September 21, 2013

PRISM as part of the BLARNEY program

(Updated: December 18, 2013)

Last June, the still on-going Snowden-leaks started with the unveiling of PRISM, an NSA program which collects information about foreign targets from American internet companies like Facebook, Google, Yahoo, Microsoft and Apple.

Since then, no new information about PRISM was published, but recently some new details could be found. These show that PRISM is part of another NSA program, codenamed BLARNEY, and that US-984XN is not a single designator for PRISM, but stands for multiple designators, one for each of the internet companies.


New slides

On September 8, the Brazilian television news magazine Fantástico aired a report about the NSA trying to access the network of the Brazilian oil company Petrobras. In the background of this report, a number of hitherto unseen NSA slides were shown.

One of the slides shows details about the BLARNEY program, which has the SIGAD, or SIGINT Activity Designator US-984 and the PDDG, or Producer Designator Digraph AX. The slide says that BLARNEY collects DNR (telephony) and DNI (internet) communications under authority of the FISA court. Main targets of the program are diplomatic establishments, terrorists, foreign governments and economic targets:


Top left the slide shows the NSA seal and top right we see a green leprechaun hat with a clover leaf, symbolizing Blarney, as this is also the name of a small town in Ireland.

However, the most intesting fact is that the BLARNEY SIGAD US-984 is almost the same as US-984XN, which is prominently shown on the first slide of the PRISM presentation that was published in June:




This similarity indicates that PRISM is part of BLARNEY, which is also suggested in the Wikipedia article about the latter program.


SIGADs

Wikipedia also has a good article about the SIGAD or SIGINT Activity Designator itself, which teaches us that a SIGAD with two letters followed by three or four numbers, like US-984, is for identifying signals intelligence collection programs and activities.

An additional alphabetic character is added to denote a sub-designator for a subset of the primary collection unit, like a detachment. Lastly, a numeric character can be added after the aforementioned alphabetic to provide for a sub-sub-designator. This already confirms that with the designation US-984XN, PRISM is a sub-program of BLARNEY.

But there's more. In the Wikipedia-article the SIGADs are represented like XX-NNNxn, where an X represents an alphabetic character and an N represents a numeric character. Here we see the same XN-suffix as in the alleged PRISM designator US-984XN, so it seems that XN is only meant as a placeholder for the actual designations of PRISM subsets.

This is confirmed by another slide from Brazilian television, which says that the SIGAD US-984X stands for multiple programs and partners collecting under FAA authority:



PRISM SIGADs

In one of the PRISM slides published in June, there's an explanation of the PRISM case notations. These start with a designation for each PRISM provider, like P1 for Microsoft, P2 for Yahoo, etc. (the first position in the slide below). These designators fit the XN-scheme of one alphabetic character followed by one numeric character.





If we combine this, it seems likely that instead of US-984XN as a single PRISM SIGAD, there might be actually the following multiple SIGADs, one for each of the internet companies:
- Microsoft: US-984P1
- Yahoo: US-984P2
- Google: US-984P3
- Facebook: US-984P4
- PalTalk: US-984P5
- YouTube: US-984P6
- Skype: US-984P7
- AOL: US-984P8
- Apple: US-984PA

After P8 for AOL, the final number becomes the letter A for Apple. Maybe this is because more than nine companies became involved, and so NSA chose to go on with hexadecimal numbers, so PA can be followed by PB, PC, etc.

Having separate SIGADs for each internet company makes sense, because a SIGAD identifies a specific facility where collection takes place, like a ship or a listening post. PRISM as a program is not such a facility, but comprises a number of them.


The notation of the multiple PRISM SIGADs is also more like that of other collection facilities, for example US-987LA and US-987LB for the Bavarian and Afghanistan listening posts of NSA's German partner-agency BND.


UPDATE and CORRECTION:

Meanwhile, high-resolution video footage of the Brazilian television magazine Fantástico became available, from which I could make a readable screenshot of a slide that was ineligible until now:




This slide is from an NSA presentation about the FAIRVIEW program and shows that both FAIRVIEW and STORMBREW have a number of subsets that were not known before. It also shows that my previous interpretation of the US-984X SIGAD wasn't correct.

The slide learns us that BLARNEY collection under the FISA Amendment Act (FAA) is designated US-984X* and it's this asterisk which apparently acts as a placeholder for other facilities collecting under FAA authority:

- US-984XA-H for eight STORMBREW collection facilities under FAA
- US-984XR for a FAIRVIEW collection facility under FAA
- US-984X2 for another FAIRVIEW collection facility under FAA

Here we see US-984X followed by different letters and also a number, which means it's now unlikely that "XN" in the PRISM SIGAD US-984XN is a placeholder for a letter and a number, as I assumed before. With US-984XN, PRISM actually fits the format of BLARNEY facilities which collect data under FAA authority. This also means that there's only one SIGAD for the PRISM program, and not one for each of the internet companies, although that would have made some sense.

My idea that the first two characters of the PRISM case notation (P1, P2, etc) could be the suffix after US-984 is also refuted by the fact that the high resolution slide shows that US-984P is actually the SIGAD for a STORMBREW facility under FISA authority. FAIRVIEW has also collection under FISA, which is designated US-984T.

The original parent programs of FAIRVIEW (US-990) and STORMBREW (US-983) are under Transit (T) authority, which means that they collect communications which originate and terminate in foreign countries when they transit the United States.



BLARNEY

Under BLARNEY, information is collected from both telephone and internet communications at facilities in the United States. The program was started in 1978 under the authority of the Foreign Intelligence Surveillance Act (FISA), which was enacted in the same year for regulating foreign intelligence collection in which communications of Americans could be involved. The SIGAD for BLARNEY collection under this initial FISA authority is US-984.

According to a report of the Wall Street Journal, BLARNEY was established with AT&T, for capturing foreign communications at or near key international fiber-optic cable landing points, like the AT&T facility Room 641A in San Francisco that was revealed in 2006. A similar facility was reportedly built at an AT&T site in New Jersey.



One of the doors of room 641A in the building of AT&T in San Francisco,
where the NSA had a secret internet tapping device installed,
which was revealed by an AT&T technician in 2006.


After the 2001 attacks these intercept capabilities were expanded to top-level telecommunications facilities within the United States, like main switching stations for telephone and internet traffic. These are accessed through arrangements with American internet backbone providers. Finally companies providing internet services like Microsoft, Google and Facebook were added.

Since 2008 this collection takes place under authority of the FISA Amendments Act (FAA) and the specific BLARNEY sub-programs and corporate partners are identified by SIGADs in the format US-984X*.

According to the recently disclosed US Intelligence Budget, NSA pays 65.96 million USD for costs made by corporate partners under the BLARNEY program. As PRISM is part of BLARNEY, it's possible that part of that money (maybe the 20 million mentioned in this slide?) is also for expenses made by the internet companies like Facebook, Google and Yahoo.

When PRISM was unveiled in June, the Guardian said this program was one of the main contributors to the President's Daily Brief, the top-secret document which briefs the US president every morning on intelligence matters. Being the PRISM parent program, BLARNEY is also one of the top sources to this document. According to a report by Der Spiegel, some 11,000 pieces of information reportedly come from BLARNEY every year.

This is shown in the slide below with a chart of the Top Ten Collection SIGADs from 2010-2011:


(screenshot courtesy @koenr)

In green we see the signals intelligence sources where NSA's Special Source Operations (SSO) division uses arrangements with corporate partners, in blue the sources where there are no such arrangements needed, which means SSO can collect the data on its own.

By far the most productive sources are the facilties under US-984X*, which include PRISM. Second comes information from what is called "transit only" traffic under the FAIRVIEW program (US-990). The initial BLARNEY collection under US-984, which is apparently from the AT&T network, is the nineth most productive source.

Some more information about BLARNEY is in another slide that was shown on Brazilian television:


Click for a readable version


Among other things, the slide says that BLARNEY is used for gathering information related to counter proliferation, counter terrorism, foreign diplomats and governments, as well as economic and military targets. PRISM seems to be used against more or less the same targets, as can be seen in a lesser known slide of the famous PRISM powerpoint presentation:


(it seems the bottom part of this slide was blacked out by Brazilian media, as the Indian
paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as
topics under the header "India", and also information from Asian and African
countries is contributing to a total of "589 End product Reports")


Once again this makes clear that programs like BLARNEY and PRISM are used to gather information about the usual strategic and tactical topics and therefore not for spying on Americans or other ordinary people.

(Updated on September 23 with the slide describing US-984X, the slide with the PRISM topics, some additional information from the WSJ report and a new slide about the top ten FAA sources)


September 13, 2013

The US Classification System

(Updated: December 24, 2016)

Top level telecommunications often involve information that has to be kept secret. To ensure that, governments have systems to protect sensitive information by classifying it, which is best known from document markings like "Top Secret".

Here we'll explain the classification system of the United States, which is far more complex than most people think, also because it's one of the world's biggest secrecy systems. In 2012 almost 5 million (!) people in the US had a clearance for access to classified information.*

The deeper parts of this classification system are classified, but some new details and codewords have been revealed in documents from the recent Snowden-leaks.



Classification markings

All documents that contain classified information, whether digital or hard copy, have to be marked with the appropriate markings. These are shown in the classification or banner line, which is shown at the top and bottom of every document and usually has three parts, separated by double slashes:


An example of such a classification line would be:

TOP SECRET//COMINT//NOFORN


Additionally, all sections of a document should have a portion marking, which is an abbreviation of the full classification line. Below, the abbreviations for these portion markings are shown in brackets.

When a document contains joint or Foreign Government Information (FGI), the necessary markings are shown in a separate part of the classification line. Finally declassification instructions can be added. These markings will not be discussed here.

The meaning of abbreviations and codewords can be found in the separate listing of Abbreviations and Acronyms and the listing of Nicknames and Codewords.



Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)



Classification levels

The United States government classifies information according to the degree which the unauthorized disclosure would damage national security. Like many other countries, the US has three classifications levels. From the highest to the lowest level these are:

- TOP SECRET (TS, color code: Orange)
- SECRET (S, color code: Red)
- CONFIDENTIAL (C, color code: Blue)

Government documents that do not have a classification can be marked as:
- UNCLASSIFIED (U, color code: Green)


With 1.4 million people having a Top Secret clearance, it's obvious that additional measures are needed to protect the more sensitive information. Therefore, that information is put in separated compartments, only accessible for those people who have the 'need-to-know'.

This system is called Sensitive Compartmented Information (SCI) for intelligence information, while other highly secret and sensitive information is protected by a Special Access Program (SAP). Both sub-systems will be explained below.

The classification levels Confidential, Secret and Top Secret are sometimes called 'Collateral', denoting that no additional Intelligence Community control systems or compartmentations, like SCI or SAP, apply.



SCI compartments

Sensitive Compartmented Information (SCI) is a system to protect national intelligence information concerning sources and methods, and is divided into control systems and compartments, which are further subdivided in subcontrol systems and subcompartments.
These systems and compartments are usually identified by a classified codeword, some of which were leaked or have been declassified. In total, there may be between 100 and 300 SCI compartments and subcompartments, grouped into about two dozen control systems.
SCI control systems and there compartments are species of Controlled Access Programs (CAPs), which also include Non-SCI CAPs, like for example at the Secret level.

Known and supposed SCI control systems from past and present are:


- COMINT or Special Intelligence (SI)
- UMBRA (TSC?)
- ENDSEAL (EL)
- TALENT KEYHOLE (TK)
- HUMINT Control System (HCS)
- KLONDIKE (KDK, since 2011)
- RESERVE (RSV, since 2005)
- BYEMAN (BYE or B, defunct since 2005)
- Special Navy Control Program (SNCP)
- VERDANT (VER, defunct)
- PANGRAM (PM, defunct)
- MEDITATE (M, defunct)
- SPECTRE
- LOMA
- KLAMATH (KLM)
- CREDIBLE WOLF (CW)
- FOCAL POINT (FP)
- AZURE BLUE (AB)
- ? (GG)
- ? (CRU)
- ? (OC)
- STELLARWIND (STLW, 2001-2009)

In a classification line this is shown like: TOP SECRET//SI

Multiple control systems are shown like: TOP SECRET//SI/TK


COMINT / Special Intelligence (SI)
This control system is for communications intercepts or Signals Intelligence and contains various sub-control systems and compartments, which are identified by an abbreviation or a codeword. In a classification line they follow COMINT or SI, connected by a hyphen.

Known COMINT/SI sub-control systems are:
- Very Restricted Knowledge (VRK, defunct)
- Exceptionally Controlled Information (ECI)
- GAMMA (G)
- DELTA (D, defunct)
- [undisclosed]

In a classification line this is shown like: TOP SECRET//SI-G

Multiple COMINT compartments shown like: TOP SECRET//SI-VRK-G

Very Restricted Knowledge (VRK)
This sub-control system was established in 1974 to limit access to uniquely sensitive COMINT activities and programs (no product or content). It contains compartments or categories which have an identifier of one to three alpha numeric characters.* VRK was succeeded by ECI shortly before 2004.*

Example: TOP SECRET//SI-VRK 11A

Exceptionally Controlled Information (ECI)
This sub-control system protects highly sensitive information and sources and contains compartments, which are identified by a classified codeword. In the classification line there's a three-letter abbreviation of this codeword. ECI succeeded VRK around 2004.*

Recently disclosed codewords for ECI compartments include:
- AMBULANT (AMB), APERIODIC, AUNTIE, ESCAPEE? (ESC), PAINTEDEAGLE, PAWLEYS, PENDLETON, PIEDMONT, PICARESQUE (PIQ), PITCHFORD, RAGTIME (RGT), REDHARVEST (RDV), WHIPGENIE (WPG).
Lists of ECI compartments from 2003 and 2013.

Example: TOP SECRET//SI-ECI PIQ

Multiple compartments: TOP SECRET//SI-ECI PIQ-ECI AMB

Since 2011, SCI type indicators used to group compartments, like ECI, may not be used anymore in classification lines and portion markings. For example, information formerly marked TS//SI-ECI ABC must now be marked TS//SI-ABC.

GAMMA (G)
This sub-control system of SI is for highly sensitive communication intercepts (product or content)* and may contain compartments, which are identified by a codeword or an identifier of four alphabetic characters.

Some former GAMMA compartments were:
- GABE, GANT, GART, GILT, GOAT, GOUT, GROL, GUPY, GYRO

Example: TOP SECRET//SI-G GUPY

Multiple compartments: TOP SECRET//SI-G GUPY GYRO

[undisclosed]
Classification manuals say there are undisclosed SI compartments which have identifiers of three alphabetical characters. Some documents from such a compartment were declassified in early May 2014. It seems that this compartment is for protecting information related to metadata collection, but is different from STELLARWIND.* It probably contains sub-compartments which are identified by three numeric characters.*

For example: TOP SECRET//SI-XXX 888


STELLARWIND (STLW)
This is a "controlled access signals intelligence program", created under presidential authorization in response to the attacks of September 11, 2001. It includes information related to the Terrorist Surveillance Program (TSP) and to the bulk telephony and internet metadata collection by the NSA.* It seems that STLW started as a COMINT compartment* but later on became a hitherto unknown classification category at the same level as SCI and SAP.

Terrorist Surveillance Program (TSP)
The markings "TSP" and "Compartmented" were used instead of "STELLARWIND" in briefing materials and documents related to the STELLARWIND program intended for external audiences, such as Congress and the courts. The term "TSP" was initially used in relation to only that portion of the program that was publicly disclosed by president Bush in December 2005.*


UMBRA
This codeword was used since 1968 to protect the most sensitive intercepts of Communication Intelligence (COMINT). The use of this compartment was publicly terminated in 1999, but the Snowden-leaks revealed that NSA is still using it, probably as a registered but unpublished SCI control system for the content of communications collected under authority of EO 12333.


ENDSEAL (EL)
The existance of this control system was declassified in 2014, but the name was already known in 2005. ENDSEAL is for finalized intelligence products, probably based upon information derived from US Navy SIGINT sensors. The raw data collected for ENDSEAL reports are likely handled under a different, still-classified coverterm. ENDSEAL information must always be classified as Special Intelligence (SI) too.*
The control system contains compartments for intelligence products intended for dissemination to Intelligence Community consumers. These compartments are identified by a codeword and can be divided into sub-compartments.

Declassified names of ENDSEAL compartments are:
- ECRU (EU)
- NONBOOK (NK)

In a classification line this is shown like: TOP SECRET//EL-NK/SI


TALENT KEYHOLE (TK)
This control system is for products of overhead collection systems, such as satellites and reconnaissance aircraft, and contains compartments, which are identified by a classified codeword. The original TALENT compartment was created in the mid-1950s for the U-2. In 1960, it was broadened to cover all national aerial reconnaissance and the KEYHOLE compartment was created for satellite intelligence.

Some former TK subcompartments were:
- CHESS, RUFF, DAFF and ZARF

In a classification line this is shown like: TOP SECRET//TK-RUFF


RESERVE (RSV)
This control system is for compartments protecting new sources and methods during the research, development, and acquisition process done by the National Reconnaissance Office (NRO). Compartments within RESERVE have an identifier of three alphanumeric characters.* There are no actual examples.

In a classification line this is shown like: TOP SECRET//RSV-XXX


KLONDIKE (KDK)
This control system is for Geospational Intelligence (GEOINT) produced by the National Reconnaissance Office (NRO). Since 2013, the control system contains compartments, which are identified by a codeword.

Declassified names of KLONDIKE compartments are:
- BLUEFISH (BLFH)
- IDITAROD (IDIT)
- KANDIK (KAND)

In a classification line this is shown like: TOP SECRET//KDK-IDIT

BLUEFISH (BLFH)
This compartment contains sub-compartments which are identified by up to six alphanumeric characters. There are no actual examples.

Example: TOP SECRET//KDK-BLFH XXXXXX

IDITAROD (IDIT)
This compartment contains sub-compartments which are identified by up to six alphanumeric characters. There are no actual examples.

Example: TOP SECRET//KDK-IDIT XXXXXX

KANDIK (KAND)
This compartment contains sub-compartments which are identified by up to six alphanumeric characters. There are no actual examples.

Example: TOP SECRET//KDK-KAND XXXXXX


? (GG)
This control system is for information derived from Measurement and Signature Intelligence (MASINT) and is identified by a codeword that is still classified. It's only known by the abbreviation.*


HUMINT Control System (HCS)
This control system is for protecting Human Intelligence (HUMINT), which is derived from information collected and/or provided by human sources. It has four compartments, two of which were recently revealed.*

Known compartments are:
- HCS-OPERATIONS (HCS-O)
- HCS-PRODUCT (HCS-P)

In a classification line this is shown like: TOP SECRET//HCS-P

HCS-OPERATIONS (HCS-O)
This compartment is for information related to ongoing clandestine human intelligence operations and therefore they require the ORCON and NOFORN dissemination markings. The information is also restricted from being disseminated outside the CIA. The compartment contains sub-compartments which are identified by up to six alphanumeric characters.* There are no actual examples.

Example: TOP SECRET//HCS-O XXXXXX

HCS-PRODUCT (HCS-P)
This compartment is for sanitized intelligence that is derived from HCS operations with the sensitive sources and methods removed and intended for distribution among Intelligence Community consumers. It contains sub-compartments which are identified by up to six alphanumeric characters.*

Example: TOP SECRET//HCS-P XXXXXX

? (CRD)
Sub-compartment of HCS-P, no further information available.*

Shown like: TOP SECRET//HCS-P CRD


KLAMATH (KLM)
A CIA control system, which in 2003 included the NSA ECI compartments CONQUERER (for joint NSA/CIA clandestine radio frequency operations), LYSERGIC (for NSA efforts to select and prosecute foreign deployed telecommunication cables) and WASHBURN (for a CLANSIG effort to exploit a source in a Middle Eastern location).*

? (CRU)
This control system is identified by a codeword that is still classified and is only known by the abbreviation which was accidentally revealed in 2009.* It's related to highly secret CIA programs.

> More about the CRU classification marking

A compartment of CRU seems to be:
- GREYSTONE (GST)

In a classification line this is shown like: TOP SECRET//CRU-GST

GREYSTONE (GST)
This compartment is for information about the extraordinary rendition, interrogation and counter-terrorism programs, which the CIA established after the 9/11 attacks. It contains more than a dozen sub-compartments, which are identified by numeric characters.*

Example: TOP SECRET//CRU-GST 001

FOCAL POINT (FP)
This compartment protects CIA support to the military, Special Technical Operations (STOs) and military CIA operations.*

VERDANT (VER)
Former Navy/NSA compartment for SIGINT information.*

PANGRAM (PM)
Former Navy/NSA compartment for information dealing with ocean surveillance.*

MEDITATE (M)
Former Navy/NSA compartment dealing with submarine operations and an IVY BELLS-like operation.*

SPECTRE
Counter-terrorism related compartment, probably no longer in use.*

LOMA
This compartment possibly protects nuclear-related information.*

ICS / PH / ZH
Compartments used by FEMA for continuity of government information and communications. Initiated in 1983, not clear whether these are still used.*

HOLLOW TILE (HT)
SCI control system or Special Access Program for the Air Intelligence Agency.*


SAP compartments

Special Access Programs (SAPs) are created to control access, distribution, and protection of particularly sensitive information. Each SAP is identified by a nickname which consists of two unassociated, unclassified words. Additionally, a Special Access Program Central Office (SAPCO) can also assign a single classified codeword to the program. These can be changed regularly. The nickname and the codeword can be abbreviated into an unclassified two or three-letter Program Identifier (PID).

There are over 100 SAPs, with many having numerous compartments and sub-compartments. More than 50 SAPs protect operations and capabilities of the Joint Special Operations Command (JSOC). Many others are for military procurement, acquisition, and testing programs. The existance of a SAP can be acknowledged or unacknowledged.*

Most SAPs protect military operational, tactical and strategical programs, but SAPs may also be created by the Secretaries of State, Energy, Homeland Security and the Attorney General r their principal deputies.

The classification line for SAP information shows the words SPECIAL ACCESS REQUIRED, often abbreviated as SAR, followed by the program's nickname or codeword. Examples of program nicknames are BUTTER POPCORN, MEDIAN BELL and SENIOR ICE.

In a classification line this is shown like: TOP SECRET//SAR-MEDIAN BELL

Multiple SAP's are shown like: TOP SECRET//SAR-MB/SAR-BP


Some examples of actual Special Access Programs are:

YANKEE WHITE
People who have been cleared for this SAP have unfettered access to presidential workspaces that might contain classified information at any level and may also carry a loaded weapon when the president is around. This clearance requires the most extensive background investigation.*


COPPER GREEN / MATCHBOX
This SAP protected a program for training interrogators to use techniques that had been reverse-engineered by the military's agency that trained special operations forces on how to resist torture.


? (CD)
This SAP is identified by a codeword that is still classified and is only known by its abbreviation. It protects all information related to the Air Force Flight Test Center at Groom Lake (aka Area 51).*


Other known Special Access Programs (SAPs) and related Alternative or Compensatory Control Measures (ACCMs) are:
- ADOBE, ANTEMATE, BELL WEATHER, BERNIE, BLACK LIGHT, BLUE MAIL, BLUE ZEPHYR, CAVALRY, CENTENNIAL, CHALK series, CHANNEL series, CITADEL, CLOUD GAP, COMPASS LINK, CONSTANT HELP, CONSTANT PISCES, CONSTANT STAR, COPPER COAST, CORONET PHOENIX, DISTANT PHOENIX, ELEGANT LADY, FIREANT, FOOTPRINT, GALAXY, GENTRY, GIANT CAVE, GIANT DODGE, GRASS BLADE, GREATER SLOPE, GREYHOUND, GULF, GUSTY series, GYPSY series, HAVE DJINN, HAVE FLAG, HAVE TRUMP, HAVE VOID, ISLAND SUN, LEO, LINK series, MALLARD, MERIDIAN, MILKYWAY, MUSTANG, OLYMPIC, OMEGA, OSPREY series, OVERTONE, OXIDE, OZONE, PANTHER series, PAVE RUNNER, PIRATE SWORD, POLO STEP, PROCOMM, PROJECT 19, PROJECT 643, PROJECT 9000, RADIUS, RAVEN, RETRACT series, REWARD, ROSETTA STONE, RUBY, SCATHE series, SCIENCE series, SEA BASS, SEEK CLOCK, SENIOR NEEDLE, SENIOR NIKE, SIERRA, SIT-II, SOFTRING, SPEAR, SUTER, STEEL PUMA, TALON RADIANCE, TAPESTRY, THEME CASTLE, THERMAL VICAR, THIRST WATCHER, THIRSTY SABER, TIGER LAKE, TITRANT RANGER, CAPACITY GEAR, TRACTOR series, UMBRELLA and WHITE KNIGHT.*


SAP compartments and sub-compartments
Special Access Programs can be divided into compartments, sub-compartments and programs. Compartments and sub-compartments can be identified by a two-word unclassified nickname or an alphanumeric designator. They are separated by spaces and they are listed in ascending alphabetic and numeric order. The classification markings do not show the hierarchy beyond the sub-compartment level.

In a classification line this is shown like: TOP SECRET//SAR-MB A691 D722




Dissemination markings

Dissemination markings or caveats are used to restrict the dissemination of information within only those people who have the appropriate clearance level and the need to know the information. Dissemination markings can also be used to control information which is unclassified. Some markings are used by multiple agencies, others are restricted to use by one agency.


Markings used by multiple agencies:
- FOR OFFICIAL USE ONLY (FOUO)
- SENSITIVE INFORMATION (SINFO, defunct since 2002)
- LAW ENFORCEMENT SENSITIVE (LES)


Intelligence community markings:
- WARNING NOTICE - INTELLIGENCE (WNINTEL; eliminated in 1987)
- NOCONTRACT (eliminated in 1987)
- ORIGINATOR CONTROLLED (ORCON) (OC)
- ORIGINATOR CONTROLLED-USGOV (ORCON-USGOV, since 2013)
- CONTROLLED IMAGERY (IMCON) (IMC)
- SOURCES AND METHODS INFORMATION (SAMI, defunct since 2009)
- NO FOREIGN NATIONALS (NOFORN) (NF)
- PROPRIETARY INFORMATION (PROPIN) (PR)
- AUTHORIZED FOR RELEASE TO (REL TO) [country trigraph or coalition tetragraph]
- Releasable by Information Disclosure Official (RELIDO)
- Foreign Intelligence Surveillance Act (FISA)
- DISPLAY ONLY [country trigraph or coalition tetragraph]


National Security Agency (NSA) markings:
- [country trigraph] EYES ONLY
NSA also used SIGINT Exchange Designators, which were gradually replaced by the 'REL TO [...]' marking. Some former SIGINT Exchange Designators were:
- FRONTO
- KEYRUT
- SEABOOT
- SETTEE

National Geospatial intelligence Agency (NGA) markings:
- LIMITED DISTRIBUTION (LIMDIS) (DS)
- RISK SENSITIVE (RSEN)


Department of Defense (DoD) markings:
- NC2-ESI
- SPECIAL CATEGORY (SPECAT, defunct since 2010)


Department of Homeland Security (DHS) markings:
- SENSITIVE SECURITY INFORMATION (SSI)


State Department (DoS) markings:
- EXCLUSIVE DISTRIBUTION (EXDIS) (XD)
- NO DISTRIBUTION (NODIS) (ND)
- SENSITIVE BUT UNCLASSIFIED (SBU)
- SBU NOFORN


Drug Enforcement Administration (DEA) markings:
- DEA SENSITIVE (DSEN)


Nuclear weapons related markings:
- RESTRICTED DATA (RD)
- FORMERLY RESTRICTED DATA (FRD)
- DOD UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION (DCNI)
- DOE UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION (UCNI)
- TRANSCLASSIFIED FOREIGN NUCLEAR INFORMATION (TFNI)

In a classification line this is shown like: SECRET//SI//ORCON

Multiple markings are shown like: SECRET//SI//ORCON/NOFORN


Nuclear weapons related markings
The markings Restricted Data (RD) and Former Restricted Data (FRD) are used by the Department of Defense and the Department of Energy for information about design and operation of nuclear warheads. Both can have the following two additional sub-markings:

- CRITICAL NUCLEAR WEAPON DESIGN INFORMATION (CNWDI)
- SIGMA (SG, followed by a number between 1 and 20)

In a classification line this is shown like: SECRET//RD-CNWDI

Multiple SIGMA markings are shown like: SECRET//RD-SIGMA 2 4


Internal markings
Some intelligence agencies also use internal markings, indicating that information may not be released or shown to anyone outside that particular agency without proper permission. Internal markings are shown after the dissemination markings at the very end of a classification line.


Central Intelligence Agency (CIA) internal markings:*
- CIA INTERNAL USE ONLY
- Administrative Internal Use Only (AIUO)


Federal Bureau of Investigation (FBI) internal markings:
- SENSITIVE
- JUNE (defunct)
- [undisclosed] *


National Security Agency (NSA) internal markings:
These markings are used to identify a COI or CoI, which stands for Community Of Interest. It seems that this term has recently been replaced by Secure Community of Interest (SCoI). Recently disclosed COI identifiers are:
- BULLRUN
- ENDUE
- NOCON

In a classification line this is shown like: TOP SECRET//SI//NOFORN/BULLRUN


Coalition designators
The designators or tetragraphs which are used in the dissemination marking "AUTHORIZED FOR RELEASE TO (REL TO)" are listed here:

- ABCA: American, British, Canadian, Australian (and New Zealand Armies’ Program)
- ACGU: Australia, Canada, Great Britain, United States (Four Eyes)
- AFSC: Afghanistan SIGINT Coalition
- BWCS: Biological Weapons Convention States
- CFCK: Combined Forces Command, Korea
- CMFC: Combined Maritime Forces Central
- CMFP: Cooperative Maritime Forces Pacific
- CPMT: Civilian Protection Monitoring Team (for Sudan)
- CWCS: Chemical Weapons Convention States
- ECTF: European Counter-Terrorism Forces
- EFOR: European Union Stabilization Forces in Bosnia
- FVEY: Five Eyes (Australia, Canada, New Zealand, UK, US)
- GCTF: Global Counter-Terrorism Forces
- GMIF: Global Maritime Interception Forces
- IESC: International Events Security Coalition
- ISAF: International Security Assistance Forces (for Afghanistan)
- KFOR: Stabilization Forces in Kosovo
- MCFI: Multinational Coalition Forces – Iraq
- MIFH: Multinational Interim Force Haiti
- NACT: North African Counter-Terrorism Forces
- NATO: North Atlantic Treaty Organization
- OSAG: Olympic Security Advisory Group
- UNCK: United Nations Command, Korea


CAPCO
In order to prevent codewords being assigned twice, the Controlled Access Program Coordination Office (CAPCO) lists all codenames and authorized abbreviations of Sensitive Compartmented Information (SCI) and Special Access Programs (SAPs) in the Authorized Classification and Control Markings Register or CAPCO list.
In 2013 this responsibility was transferred to the Office of the National Counterintelligence Executive (ONCIX), Special Security Directorate (SSD), Security Markings Program (SMP).


NSA Classification Guides
- Classification Guide for SIGINT material from 1945-1967 (2011)
- Classification Guide for Computer Network Exploitation (2010)
- Classification Guide for Project BULLRUN (2010)
- Classification Guide for Cryptgraphic Modernization (pdf) (2010)
- Classification Guide for FISA, PAA and FAA Activities (pdf) (2009)
- Classification Guide for STELLARWIND (pdf) (2009)
- Classification Guide for USS Liberty Incident (2006)
- Classification Guide for ECI PAWLEYS (2006)
- Classification Guide for Cryptanalysis (2005)
- Classification Guide for ECI WHIPGENIE (2004)
- Classification Guide for Cellular communications interception (undated)



Links and Sources
- The 2015 Intelligence Community Directive on Controlled Access programs (pdf)
- The latest SCI compartments: My First FOIA Request: ODNI CAPCO v6 + Update
- TheWeek.com: What Edward Snowden didn't disclose
- Wikipedia articles:
  - Classified information in the United States
  - Sensitive Compartmented Information
  - Special access program
- The 2013 Intelligence Community Classification and Control Markings Implementation Manual (pdf)
- The 2013 DoD Special Access Program (SAP) Instruction (pdf)
- The 2012 NRO Review and Redaction Guide (pdf)
- The 2008 DNI Authorized Classification and Control Markings Register (pdf)
- The 2004 listing of Country Code Trigraphs and Coalition Tetragraphs (pdf)
- Article about Security Clearances and Classifications
- Some notes about Sensitive Compartmented Information
- About The 5 secret code words that define our era
- Marc Ambinder & D.B. Grady, Deep State, Inside the Government Secrecy Industry, 2013, p. 164-167.
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.

September 5, 2013

An NSA eavesdropping case study

(Updated: December 7, 2015)

On September 1, the popular Brazilian television news magazine Fantástico reported about an NSA operation for wiretapping the communications of the presidents of Mexico and Brazil. Fantástico is part of the Globo network, which already disclosed various top secret NSA presentations last July.

Now, the Brazilian magazine showed some new top secret NSA documents, like a powerpoint presentation about the eavesdropping operation, which were all among the thousands of documents which Edward Snowden gave to Guardian journalist Glenn Greenwald in June.

Fantástico also published the slides on their website, but as that's only in portuguese, we show these slides too, because they give a nice graphical insight in how the NSA intercepts foreign communications.


The Fantástico news magazine started showing a cover sheet of a presentation which bears the logo of the SIGDEV Strategy and Governance division of the NSA, where SIGDEV stands for SIGINT Development. However, it's not quite clear whether this division is also responsible for the eavesdropping operation which is shown below.


The presentation was prepared in June 2012 by the Scalable Analytics Tradecraft Center (SATC) of NSA. Except for the abbreviation SATC, the full name of this unit was initially unknown, so the Fantástico website assumed it stood for "Secure and Trustworthy Cyberspace" (SaTC), but that's actually a program of the US National Science Foundation. Brazilian television briefly showed the name of the author of the presentation, but here we blacked that out.


This slide shows the overall classification level of the presentation: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL. This means the information is Top Secret, contained in the COMINT (Communications Intelligence) control system and is only to be released to the US and it's "Five Eyes" or UKUSA partners: the UK, Canada, Australia and New Zealand.


The presentation starts with two slides, showing the benefits of searching for contacts by using graphs:





The next three slides show some more details of the specific elements of the process:







The Mexican target

The first target of the operation was the then Mexican candidate for the presidency, Enrique Peña Nieto. The information was analysed by NSA unit S2C41 which is the Mexican Leadership Team and is also part of the S2C production line for International Security Issues (ISI).


This slide shows the process of searching for contacts and communications of the mexican president:

1. Selectors, like known e-mail adresses or phone numbers related to EPN (Enrique Peña Nieto) are used as seeds to start the process.

2. The initial seeds lead to 2-hop graphs, apparently based upon metadata which are in the databases mentioned below the graph: MAINWAY is the NSA's database of bulk phone metadata, CIMBRI is seen here for the first time, and could be another kind of metadata database. JEMA probably stands for Joint Enterprise Modeling and Analytics, which is a tool that allows analysts to create more complex analytic scenarios.

3. Next, addresses discovered by creating the contact graphs can act as selectors for collecting SMS messages. For this the MAINWAY database is used too, just like ASSOCIATION, which, according to the Fantástico website, filters text messages (SMS) to mobile phones.

4. Finally, these messages go to DISHFIRE, which is NSA's database for text messages and can be searched for certain keywords.


This slide shows two "interesting messages", proving that content of text messages was collected. In the two quoted passages, the Mexican presidential candidate Enrique Peña Nieto is in discussion with some of the designated ministers of his future government. Parts of the messages are blacked out by Brazilian media.


The Brazilian target

The second target of the operation were the Brazilian president Dilma Rousseff and her key advisers. The information was analysed by NSA unit S2C42 which is focussed on the Brazilian leadership. This unit is part of the NSA's S2C production line for International Security.


This slide shows the process of searching for contacts and communications of the Brazilian president. The intelligence gathering starts with a few DNI Selectors (like e-mail or IP addresses) which act as seeds growing into a 2-hop contact graph. This graph shows all the addresses which had 2-hop or 2-step contacts with the original seed addresses.

Below the graph is the word SCIMITAR, seen here for the first time, which could be a tool to create such contact graphs, or maybe a database containing metadata from which these contacts can be derived.


From the 2-hop contact graph NSA apparently discovered new selectors (e-mail or IP addresses) associated with the Brazilian president and her advisers. Another slide, which was not published, is said to show all the names associated with the colored dots in this graph.


The presentation concludes that there was a successful cooperation between the mysterious unit SATC and the Latin American units from the S2C International Security division. This led to a successful implementation of contact filtering by using graphs, resulting in the interception of communications of high-profile, security-savvy Brazilian and Mexican targets.


This presentation gives insight in a specific eavesdropping operation, but also gives a good idea of how NSA is collecting information from the internet in general, for example through PRISM and various other programs which gather data from internet backbone cables.

Allthough the presentation is clarifying, it could also have been published without mentioning the specific targets involved. Showing that this operation targeted the presidents of Mexico and Brazil did not serve a public interest, but unnecessarily damaged the relationship between the United States and both countries.

Glenn Greenwald seemed to justify the publication by saying that the presentation proved that NSA was also intercepting the content of phone calls and e-mail messages. After earlier disclosures, the US had said that they only collect bulk metadata from Brazil and no content. But of course this statement only applied to ordinary citizens, as eavesdropping on foreign political and military leaders is generally considered to be a legal activity of (signals) intelligence agencies.

Greenwald, who lives in Rio de Janeiro, also said that "most of the spying they [= the US] do does not have anything to do with national security, it is to obtain an unfair advantage over other nations in their industrial and commerce economic agreements". But with this motive he also acts more in the national interest of Brazil, or at least like an activist, than as a journalist working for the public interest.

(Updated by rearranging the slide order and some related minor corrections - see the comment below)


> See also: How NSA targeted the Venezuelan oil company PdVSA



Links and Sources
- Globo.com: Documentos revelam esquema de agência dos EUA para espionar Dilma
- Cryptome.org: Translation in English
- The slides with Portuguese description: Veja os documentos ultrassecretos que comprovam espionagem a Dilma
- Bloomberg.com: U.S. Spied on Presidents of Brazil and Mexico, Globo Reports