September 21, 2013

PRISM as part of the BLARNEY program

(Updated: December 18, 2013)

Last June, the still on-going Snowden-leaks started with the unveiling of PRISM, an NSA program which collects information about foreign targets from American internet companies like Facebook, Google, Yahoo, Microsoft and Apple.

Since then, no new information about PRISM was published, but recently some new details could be found. These show that PRISM is part of another NSA program, codenamed BLARNEY, and that US-984XN is not a single designator for PRISM, but stands for multiple designators, one for each of the internet companies.

New slides

On September 8, the Brazilian television news magazine Fantástico aired a report about the NSA trying to access the network of the Brazilian oil company Petrobras. In the background of this report, a number of hitherto unseen NSA slides were shown.

One of the slides shows details about the BLARNEY program, which has the SIGAD, or SIGINT Activity Designator US-984 and the PDDG, or Producer Designator Digraph AX. The slide says that BLARNEY collects DNR (telephony) and DNI (internet) communications under authority of the FISA court. Main targets of the program are diplomatic establishments, terrorists, foreign governments and economic targets:

Top left the slide shows the NSA seal and top right we see a green leprechaun hat with a clover leaf, symbolizing Blarney, as this is also the name of a small town in Ireland.

However, the most interesting fact is that the BLARNEY SIGAD US-984 is almost the same as US-984XN, which is prominently shown on the first slide of the PRISM presentation that was published in June:

This similarity indicates that PRISM is part of BLARNEY, which is also suggested in the Wikipedia article about the latter program.


Wikipedia also has a good article about the SIGAD or SIGINT Activity Designator itself, which teaches us that a SIGAD with two letters followed by three or four numbers, like US-984, is for identifying signals intelligence collection programs and activities.

An additional alphabetic character is added to denote a sub-designator for a subset of the primary collection unit, like a detachment. Lastly, a numeric character can be added after the aforementioned alphabetic to provide for a sub-sub-designator. This already confirms that with the designation US-984XN, PRISM is a sub-program of BLARNEY.

But there's more. In the Wikipedia-article the SIGADs are represented like XX-NNNxn, where an X represents an alphabetic character and an N represents a numeric character. Here we see the same XN-suffix as in the alleged PRISM designator US-984XN, so it seems that XN is only meant as a placeholder for the actual designations of PRISM subsets.

This is confirmed by another slide from Brazilian television, which says that the SIGAD US-984X stands for multiple programs and partners collecting under FAA authority:


In one of the PRISM slides published in June, there's an explanation of the PRISM case notations. These start with a designation for each PRISM provider, like P1 for Microsoft, P2 for Yahoo, etc. (the first position in the slide below). These designators fit the XN-scheme of one alphabetic character followed by one numeric character.

If we combine this, it seems likely that instead of US-984XN as a single PRISM SIGAD, there might be actually the following multiple SIGADs, one for each of the internet companies:
- Microsoft: US-984P1
- Yahoo: US-984P2
- Google: US-984P3
- Facebook: US-984P4
- PalTalk: US-984P5
- YouTube: US-984P6
- Skype: US-984P7
- AOL: US-984P8
- Apple: US-984PA

After P8 for AOL, the final number becomes the letter A for Apple. Maybe this is because more than nine companies became involved, and so NSA chose to go on with hexadecimal numbers, so PA can be followed by PB, PC, etc.

Having separate SIGADs for each internet company makes sense, because a SIGAD identifies a specific facility where collection takes place, like a ship or a listening post. PRISM as a program is not such a facility, but comprises a number of them.

The notation of the multiple PRISM SIGADs is also more like that of other collection facilities, for example US-987LA and US-987LB for the Bavarian and Afghanistan listening posts of NSA's German partner-agency BND.


Meanwhile, high-resolution video footage of the Brazilian television magazine Fantástico became available, from which I could make a readable screenshot of a slide that was illegible until now:

This slide is from an NSA presentation about the FAIRVIEW program and shows that both FAIRVIEW and STORMBREW have a number of subsets that were not known before. It also shows that my previous interpretation of the US-984X SIGAD wasn't correct.

The slide tells us that BLARNEY collection under the FISA Amendments Act (FAA) is designated US-984X*, and it's this asterisk which apparently acts as a placeholder for other facilities collecting under FAA authority:

- US-984XA-H for eight STORMBREW collection facilities under FAA
- US-984XR for a FAIRVIEW collection facility under FAA
- US-984X2 for another FAIRVIEW collection facility under FAA

Here we see US-984X followed by different letters and also a number, which means it's now unlikely that "XN" in the PRISM SIGAD US-984XN is a placeholder for a letter and a number, as I assumed before. With US-984XN, PRISM actually fits the format of BLARNEY facilities which collect data under FAA authority. This also means that there's only one SIGAD for the PRISM program, and not one for each of the internet companies, although that would have made some sense.

My idea that the first two characters of the PRISM case notation (P1, P2, etc.) could be the suffix after US-984 is also refuted by the fact that the high-resolution slide shows that US-984P is actually the SIGAD for a STORMBREW facility under FISA authority. FAIRVIEW also has collection under FISA, which is designated US-984T.
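The designator formats discussed above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of any slide; it tests each designator quoted in this post against the XX-NNNxn scheme and collects the ones matching US-984X*. The function names are hypothetical and the input list is assembled only from designators mentioned in the text.

```python
import re

# Wikipedia scheme quoted in the article (XX-NNNxn): two letters, three or
# four digits, optional letter sub-designator, optional digit sub-sub-designator.
STRICT = re.compile(r"^[A-Z]{2}-\d{3,4}(?:[A-Z]\d?)?$")
# Looser shape covering every suffix that appears on the slides.
LOOSE = re.compile(r"^([A-Z]{2}-\d{3,4})([A-Z0-9]{0,2})$")
# Slide shorthand for a run of final letters, e.g. US-984XA-H.
RANGE = re.compile(r"^(.+?)([A-Z])-([A-Z])$")

# Designators taken from the article text (assembled here, not an official list).
SEEN = ["US-984", "US-984XN", "US-984XA-H", "US-984XR", "US-984X2",
        "US-984P", "US-984T", "US-990", "US-983", "US-987LA", "US-987LB"]


def expand(notation):
    """Turn shorthand like 'US-984XA-H' into the individual designators."""
    m = RANGE.match(notation)
    if not m:
        return [notation]
    prefix, first, last = m.groups()
    return [prefix + chr(c) for c in range(ord(first), ord(last) + 1)]


def parse(sigad):
    """Split a designator into parent and suffix and test it against XX-NNNxn."""
    m = LOOSE.match(sigad)
    if not m:
        raise ValueError(f"not a SIGAD-shaped string: {sigad!r}")
    parent, suffix = m.groups()
    return {"sigad": sigad, "parent": parent, "suffix": suffix,
            "fits_scheme": bool(STRICT.match(sigad))}


def faa_facilities(notations, parent="US-984"):
    """Designators matching the slide's US-984X* pattern (X plus one character)."""
    parsed = [parse(s) for n in notations for s in expand(n)]
    return sorted(p["sigad"] for p in parsed
                  if p["parent"] == parent and len(p["suffix"]) == 2
                  and p["suffix"][0] == "X")


if __name__ == "__main__":
    for n in SEEN:
        for s in expand(n):
            print(parse(s))
    print(faa_facilities(SEEN))
```

Only US-984X2 among the FAA designators fits the letter-then-digit scheme; US-984XN, US-984XR and the XA to XH range carry two letters, which is consistent with reading the character after the X as a free placeholder.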

The original parent programs of FAIRVIEW (US-990) and STORMBREW (US-983) are under Transit (T) authority, which means that they collect communications which originate and terminate in foreign countries when they transit the United States.


Under BLARNEY, information is collected from both telephone and internet communications at facilities in the United States. The program was started in 1978 under the authority of the Foreign Intelligence Surveillance Act (FISA), which was enacted in the same year for regulating foreign intelligence collection in which communications of Americans could be involved. The SIGAD for BLARNEY collection under this initial FISA authority is US-984.

According to a report of the Wall Street Journal, BLARNEY was established with AT&T, for capturing foreign communications at or near key international fiber-optic cable landing points, like the AT&T facility Room 641A in San Francisco that was revealed in 2006. A similar facility was reportedly built at an AT&T site in New Jersey.

One of the doors of room 641A in the building of AT&T in San Francisco,
where the NSA had a secret internet tapping device installed,
which was revealed by an AT&T technician in 2006.

After the 2001 attacks these intercept capabilities were expanded to top-level telecommunications facilities within the United States, like main switching stations for telephone and internet traffic. These are accessed through arrangements with American internet backbone providers. Finally companies providing internet services like Microsoft, Google and Facebook were added.

Since 2008 this collection takes place under authority of the FISA Amendments Act (FAA) and the specific BLARNEY sub-programs and corporate partners are identified by SIGADs in the format US-984X*.

According to the recently disclosed US Intelligence Budget, NSA pays 65.96 million USD for costs incurred by corporate partners under the BLARNEY program. As PRISM is part of BLARNEY, it's possible that part of that money (maybe the 20 million mentioned in this slide?) is also for expenses incurred by the internet companies like Facebook, Google and Yahoo.

When PRISM was unveiled in June, the Guardian said this program was one of the main contributors to the President's Daily Brief, the top-secret document which briefs the US president every morning on intelligence matters. Being the PRISM parent program, BLARNEY is also one of the top sources to this document. According to a report by Der Spiegel, some 11,000 pieces of information reportedly come from BLARNEY every year.

This is shown in the slide below with a chart of the Top Ten Collection SIGADs from 2010-2011:

(screenshot courtesy @koenr)

In green we see the signals intelligence sources where NSA's Special Source Operations (SSO) division uses arrangements with corporate partners, in blue the sources where there are no such arrangements needed, which means SSO can collect the data on its own.

By far the most productive sources are the facilities under US-984X*, which include PRISM. Second comes information from what is called "transit only" traffic under the FAIRVIEW program (US-990). The initial BLARNEY collection under US-984, which is apparently from the AT&T network, is the ninth most productive source.

Some more information about BLARNEY is in another slide that was shown on Brazilian television:


Among other things, the slide says that BLARNEY is used for gathering information related to counter proliferation, counter terrorism, foreign diplomats and governments, as well as economic and military targets. PRISM seems to be used against more or less the same targets, as can be seen in a lesser known slide of the famous PRISM powerpoint presentation:

(it seems the bottom part of this slide was blacked out by Brazilian media, as the Indian
paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as
topics under the header "India", and also information from Asian and African
countries is contributing to a total of "589 End product Reports")

Once again this makes clear that programs like BLARNEY and PRISM are used to gather information about the usual strategic and tactical topics and therefore not for spying on Americans or other ordinary people.

(Updated on September 23 with the slide describing US-984X, the slide with the PRISM topics, some additional information from the WSJ report and a new slide about the top ten FAA sources)


Anonymous said...

outstanding cross referencing and leg work!!!

"this makes clear that programs like BLARNEY and PRISM are ... not for spying on Americans or other ordinary people."

because they don't put it in slides, doesn't mean they don't do it.
You ever seen a slide describing wet work or entrapment techniques?
they destroyed almost all MKULTRA documents, they destroyed the Enhanced Interrogation Transcripts too

when Henry Stimson said "gentlemen don't read each other's mail", Little Did He Know

P/K said...

It's true that those slides don't provide a positive proof of the fact that no ordinary people or Americans are targeted, but still they give a strong indication. Remember that these slides were secretly taken away by Snowden, so they contain information that's only for internal use.

Snowden and Greenwald are making quite a big point of the spying on ordinary people, but if NSA really does that, then they should provide more direct proof, which shouldn't be that difficult, as there are priority lists for which people and organizations have to be targeted by the various US intelligence agencies.