May 19, 2016

German journalists about working with the Snowden documents

Last Monday, the website The Intercept started publishing larger batches of documents from the Snowden trove, so they can now also be examined by the public. This is a new phase: previously, documents were generally disclosed as part of journalistic reports, but the number of such publications steadily declined over the last two years.

What it was like to work with the Snowden documents can be learned from an interesting interview with two journalists from the German magazine Der Spiegel. They not only published a whole range of articles based upon the Top Secret NSA documents, but also a book which is much more informative than that of Glenn Greenwald.

The interview with Marcel Rosenbach and Holger Stark from Der Spiegel, as well as with Svea Eckert from the German broadcaster NDR, was part of the Network Research (Netzwerk Recherche) annual conference, which was held on July 3 and 4, 2015:

Interview with Marcel Rosenbach, Holger Stark
and Svea Eckert, July 2015 (in German)

Because the interview is fully in German, here's an extensive summary in English, which also looks more closely at a few specific revelations:
- The Snowden documents
- The National Intelligence Priority Framework (NIPF)
- Eavesdropping on chancellor Merkel
- Some other issues

The Snowden documents

Journalists from Der Spiegel were provided with several tens of thousands of digital documents through the documentary film maker Laura Poitras, who had been in direct contact with Edward Snowden.

According to Holger Stark, it was clear that Snowden had sorted the documents, not in a very fine-grained way, but he had put them in a few folders, according to topics that were of special interest to him, like operations of the NSA divisions TAO (hacking) and SSO (cable tapping). Rosenbach said that it looked like Snowden selected the documents based upon his concerns regarding civil liberties and that he didn't do some "collect it all" scraping.

The journalists tried to search and filter the documents automatically, but a huge number of them had to be read and analysed manually, and read over and over again, in order to understand what was in them and what their importance could be. For that, they also consulted experts for cryptography and network architecture as well as former NSA employees like Binney and Drake (independent intelligence experts were not mentioned).

It was possible to ask Snowden, but not in a regular or easy way, also because he wanted to keep his distance from the journalistic work. The journalists couldn't tell or estimate how many documents Snowden actually took. Der Spiegel got the documents unredacted, but in the documents that were published, editors redacted most of the names.

Der Spiegel frequently asked NSA to review the documents they wanted to publish, in order to prevent lives from being put in danger. Sometimes NSA asked to remove things, but when it was obvious that this was for political reasons, the request was ignored. In a few other cases, Der Spiegel didn't publish the documents or partly redacted them.


Despite all their efforts, there were still many gaps and questions. This resulted, for example, in a wrong interpretation of NSA's data visualisation tool BOUNDLESSINFORMANT. In August 2013, Der Spiegel published charts from this tool that were initially interpreted as showing how much data NSA collected from several European countries. Soon, BND and NSA denied this and explained that the charts show data that European agencies provided to the Americans.

Holger Stark admitted that their initial interpretation was apparently not correct, but that there are still many questions about this issue. One of the difficulties was that NSA and US government were not willing to respond to questions about this program, so they decided to publish their best guess. Rosenbach added that major foreign papers also shared their initial interpretation (maybe because the wrong interpretation came from Greenwald?).

BOUNDLESSINFORMANT screenshot showing metadata provided by BND


The National Intelligence Priority Framework (NIPF)

One document that wasn't published, but only reported about is the National Intelligence Priority Framework (NIPF), which contains the priorities for the US intelligence community as set by the White House. During the interview a part of the original NIPF document was shown for the first time:

The NIPF consists of a large matrix with each cell indicating the intersection between a state or non-state actor and an intelligence topic. A readable reconstruction of the NIPF based upon this new piece and earlier sources, can be found here (pdf).

Over time, Rosenbach and Stark learned to interpret the Snowden documents by combining information from multiple documents. A separate document, an internal NSA newsletter from December 2009, for example provided additional information about the priorities of the NIPF chart:

This newsletter says that updated versions of the NIPF are released about twice a year, and that these are run against the National SIGINT Requirements Process (NSRP), which sets the priorities for acquiring Signals Intelligence (SIGINT). The 5 levels of NIPF priorities are then translated (by the SIGINT Committee or SIGCOM) to the 9 levels of SIGINT priorities, based upon the importance of the SIGINT contribution.

The first NIPF was issued in 2003 and at that time the matrix contained over 2300 cells! There were hundreds of issues with priority 1 and 2, way too many to be manageable. So over the years the number of priorities, particularly the numbers of priority 1s and 2s, was reduced.

According to the journalists, the newsletter also explains that topics with priority 1 and 2 are meant for the president and the White House, while priority 3 is for cabinet ministers, the Chiefs of Staff and the Pentagon. For these highest priorities, covert intelligence methods are used. For priorities 4 and 5 open sources may be sufficient and their results are mainly used for political analysis.

For the Spiegel journalists this bureaucratic process illustrates that NSA isn't an agency that went rogue, but that they are directed by the political information needs from the White House (something that was usually conveniently ignored).



Svea Eckert, a documentary maker for the regional German broadcaster NDR, was also present at the interview, and she had brought with her the laptop they had used for working with the Snowden documents. The computer was newly bought for this purpose and was never connected to the internet.

At NDR, Eckert was doing research for a documentary about the internet as a battle space, when a colleague of hers in the US was provided with a thumb drive containing Snowden documents that had been selected for their relevance to the topic of the documentary. It wasn't disclosed who the middlemen for these documents were, and apparently different German news media got documents from different sources.

The source had said that for these documents only the external TAILS operating system should be used. The same system was used by other people who worked with Snowden documents, like Laura Poitras, Glenn Greenwald, and Barton Gellman. On the dedicated laptop, Eckert showed an example of what these documents look like:

In the window we see for example an internal NSA newsletter with an interview with a hacker from NSA's TAO division, a Cyber Warfare Lexicon and a powerpoint presentation. The latter has the filename "MONSTERMIND_presentation (copy).pptx", but when it was opened, it actually had the cover term CYBERCOP on the front slide and it was prepared by the "CyberCOP Product Manager".

Eckert explained that although most of these documents were very interesting, not everything was newsworthy enough or in the public interest to publish. Also the opinions of various experts had to be asked, because journalists were not always able to judge what the context or the importance of particular pieces of information was.


The CYBERCOP presentation is from April 11, 2013 and contains several screenshots of a graphical user interface in which NSA analysts can see where cyber attacks occur. The map part seems very similar to a well-known flashy visualisation on the website of the Norwegian cyber security company Norse:

It was decided not to publish the full MONSTERMIND/CYBERCOP presentation, but the documentary Schlachtfeld Internet ("Battlefield Internet") did contain several slides, which showed that NSA is apparently powerful enough to trace such attacks and that therefore the agency must be present at numerous points on the internet. This was considered newsworthy enough to report about.

In the documentary itself it was explained that an analysis tool called CYBERCOP makes it possible for NSA to monitor "cyber war" in real time. The presentation described at least one specific attack: on April 10, 2012, the US federal banking system in New York was successfully attacked by Iran, not directly, but through thousands of computers around the world, controlled through internet servers in Germany.

Broadcaster NDR published three slides of the CYBERCOP presentation here (pdf). Two of them show the CYBERCOP interface in a high resolution:



The MONSTERMIND system was first disclosed in a very long interview that James Bamford had with Edward Snowden in August 2014. There, Snowden said that MONSTERMIND is a frightening program that automated "the process of hunting for the beginnings of a foreign cyberattack".

It could also automatically prevent attacks from entering the country, but its unique capability is that "instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement" - with the risk of hitting the wrong one, as Snowden warned.

The "killing" capability was also described in Eckert's documentary, but without mentioning the codename MONSTERMIND. It didn't become clear whether this just came from Snowden's recollection or whether it's mentioned in the CYBERCOP presentation (or other documents).


Eavesdropping on chancellor Merkel

The journalists from Der Spiegel also found interesting things purely by accident. The cache of documents for example contained an NSA presentation from the Center for Content Extraction (CCE, unit designator T1221) about a system to automatically sort out interesting and useful parts of intercepted phone calls.

One slide of this presentation shows an example list of some chiefs of state (cos), among which German chancellor Angela Merkel was listed. The presentation was not about actual interception operations, but did provide an indication that Merkel had been a target:

Der Spiegel published this slide on March 29, 2014 and the full presentation (pdf) was released online in June 2014. That chancellor Merkel had been a target of NSA had already been revealed in October 2013, based upon a database entry that allegedly did not come from the Snowden documents, but from another, as yet unidentified, second source.

So far, it seems that this example from the chiefs-of-state list is the only confirmation of NSA's targeting of chancellor Merkel that came from the Snowden documents. The intercepted content published by Wikileaks is also supposed to be from the second source.


Some other issues

During and after the interview, Stark, Rosenbach and Eckert were also asked about various aspects of working with Snowden Documents:

- Contrary to some claims made by the US government, there seemed to be little danger that these documents could endanger the lives of operatives or other people. The work that NSA does is highly technical and therefore the documents hardly contain any names. Most of the names they do contain are of authors, not of operative field agents.

- Eckert found it disappointing that the documents had almost no code or malware signatures in them, which could have been useful to identify hacking operations conducted by the NSA (Eckert said the XKEYSCORE rules were not included in the set she received). Again this was because the documents were often for management and training purposes and contained information on a meta level instead of actual operational details.

- The journalists were aware of the fact that these presentations had to be judged according to their intended purpose and audience and that the audio of these presentations was of course absent, although some presentations came with speaker's notes, which proved to be useful. It was also important to keep in mind that presentations will often have presented things in a positive way.

Finally, when asked about the future of the Snowden documents, the journalists thought that it could be good to make them available for scientific research, but that it's not up to them to decide. They were not in favor of making all the documents publicly available, like in the way Wikileaks used to do.

March 30, 2016

The phones of US Director of National Intelligence James Clapper

One of the key players during the Snowden affair was Director of National Intelligence James Clapper. He is responsible for coordinating all 16 American intelligence agencies, a role which is reflected by the number and the types of telephone equipment in his office.

Clapper has six phones, more than for example the director of the NSA, or the Defense Secretary. Here we will take a close look at these telecommunication devices used by the US Director of National Intelligence.

The office of Director of National Intelligence (DNI) was created in 2004, after the 9/11 Commission Report recommended a stronger and separate leadership for the US intelligence community. Before, it was the director of the CIA who acted as Director of Central Intelligence (DCI) in order to coordinate the various intelligence agencies.

Australian foreign affairs minister Kevin Rudd (right) meeting DNI James Clapper (left)
(Photo: Australian Foreign Affairs Department)

The telecommunications equipment used by DNI James Clapper can be seen in a picture from September 17, 2010, which shows his office in the headquarters building of the Office of the Director of National Intelligence (ODNI) at the Liberty Crossing compound near Tyson’s Corner, Virginia, while he was visited by the Australian Minister for Foreign Affairs, Kevin Rudd.

When we take the high resolution version of the picture above, we can see that the displays and buttons of all the phones behind the DNI's desk are blurred by a censor. Apparently there's some rule for that, because from this distance it would be impossible to read anything.

Close-up of the telecommunications equipment behind the desk of DNI James Clapper.

IST-2 phone

The first phone on the left side is an Integrated Services Telephone version 2 (IST-2), which was designed by Raytheon and subsequently manufactured by Telecore, a small company that took over the production of these devices.

The IST is a so-called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all major US command centers and many other military facilities.

Like previous red phones made by Electrospace Systems Inc. (ESI), the IST-2 makes it possible to place both secure and non-secure calls through this one single device. The phone itself has no encryption capability: any secure calls are encrypted in bulk before leaving the secure building, enclave or compound.

As part of a military telephone network, the IST-2 also has the distinctive 4 red buttons which are used to select the four levels of a system called Multilevel Precedence and Preemption (MLPP). This makes it possible to place phone calls that get precedence over ones with a lower priority.

VoIP phones

Next, there are three Cisco 7975 unified IP phones, which are among the most widely used high-end office phones. These phones have no encryption capability, but they can easily be used as part of dedicated and secure Voice-over-IP networks.

The first Cisco phone, next to the IST-2, seems to have a bright green label, indicating that it has to be used for unclassified phone calls. Probably this phone is part of the internal non-secure telephone network of the Office of the Director of National Intelligence (ODNI).

The second Cisco phone, right of the computer screen, has no recognizable label. It can be part of any secure or non-secure telephone network which DNI Clapper needs to have access to. One option could be the National Secure Telephone System (NSTS), which is used by the signals intelligence community (i.e. NSA).

The third Cisco phone has a distinctive bright yellow faceplate instead of the standard silver one. This indicates that it's part of the highly secure Executive Voice over Secure IP-network, which connects the President with senior cabinet members and some other high-level government officials.

This top-level telephone network was set up in 2007-2008. Before, the President was connected to the general military DRSN, but during the attacks of 9/11, this network turned out not to be reliable enough.

It's this bright yellow Cisco phone that shows that the Director of National Intelligence has direct access to the President. As we have seen earlier, even the director of NSA doesn't have this kind of telephone, and therefore lacks a direct line to the President.

STE phones

The last type of telephone we see in Clapper's office are two big black phones called Secure Terminal Equipment (STE). These are made by the American defense contractor L3 Communications and are highly secure devices capable of encrypting calls up to the level of Top Secret/SCI.

STE phones can be used to make secure calls to anyone with a similar or compatible device and there are an estimated 400.000 STE users. STE is the successor of the almost legendary STU-III secure phone system from the late 1980s.

These STE phones can be used for secure communications with everyone working for the US government, the military, its contractors, and also foreign partners who can not be reached through a more select secure telephone network, like the DRSN or the NSTS.


Besides the six telephones, DNI Clapper also has two videoteleconferencing (VTC) screens behind his desk. In the first picture we saw a white videoconferencing screen at the far right, and another picture, from a different angle, shows another VTC screen standing at the far left side:

A black Tandberg Centric 1700 MXP VTC screen behind DNI James Clapper.
(Photo: ODNI)

Both these VTC screens have a high-definition camera and are made by the Norwegian manufacturer Tandberg. In 2010 this company was bought by Cisco Systems, so their equipment can be safely used for classified US videoconferencing purposes.

Maybe one of the sets in Clapper's office is used for unclassified, and the other for classified videoconferencing, but it's also possible that both are used for secure video connections but at different classification levels.

At least one of the VTC screens will be used for Top Secret/SCI Videoconferencing, which is for users within the intelligence community. From within secured locations (SCI enclaves), this video feed goes over the JWICS-network, which is secured by stream-based Type 1 bulk encryption devices.


Finally, there's also one computer screen standing in the midst of the telephones. Below is a keyboard and likely there's also a KVM-switch to enable access to multiple physically separated networks through a single "Keyboard, Video and Mouse" set.

For US intelligence officials, such a KVM-switch usually provides access to NIPRNet or DNI-U (Unclassified, for general purposes), SIPRNet (Secret, for military and intelligence purposes) and JWICS (Top Secret/SCI, for intelligence purposes).

March 15, 2016

Something about the use of selectors: correlations and equations

The Snowden revelations made people familiar with what NSA calls "selectors": phone numbers, e-mail addresses and a whole range of similar groups of characters that can be used to identify a particular target.

However, very little was revealed about how exactly these selectors are used in order to pick out communications of interest. But meanwhile, declassified documents about NSA, German parliamentary commission hearings and an intelligence oversight report from The Netherlands give some details about that.

It came out that the signals intelligence agencies of these three countries (and likely many other countries too) group all selectors that belong to a certain target into sets called correlations or equations.

Wrapping individual selectors into equations makes sense, as one of the most important requirements for signals intelligence is of course knowing which phone numbers, e-mail addresses etc. a particular target uses, as often they will use many of them and change them regularly.

United States

In two recent postings on this weblog, the NSA's storage and analysis of domestic phone records under the Section 215 (or BR FISA) program was analysed. Information about this program comes almost solely from a large number of documents that have been declassified by the US government.

Among those documents is a BR FISA Review (.pdf) from 2009, in which, probably for the first time, we find the term "correlation". The report says that NSA uses correlated selectors to query the BR FISA metadata. The function of such a set of selectors is described as follows:
"If there was a successful RAS determination made on any one of the selectors in the correlation, all were considered RAS-approved for purpose of the query because they were all associated with the same [target redacted]"

RAS stands for Reasonable Articulable Suspicion, which must be determined for a certain selector, before it can be used to query the domestic telephone metadata. So, when one selector was RAS-approved, the analyst was allowed to also use all other selectors that were correlated to the same target.

This practice of what can be described as "one approved selector approves the whole correlation set" was ended when on February 20, 2009, the Emphatic Access Restriction (EAR) tool was implemented. Since then, each selector has to be individually RAS-approved before it can be used to query the metadata database.

Note that this only applied to selectors used for querying domestic phone records. As we learned from the German situation described below, NSA continued to use correlations for its foreign collection efforts overseas.
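
The difference between the two rules can be made concrete with a small audit, added here as an illustration and not taken from the BR FISA Review or any NSA system: it flags logged queries that passed only because a correlated selector was RAS-approved. The data model, function names and phone numbers are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Correlation:
    """All selectors attributed to one target (hypothetical data model)."""
    target: str
    selectors: set[str]
    ras_approved: set[str] = field(default_factory=set)


def may_query(selector: str, correlations: list[Correlation],
              per_selector_rule: bool) -> bool:
    """Decide whether `selector` may be used to query the metadata.

    per_selector_rule=False models the set-level rule: one RAS-approved
    selector approves every selector in the same correlation.
    per_selector_rule=True models the later rule: each selector needs
    its own RAS approval.
    """
    for corr in correlations:
        if selector not in corr.selectors:
            continue
        if selector in corr.ras_approved:
            return True
        if not per_selector_rule and corr.ras_approved:
            return True
    # Unknown selectors and correlations without any approval are denied.
    return False


def approved_by_association(query_log: list[str],
                            correlations: list[Correlation]) -> list[str]:
    """Logged queries that passed only because a correlated selector
    was approved, i.e. allowed set-level but denied per-selector."""
    return [q for q in query_log
            if may_query(q, correlations, per_selector_rule=False)
            and not may_query(q, correlations, per_selector_rule=True)]


# Constructed sample data: fictional 555 numbers, two targets.
CORRELATIONS = [
    Correlation("target-A",
                {"+1-202-555-0101", "+1-202-555-0102", "+1-202-555-0103"},
                ras_approved={"+1-202-555-0101"}),
    Correlation("target-B",
                {"+1-202-555-0201", "+1-202-555-0202"}),
]
QUERY_LOG = ["+1-202-555-0101", "+1-202-555-0102",
             "+1-202-555-0201", "+1-202-555-0999"]

if __name__ == "__main__":
    for q in approved_by_association(QUERY_LOG, CORRELATIONS):
        print("approved only by association:", q)
```
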

Correlation database

According to the BR FISA Review, NSA has a database that holds correlations between selectors of interest and which provides automated correlation results to analysts. So when an analyst wants to know which (other) identifiers a certain target uses to communicate, he can look that up in this database.

The name of this database was redacted, but according to its position in the review's glossary, it starts with A. The correlation database is therefore different from the OCTAVE tasking tool, which is used to activate telephony selectors on the various collection systems. Analysts can therefore decide by themselves which of the correlated selectors they actually want to task.

It's not clear though whether these correlations include both phone and internet selectors, but obviously it's useful to collect and group all kinds of identifiers used by a particular target.

Glossary of the 2009 BR FISA Review report, with
in the 4th position the correlation database


The way NSA uses correlations immediately brings to mind a practice that was revealed during hearings of the German parliamentary commission that investigates NSA spying practices. On May 20, 2015, BND employee W.O. explained that until 2012, the NSA sent its selectors to BND in the form of a so-called "equation".

According to the witness, an equation was a record that could contain up to one hundred selectors used by or related to a particular target. This large number of selectors is because the equation contains all different ways of spelling and technical encoding permutations of a selector. For one e-mail address this could for example be:
mustermann%40internet%2Eorg (HTML-Hex)
mustermann\&\#37; (multiple encodings)
mustermann\\ (UTF-16)
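
Why one address produces so many permutations can be seen by going the other way and reducing encoded variants to a single canonical form. This is an added sketch, not BND or NSA code: only the percent-encoded sample comes from the list above, the other variants are constructed, and the decoding order, the round limit and the lowercasing are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Matches literal \uXXXX escape sequences inside a string.
_U_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Assumption: more than this many nested encodings is treated as an error
# rather than decoded forever.
MAX_ROUNDS = 5


def _decode_once(s: str) -> str:
    """Apply one layer of each decoding."""
    s = unquote(s)            # %40 -> @, %2E -> .
    s = html.unescape(s)      # &#64; -> @, &#37; -> %
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def canonical(selector: str) -> str:
    """Decode repeatedly until the value stops changing, then lowercase."""
    current = selector.strip()
    for _ in range(MAX_ROUNDS):
        decoded = _decode_once(current)
        if decoded == current:
            return current.lower()
        current = decoded
    raise ValueError(f"still changing after {MAX_ROUNDS} decoding rounds")


def group_permutations(raw_selectors: list[str]) -> dict[str, list[str]]:
    """Group raw variants under the canonical selector they decode to."""
    groups: dict[str, list[str]] = {}
    for raw in raw_selectors:
        groups.setdefault(canonical(raw), []).append(raw)
    return groups


SAMPLES = [
    "mustermann@internet.org",               # plain form
    "mustermann%40internet%2Eorg",           # percent-encoded, from the page
    "mustermann&#64;internet&#46;org",       # constructed: HTML entities
    "mustermann%2540internet%252Eorg",       # constructed: double-encoded
    r"mustermann\u0040internet\u002Eorg",    # constructed: \u escapes
]

if __name__ == "__main__":
    for canon, variants in group_permutations(SAMPLES).items():
        print(canon, "<-", len(variants), "variants")
```
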

The explanation given by witness W.O. of how BND managed these NSA equations was rather confusing, but an important element seemed to be that such a whole set of selectors could be prevented from being activated, when BND rejected just one selector when using it would violate German law or German interests.

Especially for internet identifiers (like chat handles or nicknames) it can be very difficult if not impossible to attribute them to a particular country. But when an equation contains just one identifier that is easier to attribute (like an e-mail address), the whole set of selectors can be either approved or disapproved based upon the identifiable selector.

Witness W.O. contradicted himself on whether an equation contains only internet selectors, or also telephone numbers (with wildcards and blanks), but on September 24, 2015, witness D.B. said that equations were only used for NSA internet selectors.

Splitting up

W.O. also explained that until 2012, the NSA sent its selectors in the form of equations. When BND rejected one selector from such an equation set, BND employees in Bad Aibling had to ask NSA to remove that number from their equation, or else the other selectors in that equation were rejected too.

Since 2011, these equations were split up and phone and internet selectors were each put in separate databases, which apparently made it possible to reject individual selectors. Afterwards, the computer system reassembles the selectors into their proper equations again, which can now have for example a rejected phone number alongside an approved e-mail address. But if one of them is disapproved, the whole equation will not be forwarded to the collection system.

This explanation by witness W.O. is rather puzzling because the situation before and after 2011/2012, and before and after splitting up the equations seems to be the same: in both cases all selectors from an equation are rejected when just one of them was disapproved.

It seems therefore that splitting up the equations had another purpose, but that didn't become clear from the commission hearings. The commission members often had difficulties in understanding these technical issues and were then hardly able to ask the witnesses the questions that could bring clarity.

Maybe the splitting up only meant separating telephone and internet selectors, as from the report of a special independent government investigator it did become clear that NSA provided a description or a justification for every single telephone selector, but that justifications for internet selectors weren't available for BND personnel.


There's similar confusion about the internal BND investigation into the selectors provided by the NSA. Witness D.B. explained that when in August 2015, Dr. T. investigated suspicious NSA internet selectors, he was not given them in the form of equations, but as separate, individual ones.

Apparently D.B. suggested that this was the reason that Dr. T. found so many selectors that could not be identified: they were separated from correlated ones that could have made them easier to identify. But why separate these selectors when that rips them from elements that attribute them to a certain target and/or a particular country?

BND selectors

What is said before is only about the selectors that were provided by NSA, in order to be tasked on the satellite collection system operated by BND in Bad Aibling. Besides these, BND of course also has its own selectors.

During the hearing from January 28, 2016, witness D.B. was asked whether BND's own selectors were also grouped into equations. D.B. explained that BND doesn't use the term equation, but that its central tasking database system PBDB holds multiple selectors for a certain target, with multiple permutations for each selector (German: Telekommunikationsmerkmal or TKM).

The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)

The Netherlands

In the Netherlands, a report (.pdf) from last February by the intelligence oversight commission CTIVD advised the General Intelligence and Security Service AIVD to consider using some kind of correlations or equations for its bulk collection efforts too.

The report reveals that currently, the AIVD uses a list (Dutch: kenmerkenlijst) containing all selectors, like phone numbers, e-mail addresses and keywords, used for specific operations. For most of these selectors, the list contains a short justification for why it was put on this list, with a reference to an underlying document. Earlier, the commission found that too often, these justifications were too short, not related enough to the target, or even absent.

According to the commission, it would be better if the AIVD provided a justification for each targeted person or organisation, instead of for every single selector. Often, one target will use multiple phone numbers and e-mail addresses. Grouping them by target and providing a justification for that target would therefore also reduce the length of the list.

This approach is already used by AIVD when it comes to targeted interception.

February 26, 2016

A look at the latest French laws on intelligence collection

For the second time we have an article written in cooperation with the French weblog about intelligence and defence Zone d'Intérêt:


Over the last year, the French parliament passed new laws granting additional powers to intelligence services regarding interception of communications and data requests. This is part of a broader reform aimed at creating a legal framework for intelligence practices which were not formally authorized by law before 2015. In the press, it was said that these laws allowed sweeping new surveillance powers, legalizing highly intrusive methods without guarantees for individual freedom and privacy.

This article will focus on the provisions related to communications intelligence (COMINT), including targeted telephone tapping (lawful interception or LI), metadata collection and data requests to internet service providers (ISPs). Targeted interception of the content of internet communications is not regulated by these new laws, but only by older decrees which are still a bit unclear. The new laws are only about collecting the metadata of internet communications.

In France, communications interception is authorized under two distinct frameworks:
- Judicial interceptions ordered by a judge of inquiry (juge d'instruction) during a criminal investigation. These interceptions can be done by the police, the gendarmerie (a military force charged with police duties) and by the security service DGSI.

- Administrative interceptions, also known as security interceptions, which are requested by both the domestic security and the foreign intelligence services.

Administrative interceptions are approved by the Prime Minister for various motives, such as defending and supporting major national interests including national defense, foreign policy interests, economic and industrial interests, or preventing terrorism and organized crime. Whereas the United States strongly denies conducting commercial espionage in the sense of stealing trade secrets for the benefit of individual companies, France is known for being less strict on this.

Diagram of the various interception capabilities of French intelligence

The main French security and intelligence services are:
- Direction Générale de la Sécurité Intérieure (DGSI), which reports to the Interior Ministry and is responsible for domestic security. It has some 3500 employees and an annual budget of 300 million euros. DGSI was formed in 2008 through the merger of the Direction Centrale des Renseignements Généraux (RG) and the Direction de la Surveillance du Territoire (DST) of the French National Police.

- Direction Générale de la Sécurité Extérieure (DGSE), which reports to the Minister of Defence and is responsible for collecting foreign intelligence on civilian issues and also performs paramilitary and counterintelligence operations abroad. DGSE is responsible for both HUMINT and SIGINT.

- Direction du Renseignement Militaire (DRM), which reports directly to the Chief of Staff and to the President of France as supreme commander of the French military. DRM is responsible for collecting military intelligence in support of the French armed forces.

- Direction de la Protection et de la Sécurité de la Défense (DPSD), which is also part of the Ministry of Defence. DPSD is responsible for the security of information, personnel, material and facilities of the armed forces as well as the defence industry.

Headquarters of the French foreign intelligence agency DGSE in Paris

A special advisory commission on intelligence activities

The French laws, such as Loi n° 2015-912 and Loi n° 2015-1556, from July and November 2015, grant the Prime Minister full authority to order and approve intelligence activities both domestic and foreign. Each collection request is sent by the intelligence service director to its parent ministry and to the Prime Minister, who gives final approval. An advisory commission known as the CNCTR (Commission Nationale de Contrôle des Techniques de Renseignement, or National Commission for the Control of Intelligence Techniques) is kept informed of all requests for oversight purposes.

In most cases, before the Prime Minister can approve a request, this control commission must receive information related to its approval, including the request justification, the identity and location of the targeted individual, or any other identifying information (occupation, username, etc.) when his identity is unknown.

The CNCTR consists of nine members: four from the Parliament, two from the Council of State, two from the Court of Cassation, and one appointed telecommunications expert. This commission is considered an "Independent administrative authority": it is neither part of the Parliament, even though members of Parliament are among its members, nor part of the judicial branch, even though some of its members are magistrates.

The CNCTR only holds advisory power, as it cannot stop any decision from the Prime Minister regarding data requests or intelligence collection. The commission can express disapproval of a collection request, but the Prime Minister can overrule this advice and still authorize intelligence collection.

The CNCTR can access all transcripts and logs from intelligence collected under the Prime Minister's authority, but it cannot compel any intelligence service to provide documents or information, and it cannot investigate any irregularity on its own. However, it can express recommendations regarding intelligence procedures and bring any irregularity to the Council of State. All debates inside the commission, as well as all its communications with the Prime Minister and intelligence services, are classified.

A special status has been granted to journalists, lawyers and members of parliament, as when intelligence requests apply to them, the CNCTR must be informed just before collection starts so it can state whether the collection is necessary and proportionate. The CNCTR must also receive transcripts of the intercepted communications afterwards. The difference with regard to eavesdropping operations against regular citizens is that for them, CNCTR can access the transcripts if it asks for them, while for the privileged professions, CNCTR must receive and review them.

In theory, any individual living in France or abroad can ask the CNCTR to check if he has been placed under surveillance following proper procedure. The control commission must check for any irregularity, but can neither confirm nor deny to the individual that he has been placed under such surveillance. The commission only states that proper verification has been made, and if any irregularity is detected it can report it to the Council of State.

Headquarters of the French domestic security service DGSI in Paris
(Photo: Bertrand Guay/AFP)

New provisions for domestic intelligence collection

This section applies to all main intelligence services such as DGSI, DGSE and DRM. DGSE is a foreign intelligence service, which is not supposed to operate on French territory, but it is authorized to request data and intercept domestic communications. DGSE holds most technical capabilities for decryption and high-end communications collection and provides other agencies, such as DGSI or DRM, with technical means and expertise in this regard.

A recent decree provided authority to more than twenty police and gendarmerie services, some of which are not officially intelligence services, to intercept communications and request data, mostly for counterterrorism purposes. Allowing police services to collect communication intelligence is a shift from older French habits, which the French government justified by the ongoing terrorist threat.

As in most countries, French law provides higher privacy protection to its own citizens and to people communicating from France than to people communicating from abroad, who receive little legal protection against intelligence collection. Intelligence collection under the Prime Minister's approval may apply to all electronic means of communication traced to a targeted individual, from mobile phones to landlines, to all metadata from his internet service provider, and even metadata from online services.

In France, telephone companies, ISPs and online service providers can be compelled to provide a wide range of metadata regarding a targeted user, including: technical data related to the identification of connection or subscription numbers (phone numbers, IP addresses, etc.), a list of all connection or subscription numbers linked to a targeted individual, location data of all devices traced to a targeted individual, and call detail records (CDR).

Under the Prime Minister’s authority, telephone companies can be compelled to cooperate with intelligence services conducting targeted phone call interceptions. French intelligence services are not supposed to carry out interceptions on their own, but have to go through a dedicated government technical agency called GIC (Groupement Interministériel de Contrôle or Interministerial Control Group).

The GIC operates under the Prime Minister's direct authority, receiving approved requests and ordering telephone companies and ISPs to provide information or access to their networks for interception. Providers compelled to cooperate are forbidden to reveal any information related to interceptions or data requests, or to inform their users they have been targeted. Provider personnel refusing to cooperate could be sentenced to a 150,000 € fine and up to two years of imprisonment.

The parliament recently authorized intelligence services to use devices such as IMSI-catchers to identify and locate mobile phones or computers linked to targeted individuals. Intelligence services can only use IMSI-catchers to collect metadata, and all collected data unrelated to specified targets must be destroyed.

Regarding domestic communications, voice communication recordings must be destroyed 30 days after collection, but transcripts can be kept "as long as necessary" by intelligence services. Metadata requested from ISPs and telcos can be stored up to 4 years. Intercepted communications that are encrypted can be stored up to 6 years.

The French satellite intercept station at the Tontouta naval air base
near Noumea on the main island of New Caledonia
(Photo: Google Earth)

A loose framework for the surveillance of foreign communications

Fewer restrictions apply to the surveillance of foreign communications, whether collected by the domestic security service DGSI, the foreign intelligence service DGSE or one of the military agencies.

The Prime Minister issues broad authorizations to intelligence services to monitor and collect communications, either for whole geographical regions, countries, organizations or individuals. The Prime Minister specifies which types of communication networks can be targeted for collection. These authorizations last for 4 months, but they can be renewed without restriction.

Foreign intercepted communications can be kept for 1 year after processing, or up to 4 years after collection. Collected metadata can be stored for 6 years. Encrypted data can be stored for up to 6 years after decryption, or up to 8 years after it has been collected. With these retention periods, French law is stricter than, for example, American law, which allows NSA to store encrypted data for an unlimited period of time.

From French territory

The law on surveillance of foreign communications only applies to communications between users who are outside of France, but which are collected from French territory. Here it should be noted that many former French colonies spread around the globe are also considered part of French territory, and French law applies there, especially as this is stated in the latest intelligence laws.

This means that these laws not only apply to data collected from major fiber-optic cables and satellite intercept stations inside France, but also to those from the overseas satellite stations like those in French Guyana, on the island of New Caledonia in the South Pacific and on Mayotte in the Indian Ocean - providing French intelligence with a global SATCOM coverage probably second only to that of the Five Eyes partnership. After ECHELON, this French network was dubbed FRENCHELON.

If data is collected under the foreign communications status, but is then traced back to domestic communications (call number or subscription located in France), it can be processed only if approved under the domestic communications framework, or it must be destroyed within 6 months.

The DGSE satellite intercept station near Kourou in French Guyana,
which was built in cooperation with German BND
(Image: Google Maps)

Outside French territory

Intelligence collection conducted by French intelligence services outside of France is not restricted by law. Because the overseas satellite stations are considered to be on French territory, this situation only applies to, for example, covert eavesdropping operations in foreign countries, as well as to tactical SIGINT collected through land, sea and airborne platforms during military operations abroad. French armed forces are based in countries such as Mali, Gabon, Djibouti and the UAE. This will mainly result in communications collected for military purposes.

While this kind of collection is not regulated by law, it will be limited by the available resources and the specific goals set by the government in the annual PNOR (Plan National d’Orientation du Renseignement or National intelligence orientation plan), a classified document sent to the chiefs of intelligence services and to the parliamentary delegation for intelligence (DPR - Délégation Parlementaire au Renseignement), which only receives a redacted version of this document.

A French army vehicle for collecting tactical SIGINT and ELINT in Afghanistan

Automated bulk metadata collection

In July 2015, a law introduced a new automated bulk metadata collection system against terrorism. The Prime Minister can order French internet service providers to add specified metadata collection and filtering systems to their networks. He can issue such orders for 2 months, and they can be renewed without restriction. Data collected on ISP networks can be stored up to 60 days, and would be filtered and processed by government-issued algorithms to detect terrorism-related threats. If such a threat is detected, the Prime Minister can compel ISPs to identify related users.

The development of threat-detection algorithms, and their so-called "black boxes", should be done under supervision from the CNCTR. However, providing oversight at the hardware and software level could be very tricky and difficult, especially as algorithms would be updated and modified very regularly and it would also require specialized knowledge of such internet filter systems.

The scope and purpose of this metadata provision is largely a mystery. At first sight it may look similar to what NSA did by collecting domestic telephone records in order to find unknown terrorist associates by contact chaining. But if that was the purpose of this French law too, then it would have been much easier to order the ISPs to hand over their metadata in bulk, just like it happened in the US.

Actually, French telecommunications and internet service providers already have to store their customers' metadata for at least one year under the EU data retention directive. Moreover, a French legal decree even requires web hosting companies, like Facebook, Google and Amazon, to store their user data for at least one year and provide it to government authorities at their request. However, these metadata may only be used for targeted investigations, as intelligence services must provide specific requests to ISPs and web hosting companies with either the full name of a target, its user name, IP address or other identifying information.

It seems that installing "black boxes" at ISP networks serves the bulk collection of smaller sets of data: they filter traffic using specific threat-detection algorithms, so they will likely only pull in those metadata that match certain communication patterns and routines, based on digital forensics from counterterrorism investigations. The metadata would then be used to identify the users showing such patterns.

Given the very high data rates of traffic passing internet service providers, such filter systems are very expensive and ISPs generally don’t like external systems to be plugged into their networks. That makes it surprising that the orders for installing them are valid for just 2 months, and although they are renewable without any limitations, it’s not clear whether these "black boxes" would be removed from ISPs' networks at the end of each order, or if they would only be turned off until further notice.

Cyber defense

Interestingly, filtering internet traffic using threat-detection algorithms sounds very much like detecting and preventing malware and cyber attacks. But except perhaps for a case in which a terrorist group would conduct cyber attacks, the law precisely states that this "black box" metadata filtering and collection system can only be used to detect terrorist threats. It cannot be used for any other purpose, including cybersecurity, counterintelligence or criminal investigations.

Nonetheless, the cyber domain did receive special attention from French lawmakers in the latest regulations on intelligence. All collected intelligence which is related to cyber attacks can be stored indefinitely for technical analysis. In addition, all penalties for computer hacking and cyber-related crimes have been doubled as part of the new Law on Intelligence passed in July 2015. This fits a general shift of intelligence agencies towards "cyber", as for example in the US, cyber threats replaced terrorism as top priority for the intelligence community since 2013.
