May 12, 2015

German BND didn't care much about foreign NSA selectors

(UPDATED: May 25, 2015)

Over the last couple of weeks, the German foreign intelligence agency Bundesnachrichtendienst (BND) was accused of helping the NSA by carelessly or even deliberately entering selectors used for spying on foreign targets in the German satellite interception system at Bad Aibling.

Here, recent outcomes of the German parliamentary inquiry are combined with information from the various press reports, in order to provide a more integrated picture of what happened over the past years.

It becomes clear that BND did everything that seemed reasonable to prevent German data from being passed on to the Americans, but that it didn't really care about whether NSA collected communications from other European countries.

We also learned new things about the selectors that are used for filtering the communications traffic, but it's still not fully clear to what extent BND is able to prevent German internet data being collected.

Information from the parliamentary inquiry hearings is derived from the live blog provided by the German digital rights website Netzpolitik.org.

The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)

The context

This latest affair started on April 23, when the German magazine Der Spiegel reported that NSA apparently spied upon European and German targets for years, with the knowledge of the German foreign intelligence agency BND.

Other news reports inflated this to BND deliberately helping NSA in spying on these targets illegally, which led opposition leaders to accuse the German government of treason. This was despite the fact that by then there was no clear evidence, only sometimes confusing and not always very accurate press reports.


Committee hearings

Meanwhile there's somewhat more clarity, also because last Thursday, May 7, the parliamentary committee investigating NSA spying and cooperation with BND (German: NSA UntersuchungsAusschuss, NSAUA) questioned the BND employees R.U., D.B. and Dr. M.T. (initials not of their real names, but of cover names!) who were involved in this issue.

The day before, May 6, the regular parliamentary intelligence oversight committee (Parlamentarisches KontrollGremium, PKGr) heard in a classified meeting BND president Gerhard Schindler and Thomas de Maizière, currently the Interior Minister, but previously responsible for intelligence affairs at the Chancellery.

Update:
On May 20, the NSAUA committee heard three additional BND employees, and on May 21, also Hartmut Pauland, the former head of BND's SIGINT directorate, and BND president Gerhard Schindler. They provided interesting and clarifying details which are added to this article and are marked "Update #2" and "Update #3" respectively.

BND president Gerhard Schindler just before he testified before
the parliamentary investigation committee on May 21, 2015



The cooperation between NSA and BND

The cooperation between NSA and BND which is at stake here, started with a Memorandum of Agreement (MoA) signed on April 28, 2002, in which both parties agree on joint espionage areas and targets, such as counter-terrorism, the battle against organized crime and against proliferation of weapons of mass destruction.
Update #3: This Memorandum, classified as Top Secret, is an extensive document, with 5 annexes, describing in detail the regions that should and should not be monitored. For reasons unknown, and also unknown to current BND president Schindler, these guidelines were never converted into internal regulations for the personnel that had to work on this.

Two years later, NSA abandoned its Bad Aibling Station for satellite interception, which under the codename GARLICK was part of the ECHELON network. Most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to BND.

In return, BND had to share the results from its satellite collection with the NSA. For this cooperation the Joint SIGINT Activity (JSA) was set up, consisting of personnel from both NSA and BND. The Americans provided most of the equipment. The JSA was located at the nearby Mangfall Barracks and was closed in 2012.

Besides the satellite interception, Bad Aibling was also involved in cable tapping, but only for operation Eikonal (2004-2008), which was limited to cables from Deutsche Telekom in Frankfurt.



Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".

Selectors

For the satellite interception in Bad Aibling, initially some 4 out of 5 selectors came from the Americans, the rest were German (currently still 4:1). NSA started providing the Germans with telephony selectors in April 2005, followed in 2007 with selectors for IP communications. Most of them were related to Afghanistan.

According to Süddeutsche Zeitung, NSA provided BND with roughly 690.000 phone numbers and 7,8 million internet identifiers between 2002 and 2013. That is an average of something like 60.000 phone numbers and 700.000 internet identifiers a year, or 164 phone numbers and over 1900 internet identifiers each day.

Just recently, BND found two additional selector databases in the legal division of its SIGINT directorate: one containing some 400.000 selectors from early 2005, including some related to European governments, but it couldn't be determined whether selectors were rejected.

A second database contains 59.000 selectors from September 2006 till early 2008. 400 were marked as disapproved. Both lists contain phone and fax numbers as well as e-mail addresses, but no IP addresses. They don't include German companies or phone numbers starting with the German country code 0049.

Such selectors generally include phone and IMEI numbers, e-mail, IP and MAC addresses of computers and tablets, but also other kinds of internet identifiers, like names, nicknames and chat handles. These are called "hard selectors". It is not known whether "soft selectors" like keywords or maybe even cookies and malicious code signatures were also used in this cooperation.

Update #2: To the surprise of the committee, witness W.O. testified that the term "IP selectors" does not include IP addresses, but denotes e-mail addresses and other internet communication identifiers, for example for messaging.

In general, for one target there are multiple selectors (German: Telekommunikationsmerkmale (TKM)) like phone numbers or e-mail addresses. For the latter there can be multiple permutations, like the use of "%20" instead of a dot. The witness never saw the use of wildcards, like *@example.com.

Already in 2005, there were separate databases for phone and internet selectors, which had been newly set up in 2001. All selectors were first put in the database, and after they were checked, the ones that were rejected were marked as inactive. So with all the old selectors staying in, and more and more new selectors coming in, the database expanded rapidly.

Until 2012, the NSA sent the selectors in the form of a so-called "equation", which appears to be a record containing a name, a phone number and an e-mail address. An equation can contain up to one hundred selectors used by or related to a particular target. Besides phone numbers and e-mail addresses, an equation also contains the different ways of spelling and technical permutations thereof.
Update #3: According to president Schindler, e-mails can have up to 20 permutations, each of which is a separate selector, which explains the large numbers. He gave the example of gerhardschindler, gerhard.schindler, etc. However this seems a simplification, as such variations can of course belong to different persons with the same name.

Because of this, when BND rejected, say, a phone number, BND employees in Bad Aibling had to ask NSA to remove that number from the equation, or else the other selectors in that equation were rejected too. It's always the full selector profile that has to be activated for collection. Because of this, until 2011 NSA saw all the selectors that were rejected by BND.

As of 2011 these equations were split up and phone and internet selectors were each put in separate databases. This made it possible to reject individual selectors. Then the computer system combines these parts to their proper equations, which can now have for example a rejected phone number alongside an approved e-mail address. But if one part is disapproved, such an equation will not be forwarded to the collection system.

 
How BND checks NSA selectors

The selectors provided by NSA were picked up by BND employees at Bad Aibling from an NSA server a few times a day. Initially their number was not very large. They came for example on Excel sheets which were checked manually at Bad Aibling.
Update #2: This check was only for the so-called G10-compliance, which means that selectors related to German citizens and corporations were taken out. Somewhere in 2005, BND also began to check for German interests; what that meant was determined by unit T2AB, which conducts these selector checks.

Apparently talking about the Eikonal operation, witness D.B. explained to the committee that in the testing phase, one BND employee did this on his own, which led to a delay of one day. In 2007 NSA wasn't satisfied with that and wanted the results in real-time.

 
3-stage filtering: DAFIS

Later, the number of selectors increased to a level that couldn't be checked by hand anymore. A new procedure was set up, in which, since June or August 2008, Bad Aibling personnel sent over the selectors to unit T2AB at the BND headquarters in Pullach once a week, without further inspection (until 2011 there was also a rarely used manual Emergency Approval).

At the headquarters, the selectors are checked in an automated process of 3 stages called DAFIS (probably the abbreviation of DatenFilterSystem):

1. A negative filter which filters out e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

2. A positive filter consisting of a list of German citizens, for example businessmen, journalists, but also jihadis using foreign phone numbers and e-mail addresses. This is a relatively large list of a few thousand numbers that will also not be monitored.

3. A filter to sort out selectors that collide with German interests. Witnesses heard by the committee wouldn't publicly explain how this works, but maybe in this stage selectors for European military contractors in which Germany participates (like EADS and Eurocopter) are filtered out.
Update #3: Former SIGINT director Pauland confirmed that this stage includes names of companies (also from other European countries when there's a German participation), but also names of German politicians (although not the names of the chancellor, members of parliament and EU commissioners), and newly added top level domains and country codes are blocked here too. These names were not added systematically. The DAFIS filter system is used for all collection facilities. For metadata this filter is applied after they have been collected from specific links.

The only regular manual check is for false positives, because for example SIM cards can have an IMEI number that also starts with 49 (the telephone country code for Germany).

Although this filtering was considered 99,99% accurate, the witness R.U. admitted in the hearing on May 6 that this method is not always able to prevent German communications being intercepted, for example when a German citizen uses an Afghan phone number and/or is calling locally in Afghanistan. Such numbers would not be rejected for tasking, and there's also no system that filters out spoken German language.
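To make the mechanics described in the "Selectors" section (equations that are withheld as a whole as soon as one part is disapproved, and a repository of rejected selectors that catches re-sent ones) and the three DAFIS stages above concrete, here is an added Python reconstruction. It is not BND code: the filter lists, the stage names and the sample selectors are constructed for the example, and routing an IMEI that begins with 49 to manual review instead of rejecting it is an assumption drawn from the false-positive remark above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Stage 1, negative filter: German top-level domain and telephone country code.
GERMAN_TLD = ".de"
GERMAN_PHONE_PREFIXES = ("0049", "+49")

# Stage 2, positive filter: foreign identifiers known to be used by Germans.
# Constructed sample entries; the text says the real list holds a few thousand.
POSITIVE_LIST = {"0093700123456", "redgoose1432@hotmail.com"}

# Stage 3, "German interests": constructed sample terms matched as substrings
# (companies with German participation) plus later-blocked extensions.
GERMAN_INTEREST_TERMS = ("eads", "eurocopter")
BLOCKED_TLDS = (".eu",)

IMEI_RE = re.compile(r"^\d{15}$")  # an IMEI is 15 digits without a prefix


@dataclass
class Verdict:
    selector: str
    kind: str                    # "phone", "imei" or "email"
    stage: Optional[str]         # stage that rejected it, None when approved
    manual_review: bool = False  # flagged for the false-positive check


def normalize(selector: str) -> str:
    """Strip spacing and punctuation so permutations compare equal."""
    return re.sub(r"[\s\-()]", "", selector).lower()


def classify(sel: str) -> str:
    if "@" in sel:
        return "email"
    if IMEI_RE.match(sel):
        return "imei"
    return "phone"


def check_selector(selector: str, rejected_repo: Set[str]) -> Verdict:
    sel = normalize(selector)
    kind = classify(sel)
    # Ablehnungsdatei: a selector rejected earlier is sorted out again at once.
    if sel in rejected_repo:
        return Verdict(sel, kind, "ablehnungsdatei")
    # Stage 1: .de addresses and 0049 / +49 numbers.
    if kind == "email" and sel.endswith(GERMAN_TLD):
        return Verdict(sel, kind, "stage1-negative")
    if kind == "phone" and sel.startswith(GERMAN_PHONE_PREFIXES):
        return Verdict(sel, kind, "stage1-negative")
    # An IMEI can also begin with 49 although it is not a German number:
    # assumed here to go to manual review instead of being rejected.
    if kind == "imei" and sel.startswith("49"):
        return Verdict(sel, kind, None, manual_review=True)
    # Stage 2: foreign identifiers used by German citizens.
    if sel in POSITIVE_LIST:
        return Verdict(sel, kind, "stage2-positive")
    # Stage 3: German interests (company names, blocked extensions).
    if any(term in sel for term in GERMAN_INTEREST_TERMS) or (
            kind == "email" and sel.endswith(BLOCKED_TLDS)):
        return Verdict(sel, kind, "stage3-interests")
    return Verdict(sel, kind, None)


def check_equation(selectors: List[str],
                   rejected_repo: Set[str]) -> Tuple[bool, List[Verdict]]:
    """Check one target profile ("equation") and update the repository.

    Returns (forward, verdicts). forward is False as soon as one part is
    disapproved, because such a profile is not sent to the collection
    system; the rejected parts are stored for recognizing re-sent ones.
    """
    verdicts = [check_selector(s, rejected_repo) for s in selectors]
    for v in verdicts:
        if v.stage is not None:
            rejected_repo.add(v.selector)
    forward = all(v.stage is None for v in verdicts)
    return forward, verdicts


if __name__ == "__main__":
    repo: Set[str] = set()
    # Constructed sample profile: a German number, a foreign address, an IMEI.
    sample = ["+49 170 1234567", "analyst@example.com", "490154203237518"]
    ok, results = check_equation(sample, repo)
    for r in results:
        print(r)
    print("forwarded:", ok)
```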


How to determine nationality?

During an earlier hearing, BND lawyer Stefan Burbaum said that in rare cases a conversation first had to be collected and listened to in order to determine whether the contents are under constitutional protection or not.

Likewise it is impossible to determine the nationality of the person using an e-mail address like for example "redgoose1432@hotmail.com" without further circumstantial information. Even the content isn't always decisive.

We know that NSA analysts have to determine a "foreignness factor" for every selector, to exclude that it belongs to an American. For BND however it's impossible to automatically check whether such a mail address could belong to a German.

Witness R.U. pointed out that such cases are rather speculative, because generally selectors like phone numbers are only tasked when they have a connection to a known suspect or target.

Update #3: Former SIGINT director Pauland said that selectors can be attributed to a particular country by for example a telephone country code, the extension of an e-mail address, a mobile phone cell-ID, or the IP address which is contained in metadata of certain messenger services.
He also explained that metadata include all data that are not content: not only an address, but also technical data that are generated automatically, and they can also include browser-specific features like the language.


How to check internet selectors?

During most of the hearings for the parliamentary inquiry, the witnesses mainly spoke about (selectors for) intercepting telephone calls, and they weren't questioned about how internet communications are filtered.

This seems to be a missed opportunity, because for the latter it is much more difficult to sort out domestic communications. Phone numbers always start with a country code, but on the internet people use many kinds of identifiers that are not easily attributable to a specific country.

It would have been interesting to know how BND thinks it can prevent, for example, MAC addresses of devices used by Germans from being monitored, or to what extent it is possible to determine the nationality of people behind nicknames. This is important, not least because there are far more selectors for IP traffic than for telephony.

Update #2: The way this is done became more clear during the hearings of May 20 and 21, when we learned that selectors come in "packets" that seem to include all known selectors for a particular target.
Witness W.K. for example explained that for each target, there are multiple selectors, so when at least one selector can be attributed to a specific country, that also applies to the other selectors.


Positive filtering

It seems that BND tries to solve this issue with the positive filter, using a list of foreign identifiers used by German citizens. However, keeping such a list up-to-date would almost require an intelligence operation itself, but maybe they take a shortcut by requesting the phone numbers and e-mail addresses of Germans abroad from for example the foreign ministry, chambers of commerce and press organisations.

This seems doable for Germans, but it's obvious that this is impossible for companies and citizens from other European countries. This explains why apparently some NSA selectors for European companies made it through BND's selection system.


Economic espionage?

This doesn't automatically mean NSA was conducting (or trying to conduct) economic or industrial espionage. According to Süddeutsche Zeitung, there are only very few indications for that. The paper says NSA was mainly interested in certain companies because it was looking for illegal (arms) exports.

For example, the e-mail address of an Airbus employee who was probably targeted by NSA, reportedly belongs to someone who is responsible for applying for arms export licences, which shows that targeting commercial companies can very well have valid foreign intelligence reasons.

On May 13, the head of Germany's domestic security service BfV, Hans-Georg Maassen, said that he has no evidence that the United States carried out industrial espionage in his country. The same was said by BND president Schindler, when he testified before the parliamentary commission on May 21, 2015.

An operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter)


 
Discovery of suspicious selectors

Already in 2005, a BND employee discovered that among the selectors provided by NSA (at that time also used for the cable tapping under operation Eikonal), there were identifiers for the European defense contractors EADS and Eurocopter (both now part of Airbus Group).

These companies have no protection under the German constitution, but it was considered that such information shouldn't be forwarded automatically. Selectors for French government officials were discovered somewhat later, according to witness D.B. on May 7.

Then in 2008, a BND official informed the Chancellery that NSA was apparently going after its own interests in Europe too. At least by then, BND started sorting out suspicious NSA selectors and put them in a separate database. Only in 2010 and 2011 were three suspicious findings from 2005, 2006 and 2007/2008 reported to the BND top management.


Storing rejected selectors

The check on the selectors took place at BND headquarters, but after that, they were sent back to Bad Aibling, where they were either entered into the collection system or stored in the rejected selectors repository (German: Ablehnungsdatei).
Update #3: Actually there are two separate tasking systems: the main system is for BND's own selectors, and another, unique one, is for the selectors from NSA. The latter is only used in Bad Aibling, the main system is used at all BND collection facilities, so in Bad Aibling there were two separate tasking systems.

Although it could be interesting to know what NSA looks for but didn't pass BND filters, witness D.B. said this database isn't routinely looked at. He also said that NSA is informed about the selectors that have been rejected, which was apparently no problem for them.

Storing the rejected selectors was said to be useful because when NSA sends a suspicious selector again, it can be sorted out by checking against this list. Approved selectors are also sometimes marked as inactive, for example when a foreign extremist travels into Germany. Then BND monitoring has to stop, but when he leaves the country, the selector is activated again.

Overview of the dataflow for the NSA-BND cooperation at Bad Aibling


40.000 rejected selectors

Until 2013, the Ablehnungsdatei was filled with up to 38.000 NSA selectors which therefore didn't make it into the collection systems. With the 2000 selectors sorted out by Dr. T. (see below) this makes the number of 40.000 selectors the press reported about, which is about 0,47% of the total number of selectors provided by the Americans.

Initially, Der Spiegel reported that these 40.000 were found through an investigation in the Fall of 2013, suggesting they had been active all the time and that thereby, BND enabled NSA to illegally spy on some 40.000 targets.

Given the criteria of BND's 3-stage filter system, these 40.000 must include NSA selectors that either have a German country code, a foreign identifier used by a German citizen or entity, or a match with the mysterious "German interests" criteria.

We don't know how many selectors were rejected at each of these stages, but we can assume that in a number of cases NSA did send identifiers for targets that were recognizable as German. For selectors rejected in the second stage, NSA may not have known that a particular identifier was used by a German, something that BND could probably find out more easily.

We also don't know how these 40.000 are divided among phone and internet selectors, which can also make a big difference, as it is much easier to attribute phone selectors to a particular country than it is for internet identifiers. Opposition leaders are demanding that the parliamentary investigation committee can see the list, but the government said they are still negotiating with NSA about this.

Update:
On May 15, 2015, Der Spiegel reported that it seems some 25.000 of the 40.000 rejected selectors had been active. It's not clear yet how this was possible, nor when and for how long.

Office room in the former BND headquarters in Pullach, used by
an employee who clearly is a hardcore fan of Elvis Presley
(Photo: Martin Schlüter)


Investigating active selectors

Early August 2013, just a few months after the start of the Snowden revelations, BND Unterabteilungsleiter D.B. asked technical employee Dr. M.T. to take a look at the active NSA internet selectors to see what types of identifiers they contain and whether it could be determined what regions (Interessensschwerpunkte) NSA was interested in. This was the first systematic check since 2005(!).

For that, Dr. T. was provided with a copy of the database containing all selectors used in Bad Aibling. This database copy was stored on a separate computer, because ordinary work stations couldn't process such a large dataset.

To his surprise, he found selectors that seemed politically sensitive. This investigation took about four weeks and resulted in some 2000 suspicious selectors. Dr. T. put them in a separate database, of which a single copy was printed out. These selectors were still active at that time, unlike the 38.000 which were prevented from being activated.

His copy of the database containing all selectors was deleted after the job was done. The one with the 2000 sorted out by Dr. T. could not be found again after he had returned the dedicated computer, and neither could the list that had been printed out.
Update #3: Apparently, 40% of the selectors investigated by Dr. T. could not be attributed to a specific country.

Overview of the BND employees involved in the affair of the NSA selectors


Suspicious selectors deactivated

Immediately after finding suspicious selectors, Dr. T. informed his superior Referatsleiter H.K., who reported this to Unterabteilungsleiter D.B. Around mid-August 2013, D.B. called the unit in Bad Aibling and ordered Dienststellenleiter R.U. to deactivate (although press reports call it "delete") the suspicious selectors in the phone and internet tasking databases (Steuerungsdatenbanken) and put them in the Ablehnungsdatei.

Meanwhile, D.B. had received the printed list with the 2000 selectors, consisting of a large number of sheets of paper, from Dr. T., and he sent this list to R.U. by courier. Using some specific criteria, it was then possible to remove the suspicious selectors. Strangely enough, D.B. thought all this not to be relevant enough to report to the BND president or to the Chancellery.

Der Spiegel reported that in the hearing behind closed doors on May 6, BND president Schindler said that the list of 2000 selectors almost exclusively contains e-mail addresses, not of companies, but mainly of European politicians, EU institutions and government agencies.

The reason for this result is clear now: e-mail addresses because Dr. T. only investigated internet selectors, and of European governments because BND didn't filter those out - according to BND president Schindler because they expected that NSA would comply with the Memorandum of Agreement, that prohibits selectors for European targets.

At least the fact that the list contains no German addresses seems to confirm that preventing German selectors from being monitored was successful, and that therefore there's no evidence that BND helped NSA in spying on German citizens, corporations or government officials.


Another investigation?

According to a report by Der Spiegel, BND employee R.U. was instructed on August 14, 2013 to "delete" some 12.000 search terms. These were apparently the outcome of an investigation in which BND's database with NSA selectors had been searched using terms like "gov", "diplo" and "bundesamt" (initially in some press reports erroneously presented as search terms provided by NSA).

This search had resulted in 12.000 hits (which doesn't necessarily mean an equal number of selectors). The tabloid paper Bild am Sonntag reported that e-mail addresses containing the term "bundesamt" were targeted against Austrian government agencies and appeared in over 10 NSA selectors.

However, during the parliamentary inquiry, witness Dr. T. said that the three search terms mentioned by Der Spiegel and the number of 12.000 had nothing to do with his investigation. It's therefore unclear whether there was a second investigation, or that the press has mixed things up.

Update #2: During the committee hearing of May 20, it was confirmed that there was indeed a second investigation: mid-August 2013, R.U., head of the BND unit at Bad Aibling, ordered W.O. to check the NSA selectors for whether they were related to European governments. He only looked at e-mail addresses, because for other selector types it is too difficult to do such a check. W.O. also did research on the internet for his investigation, maybe for finding out the elements used in foreign government e-mail addresses.

Already after one day he found some, which were then deactivated ("deleted"). After that the search was continued for three weeks, adding additional search criteria. In the end this resulted in a few tens of thousands of selectors that were marked as rejected and then deactivated.

W.O. only reported this to his immediate superior R.U., but at the Pullach headquarters, D.B. only heard of this second investigation and the subsequent deactivations in March 2015. SIGINT director Pauland wasn't even aware of both investigations before March 13, 2015. Then, a working group, led by BND lawyer Ms. F. was formed to investigate all these issues.


BND takes measures

In November 2013, BND president Schindler issued a new internal regulation, saying that BND's own selectors may not include NATO and European targets anymore (no reason was seen to apply this to NSA selectors too). Reportedly e-mail addresses ending with .eu will now be blocked and the same has to happen for all European partners. We can assume this also applies to their telephone country codes.
Update #2: This regulation was apparently issued after chancellor Merkel came with her famous statement that it is not done to spy upon friends ("Ausspähen unter Freunden geht gar nicht") on October 24, 2013, following revelations that her mobile phone was targeted by NSA.
For blocking selectors related to European governments, there's a profile containing the e-mail extensions for all foreign government agencies.

However, this won't help European citizens, companies and organisations who are for example using phone numbers from outside Europe or mail addresses with a generic top level domain like .com, .org or .net. The new regulation is therefore most effective for preventing communications of European government agencies from getting caught in the filter systems.

Recently, BND asked NSA to provide a justification for each of their selectors. For telephone numbers, this was already practice,* but the Americans said that for internet selectors they needed more time. This led BND to stop the collection of internet data for the time being as of early May. Phone and fax data are still collected and forwarded.

BND president Schindler standing inside one of the huge golfball-like
radomes at the satellite intercept station Bad Aibling
(Photo: Reuters)


Results of the collection

After the approved selectors have been entered into the collection systems, all data for which there's a match with one or more selectors will automatically be picked out. These results are then converted into a readable format.

Matches for BND's own selectors are stored in a database: metadata went into VERAS and content into INBE. From there, analysts can see whether it is relevant for the foreign intelligence as required by the government. If not, the data are destroyed.

Many metadata collected in Bad Aibling were automatically forwarded to NSA, after passing the DAFIS filter system to sort out those related to Germans. According to the newspaper Die Zeit, BND collects about 220 million metadata each day, which is 6,6 billion a month. Up to 1,3 billion of these metadata are shared with NSA, an example being the 552 million metadata seen in a chart from the NSA tool BOUNDLESSINFORMANT.

Update #2: After the chart with the 552 million metadata was first published on July 29, 2013, the BND unit at Bad Aibling was in shock. They worked day and night and over the weekend to find out what had happened, and provide explanations of the technical circumstances in weekly reports, like for the regular parliamentary oversight committee.
After a week, BND was then able to issue a statement that these 552 million metadata were not collected by NSA, but by them, from crisis regions abroad.

Screenshot from BOUNDLESSINFORMANT, showing some 552 million telephone and internet
metadata that were shared with NSA between December 10, 2012 and January 8, 2013


Shortages

Content collected through selectors provided by NSA was also automatically forwarded after a final check by the DAFIS filter system, but here, BND personnel in Bad Aibling also took random samples to check whether it contained German data.

Because of shortages in personnel and technical capacity, BND employees were fully occupied with the results from their own selectors, and therefore had no time to take a closer look at what came out for NSA. They simply relied upon the initial selector check. Only when BND's own selectors didn't provide useful results would they take a look at the results of the NSA selectors.


Selected communication links

One important fact that was largely overlooked in the reporting on this issue, but was pointed to by BND president Schindler and one of the witnesses, is that the Bad Aibling station only intercepts satellite links from crisis regions in the Middle East and Africa.
Update #3: During the hearing on May 21, Schindler specified this and said Bad Aibling collects data from all the countries where German forces are deployed and one other country he would not name. SIGINT director Pauland said BND is currently watching various crises around the world: Ukraine, IS, Boko Haram, Bundeswehr deployments, kidnappings, and Ebola; they are not spying on their own citizens.

Interception results therefore include for example phone calls between Afghanistan and Pakistan or communications from European companies and agencies with activities in the Middle East. This would also minimize the chance that German communications were being collected. BND selects which satellites and which communication channels from those satellite links are intercepted; NSA is said to have no influence on that.



No records kept

According to Der Spiegel, BND president Schindler said that his agency has no technical means to reconstruct which data were passed on to NSA as no records or statistics were kept on this. Earlier, BND employees also testified that their agency doesn't count the raw data that come in, only the end reports.

This means that the lists of selectors can only show what NSA was interested in, but that we will probably never know what exactly the results from that collection were.

 
Update #1:

In an article of the newspaper Die Zeit from May 19, 2015, the Left party member of parliament Martina Renner says that in August 2013, there were between 8 and 9 million active selectors. Other sources say 8,2 million.

Earlier, Süddeutsche Zeitung reported that currently there are some 4,6 million active selectors, most of them for filtering internet communications and related to 1,267 million people and corporations.
If these numbers are correct, they would show a huge decrease of active selectors between 2013 and 2015. The hearings haven't provided clarity about this yet.

In Die Zeit, Martina Renner also said that BND didn't check all these selectors for whether they contained suspicious ones, but only looked at e-mail addresses for whether these contained parts like .de or names of German companies.

The reason for that seems to be that, according to Renner, there are more than 20 different kinds of selectors, and for 40% of the selectors (which would be over 3 million) it wasn't possible to attribute them to a particular country.
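The check Renner describes, taking a selector list and looking at e-mail addresses for a `.de` domain or a German company name, is easy to model, and doing so makes the 40% problem visible: most selector kinds carry no country at all. The following is an added example, not BND code; the selector values, the company-name fragments and the limited set of selector kinds are constructed for illustration, and it goes slightly beyond the page by also attributing phone numbers via their E.164 country code.

```python
import re
from collections import Counter

# Constructed list of German company-name fragments (an assumption for this
# example; the hearings only speak of "names of German companies").
GERMAN_COMPANY_HINTS = ("siemens", "telekom", "lufthansa")

# Minimal E.164 country-code table (real codes; only these three are needed).
COUNTRY_CODES = {"49": "DE", "92": "PK", "93": "AF"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[a-z]+)$")
PHONE_RE = re.compile(r"^\+\d{7,15}$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def classify(selector):
    """Classify one selector: its kind, the country it can be attributed to
    (None if that is not possible) and whether it trips the German check."""
    s = selector.strip().lower()
    m = EMAIL_RE.match(s)
    if m:
        domain = m.group(1)
        tld = domain.rsplit(".", 1)[-1]
        # Two-letter TLDs are country codes; .com/.org etc. say nothing.
        country = tld.upper() if len(tld) == 2 else None
        german = country == "DE" or any(h in domain for h in GERMAN_COMPANY_HINTS)
        return {"kind": "email", "country": country, "german_hit": german}
    if PHONE_RE.match(s):
        digits = s[1:]
        country = None
        for n in (1, 2, 3):  # country codes are one to three digits long
            if digits[:n] in COUNTRY_CODES:
                country = COUNTRY_CODES[digits[:n]]
                break
        return {"kind": "phone", "country": country, "german_hit": country == "DE"}
    if IPV4_RE.match(s):
        # Without a geolocation database an IP address has no country.
        return {"kind": "ipv4", "country": None, "german_hit": False}
    return {"kind": "other", "country": None, "german_hit": False}


def screen(selectors):
    """Run the check over a whole list and summarise what it can and cannot say."""
    results = [dict(selector=sel, **classify(sel)) for sel in selectors]
    flagged = [r["selector"] for r in results if r["german_hit"]]
    unattributable = [r["selector"] for r in results
                      if r["country"] is None and not r["german_hit"]]
    return {
        "total": len(results),
        "by_kind": dict(Counter(r["kind"] for r in results)),
        "flagged_german": flagged,
        "unattributable": unattributable,
        "unattributable_share": len(unattributable) / len(results) if results else 0.0,
    }


# Constructed sample selectors (not taken from any real list).
SAMPLE_SELECTORS = [
    "analyst@example.de",
    "press@siemens-group.com",
    "contact@example.com",
    "+4930123456789",
    "+93701234567",
    "198.51.100.7",
    "user-agent:someclient/1.0",
]

if __name__ == "__main__":
    for key, value in screen(SAMPLE_SELECTORS).items():
        print(f"{key}: {value}")
```

The summary separates what the `.de`/company-name check flags from what it cannot judge at all: an IP address, a generic-TLD mailbox or an arbitrary string trips neither the German check nor any country attribution, which is the category the hearings put at roughly 40% of the list.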
 
Update #2:

On May 20, 2015, the parliamentary investigation committee heard BND employees W.O., W.K. and D.B. about the issue of the selectors and the internal BND inquiries. New details from this hearing have been added to the relevant sections of this article. They are marked "Update #2".

In general, the witnesses from BND gave the impression that they don't look much further than the requirements and the responsibilities of their job. They just follow orders and that's it.
 
Update #3:

On May 21, 2015, the parliamentary investigation committee heard Hartmut Pauland, the former head of BND's SIGINT directorate, and BND president Gerhard Schindler. Details from these hearings will be added gradually. They are marked "Update #3".

President Schindler admitted that the automated filtering of selectors was a mistake and that there were serious deficiencies in how this was handled internally. But he was also convinced that spying on European countries ("friends") isn't illegal, explicitly contradicting the opinion of three constitutional experts from the very first committee hearing.

Former SIGINT director Pauland said that with every newly disclosed Snowden document, his people considered whether they were also capable of doing those things. In many respects, NSA appeared to be way ahead of BND. Nowadays, signals intelligence is metadata-centric: from the metadata it's decided which communications are worth picking out for analysing their content.



Links and sources
- Official page of the committee: 1. Untersuchungsausschuss ("NSA")
- Zeit.de: BND-Chef Schindler will nichts gewusst haben
- Netzpolitik.org: Interne Kommunikation: Wie der BND die „Weitergabe von Rohdaten in großem Umfang“ an die NSA verheimlicht (May 2015)
- Welt.de: Gezielter Angriff (May 2015)
- Zeit.de: BND liefert NSA 1,3 Milliarden Metadaten – jeden Monat (May 2015)
- Golem.de: Der Mann, der die brisanten NSA-Selektoren fand (May 2015)
- Netzpolitik.org: Untersuchungsausschuss: „Ich habe Weisung von oben empfangen und vollzogen“ (May 2015)
- Spiegel.de: Spionageaffäre: BND kann Daten-Weitergabe an NSA nicht rekonstruieren (May 2015)
- Sueddeutsche.de: BND half NSA beim Ausspähen von Frankreich und EU-Kommission (April 2015)
- FAZ.net: BND-Spionage-Vorwürfe: Spionieren und spionieren lassen (April 2015)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA (June 2014)

April 24, 2015

Some equipment that connects NSA with its foreign partners



A close look at a unique photo of NSA computer equipment revealed the names of five countries: Tunisia, the Netherlands, Belgium, Germany and Italy. The devices are routers, but it's not certain what exactly they are used for. The circumstances indicate that they enable the exchange of data for military operations in which these NSA partner countries participate.



Presentation about Strategic Analytics at the
NSA's European Cryptologic Center (ECC)
(Click for the full presentation in pdf)


On June 14, 2014, the German magazine Der Spiegel published 53 documents pertaining to the NSA's operations in Germany and its cooperation with German agencies. Many of them got little attention, and so they often contain interesting things which are not yet reported.

One of these documents is an undated presentation about Strategic Analytics used at the NSA's European Cryptologic Center (ECC), which is located near the city of Darmstadt in Germany. This presentation contains some unique photos of what seems to be NSA equipment.


Cisco routers

One of the photos shows a 19-inch rack for computer equipment modules, which contains 13 common Cisco 2811 routers. In the photo we see the front panels of the routers, each one having a black power cable and a red network cable, which connects to a computer in order to manage the router. The cables for the actual data are on the rear side, where the device has four high-speed WAN interface card (HWIC) slots, two 10/100 Gigabit Ethernet ports, and a slot for an Enhanced Network Module (ENM).



Slide from the presentation about Strategic Analytics
at the NSA's European Cryptologic Center (ECC)
(Click to enlarge)


Classification labels

Twelve routers have an orange and a yellow label, only the bottom one has a red label. These labels indicate the (highest) classification level of the data that are handled by the equipment. The red label is for Secret, the orange one for Top Secret and the yellow one for Sensitive Compartmented Information (SCI), which means the information is in a "control system" with extra protective measures.

All but one of the routers may therefore transfer data up to the level of Top Secret/SCI. This sounds quite impressive, but actually almost everything NSA does is classified at this level, more specifically as Top Secret//Comint (or SI for Special Intelligence) - the marking that can be seen on almost all Snowden documents.


Sometimes, the photos in the presentation are related to what the slide is about, but here that seems not to be the case. The slide is about MapReduce analytics, with MapReduce being a particular method to filter, sort and generate data from very large databases. This is completely different from what routers do, which is transferring data from one computer network to another.



Photo of the equipment rack with 13 Cisco routers
(Click to enlarge)


The white labels

Most interesting in this photo is the text on the white labels, which unfortunately is very difficult to read. But after I drew attention to these photos, a Twitter user noticed that these labels contained new codewords and names of countries. Eventually the following words could be read, with those that are uncertain shown in gray:

BAYBRIDGE
TUNISIA

PARTSTREAMER
NETHERLANDS

BAYBRIDGE
SEENFLARE

BAYBRIDGE
BELGIUM

BAYBRIDGE
SIDELIGHT

BAYBRIDGE
MALFRACK

BAYBRIDGE
THAWFACTOR TR82/...

... EXPANSION
GERMANY ...

CRO......
MEVE/ORION ..MG/..EF

BAYBRIDGE
...... ..../....

BAYBRIDGE
FAIRLANE

BAYBRIDGE
ITALY ....

........
....... ....


Most of the routers are labeled BAYBRIDGE, either accompanied by another codeword or by the name of a country: Tunisia, Belgium and probably Italy. The Netherlands and Germany are mentioned on routers which appear to be related to other systems, which for the Netherlands is codenamed PARTSTREAMER. Germany is related to some kind of EXPANSION.

All these codewords are seen here for the first time, so it's not known what they stand for and the variations make it even more difficult to guess what these routers are actually used for. Maybe some future disclosures of NSA documents can provide an explanation.



Close-up of the white labels for the routers labeled
BAYBRIDGE TUNISIA and PARTSTREAMER NETHERLANDS


Third Party partners

One thing that these five countries have in common is the fact that they are 3rd Party partners of NSA. This means there's a close cooperation based upon a formal agreement between NSA and the agency responsible for signals intelligence in a given country.

Belgium, the Netherlands, Germany and Italy are long-time trusted allies of the US, but Tunisia only came closer to the US after 9/11. It for example supported the war on terrorism, conducted joint training exercises with the US, and US Navy ships regularly visited the ports of Bizerte, Sfax, Sousse and Tunis.*

Initially, Tunisia fell under the responsibility of the US European Command (EUCOM), but it came under the newly created US Africa Command (AFRICOM) in 2008. There are even plans to move the AFRICOM headquarters from Stuttgart, Germany to Tunisia, after this small North African country moved away from its close relationship with France in recent years.


We can probably get closer to the purpose of these routers by looking at where they are used. As we have seen, the photo isn't related to what's in the slide, but as the presentation as a whole is about certain efforts at the NSA's European Cryptologic Center (ECC), we can assume the routers were photographed there.
 

The European Cryptologic Center

The ECC is one of several Cryptologic Centers of the NSA. These were established in the mid-1990s to decentralize SIGINT operations and make their systems more redundant. Initially they were called Regional SIGINT Operations Center (RSOC).

Four of these centers are in the United States and named after the state they are in: Georgia (in Augusta), Texas (in San Antonio), Hawaii (in Honolulu) and Colorado (in Denver). There are two known centers outside the US: the European Cryptologic Center (ECC, in Griesheim, Germany) and the Afghanistan Remote Operations Cryptologic Center (AROCC, in Bagram, Afghanistan).



The NSA's European Cryptologic Center (ECC) at the Dagger
Complex in Griesheim near Darmstadt, Germany
(Photo: AP, July 2014 - Click to enlarge)


The European Cryptologic Center (ECC) is located within the US Army's Dagger Complex outside the small town of Griesheim, near the city of Darmstadt in Germany. In 2011, it had some 240 personnel, consisting of military and civilian members of the military services, NSA civilians and contractors.

On behalf of NSA, the center is operated by the US Army Intelligence and Security Command (INSCOM) and as such is part of the NSA's military branch, the Central Security Service (CSS), more specifically of NSA/CSS Europe and Africa (NCEUR/AF).

The ECC conducts the processing, analysis and reporting of signals intelligence in support of both the European Command and the Africa Command - which perfectly fits the countries we saw on the white labels. The ECC is primarily focused on counter-terrorism and supporting military operations in Africa and the Middle East.


Military operations

According to NSA historian Matthew Aid, NSA's European center already supported American troops operating in Bosnia and Kosovo in the late 1990s. There were direct communication links not only with US military units, but also with all the SIGINT agencies and units of the partner nations operating in the Balkans, like Germany, France, Italy, the Netherlands, and others.

In a similar way the routers we see in the photo from the presentation could then be used for the exchange or transfer of data related to specific military and counter-terrorism operations, each involving different countries. For now, this seems the most likely option, as it could also explain the variations of the codewords.

This seems to be different from SIGDASYS, which is a database system where NSA and some partner agencies can put in and pull out military intelligence information on a more regular basis. Also, SIGDASYS is part of the SIGINT Seniors Europe (SSEUR or 14 Eyes) group, which doesn't include Tunisia.



Links and sources
- Matthew Aid: The European Cryptologic Center at Darmstadt, Germany (2013)
- Presentation about the US Army Intelligence and Security Command (INSCOM) (pdf, 2013)
- NIST: Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy (pdf, 2005)

April 8, 2015

Torus: the antenna to significantly increase satellite interception

(Updated: April 15, 2015)

At three satellite facilities, in Britain, Cyprus and New Zealand, there's a special antenna that allows NSA's partner agencies a significant increase in their capability to collect satellite communications.

This antenna is called Torus, and while conventional parabolic dish antennas can only view one satellite at a time, one single Torus antenna is able to receive the signals from up to 35 communications satellites.

These rare and expensive Torus antennas are used by some television networks, but a close look at photos of the Five Eyes satellite stations has now revealed the locations where Torus antennas are also used for gathering signals intelligence.



A General Dynamics Satcom Technologies Torus antenna
with the array of receiver heads clearly visible



The Torus antenna is rectangular, instead of circular like the conventional satellite dishes. Its quasi-parabolic shape is actually a section of a geometrical shape called a torus, which gave it its name. Where a conventional satellite antenna only has one receiving head, called a Low-Noise Block (LNB) downconverter, a Torus antenna has many of them, placed in an array.



How one Torus antenna (brand name Simulsat) is able
to receive the signals of up to 35 satellites
(Source: Evertz.com - Click to enlarge)


With a focal arc instead of a single focal point, the Torus antenna can pick up the signals from a range of satellites which are in a geostationary orbit (GSO), a fixed position above the equator. This is the case for most of the more than 100 communications satellites. Because a Torus antenna has to be aligned with the positions of multiple satellites, it has to be adjusted to a specific position and therefore cannot be turned or spun around like circular satellite dishes.


Satellite collection

The usage of Torus antennas for signals intelligence first became clear from a slide that was part of a 2011 presentation for the annual Five Eyes conference. It was published in May 2014 in Glenn Greenwald's book No Place To Hide.

The slide is titled "New Collection Posture" and contains a diagram showing the various steps in the process of satellite collection. Greenwald saw this as evidence that NSA wants to "Collect it All", although the diagram clearly shows this refers to just one particular stage:




For the first step of this process it's said that "Torus increases physical access" - a clear description of the fact that one such antenna can receive the signals from many satellites. With one satellite having between 24 and 32 transponders to relay a signal, one Torus antenna, under the right circumstances, could in theory receive nearly 1,000 communications channels simultaneously.

This doesn't necessarily mean that with Torus antennas, the Five Eyes agencies are now "collecting everything". The new antenna gives them access to many more satellites, but in the next stage (dubbed "Know it All") they look for and pick out the channels that have the best chances of containing useful information.


More access also means the need for more capacity to process these incoming signals, because they have to be converted, demodulated and demultiplexed before something can be done with them. And for internet communications, also more XKEYSCORE (XKS) servers would be needed for buffering, so analysts can sort out data of interest.

Torus antennas are useful to "increase the haystack", which doesn't mean that the whole haystack is stored - only those tufts that are likely to contain "needles".



Torus interception antennas

Now knowing what to look for, it was quite easy to "spy back" on the satellite intercept stations through the aerial images of Google Maps. By doing so, we can recognize Torus antennas in Britain, Cyprus and New Zealand.


Waihopai, New Zealand

Most information about the use of a Torus antenna for signals intelligence is available for the one at the Waihopai satellite intercept station in New Zealand, which is codenamed IRONSAND.

According to an article that was originally published in The Marlborough Express in July 2007, the Torus at Waihopai was built the month before and was expected to be operational later that year. Then-GCSB director Bruce Ferguson said that this new dish would enable satellites to be tracked more efficiently and that, at a cost of under 1 million dollars, it was very good value for money.



The Waihopai station in 2012, with the Torus antenna at the far left
(Photo: Gilbert van Reenen/Vital Images - Click to enlarge)


The new Torus antenna joined the existing satellite dishes, the first of which was built in 1989, and the second in 1998. These dishes are covered by domes, which make them look like giant golf balls. According to the GCSB director this was to ward off the weather, but it is generally considered that it is actually to prevent seeing which direction the dishes face.

The Torus didn't get such a covering, maybe because it only has limited ability to manoeuvre on a fixed pad. But had the Torus antenna been covered like the old dishes, we wouldn't have known about this new and increased satellite interception capability.



The GCSB satellite station Waihopai, before (2005) and
after (2008) the Torus antenna was installed


The Torus at Waihopai is also mentioned in a recently disclosed GCSB presentation from April 2010, which says: "TORUS now enabling an increase of COMSAT/FORNSAT collection". This sounds like this antenna became operational not long before, although it was already installed in 2007. Maybe it took a few years before the necessary processing capacity became fully functional.


Bude, United Kingdom

A second Torus antenna used for satellite interception is at GCHQ Bude, in the west of Cornwall, in the United Kingdom. Bude, codenamed CARBOY, is a large station where GCHQ and NSA cooperate in the interception of both satellite and submarine cable communications.

Here, satellite interception started in the late 1960s with two giant dishes with a diameter of 27 meters. Nowadays there are 21 satellite antennas of various sizes that can cover all the main frequency bands and seem generally orientated towards the INTELSAT, Intersputnik and INMARSAT communication satellites.

The Torus antenna at GCHQ Bude must have been installed somewhere between January 2011 and June 2013: on the current Google Maps image, which is from December 30, 2010, the Torus antenna isn't yet present, but in the picture below, which is from June 23, 2013, the distinctively shaped antenna is clearly visible:



Satellite dishes at GCHQ Bude in Cornwall, with the Torus
antenna just right of the big radome in the center
(Photo: Reuters/Kieran Doherty - Click to enlarge)



Ayios Nikolaos, Cyprus

A third Torus antenna is installed at the GCHQ listening station Ayios Nikolaos, which is part of the British Sovereign Base Area (SBA) of Dhekelia in Cyprus, where British signals intelligence has already been present since the late 1940s.

This listening station is codenamed SOUNDER and is part of the Five Eyes satellite interception network that became known as ECHELON. A Google Maps satellite photo shows that there are several large and small satellite dishes, including one that can be recognized as a Torus antenna:



Satellite dishes at GCHQ Ayios Nikolaos in Cyprus with
the one at the left recognizable as a Torus antenna
(Photo: Google Maps - Click to enlarge)


This satellite image is from April 12, 2014, but because no earlier images are available for this location, it's not possible to say in which year this Torus antenna was installed. This means that for now, the oldest reference to a Torus antenna used for signals intelligence is for Waihopai in New Zealand (2007).

Update:
As a reader noticed in a comment below, images from Google Earth show that the Torus antenna at Ayios Nikolaos must have been built somewhere between May 2008 and April 2011, according to the images available for those dates.
So for signals intelligence, Torus antennas were subsequently set up in Waihopai (2007), in Ayios Nikolaos (between 2008 and 2011) and in Bude (between 2011 and 2013).

No Torus dishes were visible at the other major satellite stations of the Five Eyes countries, like Yakima and Sugar Grove in the US, Menwith Hill in the UK, Misawa in Japan, and Geraldton in Australia. Torus antennas can also not be seen in aerial photos of the satellite intercept facilities in allied countries like the Netherlands, Denmark, Germany, and Austria.



Development

The Torus antenna was developed in 1973 by COMSAT Laboratories in Clarksburg, Maryland, where it operated an experimental installation that communicated with Intelsat satellites.

The original version of the Torus antenna was able to receive the signals of up to 7 satellites simultaneously and cost 1,1 million US dollars. At that time, the price of a conventional dish, which was much larger than those used nowadays, was around 800,000 dollars.


Probably the first experimental Torus antenna of Comsat,
here being disassembled in August 2007
(Photo: Dennis Boiter/Comara.org - Click to enlarge)


In 1979, COMSAT applied to the Federal Communications Commission (FCC) for permission to build three Torus antennas for commercial use: in Etam (West Virginia), Andover (Maine) and Jamesburg (California). Each of them had to communicate simultaneously with three American domestic satellites which were in a geostationary orbit 4° apart from each other.

After the presentation of the first commercial Torus antenna in 1981, the system didn't become very popular, apparently because this antenna type was less efficient than parabolic satellite dishes and also had higher sidelobe levels. General Dynamics was apparently able to reduce these effects by the offset design of its custom-made antennas.


Manufacturers

The largest and custom made Torus antennas appear to be manufactured by General Dynamics Satcom Technologies. Smaller, standard Torus antennas are available from General Dynamics' subsidiary Antenna Technology Communications Inc (ATCi), which produces three types under the brand name Simulsat. The width of these dishes is between 8 and 13 meters.

Reportedly there are only about 20 Torus antennas in the world, but it's not clear whether this number covers only the largest ones made by GD Satcom Technologies, or whether it also includes the smaller dishes from ATCi. Main customers are the US federal government and television stations that feed their cable networks with a large number of satellite channels.



Simulsat antenna at the Microsoft campus in Silicon Valley


Television networks

An example of a Torus used by television networks is the American sports broadcaster ESPN, which had a 24-meter Torus antenna installed at its headquarters in Bristol, Connecticut, in 2007. DIRECTV has three Torus dishes, including one at its Los Angeles Broadcast Center (LABC), which receives signals from 32 satellites.

It's not known what the price of a Torus antenna is, but it probably comes near 1 million dollars. This can be worth it, as one single Torus eliminates the need to install multiple conventional parabolic dishes, which can cost up to several hundred thousand dollars each.
 

Update:
After this article had been published, a number of other Torus antennas were found by Cryptome, @sigwinch and other people. Most of them are at the dish farms of television networks and commercial satellite companies. Until now, 17 additional Torus antennas can be seen at:

- CIA headquarters (present already in 2000)
- Schriever Air Force Base in Colorado
- An Intelsat ground station near Napa, California (2)
- An Intelsat ground station in Nuevo, California
- An Intelsat ground station near Atlanta, Georgia
- An RRsat America ground station near Hawley, Pennsylvania
- An Intelsat dish farm in Long Beach, California
- An Echostar satellite downlink facility in Chandler, Arizona
- The Intelsat Teleport near Castle Rock, Colorado
- An Echostar Broadcast Center in Cheyenne, Wyoming
- A satellite station near Lake Pochung, New Jersey
- A satellite ground station in Vernon county, New Jersey
- The HBO Communication Center in Hauppauge, New York
- The roof of HBO Studio Productions in New York City (2)
- The Inmarsat access station in Nemea, Greece



Links and sources
- Stuff.co.nz: Snowden Files: Inside Waihopai Domes
- Business sheet: General Dynamics SATCOM Technologies Business Overview (pdf)
- Product sheet: General Dynamics 7.0 Meter Torus (pdf)

March 25, 2015

New Zealand and XKEYSCORE: not much evidence for mass surveillance



Since March 5, The New Zealand Herald and the website The Intercept published a number of stories based on top secret documents regarding New Zealand. These stories followed last year's claims by Edward Snowden saying that the New Zealand signals intelligence agency GCSB is involved in indiscriminate and illegal mass surveillance of ordinary citizens.

Here we will take a close look at the original documents that accompanied these reports and put them in a broader context in order to see whether they support these claims or not. Attention will also be paid to the notorious XKEYSCORE system.




The listening station at Waihopai (SIGAD: NZC-333) in New Zealand
after activists deflated one of the kevlar radomes in April 2008
(Source: GCSB presentation - Click to enlarge)
 

GCSB satellite collection

In the first story from March 5, it was claimed that New Zealand's signals intelligence agency GCSB conducted "mass spying on friendly nations" in the South Pacific on behalf of the Five Eyes partnership, which consists of the United States, the United Kingdom, Canada, Australia and New Zealand.

The allegation of "mass spying" seems to be based upon an excerpt from a GCHQ wiki page from about 2011, which talks about "full-take collection" at New Zealand's satellite intercept station in Waihopai (codenamed IRONSAND):



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)


A GCSB report from July 2009 says that GCSB users were trained by NSA XKEYSCORE trainers "in anticipation of full-take collection and 2nd party sharing" with the full-take collection expected to be running by October 2009.


"Full-take" collection

The New Zealand Herald explained that "full-take collection means the base now collects and retains everything it intercepts: both the content of all the messages and the metadata". If that were true, then one could probably speak of "mass surveillance".

But later on, the report quotes the German magazine Der Spiegel, which reported already in 2013 that XKEYSCORE "enables 'full-take' of all unfiltered data over a period of several days". The latter is an important detail, but neither The New Zealand Herald, nor The Intercept paid any further attention to it.

When New Zealand's prime minister John Key was asked about the "full-take" at a press conference, he told a reporter: "With the greatest of respect, I don't actually think you understand the technical term and it's not my job to explain it to you". This is the standard response governments give in these matters, preferring to let citizens think they are under massive surveillance rather than explaining what really happens...
 

XKEYSCORE

In the GCHQ wiki entry we also see two check boxes with next to them the Waihopai station mentioned as "GCSB_IRONSAND_WC2_FULL_TAKE". The abbreviation WC2 stands for WEALTHYCLUSTER 2, which is apparently the second generation of a system that is used to process low data rate signals: it sessionizes all of them and then forwards them to XKEYSCORE.

Using WEALTHYCLUSTER processing is called the traditional version of XKEYSCORE, which is used for satellite and terrestrial radio signals. For higher data rates, like on fiber-optic cables, it was/is not possible to forward all data to XKEYSCORE.

These yet unfiltered internet communication sessions forwarded to XKEYSCORE are called the 'full-take'. They are only stored for a short period of time: content is buffered for 3 to 5 days (sometimes shorter or sometimes longer, depending on the amount of traffic), and metadata for up to 30 days. In other words, XKEYSCORE creates a rolling buffer which is continually being rewritten:



Slide with some main characteristics of the XKEYSCORE system
See also another, similar NSA presentation about XKEYSCORE


This buffering enables analysts to perform federated queries using so-called "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents, spreadsheets in English, as well as in Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace a target's internet activities that are performed anonymously, and therefore cannot be found by just filtering on a target's known e-mail addresses. When such content has been found, the analyst might be able to find new intelligence or new "strong selectors", which can then be used for starting a traditional search.
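The two retention clocks described above (content for about 3 to 5 days, metadata for up to 30) and the difference between a soft-selector keyword query and a strong-selector lookup can be shown in a small model. This is an added example written for this article, not GCSB or NSA code; the session records are constructed, the upper bounds of the retention periods are used, and the idea of deriving candidate strong selectors from matched sessions follows the paragraph above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Retention periods as described for XKEYSCORE: content 3-5 days (the upper
# bound is used here), metadata up to 30 days.
CONTENT_TTL = timedelta(days=5)
METADATA_TTL = timedelta(days=30)


@dataclass
class Session:
    seen: datetime          # when the session was captured
    metadata: dict          # e.g. sender, protocol
    content: Optional[str]  # body text; becomes None once it has aged out


class RollingBuffer:
    """Time-bounded store: content ages out first, metadata later."""

    def __init__(self, content_ttl=CONTENT_TTL, metadata_ttl=METADATA_TTL):
        self.content_ttl = content_ttl
        self.metadata_ttl = metadata_ttl
        self.sessions = []

    def ingest(self, session):
        self.sessions.append(session)

    def expire(self, now):
        """Apply both retention limits; returns the number of sessions kept."""
        kept = []
        for s in self.sessions:
            age = now - s.seen
            if age > self.metadata_ttl:
                continue                 # metadata gone too: session is dropped
            if age > self.content_ttl:
                s.content = None         # only the metadata survives
            kept.append(s)
        self.sessions = kept
        return len(kept)

    def query_soft(self, terms, now):
        """Soft-selector query: keyword match against buffered body text."""
        self.expire(now)
        wanted = [t.lower() for t in terms]
        return [s for s in self.sessions
                if s.content is not None
                and any(t in s.content.lower() for t in wanted)]

    def query_metadata(self, key, value, now):
        """Strong-selector style lookup on a metadata field."""
        self.expire(now)
        return [s for s in self.sessions if s.metadata.get(key) == value]


def derive_strong_selectors(sessions, field="from"):
    """Identities found in matched sessions that could seed a selector search."""
    return sorted({s.metadata[field] for s in sessions if field in s.metadata})


# Constructed sample traffic (not real captured data).
T0 = datetime(2015, 3, 1)
SAMPLE = [
    Session(T0 - timedelta(days=2), {"from": "a@example.org", "proto": "smtp"},
            "notes on the widget-7 shipment"),
    Session(T0 - timedelta(days=10), {"from": "b@example.net", "proto": "smtp"},
            "widget-7 pricing"),
    Session(T0 - timedelta(days=40), {"from": "c@example.com", "proto": "xmpp"},
            "widget-7 chat"),
]


def demo(now=T0):
    """Load the sample, run one keyword query and report what survived."""
    buf = RollingBuffer()
    for s in SAMPLE:
        buf.ingest(Session(s.seen, dict(s.metadata), s.content))  # copy SAMPLE
    hits = buf.query_soft(["widget-7"], now)
    return {
        "sessions_kept": len(buf.sessions),
        "content_hits": derive_strong_selectors(hits),
        "metadata_only": [s.metadata["from"] for s in buf.sessions if s.content is None],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` at `T0` keeps two of the three sessions: the 40-day-old one is gone entirely, the 10-day-old one has only its metadata left, so the keyword "widget-7" matches just the 2-day-old session even though all three originally contained it. That is the practical meaning of a rolling buffer: a soft-selector search only ever sees the last few days of content.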


XKEYSCORE Fingerprints

To use XKEYSCORE more efficiently, analysts can create so-called 'fingerprints', which are rules that contain search terms (especially all the correlated identities of a certain target) that are automatically executed by the system. Some examples of XKEYSCORE fingerprints were disclosed by German regional television on July 3, 2014, which presented them as excerpts of XKEYSCORE's source code.

Until now, The New Zealand Herald has published two XKEYSCORE fingerprints that define GCSB targets: one related to candidates for the job of director-general of the World Trade Organisation (WTO), and another one related to the Solomon Islands, for which the fingerprints show that GCSB (and/or NSA) was interested in documents from the government of this island state, as well as in the Truth and Reconciliation Commission and former militia groups.


GCSB targets

Another document disclosed by The New Zealand Herald and The Intercept shows that GCSB also spies on China, Pakistan, India, Iran, South Pacific Island nations (like Tuvalu, Nauru, Kiribati and Samoa, Vanuatu, New Caledonia, Fiji, Tonga and French Polynesia), the diplomatic communications of Japan, North Korea, Vietnam, and South America, as well as French police and nuclear testing activities in New Caledonia, and even on Antarctica.

A number of these targets, and some others, were already listed in a 1985-86 annual report of GCSB (classified as TOP SECRET UMBRA), which was accidentally released in 2006. So although it might be embarrassing for the New Zealand government that the spying on nearby friendly island states was exposed, it is nothing new and nothing that is far outside the range of what intelligence agencies usually do.
 

"Collect it All"

In a GCSB presentation (pdf) about the Waihopai satellite station from April 2010 we read: "To brief IS on the MHS ‘Collect It All’ initiative" - with IS being the abbreviation for IRONSAND, the codename for Waihopai; and MHS for Menwith Hill Station, NSA's large satellite facility in England.

This seems to confirm that "Collect It All" was initially a project for the Menwith Hill Station, maybe meant to be extended to other satellite collection facilities, but not the primary aspiration for NSA's collection efforts in general, as Glenn Greenwald claimed in his book No Place To Hide.*

As evidence, Greenwald presented a slide from a 2011 presentation for the annual Five Eyes conference, but that shows that "Collect it All" actually refers to just one particular stage of the collection process for satellite traffic:




- At the top of the diagram, the process starts with receiving the satellite signals ("Sniff it All") and this is followed by "Know it All", which is about detecting (surveying) what kind of traffic certain communication channels contain.

- The stage for which they aim at "Collect it All" is when signals are processed into usable data by conversion, demodulation and demultiplexing. This is done through systems codenamed ASPHALT and ASPHALT PLUS, but no further information on these systems has been published. Apparently "Collect it All" is about increasing the capability to process signals.

- The next stage is "Process it All" where, after a Massive Volume Reduction (MVR) to get rid of useless data, XKEYSCORE (XKS) is used to search for things that are of interest. The last two stages are about analysing data at a large scale and sharing them with GCHQ and NSA's satellite intercept station in Misawa, Japan.



Photo of what might be XKEYSCORE equipment at the NSA's
European Cryptologic Center (ECC) in Griesheim, Germany
(Source: ECC presentation (pdf))


Targeted collection

Combining the earlier disclosed information about XKEYSCORE shows that neither "full-take", nor "Collect it All" means that "everything" ends up in some NSA database (typically PINWALE for content and MARINA for metadata). This only happens with data that is extracted based upon 'strong selectors', 'fingerprints', or manual searches by analysts when they think it contains valuable foreign intelligence information.

A 2012 NSA document about a training course for XKEYSCORE, published by Der Spiegel in June 2014, says that this system helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

This suggests that XKEYSCORE is able to sort out data in a way that is even more targeted than the traditional method, in which communications are filtered out by internet addresses. This would make XKEYSCORE even less of the "mass surveillance tool" that Snowden calls it.
 


GCSB cable access

Besides the satellite station in Waihopai and the High-Frequency radio intercept facility near Tangimoana, some snippets disclosed in September 2014 show that GCSB also started a cable access program codenamed SPEARGUN, for which the first metadata probe was expected mid-2013. According to The Intercept, this program might be about tapping the Southern Cross cable, which carries "the vast majority of internet traffic between New Zealand and the rest of the world".

A bit confusing is that in a 2012 GCSB presentation (pdf), project SPEARGUN is listed among topics related to the "IRONSAND Mission", but maybe this means that the mission of this satellite intercept station in Waihopai was extended to include cable operations too.

IRONSAND is in the north-east of the South Island of New Zealand, while the landing points for the Southern Cross cable are in the north of the North Island, a distance of more than 500 kilometers. It's possible that the actual cable intercept facilities are remotely controlled from the Waihopai station, maybe through a secure Virtual Private Network (VPN) connection over the domestic Aqualink cable:




The access points to the Southern Cross cable could then be identical to the "NSA facilities" in Auckland and "in the north" of the country, which Edward Snowden hinted at in his speech at the "Moment of Truth" meeting in Auckland on September 15, 2014.


Snowden's claims

The Intercept presented this cable access as a "mass metadata surveillance system" capable of "illegal domestic spying" on the communications of New Zealanders. These claims seem to be based upon a rather pathetic statement from Edward Snowden himself:

"If you live in New Zealand, you are being watched. At the NSA I routinely came across the communications of New Zealanders in my work with a mass surveillance tool we share with GCSB, called “XKEYSCORE.” It allows total, granular access to the database of communications collected in the course of mass surveillance. It is not limited to or even used largely for the purposes of cybersecurity, as has been claimed, but is instead used primarily for reading individuals’ private email, text messages, and internet traffic".

Snowden claims that XKEYSCORE is primarily used to snoop on the communications of private citizens, as if GCSB, NSA and the other partner agencies didn't have far too many other targets (see for example the long list of countries targeted by GCSB) to waste their time on ordinary civilians. Snowden however continues:

"The GCSB provides mass surveillance data into XKEYSCORE. They also provide access to the communications of millions of New Zealanders to the NSA at facilities such as the GCSB station at Waihopai."

"It means they have the ability to see every website you visit, every text message you send, every call you make, every ticket you purchase, every donation you make, and every book you order online."

This is also misleading, because, as we have already seen, GCSB isn't very much interested in "your" private communications. In his "Moment of Truth" speech, Snowden claimed that he would have been able to enter for example the e-mail address of prime minister John Key in XKEYSCORE to get access to all content and metadata of his internet activities.

What Snowden briefly acknowledged in this speech, but left out of his statement for The Intercept, is that such searches are constrained by policy restrictions. Indeed, every analyst who works with XKEYSCORE and wants to query data collected in New Zealand has to complete training on the New Zealand Signals Intelligence Directive 7 (NZSID7), which contains the rules about what GCSB is allowed to do.

As GCSB is not allowed to collect communications of New Zealanders (except for when there's a warrant to assist domestic agencies), this means that the other Five Eyes agencies aren't allowed to do that either. Snowden would therefore not have been allowed to look at the communications of prime minister Key.


Not only must all queries against data from New Zealand sources be compliant with both the NZSID7 and the Human Rights Act (HRA), they will also be audited by GCSB:



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND

Snowden however does not consider these policy restrictions sufficient, because analysts "aren't really overseen". For GCSB, a 2013 review report found that there were indeed problems with oversight, but the new GCSB law, which is opposed by many people because it would supposedly enable "mass surveillance", actually also strengthens oversight. NSA noticed this too.


The government's response

New Zealand's prime minister John Key rejected the reports by The New Zealand Herald, saying that "Some of the information was incorrect, some of the information was out of date, some of the assumptions made were just plain wrong". He strongly denied that GCSB collects mass metadata on New Zealanders, but he acknowledged that the agency had tapped into the cable, though only for the purposes of a cybersecurity program codenamed CORTEX.

As proof, several secret government documents were declassified, but from them it doesn't become clear whether CORTEX really is the same program as the cable access which is codenamed SPEARGUN in the NSA and GCSB documents. According to Key, the CORTEX cybersecurity system was eventually scaled back and now only protects specific entities in the public sector and some private companies.

A snippet from an NSA document says that the implementation of the cable access project SPEARGUN was awaiting the new 2013 GCSB Act. It was said this was because the new law would enable "mass surveillance", but the proposed law also authorizes GCSB to ensure cybersecurity, which would support the statement of the government.

 

Conclusion

As the disclosed documents only contain a few lines and no further details about the cable access codenamed SPEARGUN, it is not possible to say for sure whether this is about intercepting communications from the Southern Cross cable, as the Snowden-related media claim, or whether it is actually a cybersecurity program, as the government says.

What did become clear is that XKEYSCORE isn't really a "mass surveillance tool", but is actually used to collect data in a way that is at least as targeted as traditional methods. Many of GCSB's targets turned out to be legitimate, some are more questionable, but none of them involved the bulk collection of communications from ordinary citizens, whether domestic or abroad.

Snowden also said that there are "large amounts of indiscriminate metadata about the communication and other online events of citizens" from all Five Eyes countries. But apart from the domestic phone records collected by the NSA, no evidence has yet been presented for such collection in the other countries.



Links and Sources
- EmptyWheel.net: What an XKeyscore Fingerprint Looks Like
- The New Zealand Herald: Bryce Edwards: The ramifications of the spying scandal
- The Press: We're snooping on the Pacific...so what?
- Report: Review of Compliance at the Government Communications Security Bureau (pdf) (2013)
- ArsTechnica.com: Building a panopticon: The evolution of the NSA’s XKeyscore