August 5, 2014

What if Google was an intelligence agency?



This time we present an article written in cooperation with the French weblog about intelligence and defence Zone d'Intérêt in which we compare the data collection of Google to intelligence agencies like NSA:


Introduction

Since 1998, Google has grown to become an essential part of the web infrastructure and took an important place in the daily lives of millions. Google offers great products, from search engine to video hosting, blogs and productivity services. Each day, users provide Google, willingly and candidly, with many different kind of personal information, exclusive data and files. Google justifies this data collection for commercial purposes, the selling of targeted ads and the enhancement of its mostly free services.

These terabytes of user data and user generated content would be of tremendous value to any intelligence service. As former director of CIA and NSA Michael Hayden half-jokingly stated at Munk debates: "It covers your text messages, your web history, your searches, every search you’ve ever made! Guess what? That’s Google. That’s not NSA."

But really, how would a company like Google compare to an intelligence agency like the NSA? How would it be able to gain access to confidential information and go beyond OSINT (Open Source Intelligence)? Does Google even have the resources, data and technical capabilities to harvest all-sources intelligence like a major intelligence service would?

Google's unofficial motto is "Don't be evil", but what if Google started being evil and used all of its collected information as an intelligence agency would? What if intelligence professionals had access to Google's resources and data ? What would it mean for the users? And can this be prevented somehow? (it’s also rather ironic that many people now see NSA as a big evil organization, but Google collects even more)

This is the worst case scenario we'd like to explore:
What if Google was an intelligence agency?


Communications to intercept, private data to collect

As a major webmail (425 million active Gmail users in 2012 - source: Google I/O 2012) and instant messaging provider with Hangouts, Google has access to the daily communications of millions of individuals, corporations and organizations. This privileged access to telecommunications worldwide gives Google the opportunity to act as a major COMINT agency, not unlike NSA or GCHQ. Storing its users e-mails and broadcasting their instant messages with audio and video, Google is able to obtain a deep-reaching knowledge of their habits, intents and projects, either personal, professional or commercial. Enhanced with behavior analysis and targeted with collection selectors, theses communications, already stored on the company's servers could be used as a very powerful intelligence database.

NSA only stores data that have any foreign intelligence value, other data that might be useful are automatically deleted after 5 years, but how is that with Google? In the European Union, administrative authorities in charge of data protection, assembled in the Article 29 Working Party of the European Commission (or "G29"), have issued multiple warnings and penalties against Google regarding this issue. In January 2014, the french CNIL, an Art. 29 Working Party member, issued a 150 000€ monetary penalty to Google for failing to define retention periods applicable to the data which it processes. Data collected by Google isn't as strictly regulated and controlled as data collected by intelligence agencies, and it can stay on Google's servers until the company decides to delete it, at its own discretion.

And how about the risk if internal policy and privacy violations by Google personnel? Does Google has access control mechanism just as strict and tight as the compartimentalization and ‘need-to-know’ at NSA? They should have, as Google has far more information about ordinary people in its databases, which could be much more tempting to look at for employees than for example all the military and terrorism stuff that NSA collects. But Google also has to protect this information against foreign intelligence agencies.

Google also provides its users with phone services through its Android phone and tablet operating system, with 1 billion users worldwide in 2014 (source: Google I/O 2014). This could be used as an opportunity to monitor the calls - made or received - by its users, collect their metadata and even record their calls for intelligence purposes. This also goes for SMS and MMS send or received by its users, as android users send 20 billion text messages each day (source: Google I/O 2014). NSA’s database for SMS-messages DISHFIRE receives just around 200 million messages a day. Google is expanding the reach of its phone services, as calls to landline and mobile phones can be placed from Hangouts by any user of Gmail, Google+ and Chrome, even without using an Android device. With Fiber, Google is providing ISP services to three cities in the United States, with plans to expand. Google even wants to introduce internet access to remote areas in Africa via solar-powered balloons – which would also make it much easier for NSA, as many of these regions are also terrorist-related conflict zones where there’s often only mobile phone and radio traffic, which is more difficult to intercept than internet traffic, especially when the latter goes through a US company.

The expanding realm of its webmail and cloud services provides Google with a rare trove of otherwise private individual data and even confidential information from governments and companies. With Gmail, Google has access to sensitive information about individuals, such as their names, phone numbers, addresses or even social security numbers which may transit via e-mail. Logins and passwords from web services are often sent by e-mail, and so are activation and authentication codes. Many users want to take advantage of the free services offered by Gmail and automatically forward e-mails from other webmails or their company e-mail address to their Gmail address, creating a POP/SMTP link. Doing so, they increase the amount of e-mails and information accessible to Google. Private information about individuals, from health and financial issues to clues about their emotional state or relationship status can be found in e-mails. Everything from their buying habits, reading habits or subscriptions, to confidential information, can be extracted from e-mails using already available software, and then easily exploited by intelligence professionals.

Contact lists from services like Gmail, Hangouts, Google+ and from operating systems like Android and Chrome OS would be a valuable source for intelligence analysts, as they allow to identify links between individuals and perform social network analysis. Contacts lists were used in many occasions by intelligence agencies leading investigations against terrorist cells or organized crime groups, but can also be used in social engineering schemes or commercial intelligence.

Corporate information is hosted by Google through most of its services, as Gmail is used by many entrepreneurs and employees, whether it is duly authorized by their company or not. Important information can be retrieved in e-mails, such as details of industrial projects, business offers and everyday company communications. Many companies use Gmail attachments to send and receive corporate documents or use Google Drive to store their information. Google Calendar can also provide a great window into the daily activities of a company, as a way to identify links between individuals, be alerted of forthcoming meetings,  receive status reports from ongoing projects, or deduce a precise timeline of employees work habits. Recently, Google announced that 58% of Fortune 500 companies have "gone Google" and so did 66% of "50 top Start-Ups" and 72 of the 100 best universities (Source: Google Enterprise).

Given all these data containing often highly sensitive and private information, it is remarkable that people, businesses and organisations are so willing to trust it into the hands of Google. One wonders why some people really don’t like it when government officials could have access to such kind of information, but apparently completely trust the Google personnel. Who guarantees that Google isn’t looking into confidential information of other businesses that can be of interest?

Google Search, the first service provided by Google since 1998, receives about 100 billion searches per month and is a great tool used every day by intelligence professionals. Google search crawlers scan the web for individual URLs, web pages and files, using the Google powerful servers. They are able to record, collect and cache any kind of text content, images, video and audio files, and most document formats such as Word and PDF. Google Search can be used to find unrestricted or insufficiently secured subdomains, files, folders and archives, from websites and networks. Using advanced operators, Google can be used to find misplaced confidential information and other vulnerabilities. If there’s one application that is able to read your deepest thoughts, fears and desires, like Edward Snowden said NSA is capable of, then it is Google Search.


Individuals to identify, targets to monitor

Google Search can also be exploited for advanced statistics, behavior analysis of users, identification of single users, and to locate them. Using cookies and connection data recorded by Google for every search, such as IP address, user agent and search terms, the user can be identified and located to a certain extent. Taking advantage of persistent cookies, IP adresses and forensic techniques, such as discourse analysis or syntax analysis, and sifting through recorded searches, online activity through Google services can then be narrowed down to a single organization, a set of users or even a single user.

Recording precisely the search terms from an identified user, company or organization can help an intelligence professional create new, more efficient selectors for intelligence collection and communication interception, based on the interest of users and unique searches. For example, many companies will use Google to find new business prospects, partners or suppliers. Journalists will do background checks on their sources using Google. Scholars and scientists will do their research using Google search, revealing precise information about what they are looking for and what they are working on.

Similar data is collected on many other websites which are not owned or related to Google, but which make use of Google Analytics, a Google-run service allowing webmasters to collect detailed information about their users, such as their IP addresses (collected by Google but not shown to webmasters), what search terms they used to reach their websites and which pages they browsed. While challenging sanctions from the European Art. 29 Working Party, Google refuted that an IP address constitutes personal data, even when associated with data from cookies, and should not be treated as such regarding privacy issues. Which once again shows the different views on privacy  in Europe and the US

But Google has access to much more precise data to identify users and monitor their online activities. Some services, such as Gmail, require users to be registered and to give accurate personal information, such as their real name, their birthdates, their country of residence or another e-mail address they own. Google is also pushing two-factor authentication, requiring that their users disclose an active phone number. While launching its Google+ service, which is now linked to other services such as Gmail and Youtube, Google discouraged the use of pseudonyms and required that all users registered using their real name, or risk account suspension. In October 2012, G29 issued a recommendation to Google that it must inform new users more clearly that they can sign-up to a Google account without providing their real name.

 When users use any Google service while logged in, or with Google cookies activated, or even from an IP address which was previously used while logged in, all of their online activity transiting on Google networks can be traced back to them. On many occasions, personal files and documents stored on Google Drive, or images stored on Google+ Images and Picasa could be traced by Google back to the real name of a registered user. E-mails, instant messages, personal documents, videos and pictures, all stored by Google, can be used to create a very complete and precise profile of a single individual. According to numbers published by Google during I/O 2014, Android users send "93 millions selfies" each day.

The Google image search algorithm is able to identify faces and places in pictures. The image search facial recognition feature is only activated to find pictures of celebrities, but Google+ Photos includes an opt-in service called "Find My Face" capable of automatically recognizing and tagging the user's face in photos uploaded by him or by his friends. Google implemented a "Face Unlock" feature in Android, allowing users to unlock their devices using their camera, showing that Google's recognition algorithms are precise enough to identify an individual, even with slight changes due to lighting conditions or face expression. In addition, Google recurring pop-ups incite Android users to activate a function which automatically uploads all new photographs taken with their device to Google+ Photos and Google Drive. EXIF data and geotags from each photo are collected too. As another option, Google image search has a "reverse image search" functionality which allows any user to upload an image from his computer and let Google's pattern recognition algorithm find similar images. In the help section of Google's image search, it is stated that "any images or URLs that you upload will be stored by Google".

Google's photos database would be an extraordinary tool to any intelligence professional trying to find someone, learn about its habits or identify people he is related to. Recently, intelligence agencies such as the American DIA (Defense Intelligence Agency) or the French DGSE have been acquiring commercial software to collect videos and photos posted online for intelligence purposes, which shows the interest of intelligence analysts for user generated content. In 2010, Google invested 100 million dollars in Recorded Future a company specializing in data mining, advanced statistics, internet traffic monitoring and defense intelligence. Recorded Future was also funded by In-Q-Tel, the technology investment firm of the CIA.

Using data collected through Google Voice Search and Google Now, intelligence technicians could be able to build a large phonemes database to enhance word recognition algorithms, but also to implement voice recognition in order to identify single users based on their voice. For advanced target monitoring, the microphone from a computer, tablet or smartphone running Android or Chrome OS could be activated in order to eavesdrop on a target, using OS-level or App-level backdoors. Coupled with voice recognition, these techniques could be used to identify and locate targets.

In such a scenario, OS-level access could be used to implement backdoors for keylogging, password collection, communication intercepts, microphone or camera hijacking, or even GPS silent activation and monitoring. Access to Google's database would make network penetration easier, as Android devices record the WiFi passwords from secured access points they connect to and store them to the cloud.


Map any place, locate anyone

In 2004, Google acquired Keyhole, a company partly funded by the CIA and the NGA, which developed the technology behind Google Earth, a Google product which provides users with maps and commercial satellite imagery from around the world. Other Google mapping initiatives are Google Maps and Street View. Google Earth is used by many intelligence professionals, whether they work for government agencies or for private contractors, and is often listed as a common tool in intelligence sector job descriptions and resumes.

A useful feature of Google Maps and Google Earth is the ability for users to add tags, photos and points of interests (POI) over the maps and imagery provided by Google. This feature results in crow-sourced sets of maps, which are improved by the output of users who have good knowledge of the places they describe, whether they are travelers, dwellers or experts. This ground knowledge is obtained at no cost by Google and can result in very detailed descriptions, even from remote places. Google also benefits from the geotagged photographs from Panoramio, acquired by Google in 2007, and from POIs added by users participating in Google side-projects, such as Niantic Labs' Field Trip and Ingress applications. Google recently acquired the imaging company Skybox, taking advantage of its growing constellation of satellites.

Another way for Google to get intel from the ground and improve its worldwide mapping capabilities is Street View, by which Google collects 360° snapshots along roads and trails. With Street View, Google is able to get detailed and fresh information about buildings, installations and constructions. This collection effort even captures photos from remote places or restricted areas, such as military bases or intelligence facilities (examples: MI5 installation in the United Kingdom, DGSE station in France) Google has recently announced Project Tango, which is aimed at developing new sensors for mobile devices, in order to map their surroundings in 3D, such as the interior of buildings. Access to the photographs and geospatial information collected by Google through Google Maps, Street View, Google Earth and Panoramio, but also from search crawlers and user content uploaded to the cloud, would be of considerable interest to intelligence technicians. For instance, Letitia A. Long, director of the National Geospatial Intelligence Agency (NGA) recently stated that her agency was increasingly taking advantage of data collected through open sources and social networks. In these cases the possibilities of Google’s commercial tools seem to have already outpaced those used by government agencies.

Google is also making considerable effort in precisely locating its users. Users are often prompted to authorize their localization by Google services, from Google Search to Google Maps and Android. To achieve precise location of a user, Google is using all data available, from search queries which mention a place, to IP addresses and connection data, to GPS signal provided by the user's device.* Google also uses a patiently crafted database of Wi-Fi access points, hotspots and cell towers, which contains MAC addresses, BSSIDs and Cell IDs. This data is collected by Google Street View cars, contractors, but also when a user device allows localization privileges to a Google service or application. This worldwide crowd-sourced database is very detailed, precise and regularly updated. This data collection is often running in the background on users' devices and provide Google with the precise location of many of its users.

For intelligence purposes, geolocation data could be used to silently track a target or get information about their routines. Localization data is stored and logged by Google, and can be accessed by registered users in their Location History. Access to such information by intelligence technicians could be used for behavior analysis, remote surveillance, forensics and social network analysis. Combined with Google access to many Wi-Fi passwords, a precise map of MAC addresses worldwide would provide intelligence technicians and operators with an opportunity to conduct network penetration and communication intercepts. All this could be very valuable for agencies like NSA, as some of the Snowden-documents showed that they now have to put much effort in mapping such communication networks “from the outside”.


A proxy in intelligence collection?

Google collects user data for commercial purposes, mainly to sustain its business model based on online targeted ads, which accounted for 96% of Google's revenue in 2011. However, Google is sharing its worthy data with governments and their intelligence services, when complying with court orders or local laws. According to its Transparency Report, in 2013 Google complied to thousands of user data requests from governments of countries such as the United States, India, France, Germany, United Kingdom, Brazil or Italy. Google reports that it provides user data to "law enforcement agencies", but does not state exactly what kind of data is given. As example, Google cites IP addresses and personal information given by the users when they register, but it is not clear whether or not data provided to authorities is restricted to these elements. Given the large amount of data collected and stored by Google on every user, government agencies could receive a very detailed history of a user's communications and online activity, or even a copy of its hosted files.

In recent NSA and FBI intelligence collection programs, user data can be requested under a legal framework, such as FISA requests, which does not authorize Google to inform its users of the request. Moreover, clandestine intelligence efforts gave the NSA access to Google's data, without the need for legal requests.

In most democratic countries, intelligence services aren't allowed to intercept communications from their citizens nor to collect user data without  the authorization of a judge or commission. Many intelligence activities are meant to be constrained by the rule of law and monitored by congressional oversight to ensure that individual liberties are respected. However, commercial companies are not subject to the same restrictions and can collect a lot of their users data, as long as they duly inform them.

Such loophole can be purposely exploited by an intelligence agency, taking advantage of the ever-growing database from big companies such as Google, either by legally requesting the information collected from their users or by trying to access it covertly. In such occurrences, Google would act as a proxy in intelligence collection, unwillingly (?) putting its resources at the disposal of intelligence services. Citizens and businesses may not want to share as much private information and contents with an internet services company given the possibility that it may later be accessed by intelligence services, domestic or foreign.

One major argument against the collection of data conducted by NSA (or other intelligence angencies) is that they can be used against the people when government is taken over by evil people. Western governments at least have checks and balances, but Google is just a commercial company, and what would happen when, say, some huge  Chinese company would take it over? Then our complete digital lives would be under control of people who care less about individual freedom and privacy. As probably no one (especially the US government) wants that to happen, Google will have to stay an American company one way or another – which makes it even more like a proxy for US intelligence.

In a recent case, Google tipped off the National Center for Missing and Exploited Children after scanning the emails of its users, looking for contents related to child pornography. It seems that Google was not asked by a law enforcement agency to monitor the communications of a single user under investigation, or even to scan emails for suspicious contents. Google acted on its own, scanning emails, maybe on a massive scale, to find suspicious activities. Even though going against child exploitation can be seen as a noble endeavor, it seems that Google may be running its own law enforcement operations, scanning its users' data for what it deems illicit. As Google gives little information about the company's operations, it is hard to know what kind of users' activities could be monitored by Google and proactively reported to authorities or others organizations. It is not clear if this proactive reporting only occurs in the United States, or if it may extend to other, less democratic countries.


Closing thoughts

From an intelligence standpoint, the sheer amount of data that Google collects about individuals and businesses is unrivaled. A single piece of information recorded by Google about a user could be considered innocuous, but the sum of all collected data which can be narrowed down to an individual or an organization gives an intimate picture of its thoughts, intent and activity.

The way Google systematically tries to gain access to new kind of data about its users, whether it's their e-mails, their work files, their personal pictures, their location, or confirmation of their real identity, is propelled by a commercial strategy and a so-called wish to "change the world", making their users' lives easier. However, this "know-it-all" approach facilitates data mining efforts from intelligence services which pursued programs such as "Total Information Awareness" and are conducting large-scale intercepts.*

Of course, this issue is not confined to Google but affects other companies such as Amazon, Apple or Facebook, as well as many other smaller companies. Still, Google owns a special place in the digital world of user data, as it concentrates a wide range of user information, operates phone and email services, develops operating systems and stores users files in the cloud. Google holds a big responsibility to ensure the security and privacy of its users data worldwide, but its ongoing efforts to do so can hardly be considered sufficient.

Google security practices are generally considered state of the art and the company recently announced support for end-to-end encryption in GMail, but the body of messages will remain unencrypted on Google's servers and accessible to the company's bots. In october 2013, Google became aware of a covert network penetration lead by the NSA, targeting communications links connecting the company's data centers, which were not encrypted.* The exact amount of user data which may have been collected by the NSA during the operation is still unclear.

- Google privacy policy is sometimes cloudy, and users trying to get informed about what data they release to Google, how this data will be used and how long it will be retained, have to sift through disclaimer pages scattered on Google's websites.

- As a major stakeholder in the worldwide web, Google has to bring more accountability and transparency about what is shared from its users. The user data that could potentially be provided to law enforcement agencies should be clearly and precisely marked as such. It should become clear to all users that some of their data, whether it's personal information, files, e-mails, messages, metadata from network traffic or phone calls, or even recorded communications may become available to intelligence services.

- Also, Google should clarify if this information can be provided only to the law enforcement agencies of the user's country of residence or also to United States government agencies, as Google is an American company with most of its servers and activities in the US.

- American web companies and cloud operators are facing growing critics about their vulnerability to US intelligence operations. Some in Europe advocates for sovereign "national clouds" restricting data retention and traffic between secured servers and users, forbidding access to the American government. During an hearing before the United States Senate in November 2013, Richard Salgado, Google's director for law enforcement and information security, stated that "in the wake of press reports about the so-called "PRISM" program", he was concerned by the trend of "data localization" that could result in the creation of a "splinternet" and the "effective Balkanization of the Internet". Data localization would also probably cost more to Google, and would place the company under the law of each country where the company processes user data. In many cases Google argued that it was established in the United States and therefore was not subjected to the law of European countries, as all data processing occurs in the USA. However in France, Google was imposed a (small) financial penalty as the administrative authority made clear that the company had to comply with the French Data Protection Act.

- Google cannot condone a systematic breach of confidentiality and privacy of its users. A call to reform US government surveillance laws cannot be considered enough. Google must implement proactive measures, reinforcing its network security, offer end-to-end encryption for all of its services, securely distribute users' files hosting in their countries of residence and better inform its users of privacy risks. These measures could be seen as costly, but are necessary to maintain the trust of Google's user base and main source of revenue.


Google has massive technical capabilities for user data retention, metadata collection, telecommunications monitoring, localization, mapping and imaging, all which could allow it to act as an intelligence agency. The main difference is that Google has a different goal (commercial) than an intelligence agency, but this also makes that Google gathers far more data than an intelligence agency is legally allowed to do.

How long is user data kept on Google's servers? What kind of user data is shared with law enforcement agencies or intelligence services around the world? How does Google prevent its employees to access their users personal data or location? How is the data you gave Google secured against hackers or from intelligence services malicious attacks?

Google don't really say, but you have to take their word for it.


July 20, 2014

New phones aboard Air Force One

(Updated: July 24, 2014)

The location that best represents Top Level Telecommunications in every sense of the word is probably Air Force One, the aircraft that carries the president of the United States.

As unbelievable as it sounds, the telephone sets used aboard this plane dated back to the 1980s and so they were finally replaced by new ones in August 2012. Here we will take a look at this new telephone equipment, which is now used by president Obama when he travels by air.


The new phones

In a range of pictures showing president Barack Obama using a telephone aboard Air Force One, we can see that the new phones consist of a handset in a customized cradle. In the conference room they have a rubber foot so they can be placed on the table without sliding away:



President Obama using one of the new phones aboard Air Force One
(Photo: AP - October 24, 2012)


The phone sets to be used by the president in his office room and the conference room have a brown/goldish color that matches the wood and the leather chairs. All other handsets that have been installed throughout the plane are in standard gray:



President Obama talks with Chief of Staff Jack Lew, former President Bill Clinton,
Justin Cooper, David Axelrod, and Senior Advisor David Plouffe. November 4, 2012.
In the back we see two new phones in gray on a wall mounted cradle.
(White House Photo by Pete Souza - Click to enlarge)



President Obama and Press Secretary Jay Carney disembark from Air Force One.
Left of the door we see a wall mounted version of new phone in gray.
(White House Photo by Pete Souza - June 17, 2014)


The Airborne Executive Phone

These new phones aboard Air Force One can be recognized as the Airborne Executive Phone (AEP) made by L-3 Communications. This is a military contractor that, among many other things, also manufactures the STE, the secure desktop telephone that is most widely used by US military and government.

The Airborne Executive Phone is able to make both secure and non-secure calls from a single handset. It also provides Multiple Independent Levels of Security (MILS) for digital voice and internet data access. This should provide end users with the experience of "reliable connectivity, interoperability and security they would have in an executive office environment".


Global Secure Information Management Systems

The Airborne Executive Phone is part of L-3 Communication's Global Secure Information Management Systems (GSIMS). This is an IP-based system for secure airborne communications and has a modular, scalable, and redundant design.

GSIMS integrates existing analog and digital radio and interphone systems with its own IP-based architecture, this in order to provide reliable connectivity, secure video conferencing and controlled wireless connections. The system is effectively controlled from an operator workstation.

L-3 Communications advertises (pdf) the GSIMS system as the most advanced secure communication system for VIP and Head of States aircraft:



More details about the Global Secure Information Management Systems (GSIMS) can be found in the fact sheet (pdf).


Development and installation

The installation of new phones aboard Air Force One was part of a larger, 81 million dollar contract that was awarded to L-3 Communications in 2009. This contract included the installation of Airborne Information Management Systems (AIMS) hardware and software. It modernized the on-board communication systems and replaced outdated analog systems, providing fixed bandwidth switching and integrated secure/non-secure video teleconferencing. Also included was the installation of seamless passenger information interfaces throughout the VC-25 aircraft that serve as Air Force One.

It seems that the Airborne Executive Phone (AEP) was originally developed by Telecore Inc., as can be read in the resume of someone who made a video presentation of this device (he did the same for the Senior Leadership Airborne Information Management System of L-3 Communications). Telecore is the company that manufactures the IST-2 telephone for the Defense Red Switch Network (DRSN), which is also a single device that can be used for both secure and non-secure calls. Probably Telecore sold the AEP to L-3 Communications.


Secure and non-secure calls

As we can see in the L-3 Communications advertisement, secure calls are indicated by a red background in the display and non-secure calls by a green one. This corresponds with two lights on the back of the handset: a green light which is on when the call is non-secure, and a red light that will indicate when it's a secure call over a highly encrypted line.



President Obama talks with NASA's Curiosity Mars rover team aboard Air Force One,
August 13, 2012. We see the green light on, as this is an unencrypted call.
(White House Photo by Pete Souza - Click to see the full version)



President Barack Obama talks on the phone aboard Air Force One, April 10, 2014.
Here we see the red light on, and interestingly, the White House didn't
release to whom Obama was talking on this occasion.
(White House Photo by Pete Souza - Click to see the full version)


Air Force Two

The new Airborne Executive Phones are also installed in the smaller Boeing C-32, a modified Boeing 757, which gets the air traffic call sign Air Force Two when it is carrying the vice-president of the United States. Sometimes this plane is also used by the president, and then serves as Air Force One, like for example for a trip on July 17, 2014 to the Port of Wilmington in Delaware:



President Obama talks on the phone with president Petro Poroshenko of Ukraine
about the Malaysia Airlines plane crash in eastern Ukraine, July 17, 2014.
Here we see the new phone in gray, and as Obama's finger is covering
the red light, and the green light is off, it seems a secure call.
(White House Photo by Pete Souza - Click to enlarge)



The old phones aboard Air Force One

Initially, Air Force One had sets of two telephone handsets installed all over the plane. These consisted of a cradle and an old-fashioned, so-called G-style handset, one in white and one in beige. The white handset was for non-secure calls and the beige one for phonecalls over a secure line. These phones were introduced on the previous plane that served as Air Force One, during the presidency of Ronald Reagan(!).



President Obama takes questions from seven reporters from the black press aboard
Air Force One on their way to the NAACP convention in New York. July 2009.
In this picture we see the phones that were previously used.
(White House Photo)


After the new Executive Voice over Secure IP (VoSIP) telephone network was installed in 2007-2008, which connects the White House with some of the most senior policy makers, the Cisco 7975G Unified IP Phone used for this network was also placed in Air Force One, where the big device was somewhat out of place:



Close-up of the white and the beige handsets and the Cisco 7975 IP phone
in the conference room of Air Force One, March 2009.
(Photo: Stephen Crowley/The New York Times)


Now, all these three different phones have been replaced by a single Airborne Executive Phone, which connects to both ordinary and highly secure telephone networks.



Links
- jp.MSN.com: 米大統領専用機の電話はアイアンマンっぽいヘンな電話
- Gizmodo: The Phones on Air Force One Look Like Iron Man Accessories
- Tinker AFB: Maintenance in chief: Looking after Air Force One
- History of the Presidential Telephones of the United States

- More comments in the Hacker News thread

July 12, 2014

Document shows that it was not NSA, but FBI that monitored 5 Americans



Three days ago, on July 9, 2014, Glenn Greenwald published an article which he earlier announced as being the grand finale of the Snowden-revelations. It would demonstrate that NSA is also spying on ordinary American citizens, something that would clearly be illegal.

The report is titled "Meet the Muslim-American Leaders the FBI and NSA Have Been Spying On" and it tells the story of Faisal Gill, Asim Ghafoor, Hooshang Amirahmadi, Agha Saeed and Nihad Awad whose e-mail addresses were found in an NSA file from the Snowden-trove. Although the article confusingly mentions both FBI and NSA, many people and media got the impression that this was the long-awaited major NSA abuse scandal.

But as we will show here, the document that was published contains no evidence of any involvement of the NSA in this particular case. Everything indicates that it was actually an FBI operation, so it seems not justified to have NSA mentioned in the article.


The FISA spreadsheet

Greenwald's report is all about a spreadsheet titled "FISA recap" - which refers to the Foreign Intelligence Surveillance Act (FISA) from 1978. This law allows electronic surveillance of Americans who are suspected of espionage or terrorism.

The spreadsheet contains 7485 e-mail addresses that were apparently monitored under FISA authority between 2002 and 2008. Unfortunately the article doesn't say whether the addresses are all from American e-mail providers or that some of them are foreign.

We do know that 202 (or 3%) of these e-mail addresses belong to a "US person", 1782 (or 24%) to a "Non-US person" and of 5501 (or 73%) addresses the nationality of the user is unknown:



Part of a spreadsheat titled "FISA recap" showing e-mail addresses monitored
between 2002 and 2008. The table seems to be ordered by expiration date
(click to enlarge)


In this sample, there are 8 e-mail addresses where the nationality is marked as "US Person" and except for one, these are all under responsibility of FBI. Of the 12 marked "Non-US Person", 4 are under responsibility of the CIA, 7 under the NSA and 1 has no responsible agency.


FBI Case Notations

Each entry in the list has a unique Case Notation starting with XX.SQF followed by six numbers. Greenwald states that such a case notation starting with XX.SQF is "assigned to all “FISA accounts” as a unique identifier" and points to a slide titled "FISA dataflow" as evidence for that:


Slide showing "FISA dataflow". It's unclear why the Case Notation format
has been partially redacted, and PALMCARTE is also not explained.
NAC presumably stands for NSA's Network Analysis Center.
(date unknown)


But in a little known NSA document (pdf) from 2006, which was published on March 11, 2014 by The New York Times, we see that XX.SQF is actually the prefix for FBI FISA data. It also says that US-984J is a SIGINT Activity Designator (SIGAD) which denotes FBI collection.

Data collected by NSA under FISA authority is identified by the SIGAD US-984*, in which the asterisk is a placeholder for additional suffixes (other than a J), like for example in US-984XN, which is the SIGAD for NSA's famous PRISM program.

So, the prefix XX.SQF isn't used for "all FISA accounts" as Greenwald wants us to believe, but just for those from the FBI. The 2006 document doesn't say what prefix is used for NSA data, but from the PRISM-presentation we know that communications collected by NSA through PRISM are identified by the trigraph SQC.

Analogue to the way the PRISM case notations are composed, a case notation from the spreadsheet, like for example XX.SQF055191 for the e-mail address of Asim Ghafoor breaks down into the following parts:
XX - This may stand for Internet Service Providers
. (dot) - Indicating multiple types of content
SQF - Fixed trigraph denoting FBI FISA collection
05 - Year the Case Notation was established: 2005
5191 - Serial number of the targeted address


The FBI as Responsible Agency

A second role of the FBI becomes clear when we look at the spreadsheet column for the "Responsible Agency". According to Greenwald's article, this column shows the federal agency that requested the monitoring of a particular e-mail address. In the sample shown above we see that this can either be FBI, NSA or CIA.

Most striking is that for the e-mail addresses of all five Muslim-American leaders, the FBI is the responsible agency that requested their surveillance. This was also recognized in Greenwald's story, and it's of course exactly how it should be, as it's officially up to the FBI to investigate American citizens and residents:



Excerpts of the FISA spreadsheet showing the entries for five Muslim-American leaders
The asterisk behind some of the mail addreses seems to
indicate that collection has been terminated
(compilation by IC Off the record - click to enlarge)


As we can see, these entries for the five Americans contain nothing that points to any kind of involvement of the NSA. Instead, both the case notation and the responsible agency indicate that it were FBI operations.

Greenwald and his co-author Murtaza Hussain were asked on Twitter whether there might be some additional evidence for the involvement of the NSA, but they haven't responded to this question.

The only relationship this list has to the NSA, is that it was among the Snowden-documents, but that can also be easily explained by the fact that for many other entries the NSA is the responsible agency. The list was most likely sent to all three agencies as a recap of which addresses were monitored on their behalf.

Given these considerations, it seems that the spreadsheet actually shows a large number of e-mail addresses that have been monitored by the FBI, and therefore their case notation starts with XX.SQF. This monitoring apparently took place partly for the FBI's own investigations and partly on behalf of NSA and CIA, to whom the FBI would have passed the communications from the e-mail addresses they requested.

According to a Foreign Policy article, the NSA is the most frequent requester of data from the FBI's interception unit DITU, for which there's a direct fiber-optic cable between Quantico and the NSA headquarters at Fort Meade.

Someone's suggestion that the case notation reflects the agency that requested the surveillance seems not plausible, because in that case there would have been a different prefix for FBI, NSA and CIA, but here the communications they requested all have the same XX.SQF-prefix.


How the FBI intercepts messages

All the cases on the list started before the FISA Amendments Act of 2008 was enacted, so it was done under the authority of the original Foreign Intelligence Surveillance Act (FISA) of 1978, which requires an individual order of the FISA Court (FISC) for every American that is considered a target. According to a top FBI lawyer, the application for every single US person consists of a 35 to 150 page packet that has to demonstrate the necessary probable cause.

After the FISC granted a warrant, the FBI probably went to the target's Internet Service Provider (ISP) in order to collect his communications. Each ISP is legally obliged to have Lawful Intercept (LI) equipment installed on their networks, in order to "perform electronic surveillance on an individual target as authorized by a judicial or administrative order", in this case the FISA Court warrant.

The equipment filters internet data packets based upon identifiers like e-mail and IP addresses, which means all kinds of communications that contain a particular e-mail address will be pulled out and forwarded to the FBI's Data Intercept Technology Unit (DITU). This method would also explain why in all case notations from the spreadsheet we see a dot, indicating that the collection resulted in multiple types of content.

Some people suggested that the government went to Yahoo and Google to get the messages from the Gmail.com and Yahoo.com e-mail domains (and retorically asked whether these companies did fight the order), but that is unlikely. For the assistance of these kind of web service providers, NSA set up the PRISM program, wich started in the fall of 2007, so only shortly before the surveillance cases mentioned in the spreadsheet expired. Yahoo joined PRISM in March 2008 and Google in January 2009.

The NSA has similar filtering equipment installed at switches of major internet backbone cables (for the so-called Upstream collection), but these are specifically used for foreign or international communications. One would expect that data collected this way, has a case notation with an NSA trigraph, but Washington Post journalist Barton Gellman writes that Upstream collection from network switches also has case notations that begin with XX.SQF, because this kind of collection is "managed by the bureau and shared with NSA". This seems to be a mistake because it is generally considered proven that Upstream interception is done by the NSA (for example: the Upstream slides don't mention the FBI, and a PRISM slide says NSA has a direct relationship with Upstream-providers).


There's a lot we don't know

In trying to clarify what the spreadsheet tells us, I assumed for the sake of readability that the FBI actually intercepted, processed and stored messages from these five Muslim-American leaders. But in his article, Glenn Greenwald suggests that even that is not known for sure:

"Given that the government’s justifications for subjecting [these five] U.S. citizens to surveillance remain classified, it is impossible to know why their emails were monitored, or the extent of the surveillance. It is also unclear under what legal authority it was conducted, whether the men were formally targeted under FISA warrants, and what, if anything, authorities found that permitted them to continue spying on the men for prolonged periods of time."

What he says is that we actually know hardly anything, except for the fact that the e-mail addresses of the men were found on the "FISA recap" list. Although the Muslim-leaders seem innocent of spying or acts related to terrorism, there's still the possibility that the FBI had good reasons to monitor them, but we just have no information about that.

In an ABC News report, anonymous former and current US government officials said that the five men could be guilty or innocent or even cooperating with the government (for example by having agreed with monitoring their communications in order to collect evidence against suspects).

According to these officials, Snowden or Greenwald may well have misunderstood the spreadsheet and made wrong interpretations. ABC further noticed that the document was also curiously absent of the regular classification markings, but that is probably because the list isn't in a .doc or a .pdf document, but in its original .xls spreadsheet file format.


Conclusion

Just like many other documents from the Snowden-leaks that were misrepresented, the original file disclosed in this latest Greenwald piece contains no evidence that NSA had anything to do with the monitoring of the five Muslim-American leaders. In fact, everything points to the FBI, but apart from that we know too little about these cases to say whether the Bureau acted illegally or out of paranoia. However that may be, we can't blame that on the NSA.



Links and Sources
- TheWeek.com: What you need to know about the latest NSA revelations
- Salon.com: First Amendment’s racial tumult: Why Greenwald’s latest revelation matters
- ABCNews.com: Feds Spied on Prominent Muslim-Americans, Report Claims
- ForeignPolicy.com: Meet the Spies Doing the NSA's Dirty Work

July 8, 2014

NSA still uses the UMBRA compartment for highly sensitive intercepts

(Updated: July 17, 2014)

Three days ago, on July 5, 2014, The Washington Post published some of the most important stories from the Snowden-leaks so far. It revealed that Snowden did had access to the content of data collected under FISA and FAA authority - a fact that had been kept secret until now. I'll come back on that main story later.

Here we will take a look at a remarkable detail from two slides that were also disclosed in the Post's article. The classification marking of these slides contains the codeword UMBRA, which was generally considered to be abolished in 1999, but now seems to be still in use. After going through several options, my conclusion is that UMBRA is most likely the codename of a so-called unpublished SCI control system.





"Target Package" prepared by the National Security Agency
prior to the capture of Abu Hamza in January 2011
(click to enlarge)


These slides are from a 2011 powerpoint presentation which details the plan to capture al-Qaeda facilitator Muhammad Tahir Shahzad and which pinpoints his location and his activities based upon intercepts from his various e-mail accounts. He was captured in Abbottabad the day after this presentation was finalized.


In the 2012 NRO Review and Redaction Guide (pdf) the existance of the UMBRA codeword is approved for public release, just like its paragraph portion marking TSC (for Top Secret Codeword). But as this manual also lists many revoked codewords, it is not conclusive about wether UMBRA is still used. One thing that is interesting though, is that the TSC portion marking would fit some of the redacted spaces in the newly disclosed slide:


Some possible options for the portion markings



Top Secret Codeword

UMBRA was one of three codewords that were used to protect sensitive intercepts of Communication Intelligence (COMINT). These codewords represented three levels of sensitivity:
- UMBRA for the most sensitive material (Category III)
- SPOKE for less sensitive material (Category II)
- MORAY for the least sensitive material (Category I)

These kind of codewords were used since the end of the 1950s World War II and together they were commonly called "Top Secret Codeword" (TSC), which was often seen as a level "above Top Secret", although it was actually more like a "vertical" division of the Top Secret-level. The codewords UMBRA, SPOKE and MORAY can be seen on many highly secret documents, a number of which have been declassified, like for example this statement from 1980 for a court case about NSA's information about UFOs:


(click for the full document as pdf-file)


According to instructions like these, the use of the codewords UMBRA, SPOKE and MORAY was terminated as of May 1999. From then on, the kind of information they were used for, had now to be protected by the general COMINT control system, or by specific compartments thereof for more sensitive information.
Update:
Since World War II, the NSA and her predecessors used codewords for protecting highly sensitive COMINT information and they were generally replaced by a new one every one or more years. The Top Secret codeword TRINE was compromised when the North Koreans captured the NSA spy ship USS Pueblo in 1968. TRINE was then replaced by UMBRA.


SPOKE

Very interesting is that not only UMBRA, but also the codeword SPOKE seems to be still in use. One document from the Snowden-leaks, which was published by Der Spiegel on December 20, 2013, is marked SECRET STRAP1 SPOKE. STRAP is the codeword that GCHQ uses to protect sensitive information, with STRAP1 denoting the least sensitive category:


Given the rather old-fashioned logo-type of the letters SD, it's not quite clear whether the document, or at least the header might predate 1999, although the content is clearly from more recent years. Der Spiegel said that it's an "analysis of the communication paths between Belgium and Africa prepared in January 2009".


Possible options

NSA using codewords that were generally considered abolished, reminds of a similar case in which the NOCON marking appeared in a document from the Snowden-trove. The general use of that marking was terminated in 1995, but NSA kept using it as an internal marking. As such it isn't listed in the official Classification Manuals, which are declassified regularly.

Now it seems that the same could have happened to the codewords UMBRA, SPOKE and maybe also to MORAY, but there's a difference: NOCON is a dissemination marking, a category which is less strictly controlled than a compartment, like UMBRA.

As the classification line of the newly disclosed slides seems not fully correct (there has to be a single, instead of a double slash between ORCON and REL USA, FVEY), which makes that there are a few options for what UMBRA could actually represent.



One option is that the double slash between COMINT and UMBRA is correct. In that case UMBRA wouldn't be a Sensitive Compartmented Information (SCI) label for intelligence information - which it actually looks like most - but a codeword from another category, like for example a Special Access Program (SAP) or Foreign Government Information (FGI) (Marc Ambinder favors this option).

Another option is that there should have been just a single slash between both terms. That would mean UMBRA is a normal SCI control system, in this case one that is apparently kept secret, as it was never mentioned anywhere since 1999.

The latter option seems very well possible, because the most recent Intelligence Community Classification Manual (pdf) acknowledges the existance of "registered but unpublished SCI control systems" which "must remain unpublished due to sensitivity and restrictive access controls".

It seems less likely that UMBRA is the undisclosed compartment of the COMINT (SI) control system, which is listed in the most recent Intelligence Community Classification Manuals, because in that case the marking would have read TOP SECRET//COMINT-UMBRA//etc.

Questions

Given this sensitivity, one wonders why in the orange classification bars of the slides UMBRA hasn't been blacked out. The overall classification line in the first slide and also most of the portion markings were fully redacted, although the latter can hardly contain something that is more sensitive than the UMBRA abbreviation.

Another question is whether Edward Snowden had authorized access to the UMBRA compartment, or that he was able to just grab these slides otherwise. The Washington Post suggests that he did had access to the Exceptionally Controlled Information (ECI) compartment RAGTIME, which is similar to UMBRA, but for content collected under FISA authority (UMBRA is probably for content collected under EO 12333).


Conclusion

For those who are somehow familiar with the US classification system, it must be quite surprising to see a codeword that has been considered dead for 15 years popping up from the Snowden-leaks. The most likely explanation is that after UMBRA (and SPOKE too) was publicly abolished in 1999, NSA kept using it in secret as a compartment for very sensitive communication intercepts, but now as an unpublished SCI control system - letting outsiders think that UMBRA was something from the past!



Links and Sources
- Lux ex Umbra: UMBRA history
- TheWeek.com: The return of an intelligence code word with a storied history
- A work of art from the series "Secret Codewords of the NSA": UMBRA
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.

July 3, 2014

The National Security Agency in 2002



During the past year, a number of slides from a 2002 NSA presentation titled "National Security Agency: Overview Briefing" were disclosed as part of the Snowden-leaks.

This presentation as a whole would have been a great comprehensive overview of the structure and the mission of NSA at the start of this millennium, but until now only six slides were made public, widely scattered over a period of almost a year and media from 3 continents, almost as to prevent people getting to see the whole picture.

All slides from this presentation can be recognized by their rather overloaded blue background, combining the seals of NSA and CSS, a globe, numerous ones and zeros representing digital communications, and a fancy photoshopped lens flare. In a number of slides, the font type of the classification marking looks different, which could indicate that the presentation was altered and/or re-used several times.




This slide was published by Brasilian media in July 2013. A somewhat distorted version (pdf) was published by Der Spiegel on June 18, 2014. It shows a world map with all the locations where there's a satellite intercept station, which is used for the collection of foreign satellite (FORNSAT) communications.

Nine stations are operated by NSA, including two as part of an SCS unit (see below), and seven stations operated by 2nd Party partners, in this case Great Britain, Australia and New Zealand:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)
  2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, ? (New Zealand)

All these satellite intercept stations were interconnected, and it was this network that became publicly known as ECHELON. Revelations about this eavesdropping system in the late 1990s led to public and political outrage and subsequent investigations very similar to what happened since the start of the Snowden-leaks.

Until the new millennium, international communications travelled via satellite links, which made ECHELON one of NSA's most important collection systems. But since then, international traffic has shifted almost entirely to fiber-optic cables, making this the agency's current number one source.

We have no slide about NSA's cable tapping capabilities in 2002, but from other sources we know that there were at least three programs operational outside the US:
- RAMPART-M for access to undersea cables
- RAMPART-T for land-based cables, in cooperation with CIA
- RAMPART-A for cable access in cooperation with 3rd Party partner agencies




This slide was published by the Italian paper L'Espresso on December 6, 2013. It once again shows a world map, this time with the names of over 80 cities where there's a joint NSA-CIA Special Collection Service (SCS) unit. These units operate covertly from inside a US embassy or consulate to get access to targets that are difficult to reach otherwise. The names of cities in countries that are hostile to the US are redacted by the paper.

There are also four "Survey Sites" and seven "Future Survey Sites", but at present it is not clear what that means. Finally, there are two Technical Support sites: PSA in Bangkok, Thailand, and RESC (Regional Exploitation Support Center?) at the US Air Force base in Croughton, UK. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.




This slide was published by Der Spiegel on June 18, 2014. It shows a world map with the locations where there's a Cryptologic Support Group (CSG). These CSGs are part of the signals intelligence and cryptologic branches of the five US Armed Services (Army, Navy, Air Force, Marines, Coast Guard), which together form the Central Security Service (CSS) - the tactical part of NSA.

Cryptologic Support Groups provide advice and assistance on SIGINT reporting and dissemination and are located at all major US military command headquarters, both inside and outside the United States. The locations of Cryptologic Support Groups in 2002 were:
- STRATCOM: United States Strategic Command, Omaha
- TRANSCOM: United States Transportation Command, Belleville
- USSPACECOM: United States Space Command, Colorado Springs
- JSOC: Joint Special Operations Command, Spring Lake
- State Department, Washington
- NMJIC: National Military Joint Intelligence Center, Washington
- CIA: Central Intelligence Agency, Langley
- ONI: Office of Naval Intelligence, Suitland
- San Francisco
- FORSCOM: United States Army Forces Command, Fort Bragg
- JFCOM: United States Joint Forces Command, Norfolk
- SOCOM: United States Special Operations Command, MacDill AFB
- CENTCOM: United States Central Command, MacDill AFB
- Key West (Naval Air Station)
- SOUTHCOM: United States Southern Command, Doral
- EUCOM: European Command, Molesworth
- NAVEUR: United States Naval Forces Europe, London
- USAREUR: United States Army Europe. Wiesbaden
- USAFE: United States Air Forces in Europe, Ramstein
- EUCOM: European Command, Stuttgart
- USFK: United States Forces Korea, Seoul
- Japan
- Hawaii (United States Pacific Command)

This large number of CSG locations is one of the things that reflects the importance of NSA's military mission, which is almost completely ignored in the Snowden-reportings (the slide was published rather unnoticed as part of a batch of 53 NSA-documents)




This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It shows what NSA saw as current threats in 2002, with an overlay that seems to have been added later and which lists a range of communication techniques. Greenwald says this slide shows that NSA also counts these technologies, including the Internet, as threats to the US, proving that the US government sees this global network and other types of communications technology as threats that undermine American power.*

This interpretation is rather far-fetched because in that case, pagers and fax machines would also be a threat to the US. It's obvious the list shows the means by which individuals and organisations that threaten the US can communicate - which of course is important to know for a signals intelligence agency like NSA.

The actual threats listed in the slide are:
- Hackers
- Insiders
- Traditional Foreign Intelligence
- Foreign [...]
- Terrorists
- Criminal elements
- Developing nations



This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It says that NSA has alliances with over 80 major global corporations supporting both missions (i.e. Signals Intelligence and Information Assurance) and presents the names of a number of big American telecommuncations and internet companies, along with pictures of some old-fashioned communication devices.

Greenwald's book says that in the original presentation, this slide follows some unpublished ones that are about "Defense (Protect U.S. Telecommunications and Computer Systems Against Exploitation)" and "Offense (Intercept and Exploit Foreign Signals)".*



This slide was also published in Greenwald's book on May 13, 2014. It shows the three main categories of "customers" of NSA, which are government and military organizations that can request and receive intelligence reports. Besides other major US intelligence agencies, we see that NSA works for civilian policy makers as well as for military commanders, from the Joint Chiefs of Staff (JCS) and the Commanders-in-Chief (CINCs) down to tactical commanders.

Greenwald uses this slide to point to the Departments of Agriculture, Justice, Treasury and Commerce, the mentioning of which he sees as proof for an economic motive of NSA's spying operations.* Although almost all countries (try to) spy in order to get information that can be usefull for their national economic interests, Greenwald is doing as if this kind of intelligence is somehow off limits, and thereby discrediting NSA.


> See also: NSA's global interception network in 2012



Links and Sources
- National Security Agency: Transition 2001 (pdf)