September 30, 2015

NSA's Legal Authorities

Since the start of the Snowden revelations, we have not only learned about the various collection programs and systems of the National Security Agency (NSA), but also about the various legal authorities under which the agency collects Signals Intelligence (SIGINT).

Because these rules are rather complex, the following overview shows which laws and regulations govern the operations of the NSA: what the agency is allowed to collect, where, and under which conditions. Also mentioned are the various collection programs that run under these authorities.

The overview provides a general impression of the most important elements of the various laws and regulations and does not pretend to be complete in every detail. For example, provisions for emergency collection are not included. Also, some of these laws and regulations govern the work of other US intelligence agencies too, but here the focus is on the NSA.

Collection INSIDE the US:
Targeted collection - US persons:

- Section 105 FISA
- Section 703 FISA Amendments Act (FAA)

Targeted collection - Foreigners:

- Transit Authority

- Section 702 FISA Amendments Act (FAA)
- PRISM Collection
- Upstream Collection

Bulk collection - US persons:

- Section 402 FISA (PR/TT)

- Section 215 USA PATRIOT Act (BR FISA)


Collection OUTSIDE the US:
Targeted collection - US persons:

- Sections 704 & 705 FISA Amendments Act (FAA)

Targeted & Bulk collection - Foreigners:

- Executive Order 12333
- Classified Annex Authority (CAA)
- Special Procedures governing Communications Metadata Analysis (SPCMA)

Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)

  - Inside the US - Targeted collection - US persons -

Section 105 FISA
- Effective since October 25, 1978.
- For communications of US citizens and foreigners inside the US for whom there is probable cause that they are agents of a foreign power or connected to an international terrorist group. Initially also for foreigners outside the US using an American webmail provider.
- Collection takes place at telephone and internet backbone switches, wireless networks, Internet Service Providers and data centers at over 70 locations inside the United States.
- Requires an individualized warrant from the FISA Court (which takes between four and six weeks), but if no US person will likely be overheard, only a certification by the Attorney General is required.
Section 703 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- For communications of a US person outside the US, when there is probable cause that this person is an officer, employee, or agent of a foreign power or related to an international terrorist group.
- Requires an individualized warrant from the FISA Court.
- Collection takes place inside the United States (see Section 105 FISA).

  - Inside the US - Targeted collection - Foreigners -

Transit Authority
- Effective since ?
- Probably based upon a presidential directive that has to be re-authorized regularly, but the 2009 STELLARWIND report says NSA is authorized to acquire transiting phone calls under EO 12333.
- For communications with both ends foreign: originating and terminating in foreign countries, but transiting US territory.
- Collection takes place inside the US, at major fiber-optic cables and switches operated by American telecommunication providers.
- Data may apparently be shared with other US intelligence agencies.


Section 702 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- For communications to or from foreigners who are reasonably believed to be outside the United States.
- Requires an annual certification by the Attorney General (AG) and the Director of National Intelligence (DNI), which has to be approved by the FISA Court. Certifications are known that have been approved for:
- Counter-Terrorism (CT, since 2007)
- Foreign Government (FG, since 2008; including some cyber threats since 2012)
- Counter-Proliferation (CP, since 2009)
- Cyber Threats (planned in 2012)
- Companies get a directive ordering them to cooperate. In return they are granted legal immunity and are compensated for reasonable expenses.
- Dissemination rules differ slightly per certification. Ordinarily, US person identifiers have to be masked, but unevaluated data may be shared with FBI and CIA, and foreign data may be shared with the 5 Eyes partners.
- Unencrypted data may be retained for up to 5 years, or for a longer period in response to an authorized foreign intelligence or counterintelligence requirement, as determined by the NSA's SIGINT Director.

Section 702 FAA has two components, each with slightly different rules:
PRISM Collection
- Only internet communications "to" and "from" specific e-mail addresses or other types of identifiers. Filtering only allowed for selectors, not for keywords.
- Collection is done by the FBI's DITU, which acquires the data from at least 9 major American internet companies. This results in both stored and future communications.
- Raw data may be shared with FBI and CIA.
- Data are retained for a maximum of 5 years.
- Collection program: PRISM
Upstream Collection
- Both internet and telephone communications. The internet communications may be "to", "from" and "about" specific e-mail addresses or other types of identifiers, including IP addresses and cyber threat signatures.
- Collection takes place inside the US, at major telephone and internet backbone switches. This only results in future communications.
- Raw data may not be shared outside NSA.
- Data are retained for a maximum of 2 years.
- Collection programs: FAIRVIEW, STORMBREW

  - Inside the US - Bulk collection - US persons -

Section 402 FISA (PR/TT)
- Effective since October 25, 1978.
- Since July 14, 2004, orders from the FISA Court allowed the NSA to collect domestic internet metadata in bulk under this authority. These metadata included the "to", "from", and "cc" lines of an e-mail, as well as the e-mail’s time and date.
- Only for Counter-Terrorism purposes.
- Collection took place inside the US, by acquiring the metadata from big American telecommunication providers.
- Data were being retained for a maximum of 5 years.
- Collection ended in 2011 because the program no longer met NSA’s operational expectations. All data were deleted.
- Collection programs: ?


Section 215 USA PATRIOT Act (BR FISA)
- Effective since October 26, 2001; expired as of May 31, 2015.
- Since 2006, orders from the FISA Court allowed the NSA to collect domestic telephone metadata in bulk under this authority. These metadata included the originating and receiving phone number, the date, time and duration of the call, and, since 2008, the IMEI and IMSI number.
- Only for Counter-Terrorism purposes: there must be a reasonable and articulable suspicion (RAS) that the query term belongs to a foreign terrorist organization.
- Collection took place inside the US, by acquiring the metadata from big American telecommunication providers.
- Data are retained for a maximum of 5 years.
- Collection programs: FAIRVIEW, STORMBREW

During a 180-day transition period, which lasts until November 29, 2015, the NSA may continue the collection of bulk telephony metadata under section 215 USA PATRIOT Act. In this period, telephony metadata may only be queried after a judicial finding that there is a reasonable, articulable suspicion that the selector is associated with an international terrorist group. The results must be limited to metadata within 2 (instead of 3) hops of the seed term.

USA FREEDOM Act
- Effective since June 2, 2015.
- Allows the NSA to request telephone metadata from telecommunication providers based upon specific selection terms for which there's a reasonable, articulable suspicion that they are associated with a foreign power or an international terrorist group. These metadata may consist of "session-identifying information", like originating and receiving numbers, IMSI, IMEI and telephone calling card numbers, and the date, time and duration of the call.
- Requires a specific warrant from the FISA Court, upon which the provider has to produce the metadata in a useful format on a daily basis for a period of time limited to 180 days.
- All records that are not foreign intelligence information have to be destroyed promptly.
- Companies providing these data are granted legal immunity and will be compensated for reasonable expenses.
- Also, foreign terrorists may be tracked for 72 hours when they enter the US, while seeking the proper authority under US law.

  - Outside the US - Targeted collection - US persons -

Sections 704 & 705 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- Collection takes place outside the United States.
- Data may be retained for up to 5 years, or for a longer period in response to an authorized foreign intelligence or counterintelligence requirement, as determined by the NSA's SIGINT Director. Inadvertently collected US person data have to be destroyed upon recognition, but the Attorney General can authorize exceptions.

The differences for these sections are:

Section 704 FAA
- For collection against a US person outside the US, when there is probable cause that this person is an officer, employee, or agent of a foreign power or related to an international terrorist group.
- Requires an individualized warrant from the FISA Court, for a period of up to 90 days.

Section 705(a) FAA
- For communications of a US person reasonably believed to be outside the United States.
- Requires an individualized warrant from the FISA Court.
- Collection may take place both inside and outside the United States.

Section 705(b) FAA
- For communications of a US person reasonably believed to be outside the US, when there is already an existing FISA Court order for collection against this person inside the US under section 105 FISA.
- Requires authorization by the Attorney General.

  - Outside the US - Targeted & Bulk collection - Foreigners -

Executive Order 12333
- Effective since December 4, 1981.
- For communications between foreigners outside the US.
- Requires no external approvals, except for fitting the mission and the goals set for NSA by the government.
- Collection takes place outside the US and for all foreign intelligence purposes. However, Presidential Policy Directive 28 (PPD-28) from January 17, 2014, limits bulk collection to the following 6 purposes:
- Espionage and other threats by foreign powers
- Threats from terrorism
- Threats from weapons of mass destruction
- Cybersecurity threats
- Threats to US or allied armed forces
- Threats from transnational crime
- Data may be shared with other US intelligence agencies, as well as with foreign partner agencies.
- Dissemination of US person identifiers is only allowed when necessary, and personal information should not be inappropriately included in intelligence reports.
- Unencrypted data from targeted collection are retained for up to 5 years, unless it is determined that continued retention is required; encrypted data are retained for an unlimited period of time.

Under EO 12333, there are two additional authorizations:
Classified Annex Authority (CAA)
- Effective since 1988.
- For communications of US persons outside the US, for whom there's probable cause that they are agents of a foreign power or engaged in international terrorism.
- Requires prior approval by the Attorney General, limited to a period of time of up to 90 days.
- Also for communications of a US person who is held captive by a foreign power or a terrorist group, which requires approval of the Director of NSA.

Special Procedures governing Communications Metadata Analysis (SPCMA)
- Effective since January 2011.
- Allows contact chaining and other analysis on already-collected metadata under EO 12333, regardless of nationality and location, including US person identifiers.
- For the purpose of following or discovering valid foreign intelligence targets.
- Only covers analytic procedures and does not affect existing collection, retention or dissemination (including minimization) procedures for US person information.
- SPCMA-enabled tools: ICREACH, Synapse Workbench, CHALKFUN

  - Information Assurance -

Besides collecting Signals Intelligence, the NSA is also responsible for Information Assurance (IA). This mission is conducted under the authority of National Security Directive 42 ("National Policy for the Security of National Security Telecommunications and Information Systems") and Executive Order 13587 ("Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information").

- . - . - . - . - . - . - . - . -

Links and sources
- Internet Dragnet Timeline - Phone Dragnet Timeline
- Executive Order 12333 on American Soil, and Other Tales from the FISA Frontier
- IC on the Record: Transition from the USA PATRIOT Act to the USA FREEDOM Act
- Documents Regarding the Now-Discontinued NSA Bulk Electronic Communications Metadata
- Section 214 and Section 215 FISA
- National Research Council: Bulk Collection of Signals Intelligence: Technical Options (pdf) (2015)
- NSA Civil Liberties and Privacy Report about Targeted SIGINT Activities under EO 12333 (pdf) (2014)
- Privacy and Civil Liberties Oversight Board report about the Surveillance Program Operated Pursuant to Section 702 FISA (pdf) (2014)
- Legal fact sheet: Executive Order 12333 (pdf) (2013)
- The Department of Defense Directive about NSA/CSS (pdf) (2010)
- NSA OGC: Course on legal compliance and minimization procedures (pdf)
- Memo about Reauthorization of the FISA Amendments Act (pdf)
- NSA OGC: FISA Amendments Act of 2008 - Section 702 - Summary Document (pdf)

September 16, 2015

9/11 inside the White House emergency bunker

On July 24, the US National Archives released a series of 356 never-before-seen photos, most of them taken on September 11, 2001 inside the emergency bunker under the White House.

The bunker is officially called the Presidential Emergency Operations Center (PEOC), but White House officials also call it the shelter. It was constructed in 1942 underneath the East Wing of the White House, which was primarily built to cover the building of the bunker. It is said the PEOC can withstand the blast overpressure from a nuclear detonation.

One of the very few photos from inside the PEOC available before the recent release
(White House photo)

The photos were released in response to a Freedom of Information Act (FOIA) request filed by Colette Neirouz Hanna, coordinating producer for the FRONTLINE documentary film team. They focus on the reaction from then-vice president Dick Cheney and other Bush administration officials during the terrorist attacks.

How Cheney reached the White House emergency bunker was reconstructed in the official report of the 9/11 Commission, which was issued on July 22, 2004:

American 77 began turning south, away from the White House, at 9:34. It continued heading south for roughly a minute, before turning west and beginning to circle back. This news prompted the Secret Service to order the immediate evacuation of the Vice President just before 9:36. Agents propelled him out of his chair and told him he had to get to the bunker. The Vice President entered the underground tunnel leading to the shelter at 9:37.

Once inside, Vice President Cheney and the agents paused in an area of the tunnel that had a secure phone, a bench, and television. The Vice President asked to speak to the President, but it took time for the call to be connected. He learned in the tunnel that the Pentagon had been hit, and he saw television coverage of smoke coming from the building.

The Secret Service logged Mrs. Cheney's arrival at the White House at 9:52, and she joined her husband in the tunnel. According to contemporaneous notes, at 9:55 the Vice President was still on the phone with the President advising that three planes were missing and one had hit the Pentagon. We believe this is the same call in which the Vice President urged the President not to return to Washington. After the call ended, Mrs. Cheney and the Vice President moved from the tunnel to the shelter conference room.

The Vice President remembered placing a call to the President just after entering the shelter conference room. There is conflicting evidence about when the Vice President arrived in the shelter conference room. We have concluded, from the available evidence, that the Vice President arrived in the room shortly before 10:00, perhaps at 9:58. The Vice President recalled being told, just after his arrival, that the Air Force was trying to establish a combat air patrol over Washington.


Conference room

The newly released photos provide an almost 360-degree view of the conference room in the Presidential Emergency Operations Center. It appears to have two installations for secure videoconferencing: one at the long side of the room and one at the short side, so it can be used from either the long side or the short side of the table.

In the picture below we see the videoconference set-up at the long side of the room. Within a wooden paneling there are two television screens with the camera in between. Right of the paneling are four digital clocks showing the time for various places around the globe, and there's also a wall map of the United States:

(White House photo by David Bohrer)

On the screen on the far left we see a videoconference taking place with four participants, including the CIA and the Department of Defense. Reports about the events on 9/11 say there was a secure videoconference in which the White House, the CIA, the State Department, the Department of Justice and the Department of Defense participated.

The next picture shows the videoconferencing monitors at the short side of the room, which can also be used for normal television: other photos show feeds from CNN and Fox. In the corner on the right there's a wooden door with a (mirror?) window. Next to the door on the long side wall, there's a large mirror:

(White House photo by David Bohrer)

The wall at the long side of the room opposite to the videoconferencing installation has the presidential seal, which appears behind the person leading a videoconference from the chair in which vice president Cheney was sitting, in order to show that this is the White House:

(White House photo by David Bohrer)

Looking to the right provides a view of the other corner, where we see two doors: first there's a heavy metal door opening to a room with pinkish light. Next to it, at the short side of the room, there's another door which opens to what looks like a corridor with blueish light. Some people seem to come in through that door, so maybe that corridor leads to the entrance of the bunker:

(White House photo by David Bohrer)

At 6:54 PM, president Bush arrived back at the White House and joined vice-president Cheney in the Presidential Emergency Operations Center. This was captured in another series of photos. In the picture below we see Cheney and Bush, with on the right side a good view of the vault-like door, which has three heavy-duty hinges and a long downward-pointing door handle:

(White House photo)

Exactly the same type of white metal door with the long door handle can be seen in a picture from 1962 of an office next to the Situation Room in the basement of the West Wing (maybe a door to the tunnel leading to the bunker? The current entrance to the PEOC is still a well-kept secret).

Viewing from a different angle, we see more of the wall at the other short side of the room, which was probably never seen before. At the left it has the door to the corridor, and in the middle there are wooden folding doors with handles and a lock. As there are already two banks of monitors for videoconferencing, these doors probably hide something else:

(White House photo)

At 9:00 PM president Bush gathered his National Security Council for a meeting in the underground shelter, as can be seen in the picture below. This makes a 360-degree view of the conference room almost complete:

(White House photo)

A close look at this photo shows that something is mirrored in the glass pane for the camera of the videoconferencing system in the short side wall of the room. It clearly looks like a world map, more specifically like an automatic daylight map, which must be at the opposite wall, right of the wooden folding doors:


Telephone equipment

The newly released photos show the people in the PEOC conference room regularly making phone calls, using telephones that are somewhat hidden in drawers underneath the conference table. Probably just like the table itself, the drawers are custom made for a device that can be recognized as a small version of the Integrated Services Telephone (IST):

The IST was designed by Electrospace Systems Inc. and manufactured by Raytheon as a dedicated device for the Defense Red Switch Network (DRSN) and hence was called a "red phone". The DRSN is the main secure telephone network for military command and control communications and connects all major US command centers and many other military facilities.

The standard version of the IST has 40 programmable buttons for access to both secure and non-secure lines (therefore sometimes called IST-40). Encryption isn't done by the phone itself, but by a network encryptor, after the switch separated secure and non-secure traffic. Although the IST phone had very futuristic looks, it was gradually replaced by the IST-2 since 2003.

The phones we see in the drawers of the PEOC conference room table are about half the size of the standard IST: instead of the 40 direct line buttons, there are just 6, which replace some of the special function buttons above the AUTOVON keypad (the keypad with the four red keys for the Multilevel Precedence and Preemption (MLPP) function).

This small version of the IST is rarely seen, but it was in the collection of the JKL Museum of Telephony in Mountain Ranch, California, which unfortunately was completely destroyed by a wildfire last week.

The small version of the IST displayed
in the JKL Museum of Telephony

The ultimate test for this kind of communications system is a real emergency situation. However, during 9/11, it came out that the Defense Red Switch Network (DRSN) didn't work like it should have. The 9/11 Commission report said:
On the morning of 9/11, the President and Vice President stayed in contact not by an open line of communication but through a series of calls. The President told us he was frustrated with the poor communications that morning. He could not reach key officials, including Secretary Rumsfeld, for a period of time. The line to the White House shelter conference room and the Vice President kept cutting off.

Besides the ISTs under the table, there's also a black telephone set, which sits on a shelf or a drawer underneath the wall map of the US. This phone is a common Lucent 8410, used in numerous offices all over the world. Here, it is part of the internal telephone network which is used for all non-secure calls both within the White House as well as with the outside world.

Vice-president Cheney using the Lucent 8410. On the conference table
at the right there's the thick laptop-like device
(White House photo)

On the corner of the conference table, there's also another kind of communications device: a black box, of which the upper part can be opened up like a laptop. The bottom part however is higher than normal notebooks, even for those days. It's also connected to a big adapter. Maybe it's a rugged and/or secure laptop for military purposes - readers who might recognize the device can post a reaction down below this article.

All three communications devices: the black Lucent 8410, the black
notebook-type of thing and the small version of the IST.
(White House photo)


Mysterious marking

A final photo shows then-Secretary of State Colin Powell sitting at the table in the PEOC conference room, reading a document which has a cover sheet for classified information:

The cover sheet seems to be of light yellowish paper and has a broad dark red border, which is a common feature of these sheets. Most of the text isn't legible, but the lines in the upper half read like:
TOP SECRET//[....]



The lines in the bottom half are probably the standard caveats and warnings that can be found on such cover sheets. With Top Secret being the classification level, and Eyes Only a well-known dissemination marking, the most intriguing are the letters CRU.

On Twitter it was suggested that CRU stands for Community Relations Unit, an FBI unit responsible for transmitting information to the White House. However, the website of the FBI says that this unit is actually part of the Office of Public Affairs, and as such is responsible for relationships with local communities and minority groups. Although that unit could stumble upon suspected terrorists, another option seems more likely:

After a 2009 FOIA request by the ACLU, a 2004 memo from the Justice Department's Office of Legal Counsel about the CIA's detention program and interrogation techniques was released. The classification marking of this memo was blacked out, but on one page this was forgotten. It read: TOP SECRET/CRU/GST.

In a job posting this was written like "CRU-GST", which indicates GST is a compartment of the CRU control system. Meanwhile we also know that GST is the abbreviation of GREYSTONE, which is a compartment for information about the extraordinary rendition, interrogation and counter-terrorism programs, which the CIA established after the 9/11 attacks.

Because Powell is reading the CRU document on September 11, 2001 itself, the CRU parent program must have been established sometime before that day. It's still a secret what CRU stands for, but it probably covers information about highly sensitive CIA operations.

Links and sources
- Wikipedia: Timeline for the day of the September 11 attacks
- 9/11 Myths: Dick Cheney at the PEOC
- New York Times: Essay; Inside The Bunker (2001)

August 31, 2015

FAIRVIEW: Collecting foreign intelligence inside the US

(Updated: September 7, 2015)

On August 15, The New York Times and Pro Publica published a story in which the big US telecommunications company AT&T was identified as a key partner of the NSA.

Interesting details about this cooperation and the cable tapping were already in the 2008 book The Shadow Factory by James Bamford, but with the new story, also a number of clarifying documents from the Snowden-trove were disclosed.

Among them are some PowerPoint presentations that contain the slides which had been shown on Brazilian television two years ago. They were first discussed on this weblog in January 2014.

Here we will combine these new and old documents to provide a detailed picture of this important collection program, that was previously misunderstood on various occasions.

The AT&T switching center at 611 Folsom Street, San Francisco,
where there's a cable access under the FAIRVIEW program
(Photo via Wikimapia)



At NSA, the division Special Source Operations (SSO) is responsible for collecting data from backbone telephone and internet cables. For that, SSO also cooperates with private telecommunication providers under the following four programs, which are collectively referred to as Upstream Collection:
- BLARNEY (collection under FISA authority, since 1978)
- FAIRVIEW (cooperation with AT&T, since 1985)
- STORMBREW (cooperation with Verizon, since 2001)
- OAKSTAR (cooperation with 7 other telecoms, since 2004)*

Before the new revelations, it was often assumed that BLARNEY was the program for NSA's cooperation with AT&T. The Wall Street Journal reported this in August 2013, based upon former officials, saying that BLARNEY was established for capturing foreign communications at or near over a dozen key international fiber-optic cable landing points. This assumption was also followed by Glenn Greenwald in his book No Place to Hide from May 2014.

In a letter to Cryptome, James Atkinson suggests that BLARNEY was the covername for cooperation with AT&T since 1978, and that after the Bell break-up, BLARNEY stayed active for FISA collection, while the new covername FAIRVIEW was created for the "new" AT&T. One new slide, however, shows that BLARNEY actually encompasses all (over 30) companies that are cooperating for FISA collection, including of course AT&T and Verizon.


The assumption that BLARNEY was the program for AT&T left room for speculation about the purpose and scope of the FAIRVIEW program.

For example, former NSA official and whistleblower Thomas Drake said in July 2013 that FAIRVIEW was for tapping into the world's intercontinental fiber-optic cables and "to own the Internet". According to Drake it was an umbrella program with other programs, like BLARNEY, underneath it.

Similarly speculative was Bill Binney, also a former NSA official, who left and became a whistleblower in 2001. On multiple occasions he said that a map showing the FAIRVIEW tapping points proves that NSA collects "content and metadata on US citizens" because those collection points are spread across the country:

Slide from an NSA presentation as shown on the Brazilian
television show Fantástico on September 8, 2013

The new revelations by The New York Times and Pro Publica have now shown that the explanations by both Drake and Binney were misleading: FAIRVIEW is neither an overarching internet tapping program, nor is it collecting communications of US citizens.

Cover names

Closest to the truth came NSA historian Matthew Aid, who in an article by The Washington Post from October 2013, said that STORMBREW is the NSA alias used for Verizon, while FAIRVIEW stands for AT&T.

That's the right connection, although STORMBREW and FAIRVIEW aren't the cover names for these companies themselves, but the code words for the programs under which NSA cooperates with these telecoms.

The cover name for AT&T itself (at least under the BLARNEY program) is probably LITHIUM and for Verizon ARTIFICE. Cover names for other, but yet unidentified US telecoms are ROCKSALT, SERENADE, STEELKNIGHT and WOLFPOINT - their actual names are in the Exceptionally Controlled Information (ECI) compartment WHIPGENIE (WPG).

Although Snowden seems to have had no access to that ECI compartment, reporters for Pro Publica were able to identify both companies based upon various details found in the NSA documents about the STORMBREW and FAIRVIEW programs.

  Legal authorities

The actual purpose of FAIRVIEW can be learned from an NSA presentation, which clearly says the program is for collecting communications of foreign targets at collection points that are inside the United States. Two other excerpts say that FAIRVIEW is also used for current and future "cyber plans", which probably include searching for malware signatures.

All this happens under three different legal authorities, and for each there's a different SIGINT Activity Designator (SIGAD):
Traditional FISA:
- Communications of persons being agents of foreign powers or connected to international terrorist groups
- Individualized warrant needed from the FISA Court
- Internet traffic only (SIGAD: US-984T)

Section 702 FAA:
- Communications of foreigners/with one end foreign
- Must be justified under an annual FAA Certification
- All kinds of internet traffic (SIGAD: US-984XR)
- Telephone traffic (SIGAD: US-984X2)

Transit Authority:
- Communications with both ends foreign
- No external approval required
- Internet traffic: only e-mail (SIGAD: US-990)
- Telephony: according to "Directory ONMR" (SIGAD: US-990)

For collection under Transit Authority, the presentation says that communications "must be confirmed foreign-to-foreign", which is ensured by filters at the actual tapping points (see stage 1 of the dataflow, down below).

These filters only forward authorized traffic to the selection engines, which then pick out the communications that match with strong selectors, like e-mail addresses, phone numbers, etc. These selectors are entered into the system by analysts using the tasking tools UTT, CADENCE (for internet) and OCTAVE (for telephony).

Examples of such selected, authorized traffic can be seen in a number of slides that were shown in a Fantástico report from July 9, 2013. They are from a presentation that has not yet been released. These slides contain maps, which show the amount of internet traffic to countries like North Korea, Russia, Pakistan and Iran, as seen on March 4-5, 2012.

In the first slide we see for example internet traffic (DNI) to Pakistan, which has been determined to be foreign-to-foreign and may therefore be collected under Transit Authority. As such, front-end filters forwarded this traffic to the selection engines for further filtering.

The slide below has a map showing the internet traffic to Pakistan, which is eligible for collection under FAA authority:

The next slide shows a list of "Top 20 Pakistani domains (.pk)" which were tracked between February 15, 2012 and March 11, 2012:

A map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment", which means internet traffic which is authorized for collection under FAA authority:

Next is a list of "Top 20 North Korean domains (.kp)" which were tracked between February 15, 2012 and March 11, 2012. Note that only two websites generate notable traffic; all others have less than 1 Kbps:

A map showing internet traffic to Iran, which is eligible for collection under FAA authority:

A map showing internet traffic to Russia, which is authorized for collection under Transit authority:

Determining what traffic is foreign is done by filtering based upon telephone country codes and internet IP addresses. For telephony this is quite reliable, but particularly for internet traffic, the speaker's notes for another NSA presentation admit that it is difficult to prove the foreignness. Therefore, it is occasionally discovered that one end of an intercept is actually in the US, which then has to be reported as a "domestic incident".
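To make the two-stage flow described above concrete, here is a toy model of it in Python. This is an added example for illustration, not code from the documents or from NSA or AT&T: the prefix-to-country table, the tasked selectors and the sample sessions are all constructed, and the "true location learned afterwards" field stands in for whatever later review reveals. It shows the front-end foreign-IP filter, the selector match, and why a stale or incomplete IP table is exactly what produces a "domestic incident".

```python
"""Toy model of a two-stage foreign-to-foreign filter plus selector matching.

Constructed example for illustration only; the prefix table, selectors and
sessions below are invented and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical prefix-to-country assignments (constructed, not real allocations).
PREFIX_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "PK",
    ipaddress.ip_network("198.51.100.0/24"): "KP",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
DOMESTIC = "US"


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match against the table; None if the address is unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in PREFIX_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    identifiers: frozenset          # e-mail addresses / phone numbers seen in the session
    true_countries: tuple           # ground truth, only learned after the fact


def stage1_foreign_filter(sessions):
    """Front-end filter at the tapping point: forward only traffic judged
    foreign on both ends. Unknown prefixes are discarded, not assumed foreign."""
    forwarded = []
    for s in sessions:
        src, dst = country_of(s.src_ip), country_of(s.dst_ip)
        if src is None or dst is None:
            continue
        if DOMESTIC in (src, dst):
            continue
        forwarded.append(s)
    return forwarded


def stage2_select(sessions, selectors):
    """Selection engine: keep only sessions matching a tasked strong selector."""
    return [s for s in sessions if s.identifiers & selectors]


def domestic_incidents(selected):
    """Post-hoc review: selected sessions where one end turned out to be domestic,
    i.e. the IP-based foreignness judgement was wrong."""
    return [s for s in selected if DOMESTIC in s.true_countries]


# Constructed sample input: five sessions "captured" at the access point.
SESSIONS = [
    Session("203.0.113.5", "198.51.100.9", frozenset({"target@example.net"}), ("PK", "KP")),
    Session("203.0.113.7", "192.0.2.3", frozenset({"target@example.net"}), ("PK", "US")),
    Session("203.0.113.8", "198.51.100.12", frozenset({"nobody@example.org"}), ("PK", "KP")),
    # Prefix table says KP, but the block was reassigned: this becomes an incident.
    Session("203.0.113.9", "198.51.100.14", frozenset({"+92-300-0000000"}), ("PK", "US")),
    Session("203.0.113.10", "10.0.0.1", frozenset({"target@example.net"}), ("PK", "PK")),
]
SELECTORS = frozenset({"target@example.net", "+92-300-0000000"})  # constructed


def run_pipeline(sessions=SESSIONS, selectors=SELECTORS):
    """Run both stages and the review step; return the counts at each point."""
    forwarded = stage1_foreign_filter(sessions)
    selected = stage2_select(forwarded, selectors)
    incidents = domestic_incidents(selected)
    return {
        "captured": len(sessions),
        "forwarded": len(forwarded),
        "selected": len(selected),
        "domestic_incidents": len(incidents),
    }


if __name__ == "__main__":
    print(run_pipeline())
```

The numbers the toy produces mirror the pattern in the documents: most captured sessions are dropped at the access point, only selector hits travel on, and an incident surfaces only when the IP-based judgement is checked against the real location afterwards.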

  Tapping points

One of the most interesting new documents is an NSA presentation from 2010 about the Corporate Partner Accesses, which has the map for the FAIRVIEW program with all the domestic dots, but this time with the explaining legend:

From the legend in combination with the dots on the map, we learn that under the FAIRVIEW program, NSA at that time had access points at the following parts of the AT&T network:
- Peering Link Router Complexes (8)
- VoIP Router Complexes (26, planned: 0)
- Hub VoIP Router Complex (1, planned: 30)
- Program Cable Stations (9, planned: 7)
- Non-Program Cable Stations (0)
- RIMROCK 4ESS Circuit Switches (16)
- Program Processing Site (1)

One important thing is that most of the markers inside the US do not represent traditional cable tapping points like those along the borders, but are current and planned accesses to Voice over IP communications. Here's some explanation about the other types of access points too:

Peering Link Router Complex
NSA has 8 access points at AT&T Peering Link Router Complexes. According to Pro Publica they correspond to AT&T's Service Node Routing Complexes (SNRCs), where other communication providers connect to the AT&T backbone through OC-192 and 10GE fiber-optic cables. For NSA, this means they can catch traffic from those other providers too. This backbone access is codenamed SAGURA or SAGUARO. The 8 facilities are in:
- Seattle
- San Francisco
- Los Angeles
- Dallas
- Chicago
- Atlanta
- New York City
- Washington DC
It was this kind of access point that was/is in Room 641A in San Francisco, as was exposed by Mark Klein during a lawsuit in 2006. Klein said that the equipment in room 641A was installed in early 2003, which could fit the turning on of "a new DNI (Digital Network Intelligence) collection capability" in September of that year.

VoIP Router Complex
The largest number of active access points, 26, are at VoIP Router Complexes, which are apparently used for routing voice communications over IP networks, like the internet. No new accesses of this kind were planned, but expansion seems to be in the next category:

Hub VoIP Router Complex
In the map from 2010 we see only one active access at a Hub VoIP Router Complex, which is somewhere near New York City (maybe in Florham Park, NJ, where AT&T has a data warehouse and its laboratory?). Access to VoIP communications was clearly seen as something that needed expansion, as 30 locations are marked as a planned access point. Unfortunately, no documents have yet been released about this effort.

Map of the US internet backbone network of AT&T in 2009
(Source: AT&T brochure - Click to enlarge)

Program Cable Station
At the time of the presentation, there were 9 AT&T cable stations with a tapping facility, and another 7 for which that was planned. For an article on Pro Publica, it was found out that 9 of these active and planned stations in the continental US correspond to cable landing stations owned by AT&T.
There are also two active and five planned accesses at cable landing points which are probably located in Hawaii and Puerto Rico. Some of the active facilities are in:
- Nedonna Beach, Oregon
- Point Arena, California
- San Luis Obispo, California
- Tuckerton, New Jersey
- West Palm Beach, Florida

RIMROCK 4ESS Circuit Switch
These facilities refer to a 4ESS switch, which is used for long-distance telephone switching. Approximately 100 of these switches are operated by AT&T, but according to the map, only 16 of them have a tapping facility codenamed TOPROCK. Except for two, they are situated along the US border, so seem to be for collecting (the metadata of) in- and outgoing phone calls. These sites appear to be in or near:
- Seattle
- Spokane
- Sacramento
- Los Angeles
- San Diego
- Albuquerque
- San Antonio
- Lansing
- Atlanta
- Pittsburgh
- Buffalo
- Kingston
- Hartford (2)
- New York City (2)

Program Processing Site
Finally, there's one centralized Program Processing Site, which is codenamed PINECONE. The map indicates that it's situated somewhere near the AT&T cable landing station of Tuckerton in New Jersey.

The AT&T intercontinental cable landing station in Tuckerton, New Jersey,
which got a fake facade when residences were built around it.
(Photo: Bing maps - Click to enlarge)


Seen for the first time is an NSA presentation from 2012 with five diagrams showing the dataflow for the various collection methods under the FAIRVIEW program. There are diagrams for:
- Transit internet content (US-990)
- Transit internet metadata (US-990)
- Transit telephony metadata and SMS (US-990)
- FISA e-mail content (US-984T)
- FISA internet content (US-984T)

There are no diagrams for FAIRVIEW collection under the authority of section 702 FAA.

Dataflow for internet content collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)

These diagrams show that processing the data from the various collection points takes place in 3 different stages at 3 different locations:
1. Access and processing at the partner company
2. Site processing in a central secure facility
3. Processing and storage at NSA headquarters

Here's a description of what roughly happens during these 3 stages:

1. Access and processing at the partner company

In the first stage, AT&T provides access to internet and telephone cables and does some filtering and processing right at the various tapping points:
- For the internet collection, we see that the traffic is split at the switches where AT&T's own accesses, as well as peering partners' cables, connect to the AT&T Common Back Bone (CBB).

This duplicated traffic goes to one or more routers, where "Foreign IP Filtering" takes place to select foreign and discard domestic traffic. The remaining data stream is then sent over to the central processing facility of the second stage, probably over OC-48 links of 2,4 Gbit/s. The same happens with traffic from other cable access points codenamed MESA.

It was this kind of installation that Mark Klein discovered in Room 641A in the SBC building in San Francisco in 2006. Many people assumed that in this way, NSA was able to store everything that runs over those cables, including Americans' communications, but now we know that filters ensure that only foreign traffic is sorted out for further processing.
Klein also testified that in room 641A there was equipment from Narus, which can be used to sessionize and filter data streams, but this is not seen in the diagrams. Maybe, after the exposure of room 641A, NSA moved that kind of equipment from the actual AT&T tapping points to the centralized processing facility codenamed PINECONE.

According to an NSA glossary, there are tens of thousands of access links to the AT&T Common BackBone, which "would make 100% coverage prohibitively expensive". Therefore, NSA's Operations and Discovery Division (ODD) worked with AT&T to rank the access routers, and (only?) 8 router uplinks were deemed of high SIGINT interest and subsequently nominated for monitoring.

- Telephone metadata under Transit Authority are collected from Foreign Gateway Switches and "ATPs", by a "CNI [Calling Number Identification] & Call Processor" in facilities codenamed TOPROCK. These metadata are also sent over to the central processing facility of the second stage.

One of the doors to room 641A in the building of AT&T in San Francisco,
where there's an access point to the AT&T Common BackBone

2. Site processing in a central secure facility

The second stage comprises processing which takes place at a central location, in a highly secured building, a Sensitive Compartmented Information Facility (SCIF), which for the FAIRVIEW program is codenamed PINECONE. The equipment there is partly controlled by the partner company and partly by NSA.

Processing data from the many tapping points under the FAIRVIEW program at one central facility is only possible when large amounts have already been discarded during the first stage. The remaining data stream is probably sent (unencrypted) to PINECONE over dedicated links within the AT&T network.
- Internet data arrive at IP Routers (IPRs) and via IP Processors (IPPs) go to an "Information Media Manager Distribution Box". Internet metadata then go directly to MAILORDER. This device sends them to NSA headquarters (NSA-W), where they are received by another MAILORDER box.

Until now, MAILORDER was known as a tool for transferring data, but now it becomes clear that MAILORDER actually is the device that encrypts the data so they can be transmitted safely from the PINECONE facility to NSA headquarters.

Before going to MAILORDER, internet content has to pass another box codenamed COURIERSKILL/CLEARSIGHT. This device also gets an input from the CADENCE tasking tool at NSA headquarters: the selectors for filtering.

Therefore, COURIERSKILL/CLEARSIGHT is the device that sorts out the communications that match the e-mail addresses and other identifiers as requested by NSA analysts. For e-mail collection under FISA authority, this filtering is done (directly) by XKEYSCORE.

After passing GATEKEEP, which could be some kind of access control system, the filtered internet content of interest goes to MAILORDER to be sent over to Fort Meade.

- Telephone metadata and SMS messages also pass an "Information Media Manager Distribution Box", which is connected to an unknown device marked NGTPD. Via MAILORDER, these data too are sent over to NSA headquarters.

3. Processing and storage at NSA headquarters

In the third and final stage, which is at NSA headquarters, the data from the central processing facility PINECONE arrive at a MAILORDER box, which is on the FAIRVIEW Local Area Network (LAN) codenamed HIGHDECIBEL.

From this LAN, the data are sent to NSA's core corporate network, again via secure MAILORDER transmission, to be stored in the various and meanwhile well-known databases, like PINWALE, MAINWAY, MARINA, FASCIA and DISHFIRE.
- Internet content first passes FISHWAY, which is a "Data Batching & Distribution System", and then SCISSORS. The latter was first seen in the earliest PRISM slides, and is a "Data Scanning, Formatting & Distribution System", as we learn from this diagram.

Raw internet content and e-mails collected under FISA authority are stored in the RAGTIME partition of the PINWALE database and are classified as TOP SECRET//SI-ECI RGT//REL [...].

- Internet metadata first pass FALLOUT, which is an internet metadata ingest processor/database, while telephone metadata and SMS go to FASCIA, which has the same function for this type of data.

Overview of the numbers of data collected under the FAIRVIEW program
(Click to enlarge)


According to one of the newly disclosed NSA documents, the internet access under the FAIRVIEW program was initially used only for collecting e-mail messages. In 2003, this resulted in more than one million e-mails a day being forwarded to the keyword selection system at NSA headquarters.

This number had risen to 5 million a day in 2012, which remained after applying some kind of "3 Swing Algorithm" to 60 million foreign-to-foreign e-mail messages that were captured by FAIRVIEW every day under Transit Authority - according to the speaker's notes for an NSA presentation from 2012.

Again we see a huge amount of data passing (which in the documents is called being "captured" by) the FAIRVIEW tapping points, but filters only select a small part, which is then forwarded to the NSA for further selection. The 5 million e-mail messages a day in 2012 made 150 million a month and 1,8 billion a year.


The most recent numbers of the data collected under FAIRVIEW can be derived from a chart from the NSA's BOUNDLESSINFORMANT tool, which was published in May 2014 as part of Glenn Greenwald's book No Place to Hide:

During the one month period between December 10, 2012 and January 8, 2013, exactly 6.142.932.557 metadata records were counted for collection under Transit Authority, which for the FAIRVIEW program is denoted by the SIGAD US-990.

This means the numbers for FAIRVIEW collection under FISA and section 702 FAA authority are not included in this chart. But in those cases, only communications related to specific e-mail addresses or similar identifiers are collected, which results in far smaller numbers: according to a 2011 FISA Court ruling (pdf), Upstream collection under section 702 FAA resulted in just 22 million "internet communications" each year.

The over 6 billion records for FAIRVIEW account for only 3,75% of the total number of data the NSA collects through its cable tapping programs, which is remarkably small given the large number of access points at major internet cables and switches.

Tech details

In the lower part, the pie chart shows that under Transit Authority, roughly the following number of records were counted for FAIRVIEW:

- 87% or 5,3 billion: Personal Communications Services (PCS, cell phone, etc)
- 2% or 122 million: Mobile communications-over-IP (MOIP)
- 8% or 488 million: Public Switched Telephone Network (PSTN)
- 3% or 183 million: Internet communications (DNI)

As reflected by the bar chart, the overwhelming majority of data come from foreign-to-foreign telephone communications, mostly from cell phones. Because there's no dataflow diagram for the content of phone calls, it's possible that this is only telephone metadata and SMS messages.

Only about 3% comes from foreign-to-foreign e-mail messages, for which some 183 million metadata records were counted. This number comes close to the roughly 150 million e-mails a month that were processed in 2012, which could indicate that one metadata record equals one e-mail message.

The technology used to process 97% of these data is called FAIRVIEWCOTS, which could be a combination of the program's codename and the abbreviation COTS, which stands for Commercial-Off-The-Shelf equipment. Only nearly 3%, so probably the e-mail traffic, is processed by a hitherto unknown system codenamed KEELSON. Finally, a tiny number also went through SCISSORS.

Product reports

After the data have been collected and stored, analysts go through them, looking for useful intelligence information, and put that in so-called product reports. A slide from a 2012 presentation about SSO's Corporate Portfolio shows the Top Ten programs based upon the product reports that were prepared during the fiscal year 2010-2011:

We see that with 7357 product reports, US-990, which is FAIRVIEW collection under Transit Authority, ranks as the second most productive source. However, 4 times more reports came from collection under section 702 FAA, which is not only derived from PRISM, but also from the STORMBREW and FAIRVIEW programs.

Although the numbers of reports do not differ very much below the program ranking first, the chart still shows how focused FAIRVIEW collection must be: the 3,75% of the data it pulls in is apparently so useful that it results in a big number of product reports.

From a different presentation, we have a similar diagram with the numbers for the fiscal year 2009-2010:


The FAIRVIEW map also mentions a close partnership with the FBI. Under the PRISM program it's the FBI that actually picks up the data at the various internet companies, but for Upstream collection, like under FAIRVIEW, that's not the case: here the NSA has a direct relationship with the telecoms.

This leaves the option that the FBI (just like the DEA and the CIA) is also a so-called customer of the program, meaning that the Bureau can request the collection of certain targets' communications and access some of the data that NSA collected under FAIRVIEW.

  Domestic metadata

The newly disclosed documents about FAIRVIEW also provide some new details about the bulk collection of domestic metadata, which is considered to be one of the most controversial activities of the NSA. Somewhat unexpected is that for AT&T this happens under FAIRVIEW, instead of a separate program.

Internet metadata

An NSA document from 2003 seems to be about bulk internet data. It says that FAIRVIEW also collected "metadata, or data about the network and the communications it carries" and that for September 2003 alone, "FAIRVIEW captured several trillion metadata records - of which more than 400 billion were selected for processing or storage".

This doesn't really sound like AT&T handed over bulk metadata indiscriminately, but it would fit how it's described in the 2009 STELLARWIND-report (in which, according to Pro Publica, AT&T is mentioned as "Company A") about the collection efforts under the President's Surveillance Program (PSP):
"In order to be a candidate for PSP IP metadata collection, data links were first vetted to ensure that the preponderance of communications was from foreign sources, and that there was a high probability of collecting al Qaeda (and affiliate) communications. NSA took great care to ensure that metadata was produced against foreign, not domestic, communications"

It seems that at that time, AT&T did hand over massive amounts of internet metadata from its domestic infrastructure, but also made sure these were not about American communications.
The "internet dragnet", that is, the bulk collection of internet metadata of domestic communications under the authority of section 402 FISA (at NSA called PR/TT) was first approved by the FISA Court on July 14, 2004. That means, the 400 billion metadata collected under FAIRVIEW in 2003 were not yet part of the PR/TT bulk collection, and accordingly not domestic.

It is still remarkable that AT&T was able to forward 400 billion metadata records a month just from its foreign communications: in 2012, the total number of internet metadata that NSA collected worldwide was "just" 312 billion a month.

The 2003 document says these metadata were flowing to MAINWAY, which appears to be not only for telephone records, but "NSA's primary tool for conducting metadata analysis" in general.* One of the dataflow diagrams also shows that internet metadata first flow into MAINWAY, and from there to MARINA, which is the repository for internet metadata:

Dataflow for internet metadata collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)

Telephone metadata

About bulk telephone metadata there's an NSA document from 2011. It says that as of September 2011, FAIRVIEW began handing over "1.1 billion cellular records a day in addition to the 700M records delivered currently" under the Business Record (BR) FISA authorization, which refers to section 215 of the USA PATRIOT Act.

It was already known that the major US telecoms handed over their metadata records of landline telephone calls, but here we see that AT&T also started doing so for cell phone calls.

And for the very first time we also have some numbers now: the total of 1,8 billion a day provided by AT&T make 54 billion a month and about 650 billion phone records a year. For comparison, in 2012, NSA's regular foreign collection resulted in a total number of 135 billion telephone records a month and 1,6 trillion a year.

The mobile phone metadata provided by AT&T were fed into the MAINWAY database to be used for contact chaining in order to "detect previously unknown terrorist threats in the United States". Before these records were handed over to NSA, AT&T stripped off the location data, to comply with the FISA Court orders, that don't allow those data to be collected.

Apparently Verizon Wireless and T-Mobile US don't strip off these location data, so their cell phone records cannot be handed over to NSA, which therefore only gets less than 30% of the domestic telephone metadata.

The reports by Pro Publica and The New York Times stress AT&T's "extreme willingness to help" the NSA, which some people consider bad and scary. But maybe this very close cooperation helps to make data collection as targeted and focused as possible. Apart from the domestic metadata collection under BR-FISA, the relatively small numbers of data collected under the FAIRVIEW program, appear to contain a lot of valuable foreign intelligence information.

The fear was that under FAIRVIEW, large numbers of Americans' communications were sucked up by the NSA. However, the documents and diagrams show that there are filter systems that, for collection under Transit Authority, only let foreign-to-foreign communications through. Collection under section 702 FAA is already about foreign targets outside the US, while under FISA authority there's an individualized FISA Court order.

Interesting questions that remain are about the function of the rapidly growing number of VoIP collection points, as well as about the scope of the cyber security effort, and how in these fields, NSA tries to protect the rights of American citizens.

Links and sources
- Bruce Schneier: NSA's Partnership with AT&T
- Matthew Green: The network is hostile
- What’s a Little (or a Lot) Cooperation Among Spies?
- AT&T Pulled Cell Location for Its “Mobility Cell Data”
- AT&T Whistle-Blower's Evidence
- History of the Atlantic Cable & Undersea Communications

July 27, 2015

New IP phones in the White House

From a recent photo from the Oval Office, we learn that, probably last May, new telephones for non-secure calls have been installed in the White House. They replace older ones that had been in use there since 1996.

The new devices are IP phones, which means they run over an internal packet-switched IP network, instead of a traditional circuit-switched telephone network.

The new Avaya 9608

The new device is a dark gray office phone, model 9608, made by Avaya, which is a leading American manufacturer of telecommunications equipment. Avaya was previously part of Lucent Technologies, which was a spin-off of AT&T.

This model is relatively simple; it's one that is commonly used in offices all over the world. It just has an average monochrome display - not a fancy color touch screen, like other high-end executive models from Avaya's 9600-series.

Although that may look nice, for the president such features would not be of much use, as most of his calls are made through an operator from the White House switchboard.

President Obama talks on his phone for secure calls with Secretary of State
John Kerry. In front of it there's the new Avaya 9608, July 13, 2015.
(White House photo by Pete Souza - Click to enlarge)

The new Avaya 9608 phone has no special security features, as it is used for all non-secure calls, both within and outside the White House.

The Cisco 7975G

For secure calls that have to be encrypted, the president uses the other phone on his desk, which is a Cisco 7975G Unified IP Phone (with expansion module 7916). This is also a very widely used high end office phone, and as such not specially secured itself, but here it is connected to the dedicated Executive Voice over Secure IP (VoSIP) network, which connects the White House with some of the most senior policy makers and provides the highest level of encryption.

The previous Lucent 8520

For non-secure calls, the new Avaya replaces the Lucent 8520T on Obama's desk. This Lucent phone was from the most widely used business phone series worldwide. It came into use in 1996, when the White House got a completely new telephone system, which was installed by AT&T and cost 25 million USD.

This new system consisted of an automated private branch exchange (PBX) with black executive phone sets, models 8410 and 8520 from Lucent, with the large 8520 on the president's desk in the Oval Office:

The previous Lucent 8520 and the Cisco 7975 on Obama's desk, July 31, 2011
(White House photo by Pete Souza)

Before 1996, the White House still used the manual switchboard from the days of president Johnson. On the president's desk there was even the push button version of the Western Electric 18-button Call Director dating back to the 1960s. The installation of the new telephone system under president Clinton is also discussed in this television report:

NBC television on the new White House phone system (1996)

See also:

- Does Obama really lack cool phones?
- A White House staff phone
- Overview of older Presidential Telephones of the United States