Monday, August 31, 2015

FAIRVIEW: Collecting foreign intelligence inside the US

(Updated: September 7, 2015)

On August 15, The New York Times and Pro Publica published a story in which the big US telecommunications company AT&T was identified as a key partner of the NSA.

Interesting details about this cooperation and the cable tapping were already in the 2008 book The Shadow Factory by James Bamford, but with the new story, also a number of clarifying documents from the Snowden-trove were disclosed.

Among them are some powerpoint presentations that contain the slides which had been shown on Brazilian televion two years ago. They were first discussed on this weblog in January 2014.

Here we will combine these new and old documents to provide a detailed picture of this important collection program, that was previously misunderstood on various occasions.





The AT&T switching center at 611 Folsom Street, San Francisco,
where there's a cable access under the FAIRVIEW program
(Photo via Wikimapia - Click to enlarge)

 

Context

At NSA, the division Special Source Operations (SSO) is responsible for collecting data from backbone telephone and internet cables. For that, SSO also cooperates with private telecommunication providers under the following four programs, which are collectively referred to as Upstream Collection:
- BLARNEY (collection under FISA authority, since 1978)
- FAIRVIEW (cooperation with AT&T, since 1985)
- STORMBREW (cooperation with Verizon, since 2001)
- OAKSTAR (cooperation with 7 other telecoms, since 2004)*

Before the new revelations, it was often assumed that BLARNEY was the program for NSA's cooperation with AT&T. The Wall Street Journal reported this in August 2013, based upon former officials, saying that BLARNEY was established for capturing foreign communications at or near over a dozen key international fiber-optic cable landing points. This assumption was also followed by Glenn Greenwald in his book No Place to Hide from May 2014.

In a letter to Cryptome, James Atkinson suggests that BLARNEY was the covername for cooperation with AT&T since 1978, and that after the Bell break-up, BLARNEY stayed active for FISA collection, and the new covername FAIRVIEW was created for the "new" AT&T. One new slide however, shows that BLARNEY actually encompasses all (over 30) companies that are cooperating for FISA collection, including of course AT&T and Verizon.


Speculations

The assumption that BLARNEY was the program for AT&T left room for speculation about the purpose and scope of the FAIRVIEW program.

For example, former NSA official and whistleblower Thomas Drake told DailyDot.com in July 2013 that FAIRVIEW was for tapping into the world's intercontinental fiber-optic cables and "to own the Internet". According to Drake it was an umbrella program with other programs, like BLARNEY, underneath it.

Similarly speculative was Bill Binney, also a former NSA official who left and became a whistleblower in 2001. On multiple occasions he said that a map showing the FAIRVIEW tapping points proofs that NSA collects "content and metadata on US citizens" because those collection points are spread across the country:



Slide from an NSA presentation as shown on the Brazilian
television show Fantástico on September 8, 2013


The new revelations by The New York Times and Pro Publica have now shown that the explanations by both Drake and Binney were misleading: FAIRVIEW is neither an overarching internet tapping program, nor is it collecting communications of US citizens.


Cover names

Closest to the truth came NSA historian Matthew Aid, who in an article by The Washington Post from October 2013, said that STORMBREW is the NSA alias used for Verizon, while FAIRVIEW stands for AT&T.

That's the right connection, although STORMBREW and FAIRVIEW aren't the cover names for these companies themselves, but the code words for the programs under which NSA cooperates with these telecoms.

The cover name for AT&T itself (at least under the BLARNEY program) is probably LITHIUM and for Verizon ARTIFICE. Cover names for other, but yet unidentified US telecoms are ROCKSALT, SERENADE, STEELKNIGHT and WOLFPOINT - their actual names are in the Exceptionally Controlled Information (ECI) compartment WHIPGENIE (WPG).

Although Snowden seems to have had no access to that ECI compartment, reporters for Pro Publica were able to identify both companies based upon various details found in the NSA documents about the STORMBREW and FAIRVIEW programs.

  Legal authorities

The actual purpose of FAIRVIEW can be learned from an NSA presentation, which clearly says the program is for collecting communications of foreign targets at collection points that are inside the United States. Two other excerpts say that FAIRVIEW is also used for current and future "cyber plans", which probably include searching for cyber signatures.

All this happens under three different legal authorities, and for each there's a different SIGINT Activity Designator (SIGAD):
Traditional FISA:
- Communications of persons being agents of foreign powers or connected to international terrorist groups
- Individualized warrant needed from the FISA Court
- Internet traffic only (SIGAD: US-984T)

Section 702 FAA:
- Communications of foreigners/with one end foreign
- Must be justified under an annual FAA Certification
- All kinds of internet traffic (SIGAD: US-984XR)
- Telephone traffic (SIGAD: US-984X2)

Transit Authority:
- Communications with both ends foreign
- No external approval required
- Internet traffic: only e-mail (SIGAD: US-990)
- Telephony: according to "Directory ONMR" (SIGAD: US-990)

For collection under Transit Authority, the presentation says that communications "must be confirmed foreign-to-foreign", which is ensured by filters at the actual tapping points (see stage 1 of the dataflow, down below).

These filters only forward authorized traffic to the selection engines, which then pick out the communications that match with strong selectors, like e-mail addresses, phone numbers, etc. These selectors are entered into the system by analysts using the tasking tools UTT, CADENCE (for internet) and OCTAVE (for telephony).

Examples of such selected, authorized traffic can be seen in a number of slides that were shown in a Fantástico report from July 9, 2013. They are from a presentation that has not yet been released. These slides contain maps, which show the amount of internet traffic to countries like North Korea, Russia, Pakistan and Iran, as seen on March 4-5, 2012.
Scroll here > 

In the first slide we see for example internet traffic (DNI) to Pakistan, which has been determined to be foreign-to-foreign and may therefore be collected under Transit Authority. As such, front-end filters forwarded this traffic to the selection engines for further filtering.



The slide below has a map showing the internet traffic to Pakistan, which is eligible for collection under FAA authority:



The next slide shows a list of "Top 20 Pakistani domains (.pk)" which where tracked between February 15, 2012 and March 11, 2012:



A map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment", which means internet traffic which is authorized for collection under FAA authority:



Next is a list op "Top 20 North Korean domains (.kp)" which where tracked between February 15, 2012 and March 11, 2012. Note that only two websites generate notable traffic, all other have less than 1 Kbps:



A map showing internet traffic to Iran, which is eligible for collection under FAA authority:



A map showing internet traffic to Russia, which is authorized for collection under Transit authority:




Determining what traffic is foreign is done by filtering based upon telephone country codes and internet IP addresses. For telephony this is quite reliable, but particularly for internet traffic, the speaker's notes for another NSA presentation admit that it is difficult to proof the foreigness. Therefore, it is occasionally discovered that one end of an intercept is actually in the US, which then has to be reported as a "domestic incident".

  Tapping points

One of the most interesting new documents is an NSA presentation from 2010 about the Corporate Partner Accesses, which has the map for the FAIRVIEW program with all the domestic dots, but this time with the explaining legend:




From the legend in combination with the dots on the map, we learn that under the FAIRVIEW program, NSA at that time had access points at the following parts of the AT&T network:
- Peering Link Router Complex (8)
- VoIP Router Complex (26, planned: 0)
- Hub VoIP Router Complex (1, planned: 30)
- Program Cable Station (9, planned: 7)
- Non-Program Cable Station (0)
- RIMROCK 4ESS Circuit Switch (16)
- Program Processing Site (1)

One important thing is that most of the markers inside the US do not represent traditional cable tapping points like those along the borders, but are current and planned accesses to Voice over IP communications. Here's some explanation about the other types of access points too:

Peering Link Router Complex
NSA has 8 access points at AT&T Peering Link Router Complexes. According to Pro Publica they correspond to AT&T's Service Node Routing Complexes (SNRCs), where other communication providers connect to the AT&T backbone through OC-192 and 10GE fiber-optic cables. For NSA, this means they can catch traffic from those other providers too. This backbone access is codenamed SAGURA or SAGUARO. The 8 facilities are in:
- Seattle
- San Francisco
 - Los Angeles
- Dallas
 - Chicago
- Atlanta
 - New York City
- Washington DC
It was this kind of access point that was/is in Room 641A in San Francisco, as was exposed by Mark Klein during a lawsuit in 2006. Klein told that the equipment in room 641a was installed early 2003, which could fit the turning on of "a new DNI (Digital Network Intelligence) collection capability" in September of that year.

VoIP Router Complex
The largest number of active access points, 26, are at VoIP Router complexes, which are apparently used for routing voice communications over IP networks, like the internet. No new accesses of this kind were plannend, but expansion seems to be in the next category:

Hub VoIP Router Complex
In the map from 2010 we see only one active access at a Hub VoIP Router Complex, which is somewhere near New York City (maybe in Florham Park, NJ, where AT&T has a data warehouse and its laboratory?). Access to VoIP communications was clearly seen as something that needed expansion, as 30 locations are marked as a planned access point. Unfortunately, no documents have yet been released about this effort.



Map of the US internet backbone network of AT&T in 2009
(Source: AT&T brochure - Click to enlarge)



Program Cable Station
At the time of the presentation, there were 9 AT&T cable stations with a tapping facility, and another 7 for which that was planned. For an article on Pro Publica, it was found out that 9 of these active and planned stations in the continental US correspond to cable landing stations owned by AT&T.
There are also two active and five planned accesses at cable landing points which are probably located in Hawaii and Puerto Rico. Some of the active facilities are in:
- Nedonna Beach, Oregon
- Point Arena, California
- San Luis Obispo, California
- Tuckerton, New Yersey
- West Palm Beach, Florida

RIMROCK 4ESS Circuit Switch
These facilities refer to a 4ESS switch, which is used for long-distance telephone switching. Approximately 100 of these switches are operated by AT&T, but according to the map, only 16 of them have a tapping facility codenamed TOPROCK. Except for two, they are situated along the US border, so seem to be for collecting (the metadata of) in- and outgoing phone calls. These sites appear to be in or near:
- Seattle
- Spokane
- Sacramento
- Los Angeles
 - San Diego
- Albuquerque
- San Antonio
- Lansing
 - Atlanta
- Pittsburgh
- Buffalo

 - Kingston
- Hartford (2)
- New York City (2)


Program Processing Site
Finally, there's one centralized Program Processing Site, which is codenamed PINECONE. The map indicates that it's situated somewhere near the AT&T cable landing station of Tuckerton in New Jersey.



The AT&T intercontinental cable landing station in Tuckerton, New Jersey,
which got a fake facade when residences were build around it.
(Photo: Bing maps - Click to enlarge)


  Dataflow

Seen for the first time is an NSA presentation from 2012 with five diagrams showing the dataflow for the various collection methods under the FAIRVIEW program. There are diagrams for:
- Transit internet content (US-990)
- Transit internet metadata (US-990)
- Transit telephony metadata and SMS (US-990)
- FISA e-mail content (US-984T)
- FISA internet content (US-984T)

There are no diagrams for FAIRVIEW collection under the authority of section 702 FAA.



Dataflow for internet content collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)



These diagrams show that processing the data from tha various collection points takes places in 3 different stages at 3 different locations:
1. Access and processing at the partner company
2. Site processing in a central secure facility
3. Processing and storage at NSA headquarters

Here's a description of what roughly happens during these 3 stages:


1. Access and processing at the partner company

In the first stage, AT&T provides access to internet and telephone cables and does some filtering and processing right at the various tapping points:
- For the internet collection, we see that the traffic is split at the switches where AT&T's own accesses, as well as peering partner's cables connect to the AT&T Common Back Bone (CBB).

This duplicated traffic goes to one or more routers, where "Foreign IP Filtering" takes place to select foreign and discard domestic traffic. The remaining data stream is then sent over to the central processing facility of the second stage, probably over OC-48 links of 2,4 Gbit/s. The same happens with traffic from other cable access points codenamed MESA.

It was this kind of installation that Mark Klein discovered in Room 641A in the SBC building in San Francisco in 2006. Many people assumed that in this way, NSA was able to store everything that runs over those cables, including American's communications, but now we know that filters ensure that only foreign traffic is sorted out for further processing.
Update:
Klein also testified that in room 641A there was equipment from Narus, which can be used to sessionize and filter data streams, but this is not seen in the diagrams. Maybe, after the exposure of room 641A, NSA moved that kind of equipment from the actual AT&T tapping points to the centralized processing facility codenamed PINECONE.

According to an NSA glossary, there are tens of thousands access links to the AT&T Common BackBone, which "would make 100% coverage prohibitively expensive". Therefore, NSA's Operations and Discovery Division (ODD) worked with AT&T to rank the access routers, and (only?) 8 router uplinks were deemed of high SIGINT interest and subsequently nominated for monitoring.

- Telephone metadata under Transit Authority are collected from Foreign Gateway Switches and "ATPs", by a "CNI [Calling Number Identification] & Call Processor" in facilities codenamed TOPROCK. These metadata are also sent over to the central processing facility of the second stage.


One of the doors to room 641A in the building of AT&T in San Francisco,
where there's an access point to the AT&T Common BackBone


2. Site processing in a central secure facility

The second stage comprises processing which takes place at a central location, in a highly secured building, a Sensitive Compartmented Information Facility (SCIF), which for the FAIRVIEW program is codenamed PINECONE. The equipment there is partly controlled by the partner company and partly by NSA.

Processing data from the many tapping points under the FAIRVIEW program at one central facility is only possible when already large amounts have discarded during the first stage. The remaining data stream is probably sent (unencrypted) to PINECONE over dedicated links within the AT&T network.
- Internet data arrive at IP Routers (IPRs) and via IP Processors (IPPs) go to an "Information Media Manager Distribution Box". Internet metadata then go directly to MAILORDER. This device sends them to NSA headquarters (NSA-W), where they are received by another MAILORDER box.

Until now, MAILORDER was known as a tool for transferring data, but now it becomes clear that MAILORDER actually is the device that encrypts the data so they can be transmitted safely from the PINECONE facility to NSA headquarters.

Before going to MAILORDER, internet content has to pass another box codenamed COURIERSKILL/CLEARSIGHT. This device also gets an input from the CADENCE tasking tool at NSA headquarters: the selectors for filtering.

Therefore, COURIERSKILL/CLEARSIGHT is the device that sorts out the communications that match the e-mail addresses and other identifiers as requested by NSA analysts. For e-mail collection under FISA authority, this filtering is done (directly) by XKEYSCORE.

After passing GATEKEEP, which could be some kind of access control system, the filtered internet content of interest goes to MAILORDER to be sent over to Fort Meade.

- Telephone metadata and SMS messages also pass an "Information Media Manager Distribution Box", which is connected to an unknown device marked NGTPD. Via MAILORDER, these data too are sent over to NSA headquarters.

3. Processing and storage at NSA headquarters

In the third and final stage, which is at NSA headquarters, the data from the central processing facility PINECONE arrive at a MAILORDER box, which is on the FAIRVIEW Local Area Network (LAN) codenamed HIGHDECIBEL.

From this LAN, the data are sent to NSA's core corporate network, again via secure MAILORDER transmission, to be stored in the various and meanwhile well-known databases, like PINWALE, MAINWAY, MARINA, FASCIA and DISHFIRE.
- Internet content first passes FISHWAY, which is a "Data Batching & Distribution System", and then SCISSORS. The latter was first seen in the earliest PRISM slides, and is a "Data Scanning, Formatting & Distribution System", as we learn from this diagram.

Raw internet content and e-mails collected under FISA authority are stored in the RAGTIME partition of the PINWALE database and are classified as TOP SECRET//SI-ECI RGT//REL [...].

- Internet metadata first pass FALLOUT, which is an internet metadata ingest processor/database, while telephone metadata and SMS go to FASCIA, which has the same function for this type of data.



Overview of the numbers of data collected under the FAIRVIEW program
(Click to enlarge)

  Results

According to one of the newly disclosed NSA documents, the internet access under the FAIRVIEW program was initially used only for collecting e-mail messages. In 2003, this resulted in more than one million e-mails a day being forwarded to the keyword selection system at NSA headquarters.

This number had risen to 5 million a day in 2012, which remained after applying some kind of "3 Swing Algorithm" to 60 million foreign-to-foreign e-mail messages that were captured by FAIRVIEW every day under Transit Authority - according to the speaker's notes for an NSA presentation from 2012.

Again we see a huge amount of data passing (which in de documents is called "captured" by) the FAIRVIEW tapping points, but that filters only select a small part which is then forwarded to the NSA for further selection. The 5 million e-mail messages a day in 2012 made 150 million a month and 1,8 billion a year.


BOUNDLESSINFORMANT

The most recent numbers of the data collected under FAIRVIEW can be derived from a chart from the NSA's BOUNDLESSINFORMANT tool, which was published in May 2014 as part of Glenn Greenwald's book No Place to Hide:




During the one month period between December 10, 2012 and January 8, 2013, exactly 6.142.932.557 metadata records were counted for collection under Transit Authority, which for the FAIRVIEW program is denoted by the SIGAD US-990.

This means the numbers for FAIRVIEW collection under FISA and section 702 FAA authority are not included in this chart. But in those cases, only communications related to specific e-mail addresses or similar identifiers are collected, which results in far smaller numbers: according to a 2011 FISA Court ruling (pdf), Upstream collection under section 702 FAA resulted in just 22 million "internet communications" each year.

The over 6 billion records for FAIRVIEW account for only 3,75% of the total number of data the NSA collects through its cable tapping programs, which is remarkably small given the large number of access points at major internet cables and switches.


Tech details

In the lower part, the pie chart shows that under Transit Authority, roughly the following number of records were counted for FAIRVIEW:

- 87% or 5,3 billion: Personal Communications Services (PCS, cell phone, etc)
- 2% or 122 million: Mobile communications-over-IP (MOIP)
- 8% or 488 million: Public Switched Telephone Network (PSTN)
- 3% or 183 million: Internet communications (DNI)

As reflected by the bar chart, the overwhelming majority of data come from foreign-to-foreign telephone communications, mostly from cell phones. Because there's no dataflow diagram for the content of phone calls, it's possible that this is only telephone metadata and SMS messages.

Only about 3% comes from foreign-to-foreign e-mail messages, for which some 183 million metadata records were counted. This number comes close to the roughly 150 million e-mails a month that were processed in 2012, which could indicate that one metadata record equals one e-mail message.

The technology used to process 97% of these data is called FAIRVIEWCOTS, which could be a combination of the program's codename and the abbreviation COTS, which stands for Commercial-Of-The-Shelf equipment. Only nearly 3%, so probably the e-mail traffic, is processed by a hitherto unknown system codenamed KEELSON. Finally, a tiny number also went through SCISSORS.


Product reports

After the data have been collected and stored, analysts go through it, looking for useful intelligence information and put that in so-called product reports. A slide from a 2012 presentation about SSO's Corporate Portfolio, shows the Top Ten programs based upon the product reports that were prepaired during the fiscal year 2010-2011:




We see that with 7357 product reports, US-990, which is FAIRVIEW collection under Transit Authority, ranks as the second most productive source. However, 4 times more reports came from collection under section 702 FAA, which is not only derived from PRISM, but also from the STORMBREW and FAIRVIEW programs.

Although below the program ranking first, there are not very big differences in the numbers of reports, the chart still shows how focused FAIRVIEW collection must be: the 3,75% of the data it pulls in, is apparently so useful that it results in a big number of product reports.

From a different presentation, we have a similar diagram with the numbers for the fiscal year 2009-2010:



Cooperation

The FAIRVIEW map also mentions a close partnership with the FBI. Under the PRISM program it's the FBI that actually picks up the data at the various internet companies, but for Upstream collection, like under FAIRVIEW, that's not the case: here the NSA has a direct relationship with the telecoms.

This leaves the option that the FBI (just like the DEA and the CIA) is also a so-called customer of the program, meaning that the Bureau can request the collection of certain target's communications and access some of the data that NSA collected under FAIRVIEW.

  Domestic metadata

The newly disclosed documents about FAIRVIEW also provide some new details about the bulk collection of domestic metadata, which is considered to be one of the most controversial activities of the NSA. Somewhat unexpected is that for AT&T this happens under FAIRVIEW, instead of a separate program.


Internet metadata

An NSA document from 2003 seems to be about bulk internet data. It says that FAIRVIEW also collected "metadata, or data about the network and the communications it carries" and that for September 2003 alone, "FAIRVIEW captured several trillion metadata records - of which more than 400 billion were selected for processing or storage".

This doesn't really sound like AT&T handed over bulk metadata indiscriminately, but it would fit how it's described in the 2009 STELLARWIND-report (in which, according to Pro Publica, AT&T is mentioned as "Company A") about the collection efforts under the President's Surveillance Program (PSP):
"In order to be a candidate for PSP IP metadata collection, data links were first vetted to ensure that the preponderance of communications was from foreign sources, and that there was a high probability of collecting al Qaeda (and affiliate) communications. NSA took great care to ensure that metadata was produced against foreign, not domestic, communications"

It seems that at that time, AT&T did hand over massive amounts of internet metadata from its domestic infrastructure, but also made sure these were not about American communications.
Update:
The "internet dragnet", that is, the bulk collection of internet metadata of domestic communications under the authority of section 402 FISA (at NSA called PR/TT) was first approved by the FISA Court on July 14, 2004. That means, the 400 billion metadata collected under FAIRVIEW in 2003 were not yet part of the PR/TT bulk collection, and accordingly not domestic.

It is still remarkable that AT&T was able to forward 400 billion metadata records a month just from its foreign communications: in 2012, the total number of internet metadata that NSA collected worldwide was "just" 312 billion a month.

The 2003 document says these metadata were flowing to MAINWAY, which appears to be not only for telephone records, but "NSA's primary tool for conducting metadata analysis" in general.* One of the dataflow diagrams also shows that internet metadata first flow into MAINWAY, and from there to MARINA, which is the repository for internet metadata:



Dataflow for internet metadata collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)



Telephone metadata

About bulk telephone metadata there's an NSA document from 2011. It says that as of September 2011, FAIRVIEW began handing over "1.1 billion cellular records a day in addition to the 700M records delivered currently" under the Business Record (BR) FISA authorization, which refers to section 215 of the USA PATRIOT Act.

It was already known that the major US telecoms handed over their metadata records of landline telephone calls, but here we see that AT&T also started doing so for cell phone calls.

And for the very first time we also have some numbers now: the total of 1,8 billion a day provided by AT&T make 54 billion a month and about 650 billion phone records a year. For comparison, in 2012, NSA's regular foreign collection resulted in a total number of 135 billion telephone records a month and 1,6 trillion a year.

The mobile phone metadata provided by AT&T were fed into the MAINWAY database to be used for contact chaining in order to "detect previously unknown terrorist threats in the United States". Before these records were handed over to NSA, AT&T stripped off the location data, to comply with the FISA Court orders, that don't allow those data to be collected.

Apparently Verizon Wireless and T-Mobile US don't strip off these location data, so their cell phone records cannot be handed over to NSA, which therefore only gets less than 30% of the domestic telephone metadata.
 
Conclusion

The reports by Pro Publica and The New York Times stress AT&T's "extreme willingness to help" the NSA, which some people consider bad and scary. But maybe this very close cooperation helps to make data collection as targeted and focused as possible. Apart from the domestic metadata collection under BR-FISA, the relatively small numbers of data collected under the FAIRVIEW program, appear to contain a lot of valuable foreign intelligence information.

The fear was that under FAIRVIEW, large numbers of American's communications were sucked up by the NSA. However, the documents and diagrams show that there are filter systems that for collection under Transit Authority only let foreign-to-foreign communications through. Collection under section 702 FAA is already about foreign targets outside the US, while under FISA authority there's an individualized FISA Court order.

Interesting questions that remain are about the function of the rapidly growing number of VoIP collection points, as well as about the scope of the cyber security effort, and how in these fields, NSA tries to protect the rights of American citizens.




Links and sources
- Bruce Schneier: NSA's Partnership with AT&T
- Matthew Green: The network is hostile
- EmptyWheel.net: What’s a Little (or a Lot) Cooperation Among Spies?
- EmptyWheel.net: AT&T Pulled Cell Location for Its “Mobility Cell Data”
- Wired.com: AT&T Whistle-Blower's Evidence
- Atlantic-cable.com: History of the Atlantic Cable & Undersea Communications

Monday, July 27, 2015

New IP phones in the White House



From a recent photo from the Oval Office, we learn that, probably last May, new telephones for non-secure calls have been installed in the White House. They replace older ones, that were used there since 1996.

The new devices are IP phones, which means they run over an internal packet-switched IP network, instead of a traditional circuit-switched telephone network.


The new Avaya 9608

The new device is a dark gray office phone, model 9608, made by Avaya, which is a leading American manufacturer of telecommunications equipment. Avaya was previously part of Lucent Technologies, which was a spin-off of AT&T.

This model is relatively simple, it's one that is commonly used in offices all over the world. It just has an average monochrome display - not a fancy color touch screen, like other high-end executive models from Avaya's 9600-series.

Although that may look nice, for the president such features would not be of much use, as most of his calls are made through an operator from the White House switchboard.



President Obama talks on his phone for secure calls with Secretary of State
John Kerry. In front of it there's the new Avaya 9608, July 13, 2015.
(White House photo by Pete Souza - Click to enlarge)



The new Avaya 9608 phone has no special security features, as it is used for all non-secure calls, both within and outside the White House.


The Cisco 7975G

For secure calls that have to be encrypted, the president uses the other phone on his desk, which is a Cisco 7975G Unified IP Phone (with expansion module 7916). This is also a very widely used high end office phone, and as such not specially secured itself, but here it is connected to the dedicated Executive Voice over Secure IP (VoSIP) network, which connects the White House with some of the most senior policy makers and provides the highest level of encryption.


The previous Lucent 8520

For non-secure calls, the new Avaya replaces the Lucent 8520T on Obama's desk. This Lucent phone was from the most widely used business phone series worldwide. It came in use in 1996, when the White House got a completely new telephone system, which was installed by AT&T and costed 25 million USD.

This new system consisted of an automated private branch exchange (PBX) with black executive phone sets models 8410 and 8520 from Lucent, with the large 8520 on the president's desk in the Oval Office:



The previous Lucent 8520 and the Cisco 7975 on Obama's desk, July 31, 2011
(White House photo by Pete Souza)



Before 1996, the White House still used the manual switchboard from the days of president Johnson. On the president's desk there was even the push button version of the Western Electric 18-button Call Director dating back to the 1960s. The installation of the new telephone system under president Clinton is also discussed in this television report:




NBC television on the new White House phone system (1996)



See also:

- Does Obama really lack cool phones?
- A White House staff phone

- Overview of older Presidential Telephones of the United States

Friday, June 26, 2015

Wikileaks published some of the most secret NSA reports so far

(Updated: June 30, 2015)

Last Tuesday, June 23, the website Wikileaks (in cooperation with Libération and Mediapart) published a number of NSA-documents showing that between 2006 and 2012, NSA had been able to eavesdrop on the phone calls of three French presidents.

This is the first time we see actual finished intelligence reports that prove such eavesdropping, and being classified as TOP SECRET//COMINT-GAMMA they are much more sensitive than most of the documents from the Snowden-archive.

Also it seems that these new Wikileaks-documents are not from Snowden, but from another source, which could be the same as the one that leaked a database record about NSA's eavesdropping on German chancellor Merkel.

Update:
On Monday, June 29, Wikileaks published two Information Need (IN) requests and five additional intelligence reports, but the latter are not as highly classified as the ones revealed earlier.




NSA intelligence report about an intercepted conversation between French president
François Hollande and prime minister Jean-Marc Ayrault, May 22, 2012.
(Watermarked by Wikileaks - Click to enlarge)
 

Intelligence reports

The reports are from various editions of the "Global SIGINT Highlights - Executive Edition" briefings. Only one report is published in the original layout with header and a disclaimer, the other ones are just transcripts, probably because they are taken from pages that also contain reports about other countries. For Wikileaks it is very unusual to disclose documents in such a selective way.

The newsletter contains or is based upon so-called Serialized Reports, which are "the primary means by which NSA provides foreign intelligence information to intelligence users", most of whom are outside the SIGINT community. Such a report can be in electrical, hard-copy, video, or digital form.

The first five intelligence reports published by Wikileaks are:

2006:
Conversation between president Jacques Chirac and foreign minister Philippe Douste-Blazy.
- Method: Unconventional
- Serial number: G/OO/6411-06, 271650Z
- Classification: Top Secret/Comint-Gamma

2008:
Positions of president Nicolas Sarkozy.
- Method: Unidentified
- Serial number: G/OO/503290-08, 291640Z
- Classification: Top Secret/Comint-Gamma

2010, March 24:
Conversation between the French ambassador in Washington Pierre Vimont and Sarkozy's diplomatic advisor Jean-David Levitte.
- Method: Unconventional
- Serial number: Z-3/OO/507179-10, 231635Z
- Classification: Top Secret/Comint

2011, June 11:
Conversation between president Nicolas Sarkozy and foreign minister Alain Juppé.
- Method: Unconventional
- Serial number: Z-G/OO/513370-11, 091416Z
- Classification: Top Secret/Comint-Gamma

2012, May 22:
Conversation between president François Hollande and prime minister Jean-Marc Ayrault.
- Method: Foreign satellite and Unconventional
- Serial numbers: Z-G/OO/503643-12, 211549Z and Z-G/OO/503541-12, 161711Z
- Classification: Top Secret/Comint-Gamma
 
Methods

For most of the five initial, and for all five additional reports, NSA's source of the intercepted communications is "Unconventional". It's not clear what that means, but phone calls between the president and his ministers will in most cases be handled by a local switch and therefore don't go through the intercontinental submarine fiber-optic cables, where they could pass NSA's conventional filter systems for telephone and internet traffic.

For intercepting this kind of foreign government phone calls, NSA would have to have access to the public telephone exchange(s) of Paris or the private branch exchanges (PBX) of the presidential palace and important government departments.

This would indeed require unconventional methods, like those conducted by the joint NSA-CIA units of the Special Collection Service (SCS) who operate from US embassies, or NSA's hacking division TAO.
Update:
According to a book by James Bamford, NSA had an Office of Unconventional Programs in the late 1990s, which in another book was presented as NSA's own equivalent of the SCS units. It is not known whether this office still exists or has evolved into another division.
A 2010 presentation (.pdf) says that RAMPART-A is "NSA's unconventional special access program". This is about cable tapping in cooperation with Third Party partner agencies, but seems not the means to get access to local government phone calls.

In one case, the source is "Foreign Satellite" (or FORNSAT), which is the traditional interception of the downlinks of communication satellites. This method was probably used because president Hollande visited his American counterpart in Washington a few days earlier.

In yet one other case, the method is "Unidentified", and although Wikileaks says it's about an "intercepted communication", the actual report only reflects the positions of president Sarkozy, without mentioning a conversation counterpart.



Google Earth view of the US embassy in Paris, where a joint NSA-CIA unit
of the SCS is stationed. The building in the center has a rooftop
structure that is probably used for spying purposes.
(Click to enlarge)


Classification

Looking at the classification level of the reports shows that they are TOP SECRET//COMINT-GAMMA when the president is involved in the conversation. Intercepted communications between ministers and/or top level advisors, diplomats and government officials are "only" classified as TOP SECRET//COMINT.

Three of the reports have the dissemination marking NOFORN, meaning they may not be released to foreigners. The other two may be released to officials with a need-to-know from agencies of the Five Eyes community.

Four of the reports also have the marking ORCON, meaning the originator controls dissemination of a document, for example by imposing that it has to be viewed in a secured area, or by not allowing copies to be made.


The GAMMA compartment

Probably most remarkable about these reports is that they are from the GAMMA compartment, which protects highly sensitive communication intercepts. It was already used in the late 1960s for intercepted phone calls from Soviet leaders.

The overwhelming majority of the Snowden-documents is classified TOP SECRET//COMINT, with COMINT being the control system for signals intelligence which covers almost anything the NSA does. All those powerpoint presentations, wiki pages and daily business reports are therefore not the agency's biggest secrets.

It is not clear whether Snowden had access to the GAMMA compartment. So far, no such documents have been published, except for five internal NSA Wiki pages, for which the highest possible classification was TOP SECRET//SI-GAMMA/TALENT KEYHOLE/etc., but without GAMMA information being seen in them.

Only a few of the Snowden documents that have been published have a more special classification: we have seen a document from the STELLARWIND and the UMBRA control system, as well as from the ECI RAGTIME, but it is possible that Snowden found these as part of his task to move documents that were not in the right place, given their classification level.


Serial number & time stamp

Besides the source and the topic, there's also a serial number and a timestamp below each report. The time is presented according to the standard military notation. 161711Z for example stands for the 16th day, 17 hours and 11 minutes ZULU (= Greenwich Mean) Time, with the month and the year being that of the particular briefing.

The serial number is in the format for NSA's serialized reports, for example Z-G/OO/503643-12. According to the 2010 NSA SIGINT Reporter's Style and Usage Manual (.pdf), such a serial number consists of a code for the classification level, the Producer Designator Digraph (PDDG), a one-up annual number, and the last two digits of the year in which the report was issued. For the classification level, the following codes are known:

1 = Confidential(?)
2 = Secret
3 = Top Secret
 S = ?
E = ?
I = ?
 Z-G = Top Secret/Comint-Gamma
Z-3 = Top Secret/Comint


The Producer Designator Digraph (PDDG) consists of a combination of two letters and/or numbers and designates a particular "collector", but it's not clear what exactly that means. The serial numbers mentioned in the reports about France all have OO as PDDG. That one is not associated with a specific interception facility, and therefore it might be a dummy used to actually hide the source in reports for people outside the agency.


 

Tasking database records

Besides the NSA intelligence reports, Wikileaks also published an database extract which includes the (landline and/or mobile) phone numbers of significant French political and economic targets, including the office of the President.

Because this list is about phone numbers, it seems most likely from a database system codenamed OCTAVE, which kept the selectors used for instructing the various collection facilities. It was reportedly replaced by the Unified Targeting Tool (UTT) in 2011.



Entries from an NSA tasking database with French government targets
(Source: Wikileaks - Click to enlarge)


TOPI: Stands for Target Office of Primary Interest, which is the NSA unit in the Analysis & Production division where the interceptions are analysed and intelligence reports are produced. In the list we see the following TOPIs, all part of the so-called Product Line for International Security Issues (S2C):
S2C13: Europe, Strategic Partnerships & Energy SIGDEV *
S2C32: European States Branch
S2C51: (unknown)

Selector: Shows the particular identifier to select the communications that have to be collected, in this case a phone number. +33 is the country code for France, the third digit being a 1 means that it's a landline (Paris area code), being a 6 means it's a mobile phone.

Subscriber_ID: A description of the subscriber of the selector phone number:
- President of the Republic (cell phone)
- Presidential advisor for Africa (landline, date: 101215)
- Director for Global Public Property of the Ministry of Foreign Affairs (cell phone)
- Government communications center at the Elysée palace (landline)
- Diplomatic advisor at the Elysée palace (cell phone)
- Secretary general at the Elysée palace (cell phone)
- Spokesman of the foreign minister (cell phone)
- Cabinet of the Ministry of Foreign Affairs (MAE, cell phone)
- Presidential advisor for Africa (landline, date: 101214)
- Secretary of State for European Affairs (cell phone)
- Secretary of State for Trade (cell phone)
- Ministry of Agriculture SWBD (landline)
- Ministry of Finance, Economy and Budget (landline, for S2C32)
- Ministry of Finance, Economy and Budget (landline, for S2C51)
- Government air transportation wing (landline)

Information_Need: The collection requirement derived from the National SIGINT Requirements List (NSRL), which is a daily updated compendium of the tasks given to the various Signals Intelligence collection units around the world. These needs have a code number, consisting of the year in which the need was established, followed by a number that refers to a specific topic:
165: France: Political Affairs
204: France: Economic Developments
388: Germany: Political Affairs (see Merkel-entry below)
1136: European Union: Political Affairs
2777: Multi-country: International Finance developments
From all its allies, the US was most interested in France - according to the 1985 version of the NSRL, which fell in the hands of East Germany and was eventually returned in 1992.

TOPI_Add_Date: According to Wikileaks this is the date of tagging of the entry with the responsible TOPI. These dates seem to be in the format yymmdd, which means they are either December 14 or December 15, 2010.

Priority: The priority of the particular Information Need, likely derived from the National Intelligence Priority Framework (NIPF, a reconstruction of which can be found here). This is a huge list containing all countries and topics the US government wants to be informed about, and which prioritizes these topics with a number from 1 (highest) to 5 (lowest). As we can see in the Wikileaks-list, for France, only the president and the director for global public property of the ministry of foreign affairs have priority 2, the rest is medium level 3.

IN_Explainer: Description of the Information_Need

 

A second source

The database entries published by Wikileaks are very similar to the database record that revealed NSA's intention of eavesdropping on German chancellor Merkel back in October 2013. This record contains the number of Merkel's non-secure cell phone and several other entries just like we saw in the Wikileaks list, but it also has some additional information:



Printed version of a transcription of an NSA database
record about German chancellor Merkel


Because for Merkel only this record was available, and no finished intelligence reports like those about the French presidents, there is no hard proof that NSA succesfully intercepted her communications.


What many people don't realize, is that this database record about Merkel wasn't from the Snowden-documents. Der Spiegel received it from another source that was never identified, which was confirmed by Glenn Greenwald and Bruce Schneier (this seems to exclude the option that someone with access to the Snowden-documents leaked this on his own).

Because the tasking records about France are very similar, and most likely from the same database as the one about chancellor Merkel, it's very well possible that they are from the same source. Because keeping an eye on foreign governments is a legitimate task, this source is not a whistleblower. He or she could be a cryptoanarchist, or maybe even an agent of a foreign intelligence agency.

Perhaps Wikileaks itself also doesn't know who the source is, because last May, it relaunched its secure TOR-based drop box that allows anonymous submissions of sensitive materials.

During his work for the NSA, Edward Snowden was not involved with European targets. He was based in Japan, and later in Hawaii, where they are responsible for the Pacific region. His last job was supporting the regional NSA/CSS Threat Operation Center (NTOC), which counters cyber threats.

This is reflected by the intercepted content that Snowden apparently did had (legal) access to, according to a report by The Washington Post from July 5, 2014. These intercepts came "from a repository hosted at the NSA’s Kunia regional facility in Hawaii, which was shared by a group of analysts who specialize in Southeast Asian threats and targets".

 

Some perspective

French prime minister Manuel Valls strongly condemned these spying activities, but that was of course just for show. France's own foreign intelligence service DGSE is well-known for its aggressive industrial espionage against American and German companies, and for example also targeted former US president George W. Bush and foreign secretary Madeleine Albright.

On the other hand, the French government was well aware of the security risks, as in 2010 it ordered over 14.000 secure mobile phones, to be used by the president, ministers and high officials of the armed forces and the various ministries that deal with classified defence information.

This highly secure TEOREM cell phone is manufactured by the French multinational defence company Thales, and the price of a single device is said to be around 1.500,- euros. Because the TEOREM has a rather old-fashioned design and the security features don't improve usability, it was apparently not used as often as it should be...



The TEOREM secure mobile phone made by Thales
(Source: Thales leaflet - Click to enlarge)


White House response

A spokesman of the US National Security Council (NSC) told the website Ars Technica that "we do not conduct any foreign intelligence surveillance activities unless there is a specific and validated national security purpose. This applies to ordinary citizens and world leaders alike". Later he added: "We are not targeting and will not target the communications of President Hollande."

Just as in the case of German chancellor Merkel, the past tense misses, which means the US government doesn't deny that the French president had been eavesdropped on in the past. But it seems that at least for the near future, both leaders will not be targeted by NSA anymore.



Links and sources
- Reuters.com: NSA wiretapped two French finance ministers: Wikileaks
- ArsTechnica.com: WikiLeaks publishes top secret NSA briefs showing US spied on France
- Wired.com: With its French NSA Leak, Wikileaks is Back
- Zeit.de: Was die Frankreich-Dokumente preisgeben
- LeMonde.fr: Trois présidents français espionnés par les Etats-Unis
- Tagesschau.de: NSA spähte Frankreichs Staatsspitze aus

- See also the thread on Hacker News

Tuesday, June 16, 2015

A mysterious Tektron secure telephone



Recently, a mysterious telephone was offered for sale at eBay. The device was made by the little-known company Tektron Micro Electronics, Inc. from Hanover, Maryland, and seems to be a secure phone for military use.

Apart from the pictures shown below, nothing more is known about it, but maybe some readers of this weblog recognize the device and have some more information about its purpose and where it was used.



A Tektron secure military telephone
(Photo via eBay - Click to enlarge)


The phone comes without a handset, but it has a display and a common 12-button key pad, with some additional special purpose buttons. According to the seller, all of them are made of some kind of rubbery material instead of hard plastic. The big round buttons reveal that this is a secure phone, capable encrypting the calls: a green button with a green light for Secure and a red button with a (probably) red light for Non-Secure:



Keypad of the Tektron telephone
(Photo via eBay - Click to enlarge)


It seems the small button with "2nd" can be used to select the functions which are marked in blue above the standard buttons. Most interesting are the FO (Flash Override) designation above the "3", the F (Flash) above the "6", the I (Immediate) above the "9" and the P (Priority) above the "#" button.

FO, F, I, and P designate the four levels of a system called Multilevel Precedence and Preemption (MLPP), which allows to make phone calls that get precedence over ones with a lower priority. Flash Override (FO) was designed to allow the US President and the National Command Authority to preempt any other traffic in the network in case of a national military emergency.

This precedence system only works on telephone networks that allow this special capability, like the AUTOVON network that was used by the US military (since 1982 replaced by the Defence Switched Network). One of the characteristics of the AUTOVON network was that most of its phones were equipped with a standardized keypad with four extra red buttons for the precedence levels:



The standard AUTOVON keypad
(Click to enlarge)


So apparently, the Tektron phone was intended for use on the military telephone network, but why it doesn't have the standard AUTOVON keypad is a mystery.

We also don't know when the phone was manufactured. The only indication is provided by the label on the back of the device. It says the model number is EXT-4Rx and has the serial number 271/4.0. The seller had a second device with serial number 111.

There is also a National or NATO Stock Number (NSN): 5810-01-357-8193. Looking up this number on a stock number website returns a "Date Established" of 1992. This indicates the phone must be somewhere from the 1990s, although the way this number is placed, without its own line, also looks like it could have been added later on:



Label of the Tektron telephone
(Photo via eBay - Click to enlarge)


It's not known where exactly this phone was used, which is an even bigger question because in the 1990s secure telephony for the US government and military had largely been standardized after the introduction of the STU-III family of secure voice products.

The STU-III standard was introduced by the NSA in 1987, and three manufacturers were allowed to produce secure telephones based on this standard:
- Motorola
- AT&T (later: Lucent Technologies > General Dynamics)
- RCA (later: General Electric > Lockheed Martin > L3-Communications)
Motorola and AT&T each made a few hundred thousand of these devices. Tektron is not known for having participated in the STU-III program.



Side view of the Tektron secure military telephone
(Photo via eBay - Click to enlarge)


The Tektron secure phone measures 7.75 inches (19,6 cm) wide, a little over 9 inches tall (22,8 cm) and 2 inches (5 cm) thick. The encryption function made it very heavy: it weighs about 5,5 pounds (2,5 kg), as the case is fully made from cast non-metallic metal, perhaps aluminum.

Such a metal encasing prevents electromagnetic radiation from being intercepted from the outside (TEMPEST). The STU-III, and the newer STE phones only have their bottom part out of metal, with the upper part out of plastic.


Thursday, May 28, 2015

New details about the joint NSA-BND operation Eikonal

(Updated: June 30, 2015)

This weblog first reported about the joint NSA-BND operation Eikonal on October 15, 2014, but meanwhile interesting new details became available from the hearings of the German parliamentary inquiry, and from recent disclosures by a politician from Austria.

Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about this operation so far. New information may be added as it comes available.





 

Initial reporting

Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR on October 4, 2014. They reported that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA.

For this operation, NSA provided sophisticated interception equipment, which the Germans didn't had but were eager to use. Interception of telephone traffic started in 2004, internet data were captured since 2005. Reportedly, NSA was especially interested in communications from Russia.

To prevent communications of German citizens being passed on to NSA, BND installed a special program (called DAFIS) to filter these out. But according to the reporting, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out, which was considered a violation of the constitution.

Süddeutsche Zeitung reported that it was Deutsche Telekom AG (DTAG) that provided BND the access to the Frankfurt internet exchange, and in return was paid 6000,- euro a month. But as some people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn't add up.

As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.



Operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter - Click to enlarge)


Eikonal as part of RAMPART-A

As was first reported by this weblog on October 15, 2014, operation Eikonal was part of the NSA umbrella program RAMPART-A, under which the Americans cooperate with 3rd Party countries who "provide access to cables and host U.S. equipment".

Details about the RAMPART-A program itself had already been revealed by the Danish newspaper Information in collaboration with The Intercept on June 19, 2014. The program reportedly involved at least five countries, but so far only Germany and, most likely, Denmark have been identified.

On October 20, Information published about a document from NSA's Special Source Operations (SSO) division, which confirms that an operation codenamed "EIKANOL" was part of RAMPART-A and says it was decommissioned in June 2008.

The slide below shows that under RAMPART-A a partner country taps an international cable at an access point (A) and then forwards the data to a joint processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C), while they are also forwarded to NSA sites in the US (D, E):




 

Parliamentary hearings

Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the NSA investigation commission of the German parliament (NSAUA) decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange.

During hearings of BND officials it became clear that operation Eikonal was not about tapping into the Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was first confirmed by German media on December 4, 2014.


Hearing of November 6, 2014 (Live-blog)

According to witness T.B., who was heard on on November 6, 2014, it was just during the test period that the filter system was only able to filter out 95% of German communications. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.


Hearing of November 13, 2014 (Live-blog - Official transcript)

During this hearing, the witness W.K. said that Eikonal was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The internal codename for Eikonal was Granat, but that name wasn't shared with NSA. There was even a third codename.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

Eikonal provided only several hundred useful phone calls, e-mail and fax messages a year, which was a huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program.

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not all selectors can be attributed to a particular country and there may have been up to several hundred thousand selectors, witness W.K. said that BND was still able to check whether every single one was appropriate: only selectors that could be checked were used.



Hearing of December 4, 2014 (Live-blog - Official transcript)

During this hearing, BND-employee S.L., who was the project manager of operation Eikonal at BND headquarters, testified. He told that BND had rented two highly secured rooms of ca. 4 x 6 meters in the basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.

These rooms were only accessible for BND personnel and contained the front-end of the interception system, existing of 19 inch racks, with telecommunications equipment like multiplexers, processors and servers. These devices were remotely controlled from the headquarters in Pullach.*

Based upon analysis of public information about telecommunication networks, BND choose specific cables that would most likely contain traffic that seemed useful for the goals of the operation. It became clear that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s carried only 5 Gbit/s of traffic, so in case of a disruption, one cable could take over the traffic of the other one.



The switching center of Deutsche Telekom in Frankfurt-Nied
where some cables were tapped under operation Eikonal
(Screenshot: ZDF Frontal21 - Click to enlarge)


After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND and NSA.

The selected data were sent back to BND headquarters in Pullach over a leased commercial line, of which the capacity was increased after the internet collection became fully operational. From Pullach to the JSA in Bad Aibling there was a 2 Mbit/s line.

Timeframe

Eikonal started with access to a telephone cable (Leitungsvermittelt). Project manager S.L. told that the first cable was connected (aufgeschaltet) in December 2004, but that it's signal was too weak. Therefore, in January 2005, an amplifier was installed.

In February, March and April additional cables were connected, so telephony collection started in the spring of 2005. By the end of 2006, Deutsche Telekom announced that its business model for dedicated transit cables would be terminated, so in January 2007 the telephone collection ended.*

BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by the end of 2005, but because the backlink was missing, collection was technically not possible. This was solved in 2006, and in the spring of 2006 a second cable was added, and they tested the front-end system and subsequently the filter systems until mid-2007 (Probebetrieb).

During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully automated forwarding only happened from late 2007 until operation Eikonal was terminated in June 2008 (Wirkbetrieb).*

Legal issues

The collection of telephone communications from transit cables was done under the general authority of the BND Act, with details specified in the "Transit Agreement" between BND and Deutsche Telekom, which for the latter was signed by Bernd Köbele.

For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it couldn't be ruled out that German communications were in there too. Therefore, BND requested an order from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their own citizens could be involved.

A G10-order describes the communication channel (Germany to/from a specific foreign country) that BND is allowed access to, the threat profile and it also authorizes the search terms that may be used for filtering the traffic.*

Such an order allows the collection of G10-data (communications with one end German), which were processed within BND's separate G10 Collection program. As a bycatch, this G10-interception also yielded fully foreign traffic (Routine-Verkehre), which was used for operation Eikonal:




Some employees from Deutsche Telekom and from BND had doubts about the legality of this solution, which seemed to use a G10-order as a cover for getting access to fully foreign internet traffic.

Eventually, the federal Chancellery, apparently upon request of the BND, issued a letter saying that the operation was legal. This convinced the Telekom management and the operation went on. It didn't become clear under what authority this letter was issued.

After BND had learned how to collect internet traffic from fiber-optic cable, it applied for G10-orders to intercept (one end German) communications from 25 foreign and domestic internet service providers in 2008. This time these cables were being tapped at the DE-CIX internet exchange, which is also in Frankfurt.

Results

The collection under operation Eikonal resulted in only a few hundred intelligence reports (German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call. These were burned onto a CD to hand them over to NSA personnel at the JSA.*

According to S.L., metadata (containing up to 91 fields) were "cleaned" so only technical metadata (Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.

Personal metadata (personenbezogene Daten), like e-mail and IP addresses were not shared. Technical metadata are for example used to identify the telecommunication providers, transmission links and the various protocols.


Hearing of December 18, 2014 (Live-blog - Official transcript)

During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.


Hearing of January 15, 2015 (Live-blog - Official transcript)

In this hearing, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and Wolfgang Alster), but they provided very little new information, except for that Deutsche Telekom personnel only knows between which cities a cable runs, but they don't know what kind of traffic it contains - they are not allowed to look inside.



A room where hearings of the parliamentary committee take place
(photo: DPA)

 

Disclosures from Austria

On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party, disclosed an e-mail from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic cable had been connected to the interception equipment. The e-mail describes this cable as follows:

Transit STM1 (FFM 21 - Luxembourg 757/1), containing 4 links of 2 Mbit/s:

Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of 155,52 Mbit/second. A similar multiplexing method is Wavelength-Division Multiplexing (WDM) commonly used in submarine fiber-optic cables. The latter having a much larger capacity, generally STM-64 or 9,5 Gbit/second.

The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seem to be used for internal connections.

According to the meanwhile updated LSZ List, the number 750 stands for a "DSV2 Digitalsignal-Verbindung 2 Mbit/s", which is a digital signal path.

The cable mentioned in the e-mail therefore only has a small capacity, which seems to indicate that NSA and/or BND selected it carefully.

FFM 21 stands for "Frankfurt am Main 21", which according to Deutsche Telekom's network map is the name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied - the location where that Eikonal tapping took place.

This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in Frankfurt, but containing channels to cities which are much further, so they have to connect to channels within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:



As the e-mail is from February 3, 2005, it must relate to telephone collection, because for Eikonal, the first cable containing internet traffic only became available by the end of that year.


The Transit agreement

On May 18, the Austrian tabloid paper Kronen Zeitung published the full "Transit Agreement" (pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables, and in return will be paid 6.500,- euro a month for the expenses. The agreement came into retrospective effect as of February 2004.

This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.

It is not known how Pilz came into possession of these documents, but it seems the source must be somewhere inside the German parliamentary investigation commission. They are the only persons outside BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the other documents.

Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that the commission will ever get access to the list of suspicious NSA selectors.


Country lists

On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf), which includes the aforementioned e-mail, 10 questions to the German government, and two tables with cable links to or from Austria and Luxembourg:



Lists of links that apparently were on a priority list of NSA.
LSZ = Leitungsschlüsselzahl (cable type indentifier);
Endstelle = Endpoint; Österreich = Austria.
(Source: Peter Pilz - Click to enlarge)



According to Pilz, the full list contains 254 (or 256) cable links. 94 of them connect EU member states, 40 run between EU members and other European countries like Switzerland, Russia, Serbia, Bosnia-Herzegovina, Ukraine, Belarus and Turkey. 122 links connect European countries with nations all over the world, with Saudi Arabia, Japan, Dubai and China being mentioned most.

The country which most links (71) run to or from is the Netherlands. The list for that country was disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015. The US, the UK and Canada are not on the list, although there were apparently 156 links from/to Britain too.

Update:
On June 25, 2015, the Dutch telecommunications provider KPN announced the results of its inquiry into the alleged tapping of its cables. It was very difficult to identify the channels in the list because meanwhile KPN's whole network had been restructured. Eventually it became clear the connections (being channels within cables and KPN only being responsible for the first half until Frankfurt) had been rented out under telephony wholesale contracts, so it was impossible to trace individual customers or users.
 
Additional details

On June 5, 2015, Peter Pilz held a press conference in Paris, where he presented a statement (.docx) containing a list of 51 transit links to or from France. Interestingly, this list now also includes some additional technical identifiers for these links, which were apparently left out in the earlier ones:



First part of the list with links related to France
(Source: Peter Pilz - Click to enlarge)


On June 29, 2015, Peter Pilz presented a similar detailed list (.pdf) of 28 transit links to and from Poland.

According to the updated LSZ List, the new codes in these lists stand for:

- 703: VC3 Virtual Container connection with 48,960 MBit/s
- 710: (not yet known)
- 712: VC12 Virtual Container connection with 2,240 MBit/s
- 720: (not yet known)
- 730: (not yet known)

VC3 and VC12 are from the Synchronous Digital Hierarchy (SDH) protocol to transfer multiple digital bit streams synchronously over optical fiber. This has the option for virtual containers for the actual payload data. VC3 is for mapping 34/45 Mbit/s (E3/DS3) signals; VC4 for 140 Mbit/s (E4); VC12 for 2 Mbit/s (E1).

The new identifiers in this list stand for: O-nr.: Ordnungsnummer; GRUSSZ: Grundstücksschlüsselzahl; FACHSZ: Fachschlüsselzahl.

No information about these identifiers was found yet, but by analysing the data in the list, it seems that the FACHSZ codes are related to a telecom provider. France Telecom for example appears with FACHSZ codes CFT, VPAS, VCP3, VB5 or 0.

The GRUSSZ number identifies a particular city, with the first two or three digits corresponding with the international telephone country codes. The last two digits seem to follow a different scheme, as we can see that a capital always ends with "10":
Paris = 33010
Lyon = 33190
Reims = 33680
 Brussels = 32010
Prague = 42010
Oslo = 47010
 Warsaw = 48010
Poznan = 48020
Moscow = 70010
It's possible that these are just internal codes used by Deutsche Telekom, as internationally, connections between telephone networks are identified by Point Codes (PC). From the Snowden-revelations we know that these codes are also used by NSA and GCHQ to designate the cable links they intercept.



NSA or BND wish lists?

Initially, Peter Pilz claimed these links were samples from a priority list of the NSA, but on May 27, he said in Switzerland, that the list was from BND, and was given to NSA, who marked in yellow the links they wanted to have fully monitored.

The German parliamentary hearings were also not very clear about these lists. On December 4, project manager S.L. confirmed that NSA had a wish list for circuit-switched transit links, but in the hearing from January 15 it was said that there was a "wish list of BND" containing some 270 links. And on March 5, former SIGINT director Urmann said he couldn't remember that NSA requested specific communication links.

Maybe the solution is provided by the Dutch website De Correspondent, which reports that there is a much larger list (probably prepared by BND) of some 1000 transit links, of which ca. 250 were marked in yellow (probably those prioritized by NSA).


Whose cables?

Media reports say that these cables belong to the providers from various European countries, but that seems questionable. As we saw in the aforementioned e-mail, it seems most likely that the lists show channels within fiber-optic cables, and that the physical cables all run between the Deutsche Telekom switching facility in Frankfurt and the cities we see in the lists.

In theory, these cables could be owned or operated by those providers mentioned in the lists, but then they would rather connect at a peering point like the DE-CIX internet exchange, instead of at the Deutsche Telekom switching center. Deutsche Telekom runs its own Tier 1 network, a worldwide backbone that connects the networks of lower-level internet providers.



Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchial way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons - click to enlarge)


Questions

It is not clear how many of the over 250 links on the list were actually intercepted. We only know that for sure for the STM-1 cable with the four channels described in the aforementioned e-mail from Deutsche Telekom to BND.

Strange is the fact that during the parliamentary hearings, most BND witnesses spoke about "a cable in Frankfurt", which sounds like one single physical cable, whereas the disclosures by Peter Pilz clearly show that multiple channels must have been intercepted.

Update:
During the commission hearing of January 29, 2015, BND technical engineer A.S. said that under operation Eikonal, telephone traffic came in with a data rate of 622 Mbit/s. This equals a standard STM-4 cable, which contains 252 channels of 2 Mbit/s. This number comes close to the channels on the "wish list", but it seems not possible that those were all in just one physical cable.

Another question is whether it is possible to only filter the traffic from specific channels, or that one has to have access to the whole cable.

It should be noted that not the entire communications traffic on these links was collected and stored, but that it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for which there was a match was picked out and processed for analysis.


Possible targets

Based upon these documents, Peter Pilz filed a complaint (pdf) against 3 employees of Deutsche Telekom and one employee of BND for spying on Austria, although at the same time he said he was convinced the NSA was most interested not in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.

Apparently he didn't consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists seem to point to Russia as target, and project manager S.L. testified that Eikonal was mainly used for targets related to Afghanistan, which fits the fact that there are for example 13 links to Saudi Arabia.

Green party members from various countries claimed that this cable tapping was used for economical or industrial espionage, but so far, there is no specific indication, let alone evidence for that claim.



Links and sources
- LeMonde.fr: Deutsche Telekom a espionné la France pour le compte de la NSA
- Tagesschau.de: Europa verlangt Aufklärung von Berlin
- DeCorrespondent.nl: Er is geen enkel bewijs dat de Nederlandse kabels zijn afgetapt
- Volkskrant.nl: 71 KPN-internetverbindingen afgetapt door geheime diensten
- NRC.nl: Duitse BND tapte tientallen internetverbindingen KPN af
- DerStandard.at: BND-NSA-Affäre: Laut Pilz auch Spionage in Belgien und Niederlanden
- Golem.de: Telekom und BND Angezeigt: Es leakt sich was zusammen
- Zeit.de: Daten abfischen mit Lizenz aus dem Kanzleramt