April 8, 2015

Torus: the antenna to significantly increase satellite interception

(Updated: April 15, 2015)

At three satellite facilities, in Britain, Cyprus and New Zealand, there's a special antenna that allows NSA's partner agencies a significant increase in their capability to collect satellite communications.

This antenna is called Torus, and while conventional parabolic dish antennas can only view one satellite at a time, one single Torus antenna is able to receive the signals from up to 35 communications satellites.

These rare and expensive Torus antennas are used by some television networks, but a close look at photos of the Five Eyes satellite stations has now revealed the locations where Torus antennas are also used for gathering signals intelligence.



A General Dynamics Satcom Technologies Torus antenna
with the array of receiver heads clearly visible



The Torus antenna is rectangular, instead of circular like the conventional satellite dishes. Its quasi-parabolic shape is actually a section of a geometrical shape called torus, which it gave its name. Where a conventional satellite antenna only has one receiving head, called a Low-Noise Block (LNB) downconverter, a Torus antenna has many of them, placed in an array.



How one Torus antenna (brand name Simulsat) is able
to receive the signals of up to 35 satellites
(Source: Evertz.com - Click to enlarge)


With a focal arc instead of a single focus point, the Torus antenna can pick up the signals from a range of satellites which are in a GeoStationary Orbit (GSO), a fixed position above the equator. This is the case for most of the more than 100 communications satellites. Because a Torus antenna has to be aligned with the position of multiple satellites, it has to be adjusted to a specific position and therefore cannot be turned or spin around like circular satellite dishes.


Satellite collection

The usage of Torus antennas for signals intelligence first became clear from a slide that was part of a 2011 presentation for the annual Five Eyes conference. It was published in May 2014 in Glenn Greenwald's book No Place To Hide.

The slide is titled "New Collection Posture" and contains a diagram showing the various steps in the process of satellite collection. Greenwald saw this as evidence that NSA wants to "Collect it All", although the diagram clearly shows this refers to just one particular stage:




For the first step of this process it's said that "Torus increases physical access" - a clear description of the fact that one such antenna can receive the signals from many satellites. With one satellite having between 24 and 32 transponders to relay a signal, one Torus antenna, under the right circumstances, could in theory receive nearly 1,000 communications channels simultaneously.

This doesn't necessarily means that with Torus antennas, the Five Eyes agencies are now "collecting everything". The new antenna allows them access to much more satellites, but in the next stage (dubbed "Know it All") they look for and pick out the channels that have the best chances for useful information.


More access also means the need for more capacity to process these incoming signals, because they have to be converted, demodulated and demultiplexed before something can be done with them. And for internet communications, also more XKEYSCORE (XKS) servers would be needed for buffering, so analysts can sort out data of interest.

Torus antennas are useful to "increase the haystack", which doesn't mean that the whole haystack is stored - only those tufts that are likely to contain "needles".



Torus interception antennas

Now knowing what to look for, it was quite easy to "spy back" on the satellite intercept stations through the aerial images of Google Maps. By doing so, we can recognize Torus antennas in Britain, Cyprus and New Zealand.


Waihopai, New Zealand

Most information about the use of a Torus antenna for signals intelligence is available for the one at the Waihopai satellite intercept station in New Zealand, which is codenamed IRONSAND.

According to an article that was originally published in The Marlborough Express in July 2007, the Torus at Waihopai was built the month before and was expected to be operational later that year. Then GCSB director Bruce Ferguson said that this new dish would enable satellites to be tracked more efficiently, and with a cost of under 1 million dollars, it was very good value for money, he said.



The Waihopai station in 2012, with the Torus antenna at the far left
(Photo: Gilbert van Reenen/Vital Images - Click to enlarge)


The new Torus antenna joined the existing satellite dishes, the first of which was built in 1989, and the second in 1998. These dishes are covered by domes, which make them look like giant golf balls. According to the GCSB director this was to ward off the weather, but it is generally considered that it is actually to prevent seeing which direction the dishes face.

The Torus didn't get such a covering, maybe because it only has limited ability to manoeuvre on a fixed pad. But had the Torus antenna been covered like the old dishes, we wouldn't have known about this new and increased satellite interception capability.



The GCSB satellite station Waihopai, before (2005) and
after (2008) the Torus antenna was installed


The Torus at Waihopai is also mentioned in a recently disclosed GCSB presentation from April 2010, which says: "TORUS now enabling an increase of COMSAT/FORNSAT collection". This sounds like this antenna became operational not long before, although it was already installed in 2007. Maybe it took a few years before the necessary processing capacity became fully functional.


Bude, United Kingdom

A second Torus antenna used for satellite interception is at GCHQ Bude, in the west of Cornwall, in the United Kingdom. Bude, codenamed CARBOY, is a large station where GCHQ and NSA cooperate in the interception of both satellite and submarine cable communications.

Here, satellite interception started in the late 1960s with two giant dishes with a diameter of 27 meters. Nowadays there are 21 satellite antennas of various sizes that can cover all the main frequency bands and seem generally orientated towards the INTELSAT, Intersputnik and INMARSAT communication satellites.

The Torus antenna at GCHQ Bude must have been installed somewhere between January 2011 and June 2013: on the current Google Maps image, which is from December 30, 2010, the Torus antenna isn't yet present, but in the picture below, which is from June 23, 2013, the distinctively shaped antenna is clearly visible:



Satellite dishes at GCHQ Bude in Cornwall, with the Torus
antenna just right of the big radome in the center
(Photo: Reuters/Kieran Doherty - Click to enlarge)



Ayios Nikolaos, Cyprus

A third Torus antenna is installed at the GCHQ listening station Ayios Nikolaos, which is part of the British Sovereign Base Area of Dhekelia in Cyprus, where British signals intelligence has already been present since the late 1940s.

This listening station is codenamed SOUNDER and is part of the Five Eyes satellite interception network that became known as ECHELON. A Google Maps satellite photo shows that there are several large and small satellite dishes, including one that can be recognized as a Torus antenna:



Satellite dishes at GCHQ Ayios Nikolaos in Cyprus with
the one at the left recognizable as a Torus antenna
(Photo: Google Maps - Click to enlarge)


This satellite image is from April 12, 2014, but because for this location no earlier images are available, it's not possible to say in which year this Torus antenna was installed. This makes that for now, the oldest reference to a Torus antenna used for signals intelligence is for Waihopai in New Zealand (2007).

Update:
As a reader noticed in a comment below, images from Google Earth show that the Torus antenna at Ayios Nikolaos must have been built somewhere between May 2008 and April 2011, according to the images available for those dates.
So for signals intelligence, Torus antennas were subsequently set up in Waihopai (2007), in Ayios Nikolaos (between 2008 and 2011) and in Bude (between 2011 and 2013).

No Torus dishes were visible at the other major satellite stations of the Five Eyes countries, like Yakima and Sugar Grove in the US, Menwith Hill in the UK, Misawa in Japan, and Geraldton in Australia. Torus antennas can also not be seen in aerial photos of the satellite intercept facilities in allied countries like The Netherlands, Denmark, Germany, and Austria.



Development

The Torus antenna was developed in 1973 by COMSAT Laboratories in Clarksburg, Maryland, where it operated an experimental installation that communicated with Intelsat satellites.

The original version of the Torus antenna was able to receive the signals of up to 7 satellites simultaneously and costed 1,1 million US dollars. At that time, the price of a conventional dish, that was much larger than those used nowadays, was around 800,000 dollars.


Probably the first experimental Torus antenna of Comsat,
here being disassembled in August 2007
(Photo: Dennis Boiter/Comara.org - Click to enlarge)


In 1979, COMSAT applied for the Federal Communications Commission (FCC) to build three Torus antennas for commercial use: in Etam (West Virginia), Andover (Maine) and Jamesburg (California). Each of them had to communicate simultaneously with three American domestic satellites which were in a geostationary orbit at 4° degrees apart from eachother.

After the presentation of the first commercial Torus antenna in 1981, the system didn't become very popular, apparently because the efficiency of this antenna type was less than the parabolic satellite dishes and also had increased sidelobe levels.


Manufacturers

The largest and custom made Torus antennas appear to be manufactured by General Dynamics Satcom Technologies. Smaller, standard Torus antennas are available from General Dynamics' subsidiary Antenna Technology Communications Inc (ATCi), which produces three types under the brand name Simulsat. The width of these dishes is between 8 and 13 meters.

Reportedly there are only about 20 Torus antennas in the world, but it's not clear whether this number is only about the largest ones made by GD Satcom Technologies, or that it also includes that smaller dishes from ATCi. Main customers are the US federal government and television stations that feed their cable networks with a large number of satellite channels.



Simulsat antenna at the Microsoft campus in Silicon Valley


Television networks

An example of a Torus used by television networks is the American sports broadcaster ESPN, which had a 24-meter Torus antenna installed at its headquarters in Bristol, Connecticut, in 2007. DIRECTV has three Torus dishes, including one at its Los Angeles Broadcast Center (LABC), which receives signals from 32 satellites.

It's not known what the price of a Torus antenna is, but it comes probably near 1 million dollars. This can be worth it as one single Torus eliminates the need to install multiple conventional parabolic dishes, that can cost up to several hundred thousand dollars each.
 

Update:
After this article had been published, a number of other Torus-antennas were found by Cryptome, @sigwinch and other people. Most of them are at the dish farms of television networks and commercial satellite companies. Until now, 17 additional Torus antennas can be seen at:

- CIA headquarters (present already in 2000)
- Schriever Air Force Base in Colorado
- An Intelsat ground station near Napa, California (2)
- An Intelsat ground station in Nuevo, California
- An Intelsat ground station near Atlanta, Georgia
- An RRsat America ground station near Hawley, Pennsylvania
- An Intelsat dish farm in Long Beach, California
- An Echostar satellite downlink facility in Chandler, Arizona
- The Intelsat Teleport near Castle Rock, Colorado
- An Echostar Broadcast Center in Cheyenne, Wyoming
- A satellite station near Lake Pochung, New Yersey
- A satellite ground station in Vernon county, New Yersey
- The HBO Communication Center in Hauppage, New York
- The roof of HBO Studio Productions in New York City (2)
- The Inmarsat access station in Nemea, Greece



Links and sources
- Stuff.co.nz: Snowden Files: Inside Waihopai Domes
- Business sheet: General Dynamics SATCOM Technologies Business Overview (pdf)
- Product sheet: General Dynamics 7.0 Meter Torus (pdf)

March 25, 2015

New Zealand and XKEYSCORE: not much evidence for mass surveillance



Since March 5, The New Zealand Herald and the website The Intercept published a number of stories based on top secret documents regarding New Zealand. These stories followed last year's claims by Edward Snowden saying that the New Zealand signals intelligence agency GCSB is involved in indiscriminate and illegal mass surveillance of ordinary citizens.

Here we will take a close look at the original documentes that accompanied these reportings and put them in a broader context in order to see whether they support these claims or not. Attention will also be paid to the notorious XKEYSCORE system.




The listening station at Waihopai (SIGAD: NZC-333) in New Zealand
after activists deflated one of the kevlar radomes in April 2008
(Source: GCSB presentation - Click to enlarge)
 

GCSB satellite collection

In the first story from March 5, it was claimed that New Zealand's signals intelligence agency GCSB conducted "mass spying on friendly nations" in the South Pacific on behalf of the Five Eyes partnership, which consists of the United States, the United Kingdom, Canada, Australia and New Zealand.

The allegation of "mass spying" seems to be based upon an excerpt from an GCHQ wiki page from about 2011, which talks about "full-take collection" at New Zealand's satellite intercept station in Waihopai (codenamed IRONSAND):



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)


A GCSB report from July 2009 says that GCSB users were trained by NSA XKEYSCORE trainers "in anticipation of full-take collection and 2nd party sharing" with the full-take collection expected to be running by October 2009.


"Full-take" collection

The New Zealand Herald explained that "full-take collection means the base now collects and retains everything it intercepts: both the content of all the messages and the metadata". If that would be true, then one could probably speak of "mass surveillance".

But later on, the report quotes the German magazine Der Spiegel, which reported already in 2013 that XKEYSCORE "enables 'full-take' of all unfiltered data over a period of several days". The latter is an important detail, but neither The New Zealand Herald, nor The Intercept paid any further attention to it.

When New Zealand's prime minister John Key was asked about the "full-take" at a press conference, he told a reporter: "With the greatest of respect, I don't actually think you understand the technical term and it's not my job to explain it to you". This is the standard response governments give in these matters, rather letting citizens think they are under massive surveillance than explaining what really happens...
 

XKEYSCORE

In the GCHQ wiki entry we also see two check boxes with next to them the Waihopai station mentioned as "GCSB_IRONSAND_WC2_FULL_TAKE". The abbreviation WC2 stands for WEALTHYCLUSTER 2, which is apparently the second generation of a system that is used to process low data rate signals: it sessionizes all of them and then forwards them to XKEYSCORE.

Using WEALTHYCLUSTER processing is called the traditional version of XKEYSCORE, which is used for satellite and terrestrial radio signals. For higher data rates, like on fiber-optic cables, it was/is not possible to forward all data to XKEYSCORE.

These yet unfiltered internet communication sessions forwarded to XKEYSCORE are called the 'full-take'. They are only stored for a short period of time: content is buffered for 3 to 5 days (sometimes shorter or sometimes longer, depending on the amount of traffic), and metadata for up to 30 days. In other words, XKEYSCORE creates a rolling buffer which is continually being rewritten:



Slide with some main characteristisc of the XKEYSCORE system
See also another, similar NSA presentation about XKEYSCORE


This buffering enables analysts to perform federated queries using so-called "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents, spreadsheets in English, as well as in Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace target's internet activities that are performed anonymous, and therefore cannot be found by just filtering out known e-mail addresses of a target. When such content has been found, the analyst might be able to find new intelligence or new "strong selectors", which can then be used for starting a traditional search.


XKEYSCORE Fingerprints

To use XKEYSCORE more efficient, analysts can create so-called 'fingerprints', which are rules that contain search terms (especially all the correlated identities of a certain target) that are automatically executed by the system. Some examples of XKEYSCORE fingerprints were disclosed by German regional television on July 3, 2014, who presented them as excerpts of XKEYSCORE's source code.

Until now, The New Zealand Herald has published two XKEYSCORE fingerprints that define GCSB targets: one related to candidates for the job of director-general of the World Trade Organisation (WTO), and another one related to the Solomon Islands, for which the fingerprints show that GCSB (and/or NSA) was interested in documents from the government of this island state, as well as in the Truth and Reconciliation Commission and former militia groups.


GCSB targets

Another document disclosed by The New Zealand Herald and The Intercept shows that GCSB also spies on China, Pakistan, India, Iran, South Pacific Island nations (like Tuvalu, Nauru, Kiribati and Samoa, Vanuatu, New Caledonia, Fiji, Tonga and French Polynesia), the diplomatic communications of Japan, North Korea, Vietnam, and South America, as well as French police and nuclear testing activities in New Caledonia, and even on Antarctica.

A number of these targets, and some others, were already listed in a 1985-86 annual report of GCSB (classified as TOP SECRET UMBRA), which was accidently released in 2006. So although it might be embarrassing for the New Zealand government that the spying on nearby friendly island states was exposed, it is nothing new and nothing what is very far out of the range of what intelligence agencies usually do.
 

"Collect it All"

In a GCSB presentation (pdf) about the Waihopai satellite station from April 2010 we read: "To brief IS on the MHS ‘Collect It All’ initiative" - with IS being the abbreviation for IRONSAND, the codename for Waihopai; and MHS for Menwith Hill Station, NSA's large satellite facility in England.

This seems to confirm that "Collect It All" was initially a project for the Menwith Hill Station, maybe meant to be extended to other satellite collection facilities, but not the primary aspiration for NSA's collection efforts in general, as Glenn Greenwald claimed in his book No Place To Hide.*

As evidence, Greenwald presented a slide from a 2011 presentation for the annual Five Eyes conference, but that shows that "Collect it All" actually refers to just one particular stage of the collection process for satellite traffic:




- On top of the diagram, the process starts with receiving the satellite signals ("Sniff it All") and this is followed by "Know it All", which is about detecting (survey) what kind of traffic certain communication channels contain.

- The stage for which they aim "Collect it All" is when signals are processed into usable data by conversion, demodulation and demultiplexing. This is done through systems codenamed ASPHALT and ASPHALT PLUS, but no further information on these system has been published. Apparently "Collect it All" is about increasing the capability to process signals.

- The next stage is "Process it All" where, after a Massive Volume Reduction (MVR) to get rid of useless data, XKEYSCORE (XKS) is used to search for things that are of interest. The last two stages are about analysing data at a large scale and share them with GCHQ and NSA's satellite intercept station in Misawa, Japan.



Photo of what might be XKEYSCORE equipment at the NSA's
European Cryptologic Center (ECC) in Griesheim, Germany
(Source: ECC presentation (pdf) - Click to enlarge)


Targeted collection

Combining the earlier disclosed information about XKEYSCORE shows that neither "full-take", nor "Collect it All" means that "everything" ends up in some NSA database (typically PINWALE for content and MARINA for metadata). This only happens with data that is extracted based upon 'strong selectors', 'fingerprints', or manual searches by analysts when they think it contains valuable foreign intelligence information.

A 2012 NSA document about a training course for XKEYSCORE, published by Der Spiegel in June 2014, says that this system helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

This suggests that XKEYSCORE is able to sort out data in a way that is even more targeted than the traditional method, in which communications are filtered out by internet addresses. This would make XKEYSCORE even less the "mass surveillance tool" as it is called by Snowden.
 


GCSB cable access

Besides the satellite station in Waihopai and the High-Frequency radio intercept facility near Tangimoana, some snippets disclosed in September 2014, show that GCSB also started a cable access program codenamed SPEARGUN, for which the first metadata probe was expected mid-2013. According to The Intercept, this program might be about tapping the Southern Cross cable, which carries "the vast majority of internet traffic between New Zealand and the rest of the world".

A bit confusing is that in a 2012 GCSB presentation (pdf), project SPEARGUN is listed among topics related to the "IRONSAND Mission", but maybe this means that the mission of this satellite intercept station in Waihopai was extended to include cable operations too.

IRONSAND is in the north east of the South Island of New Zealand, while the landing points for the Southern Cross cable are in the north of the North Island, a distance of more than 500 kilometers. It's possible that from the Waihopai station the actual cable intercept facilities are remotely controlled, maybe through a secure Virtual Private Network (VPN) connection over the domestic Aqualink cable:




The access points to the Southern Cross cable could then be identical with the "NSA facilities" in Auckland and "in the north" of the country, which Edward Snowden hinted to in his speech on the "Moment of Truth" meeting in Auckland on September 15, 2014.


Snowden's claims

The Intercept presented this cable access as a "mass metadata surveillance system" capable of "illegal domestic spying" on the communications of New Zealanders. These claims seem to be based upon a rather pathetic statement from Edward Snowden himself:

"If you live in New Zealand, you are being watched. At the NSA I routinely came across the communications of New Zealanders in my work with a mass surveillance tool we share with GCSB, called “XKEYSCORE.” It allows total, granular access to the database of communications collected in the course of mass surveillance. It is not limited to or even used largely for the purposes of cybersecurity, as has been claimed, but is instead used primarily for reading individuals’ private email, text messages, and internet traffic".

Snowden pretends that XKEYSCORE is primarily used to snoop on the communications of private citizens, as if GCSB, NSA and the other partner agencies don't have way too many other targets (see for example the long list of countries targeted by GCSB) and waste their time on ordinary civilians. Snowden however continues:

"The GCSB provides mass surveillance data into XKEYSCORE. They also provide access to the communications of millions of New Zealanders to the NSA at facilities such as the GCSB station at Waihopai"
"It means they have the ability see every website you visit, every text message you send, every call you make, every ticket you purchase, every donation you make, and every book you order online
"

This is also misleading, because, as we have already seen, GCSB isn't very much interested in "your" private communications. In his "Moment of Truth" speech, Snowden claimed that he would have been able to enter for example the e-mail address of prime minister John Key in XKEYSCORE to get access to all content and metadata of his internet activities.

What Snowden briefly acknowledged in this speech, but left out in his statement for The Intercept, is that such searches are constrained by policy restrictions. Indeed, every analyst who works with XKEYSCORE and wants to query data collected in New Zealand, has to do a training on the New Zealand Signals Intelligence Directive 7 (NZSID7), which contains the rules about what GCSB is allowed to do.

As GCSB is not allowed to collect communications of New Zealanders (except for when there's a warrant to assist domestic agencies), this means that the other Five Eyes agencies aren't allowed to do that either. Snowden would therefore not have been allowed to look at the communications of prime minister Key.


Not only must all queries against data from New Zealand sources be compliant with both the NZSID7 and the Human Rights Act (HRA), they will also be audited by GCSB:



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)

Snowden however considers these policy restrictions not sufficient because analysts "aren't really overseen". For GCSB, a 2013 review report found that there were indeed problems with oversight, but the new GCSB law, which is opposed by many people because it would supposedly enable "mass surveillance", actually also strengthens oversight. NSA noticed this too.


The government's response

New Zealand's prime minister John Key rejected the reportings by The New Zealand Herald, saying that "Some of the information was incorrect, some of the information was out of date, some of the assumptions made were just plain wrong". He strongly denied that GCSB collects mass metadata on New Zealanders, but he acknowledged that the agency had tapped into the cable, but only for the purposes of a cybersecurity program codenamed CORTEX.

As a proof, several secret government documents were declassified, but from them it doesn't become clear whether CORTEX really is the same program as the cable access which is codenamed SPEARGUN in the NSA and GCSB documents. According to Key, the CORTEX cybersecurity system was eventually scaled back and now only protects specific entities in the public sector and some private companies.

A snippet from an NSA document says that the implementation of the cable access project SPEARGUN was awaiting the new 2013 GCSB Act. It was said this was because the new law would enable "mass surveillance", but the proposed law also authorizes GCSB to ensure cybersecurity, which would support the statement of the government.

 

Conclusion

As the disclosed documents only contain a few lines and no further details about the cable acces codenamed SPEARGUN, it is not possible to say for sure whether this is about intercepting communications from the Southern Cross cable, like the Snowden-related media claim, or that it is actually a cybersecurity program, like the government says.

What did become clear is that XKEYSCORE isn't really a "mass surveillance tool", but is actually used to collect data in a way that is at least just as targeted as traditional methods. Many of GCSB's targets came out as legitimate, some are more questionable, but none of them included the bulk collection of communications from ordinary citizens, whether domestic or abroad.

Snowden also said that there are "large amounts of indiscriminate metadata about the communication and other online events of citizens" from all Five Eyes countries. But apart from the domestic phone records collected by the NSA, no evidence has yet been presented for such collection in the other countries.



Links and Sources
- EmptyWheel.net: What an XKeyscore Fingerprint Looks Like
- The New Zealand Herald: Bryce Edwards: The ramifications of the spying scandal
- The Press: We're snooping on the Pacific...so what?
- Report: Review of Compliance at the Government Communications Security Bureau (pdf) (2013)
- ArsTechnica.com: Building a panopticon: The evolution of the NSA’s XKeyscore

March 11, 2015

US military and intelligence computer networks



From the Snowden revelations we learned not only about NSA data collection projects, but also about many software tools that are used to analyze and search those data. These programs run on secure computer networks, isolated from the public internet. Here we will provide an overview of these networks that are used by the US military and US intelligence agencies.

Besides computer networks, they also use a number of dedicated telephone networks, but gradually these are transferred from traditional circuit-switched networks to Voice over IP (VoIP). This makes it possible to have only one IP packet-switched network for both computer and phone services. It seems that for example NSA's NSTS phone system is now fully IP-based.



An old NSTS telephone and a KVM-switch which enables switching between physically
separated networks, in this case two Unclassified (green labels), one Secret
(red label) and one Top Secret/SCI (orange and yellow label) network
(National Security Operations Center, 2006 - Click to enlarge)


US national networks

The main US military and intelligence computer networks are (of course) only accessible for authorized personnel from the United States. Special security measures are in place to prevent interception by foreign intelligence agencies. Most of the tools and programs used by NSA run on JWICS and NSANet, but here we only mention them when this is confirmed by documents.


DNI-U (Director National Intelligence-Unclassified)
- Until 2006: Open Source Information System (OSIS)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Access: US intelligence users
- Controlled by: DNI-CIO Intelligence Community Enterprise Services office (ICES)
- Purpose: Providing open source information; consists of a group of secure intranets used by the US Intelligence Community (IC)
- Computer applications: Intelink-U, Intellipedia, etc.



Page of the Unclassified version of Intellipedia
This one from the CIA's AIN network
(Click to enlarge)


NIPRNet (Non-secure Internet Protocol Router Network)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Secured by: Network traffic monitored by the TUTELAGE program and QUANTUM-DNS at gateways
- Address format: http://subdomains.domain.mil
- Access: US military users, via Common Access Card smart card *
- Number of users: ca. 4,000,000
- Purpose: Combat support applications for the US Department of Defense (DoD), Joint Chiefs of Staff (JCS), Military Departments (MILDEPS), Combatant Commands (COCOM), and senior leadership; composed of the unclassified networks of the DoD; provides protected access to the public internet.
- Computer applications: E-mail, file transfer and web services like the Joint Deployable Intelligence Support System (JDISS)
- Video Teleconferencing (VTC)



Cyber security officers in an operations center room at Barksdale Air Force Base
There are screens connected to NIPRNet (green background/border)
and SIPRNet (red background/border)
(Photo: U.S. Air Force/Tech. Sgt. Cecilio Ricardo - Click to enlarge)
More about this photo on SecurityCritics.org



SIPRNet (Secret Internet Protocol Router Network)
- Classification level: SECRET (color code: red)
- Secured by: TACLANE (KG-175A/D) network encryptors
- Address format: http://subdomains.domain.smil.mil
- Access: US (and some foreign partners)* military and intelligence users, via SIPRNet Token smart card
- Number of users: ca. 500,000 *
- Controlled by: JCS, NSA, DIA and DISA *
- Purpose: Supporting the Global Command and Control System (GCCS), the Defense Message System (DMS), collaborative planning and numerous other classified warfighter applications, and as such DoD's largest interoperable command and control data network.
- Computer applications: Intelink-S, Intellipedia, TREASUREMAP, Joint Deployable Intelligence Support System (JDISS), Defense Knowledge Online, Army Knowledge Online, etc.
- Phone service: VoSIP (Voice over Secure IP) as an adjunct to the DRSN for users that do not require the full command and control and conferencing capabilities.
- Secure Video Teleconferencing (VTC)



Computers in the White House Situation Room, with a yellow screensaver,
indicating they are connected to a TOP SECRET/SCI computer network
(Screenshot from a White House video)


JWICS (Joint Worldwide Intelligence Communications System)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE (KG-175A/D) network encryptors *
- Address format: http://subdomains.domain.ic.gov
- Access: US intelligence users
- Controlled by: DIA, with management delegated to AFISR
- Purpose: Collaboration and sharing of intelligence data within the US Intelligence Community (IC)
- Computer applications: ICE-mail, Intelink-TS, Intellipedia, GHOSTMACHINE, ROYALNET, TREASUREMAP, ICREACH, Joint Deployable Intelligence Support System (JDISS), etc.
- Phone Service: DoD Intelligence Information System (DoDIIS) VoIP telephone system
- Secure Video Teleconferencing (VTC)



Web-browser with a JWICS address for the ROYALNET tool


These various military and intelligence networks run on a world-wide physical infrastructure that is called the Defense Information Systems Network (DISN), which is maintained by the Defense Information Systems Agency (DISA) and consists of landline, mobile, radio and satellite communication links

Most of these communication links are not connected to the public internet, but because radio and satellite transmissions can easily be intercepted by foreign countries, the security of these networks is assured by encryption. This encryption can also be used to run higher classified traffic over communication links with a lower classification level through Virtual Private Network (VPN) tunnels.

Classified communications have to be protected by Suite A Cryptography, which contains very strong and classified encryption algorithms. On most networks this is implemented by using Type 1 certified TACLANE (KG-175A/D) in-line network encryptors made by General Dynamics:



(Diagram: General Dynamics)


As long there's the appropriate strong link encryption, only the end points with the computer terminals (where data are processed before they are encrypted) need strict physical and digital security requirements in order to prevent any kind of eavesdropping or interception by foreign adversaries.

Most American military bases are connected to the SIPRNET backbone, but for tactical users in the field, the SIPRNet and JWICS networks can extend to mobile sites through Satellite Communications (SATCOM) links, like for example TROJAN SPIRIT and TROJAN SPIRIT LITE, which consist of a satellite terminal that can be on a pallet, in a shelter, on a trailer or even connected to a transit case.


Other US goverment departments and intelligenc agencies also have their own computer networks at different classification levels:

FBI
- LEO (Law Enforcement Online; Unclassified, for law enforcement communications)
- FBINet (Federal Bureau of Investigation Network; Secret)
- SCION (Sensitive Compartmented Information Operational Network; Top Secret/SCI)


DHS
- HSIN (Homeland Security Information Network; Unclassified)
- HSDN (Homeland Secure Data Network; Secret)


State Department
- OpenNet (Unclassified)
- ClassNet (Secret; address format: http://subdomain.state.sgov.gov)
- INRISS (INR Intelligence Support System; Top Secret/SCI)


CIA
- AIN (Agency InterNet; Unclassified)
- ADN (Agency Data Network?; Top Secret/SCI)


NRO
- GWAN (Government Wide Area Network, also known as NRO Management Information System (NMIS); Top Secret)
- CWAN (Contractor Wide Area Network; Top Secret)


NGA
- NGANet (National Geospational intelligence Agency Network; Top Secret/SCI)


Finally, there's the Capitol Network (CapNet, formerly known as Intelink-P), which provides Congressional intelligence consumers with connectivity to Intelink-TS and CIASource, the latter being the CIA's primary dissemination vehicle for both finished and unfinished intelligence reports.



US multinational networks

Besides the aforementioned networks that are only accessible for authorized military and intelligence personnel from the United States, there are also computer networks set up by the US for multinational coalitions, and which therefore can also be used by officials from partner countries.

The group of countries that have access to such coalition networks is often denoted by a number of "Eyes" corresponding with the number of countries that participate.


NSANet (National Security Agency Network)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE network encryptors *
- Address format: http://subdomain.domain.nsa
- Access: US, UK, CAN, AUS, NZL signals intelligence users
- Controlled by: NSA, with management delegated to CSS Texas
- Purpose: Sharing intelligence data among the 5 Eyes partners
- Computer applications: SIDToday (newsletter), TREASUREMAP, MAILORDER, MARINA, TURBINE, PRESSUREWAVE, INTERQUAKE, World Cellular Information Service (WCIS), GATC Opportunity Volume Analytic, etc.
- Phone service: NSTS (National Secure Telephone System)



Web-browser with NSANet address for the INTERQUAKE tool, used by NSA's
Special Collection Service (SCS, organizational code: F6) units
(Click for the full presentation)


Besides NSANet as its general purpose intranet, NSA also operates several other computer networks, for example for hacking operations conducted by the TAO-division. We can see some of these networks in the following diagram, which shows how data go (counter-clockwise) from a bot in a victim's computer on the internet, through a network codenamed WAITAUTO to TAONet and from there through a TAONet/NSANet DeMilitarized Zone (DMZ) to data repositories and analysing tools on NSANet:



Diagram showing the data flow for TAO botnet hacking operations
(Source: NSA presentation - Click to enlarge)


PEGASUS
- Until 2010: GRIFFIN (Globally Reaching Interconnected Fully Functional Information Network)
- Classification level: SECRET//REL FVEY
- Access: US, UK, CAN, AUS, NZL military users
- Controlled by: DIA(?)
- Purpose: Information sharing and supporting command and control systems
- Applications: Secure e-mail, chat and VoSIP communications


STONEGHOST (Quad-Link or Q-Lat)
- Classification level: TOP SECRET//SCI
- Access: US, UK, CAN, AUS, NZL(?) military intelligence users
- Controlled by: DIA
- Purpose: Sharing of military intelligence information
- Applications: Intelink-C, etc.


CFBLNet (Combined Federated Battle Laboratories Network)
- Classification level: Unclassified and SECRET
- Access: US, UK, CAN, AUS, NZL, and at least nine European countries Research & Development institutions
- Controlled by: MultiNational Information Sharing (MNIS) Program Management Office
- Purpose: Supporting research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.
- Applications: Communications, analytic tools, and other applications



The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)


For communications among the members of multinational coalitions, the United States provides computer networks called Combined Enterprise Regional Information eXchange System (CENTRIXS). These are secure wide area network (WAN) architectures which are established according to the specific demands of a particular coalition exercise or operation.

CENTRIXS enables the secure sharing of intelligence and operational information at the level of "SECRET REL TO [country/coalition designator]" and also provides selected centralized services, like Active Directory/DNS Roots, VoIP telephony, Windows Server Update Services (WSUS) and Anti-Virus Definitions.

There are more than 40 CENTRIXS networks and communities of interest (COIs) in which the 28 NATO members and some 80 other countries participate. The best-known CENTRIXS networks are:


CENTRIXS Four Eyes (CFE or X-Net)
- Classification level: TOP SECRET//ACGU
- Address format: http://subdomains.domain.xnet.mnf
- Access: US, UK, CAN, AUS military users
- Controlled by: DIA
- Purpose: Operational coordination through sharing and exchange of intelligence products
- Applications: Various services


CENTRIXS-ISAF (CX-I)
- Classification level: TOP SECRET//ISAF
- Access: ca. 50 coalition partners
- Controlled by: ?
- Purpose: Sharing critical battlefield information; US component of the Afghan Mission Network (AMN).
- Computer applications: Web services, instant messaging, Common Operational Picture (COP), etc.
- Voice over IP


CENTRIXS-M (Maritime)
- Classification level: TOP SECRET ?
- Purpose: Supporting multinational information exchange among the ships of coalition partners of the US Navy to provide access to critical, time-sensitive planning and support data necessary to carry out the mission
- Computer applications: E-mail, Chat messaging, Webpages, etc.


Some other CENTRIXS networks are:

CENTRIXS-GCTF
- For the ca. 80 Troop Contributing Nations of the Global Counter-Terrorism Force (GCTF)

CENTRIXS-CMFC
- For the Combined Maritime Forces, Central Command (CMFC)

CENTRIXS-CMFP
- For the Combined Maritime Forces, Pacific (CMFP)

CENTRIXS-J
- For the United States and Japan

CENTRIXS-K
- For the United States and South-Korea



Links and Sources
- US National Intelligence: A Consumer's Guide (pdf) (2009)
- Paper about How to Use FASTLANEs to Protect IP Networks (pdf) (2006)

February 23, 2015

NSA and GCHQ stealing SIM card keys: a few things you should know

(Updated: February 27, 2015)

Last Thursday, February 19, the website The Intercept broke a big story about how NSA and GCHQ hacked the security company Gemalto in order to acquire large numbers of keys used in the SIM cards of mobile phones.

The story has quite some background information about how these keys are used and how NSA and GCHQ conducted this operation. But as we have often seen with revelations based upon the Snowden-documents, media once again came with headlines like "Sim card database hack gave US and UK spies access to billions of cellphones", which is so exaggerated that it is almost a scandal in itself.

Instead, analysing The Intercept's article and the original documents leads to the conclusion that the goals of this operation were most likely limited to tactical military operations - something that was completely ignored in most press reports. Also there is no evidence that Gemalto was more involved in this than other SIM card suppliers.



To what extent was Gemalto involved?

According to The Intercept, NSA and GCHQ planned hacking several large SIM card manufacturers, but in the documents we find only one for which this was apparently successful: Gemalto. Other documents merely show that GCHQ wanted to "investigate Gemalto" "for access to Gemalto employees" "to get presence for when they would be needed".

An internal GCHQ wiki page from May 2011 lists Gemalto facilites in more than a dozen countries, like Germany, Maxico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore, but also without explicitly saying whether or not these were successfully hacked.

One report and a few slides from a presentation that was not fully disclosed mention large numbers of SIM card keys that had been collected, but this is not specifically linked to Gemalto. Although Gemalto is the largest manufacturer, it seems likely these data were also collected from other companies, like Bluefish, Giesecke & Devrient, Oberthur, Oasis, Infineon, STMicroelectronics, and Morpho.

Therefore, we actually don't know to what extent NSA and GCHQ used the access they apparently had to Gemalto's network, and it is definitely not correct to say that all 2 billion SIM cards that Gemalto produces every year were compromised by this hack.

And given the fact that other SIM card suppliers were targeted and/or hacked too, one wonders why The Intercept didn't left out the name of Gemalto. Because now its competitors profit from not being named, while Gemalto shares already had a huge drop on the stock market.

Update:
On February 25, Gemalto came with a press release in which results of its investigation into the alleged hack were presented. Gemalto concluded that NSA and GCHQ probably "only breached its office networks and could not have resulted in a massive theft of SIM encryption keys". The report also says Gemalto never sold SIM cards to four of the twelve operators listed in the GCHQ documents, in particular to the Somali carrier, and that in 2010-2011, most operators in the targeted countries were using the vulnarable 2G networks, mostly with prepaid cards which have a very short life cycle, typically between 3 and 6 months.

The Netherlands

Gemalto is a digital security company providing software applications, secure smart cards and tokens and is also the world’s biggest manufacturer of SIM cards. It's essentially a French company, but it has some 12.000 employees in 44 countries all over the world.

The Gemalto headquarters are officially in Amsterdam in the Netherlands, which made Dutch media claiming that "NSA hacked a company in the Netherlands". This was rather premature, since the two Dutch locations of Gemalto seem not to be likely targets in this case.

The Amsterdam headquarters is very small, consisting of only some 30 people. The reason they are in Amsterdam is apparently mainly because the Dutch capital was already the seat of Axalto, one of Gemalto's predecessors, and because the company wanted access to the Amsterdam stock exchange.

Unnoticed by Dutch national media is the fact that Gemalto also has a plant in the city of Breda, where, according to an unrelated press report from last year, (only) bank cards are personalised. This plant also has a customer service team, but strangely enough Breda isn't in the list of locations on Gemalto's website.



The plant of Gemalto in the southern Dutch city Breda
(photo: Tom van der Put/MaRicMedia)


Also interesting is that last month, Gemalto acquired the US manufacturer of security products SafeNet. This company, founded in the late 1980s by former NSA officials, not only makes encryption devices used by commercial companies and banks all over the world, but also the KIV-7 link encryptor, which is used by the US Army, as well as the Enhanced Crypto Card (KSV-21), which provides the encryption functions for the US government's STE secure telephone.



How does the SIM card key work?

SIM cards, produced by companies like Gemalto, have a microchip which among other data includes a unique 128 bit Authentication Key, also known as "Ki". A copy of this key is given to the phone provider, so when a phone call is made, this key number can be used to make sure the handset connects to a valid provider, and the provider knows it connects to a handset that belongs to a known customer.

The Intercept's report suggests that this Ki number is also used as the encryption key to protect the subsequent communications, but in reality this is a bit more complex. Here's how it works for 3rd Generation (UMTS) networks:

1. After a handset connects to the base station, the latter sends the handset a 128 bit random number, a 48 bit sequence number and an authentication token.

2. The chip in the SIM card combines the Ki number with the random number and the sequence number to also calculate an authentication token and a response number, which are used to authenticate the network and the handset, respectively.

3. By combining the Ki number with the random number, the SIM card chip also calculates the:
- 128 bit Confidentiality Key (CK) for encrypting messages
- 128 bit Integrity Key (IK) for checking the integrity of messages
4. The actual (voice) data are then encrypted through the f8 algorithm (which is based upon the KASUMI block cipher) using the Confidentiality Key.

5. For additional security, both the Confidentiality Key and the Integrity Key have a limited lifetime. The expiration time is variable and send to the handset after establishing a connection.

Although for the actual encryption key CK, the Ki number from the SIM card is mixed with a random number, this provides no extra security: the base station sends this random number to the handset over the air unencrypted, so it can be intercepted easily by anyone.

Eavesdroppers would therefore only need the SIM card Ki to recreate the encryption key and use that to decrypt the conversation (see also this US Patent for a "Method of lawful interception for UMTS").



Why were these SIM card keys collected?

The press reports, speaking in general terms of "unfettered access to billions of cellphones around the globe", suggest that everyone's mobile phone could now be at risk of being intercepted by NSA or GCHQ.

One important thing they forgot, is that one only needs to steal SIM card keys when you are trying to intercept mobile phone traffic when it travels by radio between the handset and the cell tower. Only that path is encrypted.

Once the communications arrive at the provider's network, they are decrypted and sent over telephone backbone networks to the cell tower near the receiving end as plain text. It's then encrypted again for the radio transmission between the cell tower and the receiving handset.





As we know from previous Snowden-leaks, NSA and GCHQ have vast capabilities of filtering fiber-optic backbone cables that are likely to contain communications that are of interest for military or foreign intelligence purposes. The big advantage here is that on those backbone cables there's no encryption (although people can use end-to-end encryption methods themselves).

Therefore, the SIM card keys are only needed when NSA and GCHQ want to listen in or read traffic that is or has been intercepted from the wireless transmission between a handset and a cell tower. This narrows down the field where these keys can be useful substantially.


Tactical military operations

Intercepting the radio signal of mobile phones needs to be done from rather close proximity. To do this, the NSA uses StingRay and DRT devices, which are highly sophisticated boxes that in a passive mode are capable of detecting and intercepting the radio transmissions of multiple cell phones. In an active mode they can mimic a cell tower in order to catch individual phone calls and as such they are better known as IMSI-catchers.

These devices are widely used by the NSA and the US military in tactical ground operations, like in Afghanistan and previously in Iraq, as well as in other crisis regions. StingRays and DRT boxes can be used as a manpack, in military vehicles, but also aboard small signals intelligence aircraft like the C-12 Huron. Surveillance drones also have similar capabilities.




A Prophet Spiral Humvee which uses DRT devices
for collecting radio and cell phone signals


This military, or at least anti-terrorism purpose is confirmed by a disclosed slide which shows that Kis for mobile networks from Somalia, Kuwait, Saudi Arabia, Afghanistan, Iran and Bahrain were found among collected data.

A GCHQ report that was also published as part of The Intercept's story says that key files from "Somali providers are not on GCHQ's list of interest, [...] however this was usefully shared with NSA", which clearly shows that both agencies were looking for keys from specific countries.

The report also says that during a three month trial in the first quarter of 2010, significant numbers of Kis were found for cell phone providers from Serbia, Iceland, India, Afghanistan, Yemen, Iran, Tajikistan and Somalia, which is shown in this chart:



According to the report, this chart reflects "a steady rate of activity from several networks of interest", which again indicates that GCHQ is specifically looking for keys for countries where the US and the UK are involved in military operations.

The same reports says that Iceland appearing in this list was unexpected, but Dutch newspapers guessed this could be explained by the fact that in 2010, Julian Assange and other people related to WikiLeaks were staying there.

One also wonders why The Intercept didn't trace the companies that in 2010 and 2011 provided the SIM cards to the countries mentioned in the GCHQ report. The fact that SIM keys for those countries were collected, seems a strong indication that the security of those suppliers was apparently weak.


Eavesdropping in foreign capitals

Remarkably, the use of SIM card keys for tactical military operations is completely ignored by The Intercept, even though this is probably the main purpose (which was also expressed by at least two security experts). The Intercept does however claims that such keys would be useful to eavesdrop on mobile phone traffic somewhere else:

The joint NSA/CIA Special Collection Service (SCS) has eavesdropping installations in many US embassies, and because these are often situated in the city center and therefore near a parliament or government agencies, they could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials.

With the current UMTS (3G) and LTE (4G) mobile networks using encryption that is much harder to crack than that of the older GSM network, having the SIM card keys would make it easy to decrypt already collected mobile communications, as well as listing in to them in real-time.



A 16 port IMSI catcher from the Chinese manufacturer Ejoin Technology


As easy it may be to decrypt conversations when having the key, the more difficult it seems to get hold of keys that are useful for this purpose. SIM cards are shipped in large batches of up to several hundred thousand cards and while it is known to which provider in which country they go, one cannot predict in whose phone the individual cards will eventually end up.

So when NSA and GCHQ are stealing large numbers of keys, they have to wait for some of them ending up by people that are on their target lists - which really seems a very small chance. This method is also useless against people using an old SIM card, which could be the case for German chancellor Merkel, who has a phone number that was already used in 1999. For these kind of targets it would be much more efficient to hack or tap into local telephone switches.

The way to make it work would be to "collect them all" and create a database of keys that will eventually cover every newly assigned phone number. But in one of the documents, GCHQ notices that large SIM suppliers increasingly use strong encryption for their key files, which will make it hard to achieve such a full coverage.

This is another reason, why stealing SIM card keys is most likely focussed on war zones: over there, very large amounts of phone calls and metadata are collected, which, given the large number of suspects and targets over there too, makes much better chances of finding keys that are actually useful. But still, stealing these keys looks not like a very efficient method.



Could these hacking operations be justified?

This brings us to the question of how justified this method of stealing SIM card keys could be. The fact that NSA and GCHQ are hacking commercial telecommunication and security companies is seen as one of the biggest scandals that have been revealed during the Snowden-revelations.

It's not only because of breaking into their networks, but also because for this, the communications of specific employees like system administrators are intercepted to acquire the passwords and usernames for their Facebook-accounts, despite the fact that they themselves aren't a threat to the US or the UK.

They are targeted not as an end, but as means in order to get access to the communications of other targets elsewhere. These ultimate targets could maybe justify these means, but without knowing what the actual goals are, it's difficult to come with a final judgement.

Although this kind of hacking affects innocent civilians, it's still very focussed. According to The Intercept, "In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization" - which is a rather small number given that Gemalto alone has some 12.000 employees.

Targeting companies and organizations like Swift, Belgacom and Gemalto should not have come as a complete surprise. Nowadays internet and telecommunication providers have become similar of interest for national security as military contractors and top technological research institutions have always been.

This is also reflected by the last of the 16 Topical Missions in the NSA's Strategic Mission List from 2007:

"Global Signals Cognizance: The core communications infrastructure and global network information needed to achieve and maintain baseline knowledge.
Capture knowledge of location, characterization, use, and status of military and civil communications infrastructure, including command, control, communications and computer networks: intelligence, surveillance, reconnaissance and targeting systems; and associated structures incidental to pursuing Strategic Mission List priorities.
Focus of mission is creating knowledge databases that enable SIGINT efforts against future unanticipated threats and allow continuity on economy of force targets not currently included on the Strategic Mission List."



Links and Sources
- Motherboard.vice.com: Did the NSA Hack Other Sim Card Makers, Too?
- NRC.nl: Simkaartsleutels vooral van belang bij afluisteren in Midden-Oosten
- Tweakers.net: Gemalto: geen sim-sleutels buitgemaakt bij aanval geheime diensten
- Reuters.com: Hack gave U.S. and British spies access to billions of phones: Intercept
- Crypto.com: How Law Enforcement Tracks Cellular Phones
- Presentation about Network Security: GSM and 3G Security (pdf)
- Matthew Green: On cellular encryption
- GCHQ's aspirations for mobile phone interception: 4 slides + 2 slides
- This article appeared also on the weblog of Matthew Aid

February 12, 2015

Snowden would not have been able to legally "wiretap anyone"

(UPDATED March 28, 2015)

During his very first interview, former NSA contractor Edward Snowden pretended that he, sitting behind his desk "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".

Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden, or other analysts could have done that in a legitimate way.


> This article is still subject to additions and corrections


Targeting US citizens under FISA authority

The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:



Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(Click to enlarge)


In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.

If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.


Acquiring an individual FISA warrant

So, when Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.

For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.

Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.*



Collection under section 702 FAA

Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program, under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?

The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and easier. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.

But what many people don't realize, is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.

The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, the so-called Upstream collection.




Section 702 FAA certifications

What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.

For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like hiding names and addresses of US citizens when their communications come in unintended. The court then issues an order that approves the certification.

Until now, we know of section 702 FAA certifications for three topics:
- Foreign Governments (FG, Certification 2008-A, including cyber threats?)
- Counter-Terrorism (CT, Certification 2008-B)
- Counter-Proliferation (CP, Certification 2009-C)

These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are always allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.


Dual authorities

In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which reportedly refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).

Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.

So, when Snowden apparently had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators, in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC is needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge’s or a senator’s e-mail", which sounds more like pulling such an e-mail from a database.

This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that already have been collected in one way or another, particularly at access points outside the US. The common way to start new surveillances (tasking) is through the Unified Targeting Tool (UTT, see below).


Back door searches

Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:


This became known as "back-door searches". These queries might be questionable, but unlike the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data in this way.

In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and for persons considered to be agents of a foreign power.


Back door search approvals

Clapper explained that "back door" queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.

The PCLOB report (pdf) about 702 FAA operations says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".

The NSA's Minimization Procedures from October 2011 also say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333).

For such searches, NSA for example approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.


Circumventing official procedures

In an interview, Glenn Greenwald was also asked about this issue and he explained that the "authority" Snowden was talking about, was not an authority in a legal sense.

According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".

So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.

In that interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, although somewhat earlier in the interview he was speaking about the whole agency that "targets the communications of everyone" and ingests, filters, analyses and stores them.


Unified Targeting Tool

Circumventing official procedures and legal authorities could be done by manipulating targeting instructions given through the Unified Targeting Tool (UTT), which is a webbased tool that is used to start the actual collection of data.

A rogue analyst could for example confirm that there's a FISA warrant, when there's no warrant present, or provide a fake foreigness indicator, so someone could be targeted under the authority of Executive Order 12333, which doesn't require the procedure of acquiring a FISA court approval.



A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the
fields that have to be filled in. We see that data about a "FAA Foreign
Governments Cert." is missing and therefore not valid to task (see below),
and also a drop down menu with various Foreigness Factors.


Unfortunately no manual for this tool has been disclosed so far, although that would have been useful to learn more about such internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.


Targeting procedures

We have no details about the procedure for targeting US citizens, but we do know about the process for collection under the PRISM program. As PRISM is used for gathering data about foreigners, it can be considered to be less sensitive than collecting data about US persons, for which there are maybe some extra safeguards and checks. The PRISM tasking process is shown in this slide:



Slide that shows the PRISM tasking process
(Click to enlarge)


We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.

A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then the selectors are released to be "tasked" on the various collection systems.

For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are less restrictions, but also this is still not completely at the will of individual analysts. At least every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List and other policy documents.


Incidents

Nonetheless, recently declassified NSA reports to the president's Intelligence Oversight Board (IOB) show that there have been cases in which there was an abuse of the collection system, either wilfully or accidentally. The majority of incidents both under FISA and EO 12333 authority occured because of human error.

It shows that despite the safeguards, some unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected them afterwards, with the selectors involved being detasked, the non-compliant data being deleted and the analysts being counseled.


Conclusion

The details Edward Snowden told to The Washington Post seem to confirm that he wasn't authorized to target US persons, but apparently did had the authority to use US persons identifiers for querying data that were already collected. But contrary to what Snowden said, this is only allowed after prior approval. This makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President would make it through.


(Edited after adding Greenwald's interpretation of Snowden's words and adding something about the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a report by The Washington Post, and added some explanation about the back-door searches)


Links and Sources
- Privacy and Civil Liberties Oversight Board: Section 702 Program Report (pdf)
- Stanford Law Review: Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?
- The Guardian: The top secret rules that allow NSA to use US data without a warrant
- EmptyWheel.net: Postings about section 702 FAA
- Robert S. Litt, ODNI General Counsel: An Overview of Intelligence Collection
- Related documents:
  - President Policy Direction (PPD) 28 Section 4 Procedures (pdf) (2015)
  - Foreign Intelligence Surveillance Act - Summary Document (2008)