWAY database for their national security interests.

However, Second Party analysts have no access to the domestic US phone records, but so far there are no documents that mention this explicitly (recently published dataflow diagrams show that MAINWAY has separate BRF [BR FISA or Section 215 records] partitions though).

A GCHQ presentation from 2010, which was published earlier, shows the user interface of the IMMINGLE tool with check boxes for direct access to various metadata repositories, including MAINWAY II:


User interface of GCHQ's IMMINGLE tool for access to various metadata repositories
(the full presentation as pdf - click to enlarge)



Federated metadata queries: GLOBALREACH

Besides direct access to the metadata contained in MAINWAY, analysts from the Five Eyes partners can also use the GLOBALREACH system. In documents that were published earlier, this system is described as a "federated query service via accounts and access verified by PKI certificates" which probably runs on NSANet.

As a federated service, GLOBALREACH can be used to query multiple metadata databases with one single login. A 2005 document says that for example CIA would provide metadata "from non-SIGINT sources for inclusion in the dataset searched by GLOBALREACH" and it's likely that it can also search the foreign metadata from MAINWAY.

A pilot for a similar federated query tool codenamed ICREACH for the US Intelligence Community (IC) was started in 2007. After NSA "persuaded other US IC agencies to make almost 100 bn previously NOFORN records shareable with the 5-eyes via GLOBAL REACH", agreements were reached with the Second Party agencies, whereafter they started to provide ICREACH with telephony metadata, making them accessible to over 1000 analysts across 23 US intelligence agencies.

After establishing ICREACH, these analysts got access to more communication modes (including landline, mobile, satellite and VoiP call records), the types of metadata increased from 5 fields to 33 fields and the total volume rose from 50 billion to over 850 billion records - ca. 126 billion of which from Second Party partners. 1-2 billion records were said to be added daily, so by now, ICREACH may provide access to over 5 trillion metadata records.


Architecture of the ICREACH federated query system
(the full presentation as pdf - click to enlarge)



Sharing content: TICKETWINDOW

An older collaboration system for the Five Eyes partners is described in a SIDtoday newsletter from November 7, 2003: TICKETWINDOW. This system was established in 1999 by the NSA's Data Acquisition division to enable reciprocal data sharing with Second Party parters - without revealing sensitive sources and collection methods, which often restricted data sharing. Within TICKETWINDOW, NSA shares most data, but the other partners also contribute from their own collection.

In 2003, TICKETWINDOW was regarded a success story: new sources from the partner countries helped NSA to be more productive, while for the Australian DSD, more than 40% of their product reporting was from TICKETWINDOW collection, particularly from NSA collection. Both the British GCHQ and the Canadian CSE had doubled their output of TICKETWINDOW reports in 2002. Maybe this system is somehow related to the mysterious SIGADs starting with DS, which seem to denote collection by Second Party countries.

A similar data sharing system for the SIGINT Seniors Europe (SSEUR) group of Third Party partners is the Signals Intelligence Data System (SIGDASYS).


Sharing end reports: CATAPULT

Finally, there's also a system for sharing intelligence reports among the Five Eyes partners. According to a newsletter from May 8, 2003, NSA and the Canadian CSE set up a prototype portal to exchange SIGINT products between NSA and its Second Party partners under the codename CATAPULT.

The CATAPULT portal "contains all 2nd party viewable product shared with CSE to include multimedia reporting, CRITICOMM released product, and SIGINT on Demand (SOD) items", all of which is accessible from NSANet through a browser interface. CATAPULT is based on CSE's SLINGSHOT system, which delivers SIGINT reports to Canadian "customers" like policy and decision makers.

CATAPULT was brought under the JOURNEYMAN umbrella program for modernizing the way SIGINT analysts can write and disseminate their reports. As CATAPULT started as a prototype, it may have been replaced by a system that includes all Five Eyes partners.


Besides the systems described above, JESI also initiated the creation of several protected websites to allow employees of the Second Party agencies to securely share data within specific communities of interest.

As close as the cooperation between these agencies may have become, the sharing mechanisms are still meant to support each member's foreign intelligence tasks. The Five Eyes are not a body of its own with its own goals or targets, like for example a rather ridiculous target list on Wikipedia suggests.

Also, the data sharing system TICKETWINDOW isn't the successor of ECHELON, as Wayne Madsen wrote on the website Intrepid Report. ECHELON was (and under the name FORNSAT still is) a worldwide network of satellite intercept stations to provide in the information needs of each of the Second Party countries.


SIDtoday newsletters

In May 2016, The Intercept started publishing large batches of documents from the Snowden archive, to begin with the SIDtoday newsletters from 2003, all the way to the most recent available ones from 2012. A second batch came in August 2016 and so far, a total number of 429 SIDtoday newsletters have been published, from March 2003 to July 2005.

These newsletters are an interesting source for historical research as they add or confirm many details about NSA. Although some of them are about operations that could be controversial, taking away full nine years of SIDtoday newsletters isn't proportionate and forms an example of where Snowden wasn't very selective.



Links and sources
- The Intercept: All published editions of SIDtoday
- Lux ex Umbra: Releases of Canadian identities to Five Eyes partners
- About Canada and the Five Eyes Intelligence Community (pdf)
- Martin Ruder: Hunters and Gatherers: The Intelligence Coalition Against Islamic Terrorism
- NSA: UKUSA Agreement Release 1940-1956