January 20, 2016

Section 215 bulk telephone records and the MAINWAY database

(Updated: February 3, 2016)

One of the most controversial NSA programs was the bulk collection of domestic telepone records (metadata) under authority of Section 215 of the USA PATRIOT Act.

The Snowden revelations provided hardly any information about this program, but many details became available from documents that were declassified by the US Director of National Intelligence (DNI).

Because in these declassified documents all codenames are redacted, it was largely a mystery which NSA systems were used to store and analyse these metadata.

By combining many separate pieces from both the Snowden-documents, as well as those declassified by the government, it now has become clear that NSA put the domestic phone records in its central contact chaining system MAINWAY, which also contains all sorts of metadata collected overseas.



Reconstruction of the MAINWAY dataflow
(Click to enlarge)



MAINWAY versus MARINA

Initially it was thought that MAINWAY was a repository just for telephone metadata. This goes back to a report by USA Today from May 10, 2006, which revealed that the NSA created a database containing "the phone call records of tens of millions of Americans" obtained from AT&T, Verizon and BellSouth (the latter merged with AT&T as of 2007).

As such, MAINWAY was seen as the equivalent of MARINA, which is NSA's storage for internet metadata. But meanwhile, various documents from the Snowden revelations have made clear that the actual repositories for telephone metadata are ASSOCIATION (for metadata from mobile calls) and BANYAN (for metadata from landline calls).

MAINWAY itself isn't just a database that stores raw metadata, but a system that also "performs data quality, preparation and sorting functions, and then summarizes contacts represented in the processed data". Afterwards, MAINWAY stores the "resulting contact chains and provides analysts with access to these contact chains".

New documents have also shown that MAINWAY contains metadata from internet communications too. For example, in the following diagram about the FAIRVIEW collection program, we see that internet metadata from the Upstream collection first flow into MAINWAY before ending up in MARINA:


Dataflow for internet metadata collected under the
FAIRVIEW program under Transit Authority
(Click to enlarge)



It seems likely that in MAINWAY, metadata are stored more or less temporarily for the purpose of contact chaining and analysing them. Metadata that NSA wants to keep for a longer period of time, or even indefinitely are then stored in repositories like MARINA, ASSOCIATION and BANYAN.
(However, a report by The Guardian from September 30, 2013 says that MARINA "has the ability to look back on the last 365 days' worth of DNI metadata seen by the Sigint collection system")

While the domestic metadata collected in bulk have to be destroyed after 5 years, the calling records that are the result of a query can be stored by the analyst. According to the PCLOB-report (.pdf), they may then be "subjected to other analytic methods or techniques besides querying, or integrated with records obtained by the NSA under other authorities", as well as shared with others inside and outside NSA.



MAINWAY, SIGINT Navigator (SIGNAV), ASSOCIATION and BANYAN
mentioned in a presentation about DEMONSPIT, under which call
records were obtained from major Pakistan telecom providers(!)
(Click to enlarge)



MAINWAY receiving domestic phone records

Based upon Snowden documents, The New York Times reported on September 28, 2013, that MAINWAY is used for chaining both phone numbers and e-mail addresses and that it is fed with data from tapping "fiber-optic cables, corporate partners and foreign computer networks that have been hacked".

The report also says that as of August 2011, MAINWAY was fed with "1.1 billion cellular records a day in addition to the 700M records delivered currently". However, The New York Times erroneously attributed these numbers to collection under authority of section 702 FAA and was therefore not able to identify that MAINWAY was also fed with the bulk phone records of Americans (which happens under section 215 Patriot Act).

The latter only became clear after The New York Times and ProPublica published some NSA documents about the FAIRVIEW program on August 15, 2015. One of these documents confirms that it was AT&T that provided the aforementioned number of records, and also that this happened under BR FISA (= Section 215) authority.
(A report by the Washington Post from June 15, 2013 also identified MAINWAY as the database in which the phone records from the Section 215 program were stored)
So as of 2011, at least 1,8 billion domestic phone records a day were coming in, which makes 54 billion a month and about 650 billion a year. Before they were handed over to NSA, AT&T stripped off the location data in order to comply with the FISA Court orders, that don't allow those data to be collected.

Apparently Verizon Wireless and T-Mobile US saw no obligation to remove these location data, so their cell phone records couldn't be collected by NSA, which therefore only got less than 30% of the domestic telephone metadata.

According to NSA, one of the advantages of putting phone records from multiple American telecommunication companies in one big repository, was that this allowed analysts "to identify chains of communications that cross different telecommunications networks".




Under the President's Surveillance Program (2001 - 2004/2006)

NSA started collecting telephone and internet metadata from US telecommunication providers shortly after the attacks of September 11, 2001. This was part of the President's Surveillance Program (PSP, protected under the STELLARWIND classification compartment), which was based upon what in the end would be 43 subsequent secret authorizations by president George W. Bush.

The goals of collecting these metadata were identifying unknown terrorist operatives through their contacts with known suspects, discover links between known suspects, and monitor the pattern of communications among suspects.

At first, only metadata were collected from communications in which at least one party was outside the US. AT&T (identified as Company A or FAIRVIEW) started to provide both phone and internet metadata from international channels as early as November 2001, and for Verizon (Company B or STORMBREW) the automated transfer of such data started in February 2002. Qwest refused to hand over its records because the government couldn't present a warrant.

Allegedly, raw metadata were transferred in real-time through a high speed data link from the main computer centers of the telecoms to a government facility in Quantico, Virginia. Although Quantico is an FBI compund, the BR FISA review says that it was an NSA mission element, the name of which was redacted, that obtained the records from the providers.

Then, parsers were used to filter the metadata of unwanted information (like credit card numbers), and the records were put in a standard format compatible with NSA databases.

For example, in September 2003, AT&T "captured" several trillion internet metadata, of which some 400 billion records (apparently those with a high probability of containing terrorist communications) were selected for processing. These were flowing into the MAINWAY contact chaining database, which also contains metadata from collection abroad. The 2009 report about the STELLARWIND program says:
"NSA's primary tool for conducting metadata analysis, for PSP and traditional SIGINT collection, was MAINWAY. MAINWAY was used for storage, contact chaining, and for analyzing large volumes of global communications metadata."

(interestingly, in some documents MAIN WAY seems to be written as two separate words, which make it resemble MAIN CORE, which is a central database containing essential intelligence information on Americans produced by the FBI and other US intelligence agencies)



Under FISA Court orders (2004/2006 - 2011/2015)

In July 2004, the collection of domestic internet metadata was moved from the President’s Surveillance Program to the FISA Court, which authorized this effort based upon section 402 FISA, or as it is called by NSA: PR/TT (short for Pen Register/Trap and Trace).

In May 2006, the same happened with the bulk telephone records, for which the FISA Court allowed continuation under authority of section 215 USA PATRIOT Act, or as NSA calls it: BR FISA (short for Business Records FISA).

Under the FISA Court orders, bulk telephone collection eventually became to include "all call detail records or 'telephony metadata' created [...] for communications between the United States and abroad" or "wholly within the United States, including local telephone calls". Only metadata of fully foreign communications were excluded, as was the case for most mobile phone calls, due to technical reasons.

Because right from the beginning, NSA stored these domestic phone and internet metadata in the same database (MAINWAY) that contains metadata from traditional collection efforts abroad, queries could result in contacts chains made up of identifiers from both foreign and domestic sources. The query tool simply didn't identify the difference.

Also it was possible for analysts to start a query with selectors that were not BR FISA-approved, and in some cases this also provided results from both the foreign and the domestic collection. This was not according to the FISA Court orders, and after NSA informed the court about this, they had to stop accessing the telephone metadata in 2009, until these issues had been solved.*

An internal NSA training module from 2011 shows that at least by then, NSA had tagged the metadata records with XML tags to identify not only what legal authority the metadata were collected under, but also the SIGAD of the intercept facility where that had happened.



A rare diagram about the BR FISA metadata collection:
the decision process as it was from 2006 - 2009
(Source - Click to enlarge)



Other databases for domestic call records

The domestic call records were not only stored in MAINWAY, but also in another database, one that was apparently dedicated for US phone metadata. An NSA training presentation (.pdf) from 2007 confirms that BR FISA data were stored in two NSA repositories, although both names had been redacted.

An NSA review from June 2009 describes this second database as a "repository for individual BR FISA metadata call records for access by authorized Homeland Security Analysis Center (HSAC) and data integrity analysts to view detailed information about specific telephony calling events".

This seems to refer to the complete calling records, and also the PCLOB-report (.pdf) about the BR FISA program says there's analysis software that "provides the associated information about the telephone calls involved, such as their date, time of day, and duration".

So probably the second database gave access to these additional details, whereas MAINWAY only contains or provides "summaries of one-hop chains", i.e. selector #1 was in contact with selector #2 and the number of times this happened within a specific timeframe.

In the glossary of the 2009 NSA Review, the second repository is listed with a remarkably long name, which, according to its position, has to start with and M, N or O:



This exceptionally long name of the second database could indicate that it was some kind of provisional repository, because on page 23 of the 2009 BR FISA review it is said:
"NSA is preparing to incorporate the [second database] into the NSA corporate architecture. This transition to the corporate engineering framework will maximize use of the latest technologies and proven configuration management to minimize any security and compliance risks"

And indeed, in appendix B of a report (.pdf) by the NSA's Inspector General from August 1, 2012, we see that the second database now has a shorter name, and that it had replaced a "Transaction Database" with a much longer name in January 2011:



Transaction is another term that NSA uses for metadata, so "transaction database" probably just means that it contains the (full) metadata records. This 2012 Inspector General report lists three additional storage systems for BR FISA data, making a total of five being involved here:
1. Contact chaining database that accepts metadata from multiple sources (= MAINWAY)
2. Database repository that stores detailed metadata information, which supports the contact chaining summaries in [MAINWAY]. Replaced an earlier database in January 2011.
3. Contingency database for the time the aforementioned database was being rebuild
4. System backup that stores an exact copy of the raw metadata from the providers
5. Backup tapes on which periodically the raw metadata were saved off-line

So when NSA needs large data centers, that's also because the same sets of data are stored multiple times. Besides backups, there are often separate databases dedicated to a specific purpose or analysis method.


Bulk internet metadata (PR/TT)

As mentioned before, MAINWAY was not only fed with telephone metadata, but also with metadata from domestic internet communications. These metadata include the "to", "from", and "cc" lines of an e-mail, as well as the e-mail’s time and date. Its seems that for contact chaining, no metadata from other kinds of internet communications, like messengers, were used.

On August 11, 2014, an internal NSA Review (.pdf) about this PR/TT program was declassified, which shows similar storage systems as for the phone records: full copies of the internet metadata were also stored in the MAINWAY contact chaining database, as well as in a dedicated second repository:


The PR/TT bulk internet metadata program was shut down in December 2011 for "operational and resource reasons" and all data were deleted. Based upon declassified NSA reports, The New York Times reported on November 19, 2015, that this "internet dragnet" was ended because, among other reasons, similar results could be achieved under other authorities:
- Section 702 FAA, which allows access to internet communications between foreigners and Americans from the "PRISM-providers" and "Upstream collection".

- The SPCMA regulation, which allows using US person identifiers for querying metadata that have been collected abroad.

With collection of internet metadata both overseas (under EO 12333 authority) as well as at the physical and virtual borders of the US (under 702 FAA), NSA probably didn't need the purely domestic ones anymore, to still capture those that are of interest.

Also, querying the metadata collected overseas appeared more attractive, because abroad, NSA is allowed to collect much more types of metadata, than inside the US, where collection was heavily restricted by the FISA Court.

In a declaration for the FISA Court from February 13, 2009, then NSA director Alexander explained that multi-tiered chaining of phone calls is more efficient and useful, "because unlike e-mail, which involves the heavy use of spam, a telephonic device does not lend itself to simultaneous contact with large numbers of individuals".


Replacement?

According to the secret Budget Request to Congress for 2013, NSA wanted to create (or maybe expand MAINWAY into) a metadata repository capable of taking in 20 billion metadata records a day and make these available to analysts within 60 minutes.

But after Snowden disclosed the Verizon bulk phone records order in June 2013, the American public became aware of the actual scope of this program and it became the most controversial part of NSA's activities.

In January 2014, the Privacy and Civil Liberties Oversight Board (PCLOB) judged that Section 215 collection was actually of "minimal value in safeguarding the nation from terrorism" and that there was "no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack".

According to PCLOB, the bulk phone records did provide some value "by offering additional leads regarding the contacts of terrorism suspects already known to investigators, and by demonstrating that foreign terrorist plots do not have a U.S. nexus". This however, was not seen as a sufficient justification for the large-scale collection of domestic phone records.

In the course of 2015, US Congress eventually enacted the USA FREEDOM Act, which prohibits NSA to collect and store domestic call records in bulk as of November 29, 2015. Instead, the agency now has to apply for a warrant from the FISA Court approving specific selectors, which are then provided to telecommunication providers, who use them for querying their own databases and only the results are handed over to NSA.

How this new regime will work out, is explained in the USA FREEDOM Act Business records Fisa Implementation Transparancy Report (.pdf), which was published just a few days ago.


> Next time: a closer look at the contact chaining process



Links and Sources
- EmptyWheel.net: What We Know about the Section 215 Phone Dragnet and Location Data (2016)
- PCLOB: Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act (pdf) (2014)
- Cryptome.org: NSA FISA Business Records Offer a Lot to Learn (2013)
- US Administration White Paper: Bulk Collection of Telephony Metadata under Section 215 of the USA PATRIOT Ac(pdf) (2013)
- NSA: Business Records FISA NSA Review (.pdf) (2009)
- NSA: Pen Register/Trap and Trace FISA NSA Review (.pdf) (2009)
- Andrew P. MacArthur: The NSA Phone Call Database: The Problematic Acquisition and Mining of Call Records in the United States, Canada, the United Kingdom, and Australia (2007)

December 23, 2015

Leaked documents that were not attributed to Snowden

(Last edited: December 30, 2015)

Since June 2013, numerous top secret documents from the American signals intelligence agency NSA and its British counterpart GCHQ have been disclosed. The overwhelming majority of them came from the former NSA contractor Edward Snowden.

But what many people probably didn't notice, is that some of these documents were not provided by Snowden, but by other leakers. Often, the press reports didn't mention that very clear, and it was only by not attributing such documents to Snowden, that it became clear they came from someone else.

So far, the following secret and top secret documents have been disclosed without having been attributed to Snowden:

- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: TOR and TAILS
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- XKEYSCORE rules: New Zealand
- Ramstein AFB supporting drone operations
- NSA tasking & reporting: France
- NSA tasking & reporting: Germany
- NSA tasking & reporting: Brazil
- NSA tasking & reporting: Japan
- Chinese cyber espionage against the US
- XKEYSCORE agreement between NSA, BND and BfV
- The Drone Papers
- Cellphone surveillance catalogue

- Some thoughts on the form of the documents
- Some thoughts on the motives behind the leaks
- Conclusion


Document collections

The most user-friendly collection of all the leaked documents can be found on the website IC Off The Record (which started as a parody on IC On The Record, the official US government website on which declassified documents are published).

Other websites that collect leaked documents related to the Five Eyes agencies, so from Snowden as well as from other sources, are FVEY Docs and Cryptome. The Snowden-documents are also available and searchable through the Snowden Surveillance Archive.


Domestic US leaks

Here, only leaks related to foreign signals intelligence and related military topics will be listed. Not included are therefore documents about American domestic operations, like for example several revelations about the DEA.

(Also not included are stories based upon leaks without original documents being published, like for example about NSA's interception efforts against Israel)



          - Documents not attributed to Snowden -         


Chancellor Merkel tasking record

On October 23, 2013, the German magazine Der Spiegel revealed that the NSA may have eavesdropped on the cell phone of chancellor Merkel. This was based upon "the excerpt from an NSA database about Merkel's cell phone", which the magazine received.* A journalist from Der Spiegel made a transcription of the database record, and later on, a copy of this transcription was printed in some German newspapers.
Glenn Greenwald confirmed that this information didn't came from the Snowden archive, and also Bruce Schneier was convinced that this came from a second source.

Articles:
- Kanzler-Handy im US-Visier? Merkel beschwert sich bei Obama
- NSA-Überwachung: Merkels Handy steht seit 2002 auf US-Abhörliste

Document:
- Transcript of an NSA database record






TAO product catalog

On December 29, 2013, the German magazine Der Spiegel published a 50-page catalog from the ANT-unit of NSA's hacking division TAO. It contains a wide range of sophisticated hacking and eavesdropping techniques. The next day, Jacob Appelbaum discussed them during his presentation at the CCC in Berlin.
According to Bruce Schneier this catalog came from the second source, who also leaked the Merkel tasking record and the XKEYSCORE rules.

Article:
- Shopping for Spy Gear: Catalog Advertises NSA Toolbox

Document:
- ANT Product Catalog (SECRET/COMINT)




XKEYSCORE rules: TOR and TAILS

On July 3, 2014, the German regional television magazine Reporter disclosed the transcripts of a set of rules used by the NSA's XKEYSCORE system to automatically execute frequently used search terms, including correlating different identities of a certain target.
According to Bruce Schneier, these rules could be leaked by the second source, which also provided the Merkel tasking record and the TAO catalog.

Article:
- NSA targets the privacy-conscious

Document:
- Transcript of XKeyscore Rules (classification not included)




NCTC watchlisting guidance

On July 23, 2014, the website The Intercept published a manual from the US National CounterTerrorism Center (NCTC) with rules and indications used for putting people in terrorist databases and no-fly lists.
The Intercept says this document was provided by a "source within the intelligence community".

Article:
- The Secret Government Rulebook for Labeling You as a Terrorist

Document:
- March 2013 Watchlisting Guidance (UNCLASSIFIED/FOUO)




NCTC terrorist watchlist report

On August 5, 2014, The Intercept published a report from the US National CounterTerrorism Center (NCTC) about terrorist watchlists and databases.
Just like the previous document, this was also obtained from a "source within the intelligence community". Bruce Schneier says this report is from August 2013, which is well after Snowden had fled the US, and therefore he assumes it was leaked by a third source.

Article:
- Watch Commander - Barack Obama’s Secret Terrorist-Tracking System, by the Numbers

Document:
- Directorate of Terrorist Identities (DTI) Strategic Accomplishments 2013 (SECRET/NOFORN)




XKEYSCORE rules: New Zealand

On March 14 and March 22, 2015, The New Zealand Herald published transcripts of two sets of XKEYSCORE fingerprints that define targets of the New Zealand signals intelligence agency GCSB. They were not attributed to Snowden, although in the weeks before, New Zealand media published several other documents that did come from the Snowden cache.

Articles:
- Revealed: The names NZ targeted using NSA's XKeyscore system
- How spy agency homed in on Groser's rivals

Documents:
- Fingerprint about the WTO (TOP SECRET/COMINT)
- Fingerprint about the Solomon Islands (TOP SECRET/COMINT)






Ramstein AFB supporting drone operations

On April 17, 2015, The Intercept and Der Spiegel published a series of slides showing the infrastructure which is used for operating drones, for which the US base in Ramstein, Germany, acts as a relay station.
In the Citizen Four we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program.

Articles:
- Germany is the Tell-Tale Heart of America's Drone War
- Bündnisse: Der Krieg via Ramstein

Document:
- Architecture of U.S. Drone Operations (TOP SECRET/REL)




NSA tasking & reporting: France

On June 23, 2015, Wikileaks, in collaboration with the French paper Libération, the German newspaper Süddeutsche Zeitung and the Italian paper l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level French targets.

Articles:
- Espionnage Élysée
- Nsa, intercettati i presidenti francesi Francois Hollande e Nicolas Sarkozy

Documents:
- Top French NSA Targets (no classification available)
- Top French NSA Intercepts (up to TOP SECRET/COMINT-GAMMA)
- Economic Spy Order (SECRET/REL)






NSA tasking & reporting: Germany

On July 1, 2015, Wikileaks, in collaboration with Libération and Mediapart, Süddeutsche Zeitung and l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level German targets.

Articles:
- NSA Helped CIA Outmanoeuvre Europe on Torture
- I dubbi di Angela Merkel sulla Grecia spiati dalla Nsa americana

Documents:
- Top German NSA Targets (no classification available)
- Top German NSA Intercepts (up to TOP SECRET/COMINT-GAMMA)




NSA tasking & reporting: Brazil

On July 4, 2015, Wikileaks published the transcript of entries from an NSA tasking database about high-level Brazilian targets. Unlike similar disclosures about France, Germany and Japan, no intelligence reports about Brazil were disclosed.

Article:
- Bugging Brazil

Document:
- Top Brazilian NSA Targets (no classification available)




NSA tasking & reporting: Japan

On July 31, 2015, Wikileaks, in collaboration with Süddeutsche Zeitung, l'Espresso, The Saturday Paper from Australia and the Japanese newspaper Asahi Shimbun, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level Japanese targets.

Articles:
- Target Tokyo
- Wikileaks: 'Nsa spiava il governo giapponese. Sotto controllo anche Mitsubishi'

Documents:
- Top Japanese NSA Targets (no classification available)
- Top Japanese NSA Intercepts (TOP SECRET/COMINT)




Chinese cyber espionage against the US

On July 30 and August 10, 2015, NBC News published two slides about Chinese cyber espionage against over 600 US companies and government agencies, including access to the e-mail of top government officials since at least 2010.
This leak stands out because the slides are in digital form, and they support a story that shows the neccessity of NSA - which seems to point to an authorized leak.

Articles:
- Exclusive: Secret NSA Map Shows China Cyber Attacks on U.S. Targets
- China Read Emails of Top U.S. Officials

Documents:
- China: Cyber Exploitation and Attack Units (SECRET)
- U.S. Victims of Chinese Cyber Espionage (SECRET)




XKEYSCORE agreement between NSA, BND and BfV

On August 26, 2013, the German newspaper Die Zeit published the transcript of the Terms of Reference (ToR) about the use of NSA's XKEYSCORE system by the German security service BfV.
Being a transcript and being about XKEYSCORE, this could be from the same source as the XKEYSCORE rules, but it's also possible it came from a source within a German government agency.

Article:
- A Dubious Deal with the NSA

Document:
- XKeyscore - the document (SECRET/COMINT)




The Drone Papers

On October 15, 2015, The Intercept published a series of documents with details about drone operations by the US military between 2011 and 2013.
In the Citizen Four we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program, including the chain of command diagram which is part of this batch of documents.

Articles:
- The Assassination Complex
- The Kill Chain

Documents:
- Small Footprint Operations 2/13 (SECRET/NOFORN)
- Small Footprint Operations 5/13 (SECRET/NOFORN)
- Operation Haymaker (SECRET/NOFORN)
- Geolocation Watchlist (TOP SECRET/COMINT)






Cellphone surveillance catalogue

On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment, including IMSI-catchers like Stingrays and DRT boxes.
Just like the NCTC reports, The Intercept obtained this document from a "source within the intelligence community".

Article:
- Stingrays - A Secret Catalogue of Government Gear for Spying on Your Cellphone

Document:
- Government Cellphone Surveillance Catalogue (SECRET/NOFORN)







It is difficult to tell exactly from how many different leakers these documents come. The journalists involved will of course do everything to hide their source's identity, including creating distraction and confusion, but also creating the impression that many other leakers followed the example of Edward Snowden.



Some thoughts on the form of the documents

Content-wise the documents from the alleged other sources are not very different from the ones from Snowden. But what seems to distinguish them most, is their form, which is either digital, a transcript or scanned from paper.


Digital

Almost all documents that were attributed to Snowden came in their original digital form (with some very few exceptions that were scanned from paper). This makes it remarkable that only two documents from the other sources are in a similar digital form.

The first one is the famous TAO Product Catalog with hacking and eavesdropping techniques, which also given its content comes closest to the Snowden documents. Despite that, this catalog was never attributed to him.

The other leak in digital form are the two slides about Chinese cyber espionage, but these probably come from a source in support of the US government.


Transcripts

A number of other leaks didn't provide documents in their original form, but only transcripts thereof. This is the case for the following revelations:
- Chancellor Merkel tasking record
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- XKEYSCORE agreement between NSA, BND and BfV
The lists from an NSA tasking database with targets for France, Germany, Brazil and Japan are also transcripts, but for the intelligence reports, which Wikileaks published simultaneously, we have at least one example that is in its original format. All other ones came as transcripts.


Scanned from paper

All other documents that didn't came from Snowden look like they were printed out (some were even recognized as being double-sided) and scanned again. This is the case for:
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
This doesn't automatically mean they are all from the same source, as two of them are from the civilian NCTC and the other three are clearly from a military context.

We don't know when or where these documents were printed out: maybe it was done by the leaker, for whom it could have been easier to exfiltrate them as hard copy, than on a detectable thumb drive.

It's also possible that they were printed out by the press contact in order to make them look different from the Snowden documents. But on the other hand, publishing them in digital form would have made it more difficult to prove they were not from the Snowden cache.



Some thoughts on the motives behind the leaks

We can also take a look at the motives that could have been behind these leaks. Interestingly, these seem to correspond quite well with the different forms the documents have.


A second source

The disclosures of the transcriptions of the XKEYSCORE rules and the tasking database lists are quite far from being in the public interest. They are about legitimate targets of foreign intelligence and publishing them seems solely meant to discredit the NSA and/or damage US foreign relationships.

The same applies to the TAO Product Catalog, which contains devices and methods that are only used against "hard targets" that cannot be reached by other means, so this is not about spying on ordinary citizens, but does compromise valid US intelligence operations.

At first sight, one would assume that these documents were from the Snowden cache, but published by people like Appelbaum and an organization like Wikileaks, who have a more radical approach than Snowden himself, and maybe therefore could have pretended they came from another source.

However, both Greenwald and security expert Bruce Schneier said these documents were really provided by another leaker. Because a number of them were published by German media, Schneier guesses it might be "either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents".

If that's the case, then it's not only remarkable that there's a second source from within or close to NSA, but also that this source is apparently fine with leaking documents that show no abuses, but only seriously harm US interests - which is either treason, or the work of a hostile intelligence agency. Snowden at least acted from his concern about increasing mass surveillance on innocent civilians.


A third source

The documents that are scanned from paper are a somewhat different story. These are about issues that concern a wider range of people. For some of them, The Intercept even gives the reason why the source leaked them: for the cellphone surveillance catalogue it was because of a concern about militarization of domestic law enforcement.

For the drone papers, the source is cited saying: "This outrageous explosion of watchlisting [...] assigning them death sentences without notice, on a worldwide battlefield". Given that he mentions watchlists, it seems very well possible that this source actually also leaked the two NCTC reports about terrorist databases and watchlists.

Combining this with the fact that both the NCTC reports and the cellphone surveillance catalog were from a source "within the intelligence community" seems to confirm that all the documents that came as scanned from paper are from the same leaker - maybe someone from a military intelligence agency like the DIA.



Conclusion

Given these thoughts on the form of the leaked documents and the possible motives behind these leaks, it seems that they can be attributed to at least three other sources, beside Snowden:

Source nr. 1 (Edward Snowden)

Source nr. 2 (German NSA employee or hostile intelligence?)
- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- NSA tasking & reporting France/Germany/Brazil/Japan
- XKEYSCORE agreement between NSA, BND and BfV
Source nr. 3 (someone from US military intelligence?)
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
Source nr. 4 (someone from the US government?)
- Chinese cyber espionage



Links and Sources
- Schneier.com: The US Intelligence Community has a Third Leaker

More comments on Hacker News

December 6, 2015

How NSA targeted the Venezuelan oil company PdVSA


There aren't many new revelations from the Snowden-documents anymore, but recently an NSA document was published telling how the agency prepared the interception of communications from the Venezuelan oil company Petróleos de Venezuela, S.A. (PdVSA).

It's not a very spectacular disclosure, but it gives a nice insight in what an NSA analyst actually does. The story was published on November 18 by the website The Intercept and the Latin-American broadcaster teleSUR.

Most people will have read The Intercept's report, but that misses one of the most interesting details of the story. Here, the disclosed NSA document will be discussed in full, with details explained based upon information from earlier disclosures.



Building of PdVSA in Maracaibo with on its facade Fidel Castro's motto
"Patria, Socialismo o Muerte" (Fatherland, Socialism or Death)
(Photo: Reportero24)


The document that was published is an excerpt from SIDtoday, the internal newsletter of the NSA's Signals Intelligence Division from March 23, 2011 (which was apparently accessed (by Snowden?) on Saturday, November 10, 2012). It contains a story that is told by a Signals Intelligence Development (SIGDEV) analyst from the NSA's Transnational & Strategic Partnerships SIGDEV branch.

A SIGDEV analyst is someone who looks for new targets or new means to access communications of existing targets. His unit S2C13 is part of the International Security Issues (ISI) Product Line, which is responsible for analysis and production of intelligence about countries in Europe, South-America and elsewhere.


Intelligence requirements

As the analyst recalls, a year-end review had shown that there was no progress on the "Venezuelan Energy target set" as most reporting came from warranted collection. That could refer to PRISM and Upstream collection under section 702 FAA, but that only requires annual certifications approved by the FISA Court. Strictly spoken, individual warrants are only needed for "traditional FISA" collection, like for example for eavesdropping on the Venezuelan embassy in Washington.

The analyst decided to do a "target reboot", which he describes as "taking a fresh look at opportunities for collection". He first looked at specific Information Needs (INs) and used SURREY, which is the main NSA requirements database.

These requirements are the outcome of an administrative process, that starts with the US president setting the highest priorities for foreign intelligence collection. These priorities are then translated into the National Intelligence Priorities Framework (NIPF) for the US Intelligence Community as a whole.


Strategic Mission List

For Signals Intelligence (SIGINT), it's the National Signals Intelligence Committee (SIGCOM) that collects the requests for information from the various intelligence "consumers", checks whether they are consistent with the NIPF and assignes them a priority. An overview of the SIGINT priorities can be found in the 2007 Strategic Mission List, which was published in November 2013.

This document lists Venezuela as one of six countries that are treated as "enduring targets". According to this document, NSA should "Provide U.S. decision makers with a holistic SIGINT perspective of regional trends and developments" and also "Provide indicators of regime stability, particularly in the energy sector":



Section about Venezuela in the 2007 Strategic Mission List
(Click to enlarge)


Economic or commercial espionage?

The Intercept makes a point out of NSA targeting a petroleum company "for economic espionage" - earlier disclosures had already brought up the names of the Brazilian company Petrobras and Gazprom from Russia. Why that should be a problem isn't explained however: all three companies are government-controlled and oil is an issue of strategic interest for almost any country.

The website also cites US Director of National Intelligence James Clapper, who explained the difference between gathering intelligence on economic issues for government policy makers (which the US admits doing), and stealing trade secrets of foreign companies to help individual American corporations (which the US strongly denies doing). And in this case, there's (again) no evidence for the latter.


Collaboration

The story of the analyst then continues with that he met with the Target Office of Primary Interest (TOPI) responsible for Venezuelan targets, in order to "re-assure myself that we were both on the same page in regards to our goals". A TOPI consists of analysts who analyse the communications that come in as a result of the collection process and who prepare the intelligence reports.

These first steps show that NSA analysts work within a bureaucratic framework that requires collaboration with colleagues and superiors who make sure their activities are in accordance with the goals set by the government - as a rule, they're not free to target anyone at will, which is the impression people can get when listening to Edward Snowden.


Get started

The TOPI analyst wanted information from the highest level of PdVSA, i.e. from the president and members of the Board of Directors, as much of it as possible in the form of internet communications, which, unlike phone calls, don't have to be transcribed. Also there was no time for "extensive target development".

Then the SIGDEV analyst started his work. He first visited the PdVSA website on the internet for the names of the Board of Directors. He put them into a new document in Analyst's Notebook, which is an analysis tool widely used by intelligence and law enforcement agencies all over the world.



Demonstration of a "Pattern-of-Life Analysis" using Analyst's Notebook


Sigint already-collected

The next step was looking at what had already been collected about his targets. For this he first accessed the PINWALE database, which is NSA's main repository for all kinds internet content that was collected by using specific selectors (i.e. no bulk content collection).

A few queries, using the names he had found on the website, returned not much of interest: a lot of e-mails in which these persons were "cc-ed", but hardly anything to or from them personally. This also provided some e-mail addresses, but the analyst already knew these.

He entered the mail addresses into CADENCE, which is NSA's tasking tool for internet communications, and also into the Unified Targeting Tool (UTT). This would show whether these e-mail addreses were already tasked, which means whether the actual collection facilities had been instructed to collect the related communications.


Finding new selectors

Apparently collection against PdVSA did take place in the past, as PINWALE kept providing documents containing the target's names. This weren't communications, but some kind of information forms with contact details and organizational information about PdVSA employees.

The analyst says that these forms were similar to what is in NSA's SEARCHLIGHT database, which apparently also holds such kind of information forms. As these information forms mention who within PdVSA is somebody's supervisor, they resulted in a whole tree of entries and names:



Internal PdVSA information form which shows president of the board
Rafael Ramirez as supervisor of another board member, Luis Vierma


Lots of them

The new selectors include business and private e-mail addresses and work, home and cell phone numbers. The newly found e-mail addresses could again be entered into CADENCE and the UTT, while the phone numbers could be used to enter them in OCTAVE, which is NSA's tasking tool to initiate the interception of telephone conversations. It's not said whether this happened or not - the TOPI analyst at least didn't prefer phone calls.

The Intercept writes that NSA apparently "collects so much communications data from around the world that it often fails to realize what it has". This however applies to most intelligence and law enforcement agencies that conduct automated eavesdropping: there are often way too many phone calls to listen in to, let alone digital communications to translate, read and analyse.


Internal network

When the SIGDEV analyst was analysing the PdVSA forms (of which there were over 10.000 in the PINWALE database), he discovered that they all came from IP addresses starting with 10.x.x.x and 172.18.x.x, which are from address ranges that are reserved for use within private networks. The analyst now realised these entries came from the internal PdVSA network, and not from communications over the public internet.

One of the most interesting details of this whole story is how NSA had been able to get access to PdVSA's internal network - which isn't told in the report by The Intercept, but only in the one from teleSUR...



Front side of the US embassy in Caracas, Venezuela
(Photo: Yongo @ SkyScraperCity.com)


Special Collection Service

After the analyst discovered that he was looking at information from the internal PdVSA network, he "fired off a few emails to F6 here and in Caracas, and they confirmed it!"

F6 is the NSA's internal designator for the Special Collection Service (SCS) units in which specialists from NSA and CIA cooperate against targets that require "close access". These units operate out of some 80 US embassies all over the world.

This means it was the SCS unit from the US embassy in Caracas that had been able to get access to the internal network of PdVSA. The story doesn't tell how they did this, but probably they found a way to secretly tap a network cable or switch over which the oil company's computer network runs. If this access was still active, it has now has certainly been compromised.


SCS operations

From an earlier revelation we know that the SCS unit in the US embassy in Berlin was responsible for eavesdropping on the (non-secure) mobile phone of German chancellor Merkel. Maybe that was also done by tapping a local telephone network, or by just intercepting the cell phone's airwave signals.

For such wireless interception operations, many US embassies have a rooftop structure that conceals sophisticated antenna and other eavesdropping equipment. Such a structure is also clearly visible on the roof of the US embassy in Caracas:



Back side of the US embassy in Caracas, with the rooftop structure
(Photo: Carlos Garcia Rawlins/Reuters - Click to enlarge)


XKEYSCORE

After finding out the source of those PdVSA forms, the SIGDEV analyst started to coordinate his work with the F6 unit in Caracas. Apparently they fed data from their network access into XKEYSCORE, which is NSA's system to buffer, index and search internet communications, not only from large submarine cables, but also from smaller accesses, like from the SCS units.

This enabled the analyst at NSA headquarters to search through a rolling buffer of several days worth of content, which is especially useful to find files which aren't directly associated with hard selectors like e-mail addresses.

This resulted in "several juicy pdf documents" and one of them was eventually used for preparing a serialized report (number 3/OO/505480-11) dated January 2011 and titled "Venezuela State-Owned Oil Company Information Shows a Decrease in Overall Oil Thefts and Losses" - which doesn't sound like a trade secret that would benefit individual US oil companies, but on the other hand shows that such high-level accesses are also used for rather general intelligence information.


Hacking opportunities

Through XKEYSCORE, the analyst also found over 900 username and password combinations of PdVSA employees, which he handed over to NSA's hacking division, Tailored Access Operations (TAO). With a username and password one doesn't have to "break in" into a network, which makes the access almost impossible to detect.

The analyst also provided TAO with some other data along with a targeting request, especially aimed at getting access to the e-mail boxes of the PdVSA board members.


It is not known whether this was successful, but The Intercept and teleSUR mention that in May 2011, which is two months after the analyst's story in SIDtoday, the US State Department announced sanctions to be imposed on PdVSA because it had delivered at least two cargoes of reformate (used to produce gasoline) to Iran between December 2010 and March 2011, worth approximately $ 50 million.



> See also: An NSA eavesdropping case study about targeting the presidents of Mexico and Brazil.



November 22, 2015

Unnoticed leak answers and raises questions about operation Eikonal

(Last edited: November 23, 2015)

Almost unnoticed, the Austrian member of parliament Peter Pilz recently disclosed new information about operation Eikonal, under which NSA and BND cooperated in tapping some fiber-optic cables at a switching center of Deutsche Telekom in Frankfurt, Germany.

As part of the NSA umbrella program RAMPART-A, Eikonal was set up to gather intelligence about targets from Russia, the Middle East and North-Africa. Because the cables that were tapped came also from countries like Austria, Switzerland, France, Belgium and the Netherlands, there were fears that their communications were intercepted too.

Here, the newly disclosed information will be discussed and combined with things we learned from the hearings of the German parliamentary commission that investigates NSA spying, including operation Eikonal.




Overview of the joint NSA-BND operation Eikonal (2004-2008)
(Click to enlarge)


Leak

The new information comes from transcripts of some fax and e-mail messages from employees of BND, Deutsche Telekom and the federal Chancellery, which Peter Pilz published on his website on October 23, 2015.

He never told how he got these highly sensitive documents, but as they were made available to the parliamentary inquiry commission, it seems most likely someone from or very close to this commission must have leaked them to Pilz. Strangely enough, this leak was never investigated.


Media attention

Also remarkable is that the information and documents disclosed by Peter Pilz were almost completely ignored by mainstream German media like ARD and ZDF and the major newspapers. The latest disclosure was for example only reported by the Austrian paper Der Standard and the German tech website Heise.de.

By contrast, in neighbouring countries like Austria, Belgium and the Netherlands, the Pilz revelations were big news and led to official investigations. Through May and June of this year, he had published lists of communication links related to Switzerland, France, Luxembourg and Poland too, claiming they showed to what extent BND and NSA spied upon these countries.



First part of the list with communication links related to France
(Source: Peter Pilz - Click to enlarge)


Whose's links?

Initially, Peter Pilz claimed these links were from a priority list of the NSA, but neither he, nor the commission hearings could clearly confirm this. The Dutch website De Correspondent reported that there was even a much larger list of some 1000 transit links, of which ca. 250 were marked in yellow.

Now, Pilz confirms that there's indeed such a large list: it was prepared by Deutsche Telekom and contains all its 1028 transit links. Employees of BND had marked 256 of them in yellow, apparently the ones they were most interested in, and hence the list became known as the BND priority list. He doesn't mention an involvement of NSA at this stage anymore.

Now that we know the large list of over 1000 links isn't an even larger "wish list", but a list of all available transit links, it could well be that BND tried to select around 20% of them, as a rather strange provision in German law says that bulk collection is only allowed up to a maximum of 20% of a cable's capacity.

As Telekom Austria rented the channels to Vienna, we can assume that other national telecommunication providers also rented their links to Frankfurt, with Deutsche Telekom being the owner of the cables as part of their international backbone network.


Determining the access points

After BND selected the 256 channels, Deutsche Telekom had to look which of them ran through Frankfurt and could be intercepted there. For this purpose Harald Helfrich of the lawful interception unit of Deutsche Telekom AG (DTAG) sent his collegue mr. Tieger the following e-mail on September 16, 2003:


Hallo LK,

wie heute morgen besprochen übersende ich Ihnen die Liste der Transit-Leitungen der DTAG. Wir bitten Sie die gelb unterlegten Verbindungen bzgl. ihrer Führung (z.B. Ffm 21 oder Norden-Nordeich) und ob in der 2-Mb-Ebene greifbar, zu analysieren.

Anlage: Trans mit ausgesuchten Strecken



In this mail it is asked to analyse whether the transit channels marked in yellow can be intercepted at the 2 Mbit-level, either at Deutsche Telekom's Frankfurt am Main Point-of-Presence 21 (Ffm 21) or at Norden-Norddeich.

The latter is a town at the northern coast of Germany, where the SeaMeWe-3 and TAT-14 submarine cables land. For the parliamentary commission this was a reason to ask whether also cables where intercepted over there, but that was strongly denied by the witnesses involved.


Selecting individual channels?

Interestingly, the phrase "ob in der 2-Mb-Ebene greifbar" suggests that it could be possible to just intercept specific 2 Mbit/s channels while leaving the other ones untouched (one physical STM1-cable has a data rate of 155 Mbit/s and contains 63 virtual channels).

Whether this is possible is important for how focused such cable tapping can be. Isolating individual channels depends in the first place on where exactly the tapping takes place:

A. When the physical fiber is intercepted before it reaches the switch, it has to be bend in order to catch the light that leaks. Because this leaking signal is much weaker, it has to be amplified before it can be processed. In this way it's not possible to select individual channels: the eavesdropper gets everything that runs over the fiber, and has to demultiplex the channels himself to select the ones that contain traffic of interest.


Splitting a traffic from a fiber-optic cable by bowing it
(diagram: OSA Publishing, slightly simplified)


B. When the interception takes place at an optical switch itself, then it's possible to only grab the virtual channels you are interested in. A physical cable contains channels which have to be demultiplexed at the switch in order to be forwarded (switched) to the fiber that leads to the intended destination. When the switch converts the optical signals into electronic signals it is even more easy to duplicate only individual channels of interest.


Diagram showing (de)multiplexing at a fiber-optic switch
(diagram modified from Wikimedia Commons/Jflabourdette)


Different methods

During the commission hearing of March 26, 2015, Klaus Landefeld, board member of the DE-CIX internet exchange, indicated that at least since 2009, interception takes place at the switch. Also, the so-called G10-orders authorise interception based upon Autonomous System Numbers (ASN) which are used for logical paths, rather than by naming physical cables to or from a certain city.

However, it seems that under operation Eikonal, the fiber-optic cables were tapped by splitting the cable signal before it reached the switch. This was more or less clearly indicated by several witnesses heard by the parliamentary commission, and there are several other indications too.

In 2004, it was apparently not yet possible to establish a tap at the switch itself to get access to individual channels (although Deutsche Telekom could have demultiplexed the fiber and only forward the channels of interest to BND, but this wasn't the case).


Government authorisation

After BND had made clear what they wanted, the Deutsche Telekom management wasn't sure whether such cable access was legal. Therefore they wanted to be backed by the federal Chancellery. On December 30, 2003, the coordinator for the intelligence services at the Chancellery, Ernst Uhrlau, sent the following fax message to Kai-Uwe Ricke, then CEO of Deutsche Telekom, and Josef Brauner, head of the landline division T-Com:


Sehr geehrter Herr Ricke, sehr geehrter Herr Brauner,

das Bundeskanzleramt ist sehr interessiert, dass der Bundesnachrichtendienst im Rahmen seines gesetzlichen Auftrages kabelgestützte Transitverkehre aufklärt. Der vom Bundesnachrichtendienst in Ihrem Unternehmen geplante Aufklärungsansatz steht aus hiesiger Sicht in Einklang mit geltendem Recht.

Ich darf auf diesem Weg die Anregung des Bundesnachrichtendienstes weitergeben, in der Deutschen Telekom AG, T-Com, den Bereich RA 43 (Staatliche Sonderauflagen), zu dem bereits im Rahmen der Strategischen Fernmeldekontrolle Kontakte bestehen, mit der Durchführung der auf Seiten der Deutschen Telekom AG erforderlichen Maßnahmen zu beauftragen.


It says that in the opinion of the Chancellery, the proposed BND operation is according to German law. The Chancellery encourages Deutsche Telekom to instruct its lawful intercept unit RA 43 (which is one of four Regionalstellen für staatliche Sonderauflagen or ReSA) to start taking the necessary measures for the interception.


Transit Agreement

On behalf of the board of Deutsche Telekom, Josef Brauner answers the fax from the Chancellery on January 13, 2004. He says the T-Com division is aware of the importance of a well-functioning intelligence service, and will therefore support the interception of cable-bound transit traffic:


Sehr geehrter Herr Ministerialdirektor,

gerne bestätigen wir Ihnen den Erhalt Ihres Schreibens vom 30. Dezember des letzten Jahres.

Die T-Com ist sich der Bedeutung eines gut funktionierenden Nachrichtendienstes für das Gemeinwesen der Bundesrepublik Deutschland - insbesondere vor dem Hintergrund der terroristischen Angriffe des 11. September 2001 - bewusst und wird daher die geplanten Aktivitäten des Bundesnachrichtendienstes, die kabelgestützten Transitverkehre im Rahmen seines gesetzlichen Auftrages aufzuklären, unterstützen.

Entsprechend der Anregung des Bundesnachrichtendienstes wird diesseits unser Bereich RA43 (staatliche Sonderauflagen) beauftragt, die hierfür von unserer Seite erforderlichen Maßnahmen vorzunehmen



Then on March 1, 2004, the BND and Deutsche Telekom signed the so-called Transit Agreement (pdf), in which the latter agreed to provide access to its transit cables, and in return will be paid 6.500,- euro a month for the expenses. This agreement was also leaked to Peter Pilz, who published it on May 18, 2015 in the Austrian tabloid paper Kronen Zeitung.


Preparing for collection

After the agreement had been signed, BND sent an e-mail on March 9, 2004 to Wolfgang Alster, head of Deutsche Telekom's lawful interception unit RA 43 asking for the connection (schaltung) of the first communication links. He adds that he had ordered the payment of the first two monthly payments:


Schaltauftrag

DTAG RA 433

Hallo Herr Alster,

Der Geschäftsbesorgungsvertrag "Transit" ist ja jetzt von beiden Seiten unterzeichnet und gestern habe ich die beiden ersten Monatszahlungen veranlasst.

Daher erdreiste ich mich, Sie um die erste Schaltung von Leitungen zu bitten.



Realising the access was apparently not that easy, because it took until December 2004 before the first cable was connected. Then it appeared that it's signal was too weak, so in January 2005 an amplifier was installed - as the parliamentary commission was told by S.L., who was the BND project manager for Eikonal (note that the use of an amplifier indicates tapping the entire fiber-optic cable).

At this first stage of operation Eikonal, only circuit-switched (Leitungsvermittelte) telephone communications were intercepted. Collection of packet-switched (Paketvermittelte) internet communications started in 2006 (see below).


RUBIN

On February 3, 2005, mr. Knau mailed his colleague Harald Helfrich at the RA 43 unit that an STM1-link between switching center Frankfurt 21 and Luxembourg had been connected. Channels 2, 6, 14, and 50 contained the virtual channels that had Luxembourg as their endpoint:


Hallo Herr Helfrich,

Habe heute früh die o.g. Verbindung auf die Punkte 71/00/002/03 19 + 39 zugeschaltet. In der Anlage ist die Belegung lt. RUBIN ersichtlich.

Auf den Kanälen 2, 6, 14, 50 befinden sich die in der Liste markierten DSVn mit der Endstelle Luxembourg.

Bitte um Rückmeldung ob das ganze funktioniert.

Anlage: Belegung 7571 Luxbg


We also see the term RUBIN (German for ruby), and during the commission hearings it seemed that this was an alternate codename for operation Eikonal. But when heard on January 15, 2015, Harald Helfrich explained that RUBIN is actually a system that Deutsche Telekom uses to manage its communication links and cables - which perfectly fits how the term is used in this e-mail.


Channels of interest

The next e-mail is also from February 3, 2005, but was already published by Peter Pilz on May 15, 2015 and is the only one that is available in what seems to be its original form. It's from Harald Helfrich, who informs a mr. Siegert at the BND that mr. Knau had connected an STM1-link earlier that morning (see previous e-mail). He says it contains the channels that were on the BND priority list:


This e-mail says that BND was interested in the following 2 Mbit/s channels from the Transit STM1-cable "Ffm 21 - Luxembourg 757/1":
Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

According to Peter Pilz, additional cables were connected on February 14 and 25, as well as on March 3, 2005. Unfortunately, he either doesn't possess or didn't disclose the related e-mails, so we still don't know how many and which channels have actually been intercepted.

The interception of telephony communications therefore started in the Spring of 2005, which means that collection under Eikonal only lasted for 3 years, and not 4 years, when one would count from signing the agreement in 2004 until the end of the operation in 2008.


Ending telephone interception

Peter Pilz published the transcripts of two more e-mails, which are about ending the telephone interception. On May 27, 2008, mr. Thorwald from Deutsche Telekom sent the following message to his colleague Harald Helfrich, informing him that fully circuit-switched transit traffic isn't supported anymore. Therefore, the extraction of transit traffic at the company's premises can be terminated:


Sehr geehrter Herr Helfrich,

Wie wir bereits telefonisch besprochen, teile ich Ihnen mit, dass die Verarbeitung von reinen leitungsvermittelten "Transit-Verkehren" von uns nicht mehr durchgeführt wird.

Aus diesem Grund kann die Ableitung der Transit-Verkehre in unseren Betriebsräumen eingestellt werden.

Im leitungsvermittelten Bereich (Ableitung auf höherer Ebene) besteht aktuell der Bedarf zur Ableitung von folgenden Verkehren:

+ 2 x STM-64
+ 4 x STM-16


After that, Thorwald writes that there's currently a need to extract the traffic of two STM-64 and four STM-16 cables, which have a data rate of ca. 10 Gbit/s and 2,5 Gbit/s respectively. This is also said to be circuit-switched, but "extraction at a higher level".


Anomalies

If we assume that Peter Pilz provided the correct date for this e-mail, it's strange that there was apparently a need for new cable accesses, hardly a month before operation Eikonal was officially terminated (June 2008).

Even more strange is that the e-mail says the new accesses are also circuit-switched (leitungsvermittelt), while during the hearings it was testified that the collection of such telephone communications ended in January 2007, after Deutsche Telekom fased-out its business model for dedicated transit cables. This e-mail brings that message almost 1,5 years later!


Internet access

From the commission hearings we also learned that BND wanted access to internet traffic too, which is packet-switched (Paketvermittelt). For this, the first cable became available by the end of 2005, but it took some months before the backlink was also connected. In the spring of 2006 a second cable was added, and the front-end system and the filters were tested until mid-2007.

Could it be that mr. Thorwald just made a mistake, and wrote "leitungsvermittelten" where he meant "paketvermittelten"? But even then, why add new internet cables, just before the operation was ended?


Another question

A similar anomaly can be found in an e-mail, that according to Peter Pilz, was sent one day later, on May 28, 2008. In it, mr. Knau informed Harald Helfrich and his superior Wolfgang Alster that the access to four STM1-cables can be terminated immediately.

Given what was said during the commission hearings, one would have expected that this also had happened already in January 2007, instead of May 2008. It seems some things don't add up here.


Wie bereits fernmündlich besprochen, können nachfolgende STM1-Zuschaltungen mit sofortiger Wirkung aufgehoben werden:

Ffm 21 - Stuttgart 10 757/22A
Ffm 21 - Paris 757/1
Ffm 21 - Reims 757/1
Ffm 21 - Luxembourg 757/1


Physical cables

Unlike the numerous virtual channels in the lists, this e-mail is about physical cables. "Ffm 21 - Luxembourg 757/1" is the one mentioned in the e-mail from February 3, 2005, containing 4 channels of interest to Luxembourg; the others are cables from Frankfurt (Ffm) to Reims, Paris, and Deutsche Telekom's Point-of-Presence in Stuttgart. With this, we now have proof of 3 other cables having been tapped.

According to a list (.docx) publiced by Peter Pilz, there are 29 channels to/from Reims and 22 channels to/from Paris, all of which could easily have been in the fiber-optic cable between Frankfurt and Reims, and Frankfurt and Paris, respectively, as one single STM1-cable contains 63 separate channels:
Frankfurt - Stuttgart: ? channels of interest
Frankfurt - Paris: 22 channels of interest
Frankfurt - Reims: 29 channels of interest
Frankfurt - Luxembourg: 11 channels of interest



Peter Pilz concludes that operation Eikonal was the start of NSA's illegal mass surveillance of European telecommunications. But that's not supported by evidence. After Eikonal, NSA continued joint cable tapping operations with BND and other European agencies, but as these programs are part of RAMPART-A, they are mainly aimed at specific targets in Russia, North-Africa and the Middle East.*


BND cable tapping

Operation Eikonal did start something else though: it provided BND with the knowledge and the experience for conducting cable tapping on its own: in 2009 they started intercepting cables from 25 internet service providers, this time at the DE-CIX internet exchange in Frankfurt - as was revealed by Der Spiegel on October 6, 2013.

Among these 25 providers are foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

It appears that this interception takes place in cooperation with the DE-CIX Management and that the various providers themselves didn't knew that this was happening. A smart move, as this provides BND with just one single point-of-contact, while the indivual providers can honestly deny that their cables are being intercepted.



Links and sources
- Heise.de: BND-Operation Eikonal: "Freibrief" für die Telekom aus dem Kanzleramt
- DerStandard.at: Pilz: Berlin genehmigte NSA-Spionage gegen Österreich
- PeterPilz.at: "Ich darf die Anregung weitergeben..." Die Operation Transit in Europa