January 26, 2015

How GCHQ prepares for interception of phone calls from satellite links

Most of the Snowden-revelations are about spying on the internet, but NSA and GCHQ are also conducting the more traditional collection of telephone communications that go through satellite links.

What needs to be done before phone calls can be collected, can be learned from two highly detailed technical reports from the GCHQ listening station near Bude in the UK.

These reports were published on August 31 last year by the German magazine Der Spiegel and the website The Intercept as part of a story about how Turkey is both a partner and a target for US intelligence.

Here we will analyse what's in these reports, to get an impression of the steps that have to be taken before telephone communications from satellite links are intercepted.

Satellite dishes at the GCHQ intercept station near Bude, Cornwall, UK

Officially, such technical reports are called "informal reports", as opposed to the "serialized reports" that contain finished intelligence information for end users outside the SIGINT community.

Until now, only two of such technical reports have been disclosed, but according to an article by Der Spiegel from December 20, 2013, they are from "a bundle of documents filled with international telephone numbers and corresponding annotations" from Sigint Development (SD), which is a unit that identifies and develops new targets.

The technical reports are about test runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" and whether certain satellite links could be "of potential interest for tasking". The reports give no indication about whether the listed numbers were eventually tasked for collection and neither about the intensity and length of any such surveillance.

Der Spiegel says these documents show that GCHQ "at least intermittently, kept tabs on entire country-to-country satellite communication links, like Germany-Georgia and Germany-Turkey, for example, of certain providers", which sounds rather indiscriminate.

However, the fact that GCHQ analysts are sampling these satellite links on whether they contain target's phone numbers, shows they are looking for the most productive links to be eventually intercepted. During the parliamentary investigation in Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.

Technical report nr. 35

The first technical report is number 35 from October 15, 2008. It is about four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)

The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.

Multiplexing and compression

By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.

For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll quality voice, fax, Voice Band Data (VBD), native data (for example, V.35), and signaling information:

This kind of voice compression equipment is installed at either end of long-distance links, like from communications satellites or submarine fiber-optic cables. Telecommunication companies try to pack as much capacity into as little physical equipment as possible, making it more difficult for intelligence engineers to unpack it.

Signaling System No. 7

Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 as specified by ITU-T recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).

SS7 is a set of protocols for setting up and routing telephone calls. In the SS6 and SS7 versions of this protocol, this signalling information is "out-of-band", which means it is carried in a separate signaling channel, in order to keep it apart from the end-user's audio path.

In other words, SS7 contains the metadata for telephone conversations, like the calling and the called phone numbers and a range of switching instructions. This makes the SS7 or C7 channel the first stop for intelligence agencies.

Analysis of the link

In order to see whether these four satellite links could contain traffic that is useful for foreign intelligence purposes, the analyst took some phone numbers from Iraq (country code 964), Iran (98), Syria (963) and the UK (44) and looked whether these appeared in the data of the C7 channel.

All four links had hits, both for the called and the calling number. These numbers were redacted by The Intercept, except for the terms "Non Op Kurdish Extremism" and [Kurdish] "Leadership". The report continues with a more detailed analysis of the links. As an example we look at the one between the UK and Iraq, which has the case notation G2BCR and was paired with G2BCS:

On this link, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 2-153-1 in the UK, and the Destination Point Code (DPC) 4-036-4 in Iraq. The switching device at the originating end is a Nokia DX220 ABS and at the destination end a Unid Exch.

The DTX-600 contains 11 active trunks for digital voice data that are compressed into packets of 10 milliseconds duration by using the audio data compression algorithm g.729. There is also one WC1A channel.

After decompression by a tool named SWORDFISH it came out that the location of the C7 channel is the "3rd Trunk BS19". Protocols used on this link were Cisco, IPv4, ICMP, TCP, UDP, GRE, ESP and PPTP. Similar analysis was done for the other three satellite links.

Intelsat communications satellite from the 900-series,
nine of which were launched in June 2001.

The report then has a small list of Technical Details, saying that the traffic goes via the Intelsat 902 communications satellite, but the exact frequencies of the four links are redacted, just like the Symbol Rate and the FEC Rate. FEC probably stands for Forward Error Correction, to mitigate for packet losses.

There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links and how they are collected. It seems strange that this internal RASIN code is visible, while the FEC rate, which is common technology, is redacted.


The conclusion on whether these satellite links can be tasked on the collection system is: "Due to limited patching there is currently no spare tasking availability on Lopers". LOPERS is one of the main systems used by NSA for collecting telephone communications. According to Der Spiegel, some other reports concluded about tasking: "Not currently due to the data rate of the carriers."

Finally, this technical report gives the (redacted) contact details at OPA-BUDE, with OPA being the abbreviation of a yet unknown unit at the GCHQ Bude listening station in Cornwall. The last section of the report is fully blacked out by The Intercept, but the next report will show what is apparently covered there.

Technical report nr. 44

The second technical report is from December 1, 2008 and is about a satellite link between Jordan and Belgium. It has the case notation 8BBAC, with 8B being the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are in Jordan and Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).

The link is an E1 carrier, which means it runs 2048 Megabit/second and has 32 timeslots (channels), which are numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Megabit/second and has 512 timeslots). Each timeslot can carry one phone call, so one E1 link can transmit up to 30 calls simultaneously. The remaining two timeslots are used for the signaling information.

The analyst found that in this case timeslots 30 and 31 were used to relay the C7 signaling information and that compression was achieved by the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, one Intelsat communications satellite can relay up to 112.500 telephone calls (voice circuits) simultaneously.

The report also says that the "RLE to this link is believed to be 8BBNH. Currently in view at Sounder". RLE stands for Return Link End, which in this case would be the link back from Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos in Cyprus, which is apparently able to intercept the Intelsat downlink to Jordan.

The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) in Cyprus

Analysis of the link's metadata

The technical report says that on timeslot 30, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) in Jordan, and the Destination Point Code (DPC) 2-014-7 at F Belgacom in Brussels, Belgium.

It's interesting to see Belgacom here, as from 2009, GCHQ got access to the cell phone roaming branch of this company by using the highly sophisticated Regin spyware suite.

From OPC 4-032-5 in Jordan, there were also transit calls via DPC 2-012-2 to some fourty countries all over the world. In addition to this, there were also transit calls to Mauritius, Finland, Bulgaria, Switzerland, Sweden, Syria and Iran via DPC 2-012-1.

On timeslot 31, the C7 channel runs between the end points 4-032-0 at FAST Link in Jordan, and 2-013-1 at F Belgacom in Brussels, Belgium. For this timeslot there were also two links with transit calls, via DPC 2-012-2 and DPC 2-012-1.

For these transit calls, the report also mentions an eight digit Circuit Identification Code (CIC). This code is used to connect the metadata in the C7 channel to the trunk and the timeslot which carry the voice part of the call. In this way, each of the 30 channels of an E1 link has a CIC associated with.

GCHQ has to know the CIC, in order to pick the right voice part from one of the content channels, after having found the target's phone number in the signaling channel.

Screenshot of the page from an NSA tool titled "SS7 Summary" which lists
the number of OPC/DPC pairs accessible by various NSA fiber-optic cable
interception programs, identified by their SIGAD number.
(From a presentation published in December 2013 - Click to enlarge)

Mapping the link

The analyst used the DEPTHGAUGE tool to map the 8BBAC satellite link. He reports that the resultant map was not fully conclusive, but that it supported the previously listed mapping. What follows is a list which seems to relate Circuit Identification Codes (CIC) to the specific TimeSlots (TS). Not all of them had yet been mapped.

The 8BBAC link was sampled for telephony data (DNR) for approximately 94 hours during the period from November 26 to December 1, 2008, by using a tool or system codenamed DRUMKIT.

Phone numbers listed in CORINTH, which could be GCHQ's telephony tasking database, were found 607 times in timeslot 30. This included both tasked and de-tasked numbers, which means numbers that were under surveillance as well as numbers for which the surveillance had been terminated. 26 numbers that were tasked at the time of the analysis had 86 hits.

In timeslot 31, there were 349 hits, 40 of which were from 14 phone numbers that were under surveillance. These hits could be viewed in DRUMROLL under the filenames 8BBAC0030 for timeslot 30 and 8BBAC0031 for timeslot 31.


The report lists all the hits of tasked, and a selection of the non-tasked phone numbers that were found in timeslot 30 and timeslot 31. These lists are completely blacked out, except for the terms "Turkish MFA" (= Ministry of Foreign Affairs) and "Kurdish Leadership".

According to The Intercept's reporting, NSA was regularly providing its Turkish partners with the mobile phone location data of PKK leaders, but was at the same time spying on the Turkish government.

DRUMROLL was first seen in snippets from a GCHQ document published by Der Spiegel in December 2013. It gave the hits for a satellite link with case notation 1ABCT. According to the Spiegel article, this was a communication path between Belgium and Africa.

For each of the entries there are codes or numbers under TNDEntry, TNDOffice, TNDtask and TNDzip. It is not known what TND stands for, but it could be something like Target Number Database.

Among the hits are European Union Commissioner Joaquin Almunia, the French oil and gas company Total E & P, the French transport company Thales Freight and Logistics and the UN Institute for Disarmament Research. As such lists can show both tasked and de-tasked numbers, it's not clear whether these ones were still under surveillance; the N under TNDtask could stand for "Not Active":

The technical report nr. 44 from 2008 may have similar information in the lists that were redacted.

That report then continues with a small list of Technical Details of satellite link 8BBAC, with the Symbol Rate and the FEC Rate not being redacted, like in the first report. The conclusion of the report is that "this link can be tasked on the system". According to Der Spiegel this was the answer in many of the other reports too.

Finally, also readable unlike in the first report, is the standard disclaimer that is under every document from GCHQ. It says that this "information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK informataion legislation".

Apparently this time the editors from The Intercept forgot to redact the GCHQ's internal (non-secure) phone number and e-mail address for such disclosure requests, which normally appear blacked out in all GHCQ documents that have been disclosed.


All three technical reports we have seen are classified SECRET STRAP 1 SPOKE. The British marking STRAP 1 means that the dissemination of the document is restricted by measures from a three-level control system codenamed STRAP. Within that system, STRAP 1 is the lowest level.

More interesting is the NSA marking SPOKE, which also denotes a control system to limit access to the document, but is rarely seen. Other British documents marked STRAP 1 often have COMINT as their American equivalent, which is the general marking used for all information related to communications intelligence that hasn't to be more strictly controlled.

SPOKE is one of the codewords that NSA used in the past, but which were presumably abandoned in 1999. But from documents published as part of the Snowden-leaks we know that from these codewords at least SPOKE and UMBRA are still used.

Given what's in the known documents that have the SPOKE classification, it seems to cover technical information about targets, like their phone numbers and the communication links in which these can be found. The higher UMBRA marking is then probably used for the actual content, when this is collected outside the US under EO 12333 authority.

Links and Sources
- Wikipedia: ISDN User Part
- ZDNet.com: Invasive phone tracking: New SS7 research blows the lid off mobile security

January 13, 2015

German investigation of the cooperation between NSA and BND (III)

(Updated: January 16, 2015)

This is part III about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

The hearings of a number of BND employees which are summarized below, provided many interesting details about BND cable and satellite collection and how these data are selected and filtered and how privacy rights are implemented. This was especially of concern for the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

The witnesses also stated that contrary to the initial press report, under the joint operation Eikonal not a single German communication was passed on to NSA.

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website Netzpolitik.org, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of those of the cover names they are using when at work(!).

The room where the hearings of the parliamentary committee take place
(photo: DPA)

20th Meeting, November 6, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, head of the JSA unit from 2003-2007):

In Bad Aibling, the BND has dishes to intercept satellite communications. When satellite links are intercepted, the following things have to be done: first a specific frequency has to be selected, and as one frequency often contains multiple channels, these have to be broken down (de-multiplexed) into single data streams. Based upon metadata it can be decided that certain types of communications are not of interest for BND.

The next step is to separate the various content encodings, like for IP-traffic, telephony, fax, etc. This also needs error correction, which sometimes is a bit more difficult because some communication systems use proprietary methods. This results in data in a readable or audible format (like an e-mail or a phone call), which can be used to prepare an intelligence report. The witness estimates that BND produces around 20 reports a day.

For processing, filtering and selecting commercial computer systems were used, as wel as systems that were custom made by NSA. The Americans were ahead of BND in this, not necessarily better, but often just in doing more, or faster, like in analysing signals.

Compare: the data flow at NSA, according to a presentation
from the NSA's European Cryptologic Center (ECC)
(Click to enlarge)

Mass surveillance?

The witness stated that there was and is no mass surveillance by BND. Mass surveillance is even more difficult for fiber optic cables than for satellite links. If there would be any mass surveillance for the latter, then this should involve some 300 communications satellites, for which there should be ground stations at at least three places around the world.

There you would need 250 satellite dishes of 10 million euros each to receive the up to 500 frequencies per satellite. For each frequency two modems and converters were needed, and with the necessary processing capacity, this would require a nuclear power plant for electricity.

Mass surveillance on cable traffic could probably only be done with the capacity of the American, Russian and Chinese intelligence agencies combined. For BND, mass surveillance would drown the agency in data. The witness had never witnessed any kind of economical espionage by NSA in Germany. But he had to admit that not everything was talked about.

Joint SIGINT Activity (JSA)

NSA's Bad Aibling Station was scheduled for closure in 2002, but after 9/11 this was postponed to 2004, and maybe this led to the creation of the JSA. In the Joint SIGINT Activity, NSA and BND cooperated in collecting both satellite and cable communications.

The JSA was located at the Mangfall Barracks in Bad Aibling. In 2002, this military complex still had a compound of the Bundeswehr, where you had to go through to reach the BND section. The Bundeswehr left these barracks by the end of 2002, and NSA went to a new building nicknamed the Tin Can (Blechdose).

The compound had three sections: one for Germans only, one for US persons only and one common section. The collection of data took place in the common section, and the exits were strictly monitored, so NSA had no access to German sources on its own, although there weren't every day checks on people carrying thumb drives.

BND personnel had no access to NSA databases and vice versa, but both had access to joint databases. NSA had also some contractors working there. JSA was connected to NSANet, just like NSA's European Security Operations Center (ESOC) near Darmstadt.

Until 2007 only cable traffic from Frankfurt was passed on to JSA, not from other internet cables. Satellite traffic intercepted by the BND antennas in Bad Aibling was probably also transferred to JSA, where it was processed and analysed in the interest of both NSA and BND.

After the Joint SIGINT Activity (JSA) was closed in 2012, the logical path over the physical cables between BND headquarters and Bad Aibling was probably cut off. After 2012, BND continued to cooperate with NSA in the field of satellite interception and operations in Afghanistan.

Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".

Protection of German data

BND did everything to prevent that communications of German citizens or corporations were collected and/or passed on to NSA. Initially, 4 out of 5 selectors came from the Americans, the rest were German. The witness did not know the total number of selectors. These selectors were checked before they were fed into the collection system, and what came out was again checked whether it contained German communications.

The selectors from NSA were first checked by the Americans in the Tin Can at the Mangfall Barracks and then passed on to a unit of the technical division (which included lawyers) of BND at its then headquarters in Pullach. A final check was conducted by BND personnel in Bad Aibling. Only about one permille of the selectors were rejected because they were related to Germans or contrary to German interests.

Filtering out German data

This filtering works fine, but experience in Bad Aibling has learned that it is not possible to do this fully automated. Therefore, there was no automatic forwarding to NSA. A 100% accurate filtering was only possible with a final selection by hand. As far as the witness was aware of, not a single German communication was passed on to NSA.

In the press report about operation Eikonal it was said that the filter system could only filter out 95% of German communications, but according to the witness, this was only during the test period. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.

Especially e-mail addresses have to be checked by hand, because nowadays it's much more difficult to attribute such internet communications to specific countries. During the test period, about 3000 communications had to be checked by hand, 300 of which were e-mails. BND didn't collect data from US citizens or passed these on to NSA, so NSA did not use BND to get data that it wasn't allowed to collect by itself (Ringtausch).

The witness suggested that Süddeutsche Zeitung (the media that claimed that the BND filters wouldn't work and German data was forwarded to the NSA) had documents of conversations between BND and NSA, in which maybe BND made "political statements" about the efficiency of the filters.

(This could explain the discrepancy between the press reports and the BND witnesses, who all assured that the filter worked, and with additionally manual checks not a single German data was forwarded to NSA)

The witness clearly stated that German G-10 Act only protects Germans and people living in Germany. The privacy of foreigners living abroad is not protected by German law.

Operations center room in the former BND headquarters in Pullach
(Screenshot from ARD television - Click to enlarge)

- Hearing of Ms. G. L. (BND, head of IT development and operations at JSA from 2007-2008):

This witness is responsible for databases that store data after having been collected and filtered. These databases are at various locations. Currently, between 8.000 and 10.000 pieces of content with some additional information (Meldungen) come in each month, often but not always accompanied by metadata.

Joint SIGINT Activity (JSA)

Each unit of BND's analysis division (Auswertung) could request intelligence information from the JSA. They could suggest specific selectors to be tasked or articulate what their information needs were. Ultimate goal was to present relevant information for the federal government. BND sees itself as a service provider for customers in the government.

In 2005/2006 the selection process was fully automated. The witness couldn't remember how many selectors were used in her period at JSA. These numbers were also not registered. NSA was not able to get any German communications before these were thoroughly filtered and checked by BND. An e-mail that was selected, could be forwarded to NSA through a secured gateway. There was only access to local databases, not to those of NSA.

NSA employees working for JSA were not recognizable as such, they just had ID cards for the compound, issued by the security unit that was responsible for access control of the premises. The Tin Can building also housed SUSLAG (Special US Liaison Activity, Germany), which was a separate unit, different from JSA.

Header of a newsletter from the Joint SIGINT Activity (JSA)
(Click for a JSA newsletter (pdf) from 2007)

Operation Eikonal

The witness confirmed that in Frankfurt fiber optic cables were intercepted (operation Eikonal), although without mentioning whether this was at DE-CIX or somewhere else. She wouldn't answer the question whether BND is still doing this.

The data collected in Frankfurt were first sent to BND headquarters and then to Bad Aibling, where they were filtered by selectors from both NSA and BND. After the cooperation with NSA was ended, the transmission to Bad Aibling was cut off.

Legal issues

The witness was responsible for the implementation of the Federal Intelligence Service Act (BND Gesetz), which governs the activities of this agency. As such, she had the opinion that satellite interception conducted in Bad Aibling also took place under this act, but the Director of BND overruled her, saying this was not the case.

The BND management said: this kind of collection takes place in outer space, and therefore German law doesn't apply. But apart from that, employees should always apply with law and order. Once data collected from satellite links had been stored in BND databases, they fall under the German Data Protection Act (Bundesdatenschutzgesetz) though.

(In general, most of these witnesses didn't knew much about topics that are not related to their own duties. They also showed very little interest in the Snowden-revelations. This might be from a common attitude in the intelligence world: the less you know, the less you can (accidently) give away)

- . - . - . - . -

22th Meeting, November 13, 2014 (Transcript)

- Hearing of the witness Mr. W. K. (BND, sub-division manager in the Signals Intelligence division):

The witness stated that BND is definitely not comparable with the former East German Stasi and that BND only collects what is necessary for fulfilling the information need of the federal government.

Today, mainly fiber optic cables are intercepted, but not everything that flows through, only specific data channels are selected, or in case of satellite links: specific frequencies. Asked about the Snowden-revelations, the witness said that he was surprised by how close the Five Eyes partners are cooperating.

Tapping internet cables

There are search profiles and criteria according to which specific data flows are selected in a very focussed way. The first selection is of a route between two places (like from Afghanistan to Pakistan), then a specific fiber optic cable is chosen.

These are human decisions, based upon where a cable is located, by which company it is operated and where it's most useful to tap it. Picking a specific cable is also discussed with the provider, with some of them this is easier than with others.

Because internet traffic travels over many different routes, picking specific cables, means that a lot of communications cannot be collected. This is taken for granted as BND doesn't want to collect everything. Sometimes multiple routes are selected for interception, but not always.

According to the witness, BND doesn't provide foreign intelligence agencies access to cables. No raw data are transferred to foreign agencies, only end reports.

In some cases, internet data have to be converted into a readable format. This sometimes means cracking encryption, consisting either of complex algorithms or proprietary methods. This can be done on the traffic as it flows past, or with data after having been stored in databases.


The next step is filtering the data through selectors. This is done by a computer system, for which the data stream may be buffered for a few milliseconds. The amount of data flowing through these filter systems isn't counted by BND. Filtering by selectors is done as close to the actual tapping point as possible.

The selectors are chosen based upon the information needs and a set of criteria, which in combination prevent that communications of innocent people are touched. The results went to the (then) BND headquarters in Pullach over leased cables. The number of data forwarded to Pullach is not registered, it depends upon the costs of the capacity for transmission.

The constitutionally guaranteed Privacy of Correspondence can have effect on each of these selection stages: for example no cables are chosen that start and end in Germany, and no selectors belonging to Germans are used.

Data of Germans are currently filtered out by a system called DAFIS, which succeeded a BSI-certified filter system that was used since the 1990s. Data from German citizens and German companies (Grundrechtsträgern) are deleted.

After data have been selected, they are pulled out based upon their relevance and finally analysts can use them at a certain moment to write an intelligence report, of which approximately 20 a day are produced.

Operation Eikonal

Regarding the joint NSA-BND operation Eikonal, the witness said that there was no massive scale surveillance of German citizens with data forwarded to NSA. Under Eikonal, which was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The witness would give more details only behind closed doors, because BND is still using these methods. The internal codename for Eikonal was Karat, but that name wasn't shared with NSA. There was even a third codename. Eikonal was tested during a few months (early 2006?), during which period no data were shared with NSA.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

What was collected under Eikonal was far less than the 500 million metadata a month as shown in the German BOUNDLESSINFORMANT chart. Actual collection only led to a few hundred selected contents (in German: Daten, like phone calls or e-mails) a year, which was a huge disappointment for NSA. Nothing that was worth while came out anymore, contrary to the expectations when the operation was set up.

This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program. As a "compensation" for NSA, a joint project in a country outside Europe was planned. In crisis regions, the BND is still cooperating with NSA, which provides "huge benefits" for the Germans, according to the witness.

The witness wouldn't say anything about whether BND was tapping into the Frankfurt internet exchange DE-CIX, but later on he said that operation Eikonal involved just one telecommunications provider.

(These kind of indications by some of the witnesses eventually led the Committee to conclude that operation Eikonal was actually about tapping one single cable of Deutsche Telekom, instead of the DE-CIX exchange as a whole, as the initial report by Süddeutsche Zeitung said. More about this later)

Things the BND learned from the Eikonal-cooperation were:
1. How the technique worked, which is now used for own operations outside, and collection efforts inside Germany
2. It is not possible to conduct 100% automated filtering. This wouldn't be done anymore.

Filtering through selectors

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. A BND unit which included lawyers checked for every selector from the NSA whether it was legal and according to the goals of the cooperation. Besides German interests, also the interests of friendly countries were taken into account. Only a few selectors were rejected, but it wasn't told to NSA which ones. They were just not entered into the filtering system.

Selectors include not just phone numbers and e-mail addresses, but also MAC addresses, which have no country identifier. Although there may have been up to several hundred thoused selectors, BND was still able to check whether every single one was appropriate, this by using special criteria. Only selectors that can be checked are used.

Besides Eikonal, BND also taps into cables of multiple other communication providers, but this is within the proper legal framework, approved by the G-10 Committee. For this, there is dedicated hardware equipment in the building of the provider, in accordance with the regulations of the federal communications authority (Bundesnetzagentur). This hardware is installed at the point where the cable is tapped.

Screenshot from NSA's BOUNDLESSINFORMANT tool, showing the number of foreign
metadata that BND collected in crisis regions and shared with NSA
(Click to enlarge)

Telephony metadata

According to the witness, one phone call creates between 30 and 50 metadata, which includes not only time and number but also a lot more technical data. With the given number of users in a crisis zone, this easily adds up to billions of metadata. But not all these have to be collected (erfasst); less than one percent can actually be pulled in. This is no mass surveillance without a reasonable ground (anlasslose Massenüberwachung). The witness assumes that NSA and GCHQ operate in a similar way as the BND.

The over 500 million metadata records from the Germen BOUNDLESSINFORMANT chart were most certainly from Afghanistan, more precisely from satellite communication links between two foreign countries in crisis regions. According to the witness this huge number of metadata for a single month is quite normal.

It could be that these numbers are collected up to today, although he isn't sure about that. BND isn't counting every single part of metadata, as NSA is apparently doing and which leads to those huge numbers.


BND got the XKeyscore program from NSA, which is only used to analyse data that are already collected. BND didn't had such a tool before. Unlike NSA, which uses Xkeyscore as federated query system, BND uses it as a stand-alone system for analysis. The actual collection systems of BND are antennas and outposts (Aussenstellen).

The witness doesn't know how many servers BND purchased for XKeyscore. Presently, BND uses XKeyscore only for traffic that is intercepted from satellite links, apparently because the system isn't (yet) certified for filtering out communications of German citizens. BND got no software programs from NSA for profiling or for decrypting data.


Personal data are only those data that can be related to specific persons. For German data it is easy to retrieve the identity behind certain metadata, but for foreign metadata this is much more difficult and hence those metadata are not seen as personal data.

The witness said multiple times that he isn't a lawyer and he therefore had no opinion of his own about the legality of certain decisions. He also didn't knew whether data collected in foreign countries had been acquired with or without the consent of the provider. He just assumed that the data collection takes place in a legal way. Foreign partner agencies don't provide BND with data they are not allowed to collect themselves.

- Because of time shortage, the BND employees L. and W. P. couldn't be heard in this meeting.

> Next time: More hearings of BND employees

Meanwhile, the following numbers about government eavesdropping operations in 2013 have been made public. These numbers are only about the interception of communcations with at least one-end-German, so traffic with both-ends-foreign are not included:
- The G10 Committee approved 212 eavesdropping operations, most of them were conducted by the domestic security service BfV (up from 157 in 2012). This involved some 350 people, most of them suspected of islam fundamentalism.

- In 26 cases, the domestic security service BfV used an IMSI-catcher to trace or intercept the mobile phone of 29 persons (more as twice as often as in 2012)

- BND is allowed to filter communications by using selectors. If Germans could be involved, it is not allowed to use selectors that identify specific targets (like phone numbers and e-mail adresses), so in that case, only generic search terms (keywords) may be used.

- The official report (pdf) provided the following numbers of approved search terms, of what was filtered out and of what was marked as relevant for foreign intelligence purposes:

SubjectSearch termsFiltered outRelevant
Ca. 800
Content: 906
Metadata: 639
Ca. 11.700Content: 14.411
Metadata: 1
Ca. 28Content: 84
Metadata: 76

Links and Sources
- Offical page of the committee: 1. Untersuchungsausschuss ("NSA")
- Internal NSA presentation: Structure of the BND (pdf)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA
- Reports with numbers for 2013:
   - Gemäss Terrorismusbekämpfungsgesetz (pdf)
   - Gemäss Artikel 10-Gesetz (pdf)

> See also: BND Codewords and Abbreviations

December 16, 2014

German investigation of the cooperation between NSA and BND (II)

This is part II about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

Here we provide summaries of the hearings of a number of BND employees, who provided some interesting details about satellite interception at the Bad Aibling station, the subsequent processing and storage of data and also about the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website Netzpolitik.org, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of those of the cover names they are using when at work(!).

The room where the hearings of the parliamentary committee take place
(photo: DPA)

14th Meeting, September 25, 2014 (Transcript)

- Hearing of the witness Mr. R. U. (BND, head of the site in Bad Aibling):

The BND site in Bad Aibling is for satellite interception. In Bad Aibling there's no interception of point-to-point microwave transmissions, which is done by putting an antenna in between the two microwave antennas that transmit the signals that have to be intercepted.

(This BND satellite station is part of the former NSA Bad Aibling Station that was codenamed GARLICK, from which BND took over most of the facilities in 2004, including nine of the large satellite dishes hidden under white radomes)

When the Bad Aibling site was led by the witness, it had 120 personnel and was divided into three sections:
- Management
- Technical (operation of the antennas, network security, script programming, installation of computers)
- Analysis (analysing the collected data, language translating capabilities)

An important goal was protection of German troops deployed in countries like Afghanistan. BND was also able to prevent attacks on ISAF forces. Other goals for the satellite interception were anti-terrorism and rescuing people who have been kidnapped.

Satellite interception

In remote countries, domestic communications also use satellite links, which can also be intercepted from inside Germany. This collection is restricted by technical limits, which make that there's access to only a small number of satellites, and from them, only part of the communications can be intercepted. Also, not everything can be analysed, because much of it is in local languages. Therefore, there's no mass surveillance. BND only collects promilles of what would be theoretically possible.

Nonetheless, the amount of satellite traffic from Afghanistan that can be intercepted from Bad Aibling is rather high. Asked about media reports quoting former NSA and CIA director Michael Hayden "We kill people based on metadata", the witness replied that metadata are not specific enough for pinpointing drone attacks on specific people. Metadata like cell-IDs define areas of 50-60 square kilometers, which is not precise enough for bombarding a house.

(Hayden's "we kill people based on metadata" was followed by "but that's not what we do with this metadata", referring to the 215 (domestic metadata) database. How Hayden meant the first part of this statement isn't clear. There was also a report by The Intercept, in which a former JSOC drone operator said that some targets were tracked by metadata and then killed based upon the SIM card they use.)

The former NSA satellite intercept station in Bad Aibling,
parts of which are now used by the BND
(Click to enlarge)

The Joint SIGINT Activity (JSA)

Since 2004, NSA and BND cooperated in the Joint SIGINT Activity (JSA), which was located at the Mangfall Barracks, also in Bad Aibling. The JSA consisted of both German and American personnel. Most of the equipment was provided by NSA. Management was in the hands of BND, and in turn, NSA got access to the German satellite collection.

For this satellite interception, NSA provided BND with selectors, like phone numbers and e-mail addresses, most of them belonging to targets in Afghanistan. These selectors are on an American server, from which BND personnel can pick them up 2, 3 or 4 times a day. Then these selectors were checked at the headquarters in Pullach for whether they included German citizens or companies. These were taken out, just like the ones that contradicted German national interests.

The cooperation between NSA and BND declined since 2004. Since the JSA was closed in 2012, there's only an NSA liaison office and some technical support left in Bad Aibling. Both are located in a building that is nicknamed Tin Can (Blechdose), because of its windowless exterior of black-painted metal. Here, BND personnel has to ring a door bell when they want in, and there's a similar procedure for when US personnel wants to visit BND buildings.

Header of a newsletter from the Joint SIGINT Activity (JSA)
(Click for a JSA newsletter (pdf) from 2007)

Tools and databases used by BND

After selectors have been cleared and entered into the collection system, it results in for example a phone call that appears in the dataprocessing tool of an analyst. This is not a random phone call, but one that has been filtered out based upon the selector. The analyst can then listen to this phone call, maybe has to translate it, and decides whether it is relevant or not. If not, it is deleted, otherwise he writes a report (Meldung), which is sent back to headquarters.

XKeyscore is an analysis tool that is used to look whether internet data that have been collected contain relevant information. BND uses XKeyscore on their own computers and servers. NSA only provides (software) updates and has no access to BND networks through XKeyscore. For sharing data, there was only one-way traffic from BND to NSA through highly secured firewalls.

Collected internet content is stored for only a few days, other (meta)data for a few days up to a few weeks. When there's a match, the selected data are stored for 1 or 2 years at most, not in Bad Aibling, but at the BND headquarters. In Bad Aibling there was no real-time collection. Quasi real-time means many many minutes, and until something shows up on the monitor it takes hours.

Besides XKeyscore, BND uses, among others, the programs MIRA4 und VERAS, which are classified analysis tools. The first one is used to listen in to phone calls, the latter one for visualising metadata and showing who has called who. Metadata are data that contain no content. When for example a website like Amazon.com is viewed from a computer, this creates more than 100 pieces of metadata.

- Hearing of the witness Mr. J. Z. (BND official, since 2008 head of the technical unit of the JSA, which uses XKeyscore). This hearing was entirely behind closed doors.

- . - . - . - . -

16th Meeting, October 9, 2014 (Transcript)

- Hearing of the witness Ms. H. F. (BND, legal counsel for data protection):

This witness is responsible for data protection regulations, but not for the implementation of the so-called G-10 Act, which protects the communications privacy of German citizens and corporations under article 10 of the constitution (Grundgesetz).

The witness has set up educational programs for BND employees and is regularly auditing the various systems and databases used by BND, especially in the SIGINT division, where not all databases have formal data protection procedures (like for access control) yet. All BND databases, regardless of where their data come from, fall under the German Data Protection Act (BundesDatenSchutzGesetz).

The witness audited many databases, like for example:
- INBE (INhaltliche BEarbeitung)
- VERAS (VERkehrsAnalyseSystem)
- PBDB (PersonenBezogene DatenBestände)
In total, there are about 25 databases (Auftragsdatenbanken) which serve the SIGINT collection process. Besides these databases, BND uses about 20 programs provided by NSA, most of them are technical tools, like for language translation.

In Bad Aibling, only satellite communications are intercepted. After German communications have been filtered out, they are stored in databases according to their type: metadata go to VERAS and content goes to INBE. The latter database succeeded MIRA4 in 2010 and currently contains several hundred thousand data sets, including data from German citizens. Both VERAS and INBE were developed by BND.

The witness couldn't estimate how many data are in VERAS (which was set up in 2002), which contains mainly metadata from telephone communications, with the purpose of call chaining for creating contact graphs. BND uses this tool for connecting phone numbers as far as 4 or 5 hops from a known target. This doesn't mean that it always goes that far, because the further away from the initial known target, the more difficult it is to discover the connections.

In several cases, like for example with INBE and VERAS, BND failed to comply with the formal requirement from the Data Protection Act for a so-called "Dateianordnungsverfahren", even for several years. After the witness recognized this, she forced to fulfill these legal requirements, although it was more a bureaucratic formality than a big shortcoming.

There's still discussion at BND about whether metadata are always personal data. Metadata like German telephone numbers are considered to be personal data, because it is easy to look up to whom such a number belongs. In foreign countries, like Afghanistan and Pakistan, that's not so easy. Phone numbers are also used by a whole clan for example.

The president of the BND has decided that collection in Bad Aibling is not subject to the provisions of the BND Act (BND-Gesetz), because only foreign satellite communications are intercepted. The witness disagrees, but was overruled by the president.

- The planned hearing of the witness A. F. (also a BND employee) was postponed to November 13.

- . - . - . - . -

18th Meeting, October 16, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, at Bad Aibling from 2002-2007):

The witness explained that one phone call creates between 20 and 30 pieces of metadata. Not all of them are usefull for targeting because they are not specific enough, like for example a mobile phone cell-ID. Metadata include the number that was called, the cell-ID, the provider, the duration of the call, etc.

Raw data are signals (like radio frequencies) that have been processed. Raw data on their turn can be processed into metadata and content. These are then automatically filtered and selected, and when finally a human takes a look at them, this can result in a report (Meldung).

Raw data were not counted by BND, only the reports, of which only a handful were produced at Bad Aibling. This low number was also due to the fact that only a small part of the collected communications was actually translated.

XKeyscore was first used by BND in 2007, but back then this tool wasn't by far as sophisticated as in 2013.

- After just a short while, this hearing was ended after it became clear that the witness had read internal BND documents that had not yet been fully handed over to the committee.

Links and Sources
- Offical page of the committee: 1. Untersuchungsausschuss ("NSA")
- Internal NSA presentation: Structure of the BND (pdf)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA

> See also: BND Codewords and Abbreviations

December 13, 2014

Update on tapping German chancellor Merkel's phone

Over the last days, there were some new developments regarding the eavesdropping on the mobile phone of the German chancellor Angela Merkel, which was revealed in October last year. It was clarified that the record from an NSA database that was presented as evidence for this tapping, wasn't actually an original NSA document, but just a transcription.

Also, this database record wasn't among the Snowden-documents. This means the information about monitoring Merkel's phone was not provided by Edward Snowden, but by another leaker, something that many people may not have been aware of.

Criminal investigation

In June of this year, the highest German public prosecutor (Generalbundesanwalt) started a criminal investigation against NSA regarding the alleged eavesdropping on chancellor Merkel. Last month it was reported that this case had been closed as no sufficient evidence had been found, but this was not fully correct.

In his annual press conference on December 11, prosecutor Harald Range said that the investigation of the eavesdropping on chancellor Merkel is still going on:

Annual press conference of the federal public prosecutor Harald Range
(information about the Merkel eavesdropping starts at 23:20)

Regarding the eavesdropping case, prosecutor Range said the following things:

- The phone number which is at stake is not registered by the German Chancellery, but it's a number that has been used since 1999 by the headquarters of Merkel's party CDU. Therefore the number wasn't used by Gerhard Schröder (chancellor from the SPD party from 1998-2005).

- The document (see below) that was publicly presented as a proof of this eavesdropping is not an authentic NSA interception order, nor is it from an NSA database. Actually, it was made by a reporter of Der Spiegel, based upon an NSA document he had seen.

- The prosecutor asked the editors of Der Spiegel to hand over the original document or to be questioned about it, but this was refused pointing to the journalist's privilege to protect their sources. NSA was asked for a statement through the BND, but also refused to comment.

- This makes that under these circumstances, a serious evaluation of the authenticity of the document is not possible.

- Through his German lawyer, Edward Snowden was also given the opportunity to provide a written statement, but until now there was no reaction.

- Presently, there is no sufficient evidence that could lead to an indictment, but the case is not yet closed. The investigation continues, and this will also include the results of the parliamentary committee that is currently investigating NSA spying activities.

- Based upon the Snowden revelations and other media reports it can be assumed that in general, foreign intelligence agencies are trying to spy on German targets by electronic means. But according to German law, that is not enough to open a criminal case, because that would be investigating without reasonable suspicion, which the public prosecutor isn't allowed to do under the rule of law. Where neccessary, such investigations are the responsibility of the security services.


Parts of what prosecutor Range said was misinterpreted by a number of foreign news websites, like Business Insider UK and Vox.com, which said that the NSA document might not be authentic or even faked by Der Spiegel.

It seems these media only took the first part of Range's statement that the document "was made by a reporter of Der Spiegel, based upon an NSA document he had seen" and overlooked/left out the last part.

Although the German public prosecutor's office couldn't find any concrete evidence for the eavesdropping by NSA, Der Spiegel stresses that neither NSA nor the US government has denied that phone calls of chancellor Merkel had been monitored.

A second leaker

After the public prosecutor's press conference, Der Spiegel provided a statement saying that prior to their reporting about the eavesdropping on chancellor Merkel, they had access to information from an NSA database, which it copied.

This sounds like Der Spiegel got access to the content of an NSA database from which it selected and copied the information related to chancellor Merkel. But in the book "Der NSA Komplex" written by Spiegel reporters Marcel Rosenbach and Holger Stark, it is said that early October 2013, "we received the excerpt from an NSA database about Merkel's cell phone".*

That phrase suggests that someone from outside, and also someone not being Edward Snowden, provided Der Spiegel with just that one particular record which includes Merkel's phone number. How and in what form is not said. Greenwald confirms that this information didn't came from Snowden, and earlier on, also Bruce Schneier was convinced that this came from a second leaker.

Just a transcription

After having obtained the database record, Der Spiegel presented it to the Chancellery, so they could verify it. According to their statement, Der Spiegel made it very clear that this information was not an original document, but just a transcription. Apparently for this reason, the magazine never published the database record, but only reported about its contents.

However, some other German newspapers somehow managed to get a copy of the letter that was sent to the Chancellery and published it in their print editions. One of them was the tabloid paper BILD, from which this scan was made:

So what we see here is a printed copy of a copy (either by xerox, a scanner or a (mobile phone) camera, which explains the fuzzyness) of the print on a DIN A4-sheet of paper that was sent to Merkel's Chancellary.

Maybe this was a xerox copy of the excerpt which the mysterious source handed over to Der Spiegel, but more likely (else it could be used to trace the source) is that a reporter copied the original text by hand. Probably he used an Apple computer, as the result is in the Ayuthaya font, which comes with Apple's OS X.

For a detailed explanation of the record: How NSA targeted chancellor Merkel's mobile phone

Right after this "document" was first published, some people wondered why it looks like a piece of paper, whereas all other leaked NSA documents are digital files (with a few similar exceptions though). This has now been cleared, but again we see that it can take some time and some pressure before such questions are answered.

From which database?

Initially, Der Spiegel reported that the record that mentions Merkel's phone number comes from an NSA database in which the agency records its targets.* My suggestion was that this could have been a database codenamed OCTAVE, which was used for tasking telephony targets, but which reportedly was replaced by the Unified Targeting Tool (UTT) in 2011.

But a more recent Spiegel article from early June 2014, seems to say that it's an entry from the NYMROD database. A slide in which Merkel was listed among 122 other heads of state in the NYMROD database was published by Der Spiegel on March 29, 2014. This slide was from an NSA presentation about content extraction analytics that was fully published in June.

However, in another NSA document it is explained that NYMROD is a name-matching system that is used for finding "garbled or misspelled names" of targets. It contains names taken from CREST (a translating database) and from intelligence reports from NSA, CIA and DoD databases.

If we compare that function with the data in the record that was published, it seems not very likely that the entry is from NYMROD. A tasking database still seems the best option.

Links and Sources
- Spiegel.de: When Germany's federal prosecutor appeared to discredit SPIEGEL
- Golem.de: Spiegel soll NSA-Dokument zu Merkel-Handy hergestellt haben
- LittleGreenFootballs.com: Did a German Prosecutor Really Claim That Der Spiegel’s NSA Document Was a Fake?

November 29, 2014

INCENSER, or how NSA and GCHQ are tapping internet cables

(Last edited: January 5, 2015)

Recently disclosed documents show that the NSA's fourth-largest cable tapping program, codenamed INCENSER, pulls its data from just one single source: a submarine fiber optic cable linking Asia with Europe.

Until now, it was only known that INCENSER was a sub-program of WINDSTOP and that it collected some 14 billion pieces of internet data a month. The latest revelations now say that these data were collected with the help of the British company Cable & Wireless (codenamed GERONTIC, now part of Vodafone) at a location in Cornwall in the UK, codenamed NIGELLA.

For the first time, this gives us a view on the whole interception chain, from the parent program all the way down to the physical interception facility. Here we will piece together what is known about these different stages and programs from recent and earlier publications.

The cables tapped at NIGELLA by GERONTIC under the INCENSER and WINDSTOP programs
(Map: ARD.de - Text: Electrospaces.net - Click to enlarge)



Last week's joint reporting by the British broadcaster Channel 4, the German regional broadcasters WDR and NDR and the German newspaper Süddeutsche Zeitung, identified NIGELLA as an interception facility at the intersection of Cable & Wireless and Reliance cables at Skewjack Farm.

There, just north-west of Polgigga Cottage in Cornwall, is a large building that was constructed in 2001 for FLAG Telecom UK Ltd for 5.3 million pounds. It serves as a terminus for the two ends of a submarine optical cable: one from across the Atlantic which lands at the beach of nearby Sennen, and one that crosses the Channel to Brittany in France:

- FLAG Atlantic 1 (FA1)
Connecting the east coast of North America to the United Kingdom and France (6.000 kilometers)

The FLAG Atlantic 1 cable to America consists of 6 fibre pairs, each capable of carrying 40 (eventually up to 52) separate light wavelengths, and each wavelength can carry 10 Gigabit/s of traffic. This gives a potential capacity of 2.4 terabit/s per cable. However, in 2009, only 640 gigabit/s were actually used, which went apparently up to 921 gigabit/s in 2011.

The FLAG terminus station in Skewjack Farm, Cornwall
(photo: Sheila Russell - Click to enlarge)

The cable was initially owned by FLAG Telecom, where FLAG stands for Fiber-optic Link Around the Globe. This company was renamed into Reliance Globalcom when it became a fully owned subsidiary of the Indian company Reliance Communications (RCOM). In March 2014, Reliance Globalcom was again renamed, now into Global Cloud Xchange (GCX).

More important is another, much longer submarine cable, which was also owned by this company, and which has its landing point on the shore of Porthcurno, a few miles south-west of Skewjack Farm:

- FLAG Europe-Asia (FEA)
Connecting the United Kingdom to Japan through the Mediterranean, with landing points in Egypt, the Saudi Peninsula, India, Malaysia, Thailand, Hong Kong, China, Taiwan, South Korea and Japan (28.000 kilometers)

This cable has 2 fibre pairs, each capable of carrying up to 40 separate light wavelengths, and each wavelength can again carry 10 gigabit/s of traffic. This gives a potential capacity of 800 gigabit/s, but in 2009 only 70 gigabit/s were used, which went up to 130 gigabit/s in 2011 - still an unimaginable bits per second.

The FLAG Atlantic 1 and FLAG Europe-Asia landing points
and the Skewjack Farm terminus station
(Map: Channel 4 - Click to enlarge)

The backhaul connection between the FLAG Atlantic 1 (FA1) and the FLAG Europe-Asia (FEA) is provided by a local area network of Cable & Wireless, which also connects both submarine cables to its terrestrial internet backbone network.

According to the newly disclosed GHCQ Cable Master List from 2009, the interception of the FA1 and the FEA cables takes place at the intersection with this backhaul connection:

This list also shows that the interception of these two cables is accompanied by a Computer Network Exploitation (CNE) or hacking operation codenamed PFENNING ALPHA.

Because the owner of the cables (Reliance Globalcom, now Global Cloud Xchange) is not a cooperating partner of GCHQ, they hacked into their network for getting additional "router monitoring webpages" and "performance statistics for GTE [Global Telecoms Exploitation]".

Interception equipment

How the actual interception takes place, can be learned from an article in The Guardian from June 2013, which provides some details about the highly sophisticated computer equipment at cable tapping points.

First, the data stream is filtered through what is known as MVR (Massive Volume Reduction), which immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads. This reduces the volume by about 30%.


The next step is to pull out packets of information that contain selectors like phone numbers and e-mail, IP and MAC addresses of interest. In 2011, some 40,000 of these were chosen by GCHQ and 31,000 by the NSA, according to The Guardian. This filtering is most likely done by devices from Boeing-subsidiary Narus, which can analyse high-volume internet traffic in real-time.

A single NarusInsight machine can monitor traffic up to 10 Gigabit/second, which means there have to be up to a dozen of them to filter the relevant traffic from the FA1 and FEA submarine cables. Most of the information extracted in this way is internet content, such as the substance of e-mail messages.

Full sessions

Besides the filtering by using specific selectors, the data are also sessionized, which means all types of IP traffic, like VoIP, e-mail, web mail and instant messages are reconstructed. This is something the Narus devices are also capable of.

These "full take" sessions are stored as a rolling buffer on XKEYSCORE servers: content data for only three to five days, and metadata for up to 30 days. But "at some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours" according to an NSA document from 2008.

The aim is to extract the best 7,5% of the traffic that flows past the access, which is then "backhauled" from the tapping point to GCHQ Bude through two 10 gigabit/s channels (the "egress" capacity). This might be a dedicated cable, or a secure VPN path over the regular Cable & Wireless backbone that connects Bude with the south-west of Cornwall:

The Cable & Wireless internet backbone (yellow) in Cornwall
and the connections to submarine fiber-optic cables (red)
(Map from before 2006 - Click for the full verion)


GERONTIC (Cable & Wireless)

The secret GCHQ documents about these cable tapping operations only refer to the cooperating telecommunications provider with the cover name GERONTIC. The real name is protected by STRAP 2 dissemination restrictions. But nonetheless, German media already revealed that GERONTIC is Cable & Wireless last year.

In july 2012, Cable & Wireless Worldwide was taken over by Vodafone for 1.04 billion pounds, but according to the GCHQ documents, the covername GERONTIC was continued, and was seen active until at least April 2013.

According to the press reports, GCHQ had access to 63 undersea internet cables, 29 of which with the help of GERONTIC. This accounted for about 70% of the total amount of internet data that GCHQ had access to in 2009.

Cable & Wireless was involved in these 29 cables, either because it had Direct Cable Ownership (DCO), an Indefeasible Right of Use (IRU) or Leased Capacity (LC). Besides that, the GCHQ Cable Master List from 2009 lists GERONTIC also as a landing partner for the following nine cables:
- FLAG Atlantic 1 (FA1)
- FLAG Europe-Asia (FEA)
- Apollo North
- Apollo South
- Solas
- UK-Netherlands 14
- UK-France 3
- Europe India Gateway (EIG)
- GLO-1

Disclosed excerpts from internal GCHQ wiki pages show that Cable & Wireless held regular meetings with GCHQ from 2008 until at least 2010, in order to improve the access possibilites, like selecting which cables and wavelenghts would provide the best opportunities for catching the communications GCHQ wanted.

GCHQ also paid Cable & Wireless tens of millions of pounds for the expenses. For example, in February 2009 6 million pound was paid and a 2010 budget references a 20.3 million pound payment to the company. By comparison, NSA paid all its cooperating telecommunications companies a total of 278 million dollars in 2013.

The intensive cooperation between Cable & Wireless and GCHQ may not come as a surprise for those knowing a bit more of British intelligence history. The company already worked with predecessors of GHCQ during World War I: all international telegrams were handed over so they could be copied before being sent on their way, a practice that continued for over 50 years.*



Among the documents about the GCHQ cable tapping is also a small part of an internal glossary. It contains an entry about INCENSER, which says that this is a special source collection system at Bude. This is further specified as the GERONTIC delivery from the NIGELLA access, which can be viewed in XKEYSCORE (XKS):

This entry was also shown in the German television magazine Monitor, although not fully, but without the redactions, so from this source we know the few extra words that were redacted for some reason.

The entry also says that INCENSER traffic is labeled TICKETWINDOW with the SIGINT Activity Designator (Sigad) DS-300. From another source we know that TICKETWINDOW is a system that makes cable tapping collection available to 2nd Party partners. The exact meaning of Sigads starting with DS is still not clear, but probably also denotes 2nd Party collection.


In Bude, GCHQ has its Regional Processing Center (RPC), which in 2012 had a so-called "Deep Dive" processing capability for 23 channels of 10 gigabit/second each under the TEMPORA program.

TEMPORA comprises different components, like the actual access points to fiber-optic cables, a Massive Volume Reduction (MVR) capability, a sanitisation program codenamed POKERFACE, and the XKEYSCORE system. As we have seen, most of the hardware components are located at the interception point, in this case the facility in Skewjack (NIGELLA).


These collection systems can be remotely instructed ("tasked") from Bude, or maybe even also from NSA headquarters. For one part that involves entering the "strong selectors" like phone numbers and internet addresses. For another part, that is by using the additional capabilities of XKEYSCORE.

Because the latter system buffers full take sessions, analysts can also perform queries using "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents and spreadsheets in English, Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace target's internet activities that are performed anonymous, and therefore cannot be found by just looking for the known e-mail addresses of a target. When such content has been found, the analyst might be able to find new intelligence or new strong selectors, which can then be used for starting a traditional search.

Hacking operations

According to a 2010 NSA presentation that was published by The Intercept in December 2014, the INCENSER access is also capable of supporting the QUANTUMBOT (IRC botnet hijacking), QUANTUMBISQUIT (for targets who are behind large proxies), and QUANTUMINSERT (HTML web page redirection) hacking techniques.

Two other components of the QUANTUMTHEORY computer network exploitation framework, QUANTUMSQUEEL (for injection of MySQL databases) and QUANTUMSPIM (for instant messaging), had been tested, but weren't yet operational:

This means that at the INCENSER collection site NIGELLA, there are also TURMOIL sensors which detect when targeted user’s packets are among the traffic that flows past. TURMOIL tips off the central automated command & control system codenamed TURBINE, which then launches one or more QUANTUM attacks, as directed by NSA's hacking division Tailored Access Operations (TAO). An explanation of this method is on the weblog of Robert Sesek and the website of Wired.

Possible targets

The disclosed GCHQ documents contain no specific targets or goals for the INCENSER program, which provided Channel 4 the opportunity to claim that this Cable & Wireless/Vodafone access allows "Britain's spies to gather the private communications of millions of internet users worldwide". Vodafone, which also has a large share of the telecommuncations market in Germany, was even linked to the eavesdropping on chancellor Merkel.

Both claims are rather sensationalistic. Merkel's phone was probably tapped by other means, and both GCHQ and NSA aren't interested in the private communications of ordinary internet users. On the contrary, by tapping into a submarine cable that connects to Asia and the Middle East, INCENSER looks rather focussed at high-priority targets in the latter region.


Despite INCENSER being NSA's fourth-largest cable tapping program regarding to the volume which is collected, the intelligence reports analysts are able to write based upon this only made it to the 11th position of contributors to the President's Daily Brief - according to a slide from a 2010 presentation about Special Source Collection, published by The Washington Post in October last year:


WINDSTOP (2nd Party)

Data collected under the INCENSER program are not only used by GHCQ, but also by NSA, which groups such 2nd Party sources under the codename WINDSTOP. As such, INCENSER was first mentioned in a slide that was published by the Washington Post on in October 2013 for a story about the MUSCULAR program:

According to NSA's Foreign Partner Access budget for 2013, which was published by Information and The Intercept last June, WINDSTOP involves all 2nd Party countries (primarily Britain, but also Canada, Australia and New Zealand) and focusses on access to (mainly internet) "communications into and out of Europe and the Middle East" through an integrated and overarching collection system.

MUSCULAR is a program under which cables linking big data centers of Google and Yahoo are tapped. The intercept facility is also located somewhere in the United Kingdom and the data are processed by GCHQ and NSA in a Joint Processing Centre (JPC) using the Stage 2 version of XKEYSCORE.

A new slide from this presentation about WINDSTOP was published by Süddeutsche Zeitung on November 25, which reveals that a third program is codenamed TRANSIENT THURIBLE. About this program The Guardian reported once in June 2013, saying that it is an XKeyscore Deep Dive capability managed by GHCQ, with metadata flowing into NSA repositories since August 2012.

In November 2013, the Washington Post published a screenshot from BOUNDLESSINFORMANT with numbers about data collection under the WINDSTOP program. Between December 10, 2012 and January 8, 2013, more than 14 billion metadata records were collected:

The bar chart in the top part shows the numbers by date, with DNR (telephony) in green and DNI (internet) in blue. The section in the center of the lower part shows these data were collected by the following programs:

- DS-300 (INCENSER): 14100 million records
- DS-200B (MUSCULAR): 181 million records

XKEYSCORE, which is used to index and search the data collected under the INCENSER program, can be seen in the bottom right section of the chart.

With just over 14 billion pieces of internet data a month, INCENSER is the NSA's fourth-largest cable tapping program, accounting for 9 % of the total amount collected by Special Source Operations (SSO), the division responsible for collecting data from internet cables. According to another BOUNDLESSINFORMANT chart, the NSA's Top 5 of cable tapping programs is:

SSO worldwide total:

Other programs: (100%)

57.788.148.908  (36%)
23.003.996.216  (14%)
15.237.950.124   (9%)
14.100.359.119   (9%)
13.255.960.192   (8%)
... (24%)

It's remarkable that just one single cable access (NIGELLA in Cornwall) provides almost one tenth of everything NSA collects from internet cables. This also means that besides a large number of small cables accesses, NSA seems to rely on just a few important cables for about 2/3 of it's collection from this type of source.

Links and Sources
- Golem.de: Die Abhörkette der Geheimdienste
- The recently disclosed documents about GCHQ cable tapping:
   - NetzPolitik.org: Cable Master List: Wir spiegeln die Snowden-Dokumente über angezapfte Glasfasern, auch von Vodafone
   - Sueddeutsche.de: Snowden-Leaks: How Vodafone-Subsidiary Cable & Wireless Aided GCHQ’s Spying Efforts
- ArsTechnica.com: New Snowden docs: GCHQ’s ties to telco gave spies global surveillance reach
- Sueddeutsche.de: Vodafone-Firma soll GCHQ und NSA beim Spähen geholfen haben
- WDR.de: Neue Snowden-Dokumente enthüllen Ausmaß der Zusammenarbeit von Geheimdiensten und Telekommunikationsunternehmen
- Weblog about Uk Submarine Cable Landings & Cable Stations
- Article about Explaining submarine system terminology – Part 1

- Thanks also to Henrik Moltke, who did most of the research for the German press reports

More reactions on Hacker News and Schneier's Blog