November 22, 2015

Unnoticed leak answers and raises questions about operation Eikonal

(Last edited: November 23, 2015)

Almost unnoticed, the Austrian member of parliament Peter Pilz recently disclosed new information about operation Eikonal, under which NSA and BND cooperated in tapping some fiber-optic cables at a switching center of Deutsche Telekom in Frankfurt, Germany.

As part of the NSA umbrella program RAMPART-A, Eikonal was set up to gather intelligence about targets from Russia, the Middle East and North-Africa. Because the cables that were tapped came also from countries like Austria, Switzerland, France, Belgium and the Netherlands, there were fears that their communications were intercepted too.

Here, the newly disclosed information will be discussed and combined with things we learned from the hearings of the German parliamentary commission that investigates NSA spying, including operation Eikonal.

Overview of the joint NSA-BND operation Eikonal (2004-2008)
(Click to enlarge)


The new information comes from transcripts of some fax and e-mail messages from employees of BND, Deutsche Telekom and the federal Chancellery, which Peter Pilz published on his website on October 23, 2015.

He never told how he got these highly sensitive documents, but as they were made available to the parliamentary inquiry commission, it seems most likely someone from or very close to this commission must have leaked them to Pilz. Strangely enough, this leak was never investigated.

Media attention

Also remarkable is that the information and documents disclosed by Peter Pilz were almost completely ignored by mainstream German media like ARD and ZDF and the major newspapers. The latest disclosure was for example only reported by the Austrian paper Der Standard and the German tech website

By contrast, in neighbouring countries like Austria, Belgium and the Netherlands, the Pilz revelations were big news and led to official investigations. Through May and June of this year, he had published lists of communication links related to Switzerland, France, Luxembourg and Poland too, claiming they showed to what extent BND and NSA spied upon these countries.

First part of the list with communication links related to France
(Source: Peter Pilz - Click to enlarge)

Whose's links?

Initially, Peter Pilz claimed these links were from a priority list of the NSA, but neither he, nor the commission hearings could clearly confirm this. The Dutch website De Correspondent reported that there was even a much larger list of some 1000 transit links, of which ca. 250 were marked in yellow.

Now, Pilz confirms that there's indeed such a large list: it was prepared by Deutsche Telekom and contains all its 1028 transit links. Employees of BND had marked 256 of them in yellow, apparently the ones they were most interested in, and hence the list became known as the BND priority list. He doesn't mention an involvement of NSA at this stage anymore.

Now that we know the large list of over 1000 links isn't an even larger "wish list", but a list of all available transit links, it could well be that BND tried to select around 20% of them, as a rather strange provision in German law says that bulk collection is only allowed up to a maximum of 20% of a cable's capacity.

As Telekom Austria rented the channels to Vienna, we can assume that other national telecommunication providers also rented their links to Frankfurt, with Deutsche Telekom being the owner of the cables as part of their international backbone network.

Determining the access points

After BND selected the 256 channels, Deutsche Telekom had to look which of them ran through Frankfurt and could be intercepted there. For this purpose Harald Helfrich of the lawful interception unit of Deutsche Telekom AG (DTAG) sent his collegue mr. Tieger the following e-mail on September 16, 2003:

Hallo LK,

wie heute morgen besprochen übersende ich Ihnen die Liste der Transit-Leitungen der DTAG. Wir bitten Sie die gelb unterlegten Verbindungen bzgl. ihrer Führung (z.B. Ffm 21 oder Norden-Nordeich) und ob in der 2-Mb-Ebene greifbar, zu analysieren.

Anlage: Trans mit ausgesuchten Strecken

In this mail it is asked to analyse whether the transit channels marked in yellow can be intercepted at the 2 Mbit-level, either at Deutsche Telekom's Frankfurt am Main Point-of-Presence 21 (Ffm 21) or at Norden-Norddeich.

The latter is a town at the northern coast of Germany, where the SeaMeWe-3 and TAT-14 submarine cables land. For the parliamentary commission this was a reason to ask whether also cables where intercepted over there, but that was strongly denied by the witnesses involved.

Selecting individual channels?

Interestingly, the phrase "ob in der 2-Mb-Ebene greifbar" suggests that it could be possible to just intercept specific 2 Mbit/s channels while leaving the other ones untouched (one physical STM1-cable has a data rate of 155 Mbit/s and contains 63 virtual channels).

Whether this is possible is important for how focused such cable tapping can be. Isolating individual channels depends in the first place on where exactly the tapping takes place:

A. When the physical fiber is intercepted before it reaches the switch, it has to be bend in order to catch the light that leaks. Because this leaking signal is much weaker, it has to be amplified before it can be processed. In this way it's not possible to select individual channels: the eavesdropper gets everything that runs over the fiber, and has to demultiplex the channels himself to select the ones that contain traffic of interest.

Splitting a traffic from a fiber-optic cable by bowing it
(diagram: OSA Publishing, slightly simplified)

B. When the interception takes place at an optical switch itself, then it's possible to only grab the virtual channels you are interested in. A physical cable contains channels which have to be demultiplexed at the switch in order to be forwarded (switched) to the fiber that leads to the intended destination. When the switch converts the optical signals into electronic signals it is even more easy to duplicate only individual channels of interest.

Diagram showing (de)multiplexing at a fiber-optic switch
(diagram modified from Wikimedia Commons/Jflabourdette)

Different methods

During the commission hearing of March 26, 2015, Klaus Landefeld, board member of the DE-CIX internet exchange, indicated that at least since 2009, interception takes place at the switch. Also, the so-called G10-orders authorise interception based upon Autonomous System Numbers (ASN) which are used for logical paths, rather than by naming physical cables to or from a certain city.

However, it seems that under operation Eikonal, the fiber-optic cables were tapped by splitting the cable signal before it reached the switch. This was more or less clearly indicated by several witnesses heard by the parliamentary commission, and there are several other indications too.

In 2004, it was apparently not yet possible to establish a tap at the switch itself to get access to individual channels (although Deutsche Telekom could have demultiplexed the fiber and only forward the channels of interest to BND, but this wasn't the case).

Government authorisation

After BND had made clear what they wanted, the Deutsche Telekom management wasn't sure whether such cable access was legal. Therefore they wanted to be backed by the federal Chancellery. On December 30, 2003, the coordinator for the intelligence services at the Chancellery, Ernst Uhrlau, sent the following fax message to Kai-Uwe Ricke, then CEO of Deutsche Telekom, and Josef Brauner, head of the landline division T-Com:

Sehr geehrter Herr Ricke, sehr geehrter Herr Brauner,

das Bundeskanzleramt ist sehr interessiert, dass der Bundesnachrichtendienst im Rahmen seines gesetzlichen Auftrages kabelgestützte Transitverkehre aufklärt. Der vom Bundesnachrichtendienst in Ihrem Unternehmen geplante Aufklärungsansatz steht aus hiesiger Sicht in Einklang mit geltendem Recht.

Ich darf auf diesem Weg die Anregung des Bundesnachrichtendienstes weitergeben, in der Deutschen Telekom AG, T-Com, den Bereich RA 43 (Staatliche Sonderauflagen), zu dem bereits im Rahmen der Strategischen Fernmeldekontrolle Kontakte bestehen, mit der Durchführung der auf Seiten der Deutschen Telekom AG erforderlichen Maßnahmen zu beauftragen.

It says that in the opinion of the Chancellery, the proposed BND operation is according to German law. The Chancellery encourages Deutsche Telekom to instruct its lawful intercept unit RA 43 (which is one of four Regionalstellen für staatliche Sonderauflagen or ReSA) to start taking the necessary measures for the interception.

Transit Agreement

On behalf of the board of Deutsche Telekom, Josef Brauner answers the fax from the Chancellery on January 13, 2004. He says the T-Com division is aware of the importance of a well-functioning intelligence service, and will therefore support the interception of cable-bound transit traffic:

Sehr geehrter Herr Ministerialdirektor,

gerne bestätigen wir Ihnen den Erhalt Ihres Schreibens vom 30. Dezember des letzten Jahres.

Die T-Com ist sich der Bedeutung eines gut funktionierenden Nachrichtendienstes für das Gemeinwesen der Bundesrepublik Deutschland - insbesondere vor dem Hintergrund der terroristischen Angriffe des 11. September 2001 - bewusst und wird daher die geplanten Aktivitäten des Bundesnachrichtendienstes, die kabelgestützten Transitverkehre im Rahmen seines gesetzlichen Auftrages aufzuklären, unterstützen.

Entsprechend der Anregung des Bundesnachrichtendienstes wird diesseits unser Bereich RA43 (staatliche Sonderauflagen) beauftragt, die hierfür von unserer Seite erforderlichen Maßnahmen vorzunehmen

Then on March 1, 2004, the BND and Deutsche Telekom signed the so-called Transit Agreement (pdf), in which the latter agreed to provide access to its transit cables, and in return will be paid 6.500,- euro a month for the expenses. This agreement was also leaked to Peter Pilz, who published it on May 18, 2015 in the Austrian tabloid paper Kronen Zeitung.

Preparing for collection

After the agreement had been signed, BND sent an e-mail on March 9, 2004 to Wolfgang Alster, head of Deutsche Telekom's lawful interception unit RA 43 asking for the connection (schaltung) of the first communication links. He adds that he had ordered the payment of the first two monthly payments:



Hallo Herr Alster,

Der Geschäftsbesorgungsvertrag "Transit" ist ja jetzt von beiden Seiten unterzeichnet und gestern habe ich die beiden ersten Monatszahlungen veranlasst.

Daher erdreiste ich mich, Sie um die erste Schaltung von Leitungen zu bitten.

Realising the access was apparently not that easy, because it took until December 2004 before the first cable was connected. Then it appeared that it's signal was too weak, so in January 2005 an amplifier was installed - as the parliamentary commission was told by S.L., who was the BND project manager for Eikonal (note that the use of an amplifier indicates tapping the entire fiber-optic cable).

At this first stage of operation Eikonal, only circuit-switched (Leitungsvermittelte) telephone communications were intercepted. Collection of packet-switched (Paketvermittelte) internet communications started in 2006 (see below).


On February 3, 2005, mr. Knau mailed his colleague Harald Helfrich at the RA 43 unit that an STM1-link between switching center Frankfurt 21 and Luxembourg had been connected. Channels 2, 6, 14, and 50 contained the virtual channels that had Luxembourg as their endpoint:

Hallo Herr Helfrich,

Habe heute früh die o.g. Verbindung auf die Punkte 71/00/002/03 19 + 39 zugeschaltet. In der Anlage ist die Belegung lt. RUBIN ersichtlich.

Auf den Kanälen 2, 6, 14, 50 befinden sich die in der Liste markierten DSVn mit der Endstelle Luxembourg.

Bitte um Rückmeldung ob das ganze funktioniert.

Anlage: Belegung 7571 Luxbg

We also see the term RUBIN (German for ruby), and during the commission hearings it seemed that this was an alternate codename for operation Eikonal. But when heard on January 15, 2015, Harald Helfrich explained that RUBIN is actually a system that Deutsche Telekom uses to manage its communication links and cables - which perfectly fits how the term is used in this e-mail.

Channels of interest

The next e-mail is also from February 3, 2005, but was already published by Peter Pilz on May 15, 2015 and is the only one that is available in what seems to be its original form. It's from Harald Helfrich, who informs a mr. Siegert at the BND that mr. Knau had connected an STM1-link earlier that morning (see previous e-mail). He says it contains the channels that were on the BND priority list:

This e-mail says that BND was interested in the following 2 Mbit/s channels from the Transit STM1-cable "Ffm 21 - Luxembourg 757/1":
Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

According to Peter Pilz, additional cables were connected on February 14 and 25, as well as on March 3, 2005. Unfortunately, he either doesn't possess or didn't disclose the related e-mails, so we still don't know how many and which channels have actually been intercepted.

The interception of telephony communications therefore started in the Spring of 2005, which means that collection under Eikonal only lasted for 3 years, and not 4 years, when one would count from signing the agreement in 2004 until the end of the operation in 2008.

Ending telephone interception

Peter Pilz published the transcripts of two more e-mails, which are about ending the telephone interception. On May 27, 2008, mr. Thorwald from Deutsche Telekom sent the following message to his colleague Harald Helfrich, informing him that fully circuit-switched transit traffic isn't supported anymore. Therefore, the extraction of transit traffic at the company's premises can be terminated:

Sehr geehrter Herr Helfrich,

Wie wir bereits telefonisch besprochen, teile ich Ihnen mit, dass die Verarbeitung von reinen leitungsvermittelten "Transit-Verkehren" von uns nicht mehr durchgeführt wird.

Aus diesem Grund kann die Ableitung der Transit-Verkehre in unseren Betriebsräumen eingestellt werden.

Im leitungsvermittelten Bereich (Ableitung auf höherer Ebene) besteht aktuell der Bedarf zur Ableitung von folgenden Verkehren:

+ 2 x STM-64
+ 4 x STM-16

After that, Thorwald writes that there's currently a need to extract the traffic of two STM-64 and four STM-16 cables, which have a data rate of ca. 10 Gbit/s and 2,5 Gbit/s respectively. This is also said to be circuit-switched, but "extraction at a higher level".


If we assume that Peter Pilz provided the correct date for this e-mail, it's strange that there was apparently a need for new cable accesses, hardly a month before operation Eikonal was officially terminated (June 2008).

Even more strange is that the e-mail says the new accesses are also circuit-switched (leitungsvermittelt), while during the hearings it was testified that the collection of such telephone communications ended in January 2007, after Deutsche Telekom fased-out its business model for dedicated transit cables. This e-mail brings that message almost 1,5 years later!

Internet access

From the commission hearings we also learned that BND wanted access to internet traffic too, which is packet-switched (Paketvermittelt). For this, the first cable became available by the end of 2005, but it took some months before the backlink was also connected. In the spring of 2006 a second cable was added, and the front-end system and the filters were tested until mid-2007.

Could it be that mr. Thorwald just made a mistake, and wrote "leitungsvermittelten" where he meant "paketvermittelten"? But even then, why add new internet cables, just before the operation was ended?

Another question

A similar anomaly can be found in an e-mail, that according to Peter Pilz, was sent one day later, on May 28, 2008. In it, mr. Knau informed Harald Helfrich and his superior Wolfgang Alster that the access to four STM1-cables can be terminated immediately.

Given what was said during the commission hearings, one would have expected that this also had happened already in January 2007, instead of May 2008. It seems some things don't add up here.

Wie bereits fernmündlich besprochen, können nachfolgende STM1-Zuschaltungen mit sofortiger Wirkung aufgehoben werden:

Ffm 21 - Stuttgart 10 757/22A
Ffm 21 - Paris 757/1
Ffm 21 - Reims 757/1
Ffm 21 - Luxembourg 757/1

Physical cables

Unlike the numerous virtual channels in the lists, this e-mail is about physical cables. "Ffm 21 - Luxembourg 757/1" is the one mentioned in the e-mail from February 3, 2005, containing 4 channels of interest to Luxembourg; the others are cables from Frankfurt (Ffm) to Reims, Paris, and Deutsche Telekom's Point-of-Presence in Stuttgart. With this, we now have proof of 3 other cables having been tapped.

According to a list (.docx) publiced by Peter Pilz, there are 29 channels to/from Reims and 22 channels to/from Paris, all of which could easily have been in the fiber-optic cable between Frankfurt and Reims, and Frankfurt and Paris, respectively, as one single STM1-cable contains 63 separate channels:
Frankfurt - Stuttgart: ? channels of interest
Frankfurt - Paris: 22 channels of interest
Frankfurt - Reims: 29 channels of interest
Frankfurt - Luxembourg: 11 channels of interest

Peter Pilz concludes that operation Eikonal was the start of NSA's illegal mass surveillance of European telecommunications. But that's not supported by evidence. After Eikonal, NSA continued joint cable tapping operations with BND and other European agencies, but as these programs are part of RAMPART-A, they are mainly aimed at specific targets in Russia, North-Africa and the Middle East.*

BND cable tapping

Operation Eikonal did start something else though: it provided BND with the knowledge and the experience for conducting cable tapping on its own: in 2009 they started intercepting cables from 25 internet service providers, this time at the DE-CIX internet exchange in Frankfurt - as was revealed by Der Spiegel on October 6, 2013.

Among these 25 providers are foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

It appears that this interception takes place in cooperation with the DE-CIX Management and that the various providers themselves didn't knew that this was happening. A smart move, as this provides BND with just one single point-of-contact, while the indivual providers can honestly deny that their cables are being intercepted.

Links and sources
- BND-Operation Eikonal: "Freibrief" für die Telekom aus dem Kanzleramt
- Pilz: Berlin genehmigte NSA-Spionage gegen Österreich
- "Ich darf die Anregung weitergeben..." Die Operation Transit in Europa

November 3, 2015

New details about the selectors NSA provided to BND

(Updated: November 28, 2015)

Since last Spring, the German parliamentary commission investigating NSA spying is trying to find out whether the Americans secretly tried to spy on German and European targets.

During the hearings it became clear that the German foreign intelligence service BND wasn't able to fully prevent that selectors, like e-mail addresses and phone numbers, provided by the NSA, were fed into the collection system.

A special investigator was allowed access to the lists of rejected selectors and he reported about his findings last week. Here follows the background of this affair and the most important and interesting details from the investigation report.

> Many more details pieced together from the commission hearings can be found here

The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)

Satellite interception

The origins of the selector affair go back to 2004, when the Americans turned their satellite intercept station Bad Aibling over to German intelligence. In return, BND had to share the results from its satellite collection with the NSA, for which the latter provided selectors, like e-mail addresses, phone numbers, etc. of the targets they were interested in.

Besides the satellite interception, Bad Aibling was also involved in cable tapping, but only under operation Eikonal (2004-2008), which was limited to cables from Deutsche Telekom in Frankfurt.

Until 2013, NSA is said to have provided some 690.000 phone numbers and 7,8 million internet identifiers. As a foreign intelligence service, BND is not allowed to collect German communications, let alone hand them over to NSA. In order to prevent that, BND tried to check all these selectors, initially by hand, but since 2008 by using a automated filter system called DAFIS.

Blocking German selectors

During a number of tough and lengthy hearings of the parliamentary commission that investigates NSA spying, BND employees had to admit that DAFIS was only able to defeat selectors that were clearly recognizable as belonging to Germans, like mail addresses ending with .de or phone numbers starting with (00)49.

There was hardly any effort to sort out selectors related to other European countries. Also the foreign e-mail addresses, like from Hotmail or Google, used by Germans were only blocked when someone at BND stumbled upon them. Although these kind of selectors could have been blocked more systematically, it's impossible to enter all relevant ones into the DAFIS filter.

This means, when NSA targeted such foreign addresses, the chances they were rejected by DAFIS are not very high and will therefore have been activated on the collection system. Such selectors went into the tasking database, without practicable or reliable means to identify and block them.

Rejected selectors

When the DAFIS system found recognizable German selectors, they were marked as disapproved and not entered into the collection system, so they could not lead to any results.

Initially it seemed that these rejected selectors were put into a separate repository (German: Ablehnungsdatei, also Ausschussliste), but actually they stayed in the tasking databases and were only extracted for the purpose of the parliamentary inquiry.

This resulted in a list of almost 40.000 rejected selectors. An investigation by BND employee Dr. T. in August 2013, revealed almost 2000 e-mail selectors that had been activated, but now seemed politically sensitive. A simultaneous investigation by W.O. resulted in over 10.000 e-mail selectors belonging to European government agencies.

Overview of the dataflow for the NSA-BND cooperation at Bad Aibling
(Click to enlarge)

Special investigator

Members of the parliamentary investigation commission were eager to see those selectors, but they are sensitive and classified, so the government denied them access. Finally, a compromise was made, under which an independent special investigator was allowed to examine the lists of rejected and suspicious selectors and report back to the commission, without disclosing individual targets.

The coalition parties agreed upon Dr. Kurt Graulich, a former judge at the Federal Administrative Court, for this job. During the past 4 months he examined the selector lists and finished his investigation on October 23 with a report, which was presented in three versions on October 29:
- A classified report for the federal government
- A classified report for the commission
- A public report (263 pages pdf)

Report by special investigator Dr. Kurt Graulich
(Click for the full report in .pdf)

Selector lists

Special investigator Graulich examined the following lists (German: Liste) of selectors that had been rejected by the DAFIS filter, or sorted out by hand because they were considered politically sensitive:

a. The Ablehnungsliste, containing 39.082 selectors (2.918 from the telephony and 36.164 from the internet tasking database) from 2005 till March 2015.

Including most parts of:
b. The 2000er-Liste, containing 1.826 e-mail selectors, which were found in August 2013 by Dr. T. and subsequently marked as disapproved.

c. The 2005er-Liste, containing 74 telephone selectors (52 belonging to EADS, 22 to Eurocopter), which were found by the end of 2005 and were marked as disapproved in January 2006.

d. The Nachfund 1, containing several lists with a total of 444 telephone selectors that were found by semi-manual checks in 2007 and were all marked as disapproved.

e. Not available anymore were between 10.000 and 12.000 e-mail selectors that were found by BND employee W.O. when he checked the tasking database for terms related to European government agencies. He found results for 18 EU member countries and these selectors were marked as disapproved.

Types of selectors

By examining the largest list of rejected selectors (Ablehnungsliste), Dr. Graulich found that it contains the following types of selectors:
For telephony:
- IMSI: Numbers of cell phone SIM cards
- IMEI: Numbers of cell phone devices
- SCREENNAMES: User names or numbers, mainly used for VoIP calls.
- EMAIL_ID: E-mail addresses, mainly used for VoIP calls
- PSTN: Phone and fax numbers

For internet:
- EMAIL_ID: E-mail addresses without permutations
- IMEI: Numbers of cell phone devices
- IMSI: Numbers of cell phone SIM cards
- IPV4: IP addresses
- PSTN: Phone numbers
- OTHER: For example user names, messenger or social network identifiers, cookies, login-data, phone numbers, hashes, etc.

In the tables that contain telephone selectors there's also a field for a description, like a text explaining the reason for targeting, a code or an abbreviation like CT for Counter-Terrorism.

For internet selectors, these descriptions were only visible for NSA personnel, but due to technical reasons not for BND and are therefore not available anymore. Because they lacked justifications, BND stopped using NSA provided internet selectors for the time being as of May 2015.

Keywords were also used as selectors, but according to the report, they are rarely used, because they have to be very specific. Generic words like "bomb" would produce way too many irrelevant results.

It's not clear whether PSTN only applies to traditional land line phone numbers, or also includes mobile phone numbers (known as MSISDN).

Telephone selectors

Together with experts from BND, special investigator Graulich examined all the selectors on these lists and tried to determine the reason for which they were originally rejected. Most important is the Ablehnungsliste, with the selectors that had been filtered out by the DAFIS system.

Most of the telephone selectors appeared to have been rejected because they belonged to German persons or companies and/or contained .de or (00)49. The e-mail addresses for VoIP calls were all blocked because they had no top-level domain - selectors that could not be attributed to a country were rejected.
On the website it was noticed that for VoIP, one doesn't use e-mail addresses, but SIP addresses, which do have a similar format, like, but which are often under generic top-level domains. Also, blocking IMEI addresses containing "49" wouldn't be very effective, as there are other codes used for Germany, and phones may be sold throughout the European Union.

Some telephone selectors were also not activated because the description field contained terms like for example "German", "Germany" and "Europe".


For one internet identifier, like for example an e-mail address, there are multiple permutations, each of which is counted as a separate selector. There can be up to 20 different permutations for one identifier, which explains the very high total number of internet selectors (7,8 million), compared to those for telephony (690.000).

Such a permutation is used to address the various encoding protocols used on the internet. The report gives the following examples:
mustermann%40internet%2Eorg (HTML-Hex)
mustermann\&\#37; (multiple encodings)
mustermann\\ (UTF-16)
Taken together, all permutations of an internet address are called a Telecommunications Identifier (German: TeleKommunikationsMerkmal or TKM). For telephony, the TKM equals the selector, in other words, there are no permutations for phone numbers.

Internet identifiers

Many internet selectors were rejected by the DAFIS filter system because they belonged to German persons or companies, contained German codes like .de and (00)49, or names of German companies. Also a number of IP addresses had been rejected, but it wasn't possible to determine why. They now belong to providers outside Europe.

The investigator could also not determine what the reasons had been for blocking the remaining internet identifiers, like user names, messenger or social network identifiers, cookies and login-data. NSA provided them combined with other selectors in a so-called equation, but BND separated these for DAFIS filtering, which makes it impossible now to relate them to identifiable selector types.


Of the Telecommunications Identifiers (TKMs) found in the main Ablehnungsliste with the rejected selectors, 62% belong to government agencies of EU member states, 19% to Germans outside Europe, 7% to EU institutions, 6% to Germans, 4 to foreigners abroad, 1% to Germans in Europe and 1% to German embassies.

For all selector lists, the reasons why the selectors were apparently rejected can be found in this table:

Table with the reasons why BND rejected certain NSA selectors
(Table: Graulich report; Translation:; Click to enlarge)

German targets

The examination of the selector lists revealed that NSA provided several hundred selectors related to Germans, but most of them were blocked by the DAFIS filter. Around 250 had been active for a shorter or longer period of time, but it is not known whether this resulted in communications being collected.

As the 2002 Memorandum of Agreement (MoA), under which the cooperation at Bad Aibling was established, prohibits targeting Germans, the German selectors that had been activated are a violation of the agreement, and moreover also a violation of German law.

The rejected selectors are mainly about German companies, both inside Germany and outside Europe. Without knowing the reasons for targeting these companies, it cannot be said whether this would constitute economical espionage. Construction companies for example can be involved in both civilian and military projects (so-called dual-use).

WikiLeaks' lists

It is interesting to see that there are no rejected selectors that belong to German cabinet ministers. This means, NSA wasn't so stupid to send BND the list of selectors that contains the phone numbers of chancellor Merkel, several ministers and high-level federal government officials - a list that was published by WikiLeaks last July.

Even more interesting would be to know whether the rejected selectors contain the phone numbers of the French prime minister and his cabinet ministers, which were on a similar tasking database list that was published by Wikileaks in June. Special investigator Graulich wasn't able to determine this, because Wikileaks redacted the last four digits of the phone numbers.

European targets

The biggest number of rejected selectors are e-mail addresses (and some other internet identifiers) of European government agencies: 22.024 selectors, being the permutations of 2195 telecommunication identifiers (TKMs).

The overwhelming majority of them was only blocked after August 2013, when the public outrage over NSA spying began. First, selectors were disapproved after the investigations by Dr. T. and W.O., and in November, BND president Schindler ordered all e-mail addresses with a European Top-Level Domain (TLD) to be removed from the BND and NSA tasking database.

Before that new directive, the DAFIS filter wasn't configured to block these European selectors:
- Stage 1 of this system only blocked things like the German TLD .de, the telephone country code (00)49 and the IMSI country code 262;
- Stage 2 blocked foreign identifiers when BND noticed that they were used by German citizens or German companies;
- Stage 3 blocked an initially small number of foreign identifiers that should not be activated because that would be against "German interests".

This means that until the end of 2013, the e-mail addresses belonging to European governments had been active in the collection system: 12% of them for up to 100 days and 87% for an even longer period of time.


Foreigners and especially foreign government agencies, have no right to privacy under the German constitution, so the collection of their communications is not a violation of German law. But investigator Graulich does consider the targeting of European governments a violation of the Memorandum of Agreement, which allows collection against European targets only for a very few specific topics.

Although the reasons why NSA was interested in these subjects are not known, the investigator judges that the broad targeting of European governments (like e-mail addresses of all members of government staff bureaus) is far beyond what the memorandum allows, and therefore this constitutes a severe violation of the agreement.


Graulich also says that NSA apparently misused the Bad Aibling satellite station to spy on other European countries - risking an embarrassment for Germany in its relationship with EU and NATO partners.

However, BND itself also targeted for example the British embassy in India and the French embassy in Mali, and eavesdropped on the US Defense and Foreign secretaries as well as senators, when they used non-secure phone lines while traveling.

When in November 2013, BND searched through its own tasking database (PersonenBezogene DatenBestände, or PBDB), it came out that it too contained some 2800 selectors belonging to friendly nations. They were subsequently deleted, but this was kept quiet for almost 2 years.

On November 11, 2015, it was reported that a preliminary report by the investigation team of the parliamentary intelligence oversight committee says that among BND's own selectors, there were ones belonging to the FBI, the Voice of America, French foreign minister Fabius and the interior departments of EU member states like Poland, Austria, Denmark and Croatia. Also targeted were international organizations like the ICC, the WHO and UNICEF. The selectors also included e-mail addresses, phone and fax numbers of the diplomatic representations of the US, France, Great Britain, Sweden, Portugal, Greece, Spain, Italy, Austria, and Switzerland, as well as European and US companies like for example Lockheed.

On November 26, 2015, Albert Karl, an official from the federal Chancellery, testified that European governments are not among the official goals which the government set for BND's intelligence mission (German: AufgabenProfil der Bundesregierung or APB). It's of course possible that European citizens are targeted because they are involved in terrorism or weapon proliferation.

Crisis regions

One last thing that should be mentioned is that at Bad Aibling, the collection effort is directed at (the downlinks of) satellite links from crisis regions like the Middle East, Afghanistan and Africa. This means, that if NSA deliberately provided BND all those selectors of European government officials, they should have known that they couldn't result in their day-to-day business communications.

Using these selectors to filter traffic from the satellite links from the crisis regions, would only provide content when those European officials communicate with their counterparts or other people over there. And maybe it was just that what NSA wanted to find out - an option that was not considered in the Graulich report though.


In a first reaction on the report, the German government said that there will be stricter guidelines for the cooperation between BND and NSA, and also that oversight by the federal Chancellery will be increased. Opposition party members of the commission aren't fully satisfied with the report and still want access to the rejected selectors, as well as an examination of all 8 million selectors that NSA provided to BND.


On Thursday, November 5, special investigator Dr. Kurt Graulich was heard by the parliamentary investigation commission about his findings. This hearing didn't provide any significant new insights.

The other witness that day, BND lawyer Dr. Werner Ader, revealed that at Bad Aibling, there's highly sophisticated equipment, which allows the interception of satellites even under difficult circumstances, like coping with atmospheric disturbances and following non-geostationary satellites. The equipment "can follow what happens at the satellite".

Links and sources
- Yahoo News: Germany reins in spy service over NSA report
- Kein Ersatz für Selektorenliste: Abgeordnete Renner und von Notz über Graulich-Bericht
- Geheimdienstaffäre: Sonderermittler spricht von klarem Vertragsbruch der NSA

September 30, 2015

NSA's Legal Authorities

(Updated: November 22, 2015)

Since the start of the Snowden-revelations, we not only learned about the various collection programs and systems of the National Security Agency (NSA), but also about the various legal authorities under which the agency collects Signals Intelligence (SIGINT).

Bceause these rules are rather complex, the following overview will show which laws and regulations govern the operations of the NSA, showing what they are allowed to collect where and under which conditions. Also mentioned are various collection programs that run under these authorities.

The overview provides a general impression of the most important elements of the various laws and regulations and does not pretend to be complete in every detail. For example, provisions for emergency collection are not included. Also, some of these laws and regulations govern the work of other US intelligence agencies too, but here the focus is on the NSA.

Collection INSIDE the US:
Targeted collection - US persons & foreigners:

- Section 105 FISA
- Section 703 FISA Amendments Act (FAA)

Targeted collection - Foreigners:

- Transit Authority

- Section 702 FISA Amendments Act (FAA)
- PRISM Collection
- Upstream Collection

Bulk collection - US persons:

- Section 402 FISA (PR/TT)

- Section 215 USA PATRIOT Act (BR FISA)


Collection OUTSIDE the US:
Targeted collection - US persons:

- Sections 704 & 705 FISA Amendments Act (FAA)

Targeted & Bulk collection - Foreigners:

- Executive Order 12333
- Classified Annex Authority (CAA)
- Special Procedures governing Communications Metadata Analysis (SPCMA)

Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(Click to enlarge)

  - Inside the US - Targeted collection - US persons -

Section 105 FISA
- Effective since October 25, 1978.
- For communications of US citizens and foreigners inside the US for which there's a probable cause that they are agents of a foreign power or connected to an international terrorist group. Initially also for foreigners outside the US using an American webmail provider.
- Collection takes place at telephone and internet backbone switches, wireless networks, Internet Service Providers and data centers at over 70 locations inside the United States.
- Requires an individualized warrant from the FISA Court (which takes between four and six weeks), but if no US person will likely be overheard, only a certification by the Attorney General is required.
Section 703 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- For communications of a US person outside the US, when there is probable cause that this person is an officer, employee, or agent of a foreign power or related to an international terrorist group.
- Requires an individualized warrant from the FISA Court.
- Collection takes place inside the United States (see Section 105 FISA).

  - Inside the US - Targeted collection - Foreigners -

Transit Authority
- Effective since ?
- Probably based upon a presidential directive that has to be re-authorized regularly, but the 2009 STELLARWIND report says NSA is authorized to acquire transiting phone calls under EO 12333.
- For communications with both ends foreign: originating and terminating in foreign countries, but transiting US territory.
- Collection takes place inside the US, at major fiber-optic cables and switches operated by American telecommunication providers.
- Data may apparently be shared with other US intelligence agencies.


Section 702 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- For communications to or from foreigners who are reasonably believed to be outside the United States.
- Requires an annual certification by the Attorney General (AG) and the Director of National Intelligence (DNI), which has to be approved by the FISA Court. Certifications are known that have been approved for:
- Counter-Terrorism (CT, since 2007)
- Foreign Government (FG, since 2008; including some cyber threats since 2012)
- Counter-Proliferation (CP, since 2009)
- Cyber Threats (planned in 2012)
- Companies get a directive ordering them to cooperate. In return they are granted legal immunity and are compensated for reasonable expenses.
- Dissemination rules differ slightly per certification. Ordinarily, US person identifiers have to be masked, but unevaluated data may be shared with FBI and CIA, and foreign data may be shared with the 5 Eyes partners.
- Unencrypted data may be retained for up to 5 years, or for a longer period in response to an authorized foreign intelligence or counterintelligence requirement, as determined by the NSA's SIGINT Director.

Section 702 FAA has two components, each with slightly different rules:
PRISM Collection
- Only internet communications "to" and "from" specific e-mail addresses or other types of identifiers. Filtering only allowed for selectors, not for keywords.
- Collection is done by the FBI's DITU, which acquires the data from at least 9 major American internet companies. This results in both stored and future communications.
- Raw (unminimized) data may be shared with FBI and CIA.
- Data are retained for a maximum of 5 years.
- NSA is permitted to use US person identifiers for querying already-collected data when there's a reasonable expectation that this will return foreign intelligence.*
- Collection program: PRISM
Upstream Collection
- Both internet and telephone communications. The internet communications may be "to", "from" and "about" specific e-mail addresses or other types of identifiers, including IP addresses and cyber threat signatures.
- Collection takes place inside the US, at major telephone and internet backbone switches. This only results in future communications.
- Raw (unminimized) data may not be shared outside NSA.
- Data are retained for a maximum of 2 years.
- Collection programs: FAIRVIEW, STORMBREW

  - Inside the US - Bulk collection - US persons -

Section 402 FISA (PR/TT)
- Effective since October 25, 1978.
- Since July 14, 2004, orders from the FISA Court allowed the NSA to collect domestic internet metadata in bulk under this authority. These metadata included the "to", "from", and "cc" lines of an e-mail, as well as the e-mail’s time and date.
- Only for Counter-Terrorism purposes.
- Collection took place inside the US, by acquiring the metadata from big American telecommunication providers.
- Query results could only be accessed by specially trained NSA analysts, and could only be shared for a counter-terrorism purpose.
- Data were being retained for a maximum of 5 years.
- Collection terminated in December 2011 for "operational and resource reasons" and all data were deleted, as the requirements could also be fulfilled under 702 FAA and SPCMA authorities.*
- Collection programs: ?


Section 215 USA PATRIOT Act (BR-FISA)
- Effective since October 26, 2001; expired as of May 31, 2015.
- Since 2006, orders from the FISA Court allowed the NSA to collect domestic telephone metadata in bulk under this authority. These metadata included the originating and receiving phone number, the date, time and duration of the call, and, since 2008, the IMEI and IMSI number.
- Only for Counter-Terrorism purposes: there must be a reasonable and articulable suspicion (RAS) that the query term belongs to a foreign terrorist organization.
- Collection took place inside the US, by acquiring the metadata from big American telecommunication providers.
- Query results may only be accessed by specially trained NSA analysts, and may only be shared when a manager certifies the data are for a counter-terrorism purpose.
- Data are retained for a maximum of 5 years.
- Collection programs: FAIRVIEW, STORMBREW

During a 180-day transition period, the NSA may continue the collection of bulk telephony metadata under section 215 USA PATRIOT Act, which is until November 29, 2015. In this period, telephony metadata may only be queried after a judicial finding that there is a reasonable, articulable suspicion that the selector is associated with an international terrorist group. The results must be limited to metadata within 2 (instead of 3) hops of the seed term.

- Effective since June 2, 2015.
- Allows the NSA to request metadata from telephone companies based upon specific selection terms for which there's a reasonable, articulable suspicion that they are associated with a foreign power or an international terrorist group. These metadata may consist of "session-identifying information", like originating and receiving numbers, IMSI, IMEI and telephone calling card numbers, and the date, time and duration of the call. Collection of, and contact chaining on location data is prohibited.
- Requires a specific warrant from the FISA Court, upon which the provider has to produce the metadata in a useful format on a daily basis for a period of time limited to 180 days.
- All records that are not foreign intelligence information have to be destroyed promptly.
- Companies providing these data are granted legal immunity and will be compensated for reasonable expenses.
- Query results may be fully shared with CIA and FBI.
- Also, foreign terrorists may be tracked for up to 72 hours when they enter the US, with authorization by the Attorney General.

  - Outside the US - Targeted collection - US persons -

Section 704 & 705 FISA Amendments Act (FAA)
- Effective since July 10, 2008; expires on December 31, 2017.
- Collection takes place outside the United States.
- Data may be retained for up to 5 years, or for a longer period in response to an authorized foreign intelligence or counterintelligence requirement, as determined by the NSA's SIGINT Director. Inadvertent collection of US data has to be destroyed upon recognition, but the Attorny General can authorize exceptions.

The differences for these sections are:

Section 704 FAA
- For collection against a US person outside the US, when there is probable cause that this person is an officer, employee, or agent of a foreign power or related to an international terrorist group.
- Requires an individualized warrant from the FISA Court, for a period of up to 90 days.

Section 705(a) FAA
- For communications of a US person reasonably believed to be outside the United States.
- Requires an individualized warrant from the FISA Court.
- Collection may take place both inside and outside the United States.

Section 705(b) FAA
- For communications of a US person reasonably believed to be outside the US, when there is already an existing FISA Court order for collection against this person inside the US under section 105 FISA.
- Requires authorization by the Attorney General.

  - Outside the US - Targeted & Bulk collection - Foreigners -

Executive Order 12333
- Effective since December 4, 1981.
- For communications between foreigners outside the US.
- Requires no external approvals, except for fitting the mission and the goals set for NSA by the government.
- Collection takes place outside the US and for all foreign intelligence purposes. However, Presidential Policy Directive 28 (PPD-28) from January 17, 2014, limits bulk collection to the following 6 purposes:
- Espionage and other threats by foreign powers
- Threats from terrorism
- Threats from weapons of mass destruction
- Cybersecurity threats
- Threats to US or allied armed forces
- Threats from transnational crime
- Data may be shared with other US intelligence agencies, as well as with foreign partner agencies.
- Dissemination of US person identifiers is only allowed when necessary and personal information should not be inapproprately included in intelligence reports.
- Unencrypted data from targeted collection are retained for up to 5 years, unless it is determined that continued retention is required; encrypted data are retained for an unlimited period of time.

Under EO 12333, there are two additional authorizations:
Classified Annex Authority (CAA)
- Effective since 1988.
- For communications of US persons outside the US, for whom there's probable cause that they are agents of a foreign power or engaged in international terrorism.
- Requires prior approval by the Attorney General, limited to a period of time of up to 90 days.
- Also for communications of a US person who is held captive by a foreign power or a terrorist group, which requires approval of the Director of NSA.

Special Procedures governing Communications Metadata Analysis (SPCMA)
- Effective since January 2011
- Allows contact chaining and other analysis on metadata already-collected under EO 12333, regardless of nationality and location, including US person identifiers.
- For the purpose of following or discovering valid foreign intelligence targets (i.e. not restricted to counter-terrorism).
- Only covers analytic procedures and does not affect existing collection, retention or dissemination (including minimization) procedures for US person information.
- SPCMA-enabled tools: ICREACH, Synapse Workbench, CHALKFUN

  - Information Assurance -

Besides collecting Signals Intelligence, the NSA is also responsible for Information Assurance (IA). This mission is conducted under the following authorities:

- National Security Directive 42 ("National Policy for the Security of National Security Telecommunications and Information Systems", 1990)

- Executive Order 13587 ("Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information", 2011)

- . - . - . - . - . - . - . - . -

Links and sources
- Internet Dragnet Timeline - Phone Dragnet Timeline - 10 Goodies USA Freedom Act Gives the Intelligence Community
- Executive Order 12333 on American Soil, and Other Tales from the FISA Frontier
- IC on the Record: Transition from the USA PATRIOT Act to the USA FREEDOM Act
- Documents Regarding the Now-Discontinued NSA Bulk Electronic Communications Metadata
- Section 214 and Section 215 FISA
- National Research Council: Bulk Collection of Signals Intelligence: Technical Options (pdf) (2015)
- NSA Civil Liberties and Privacy Report about Targeted SIGINT Activities under EO 12333 (pdf) (2014)
- Privacy and Civil Liberties Oversight Board report about the Surveillance Program Operated Persuant to Section 702 FISA (pdf) (2014)
- Legal fact sheet: Executive Order 12333 (pdf) (2013)
- The Department of Defense Directive about NSA/CSS (pdf) (2010)
- NSA OGC: Course on legal compliance and minimization procedures (pdf)
- Memo about Reauthorization of the FISA Amendments Act (pdf)
- NSA OGC: FISA Amendments Act of 2008 - Section 702 - Summary Document (pdf)

September 16, 2015

9/11 inside the White House emergency bunker

On July 24, the US National Archives released a series of 356 never-before-seen photos, most of them taken on September 11, 2001 inside the emergency bunker under the White House.

The bunker is officially called the Presidential Emergency Operations Center (PEOC), but White House officials also call it the shelter. It was constructed in 1942 underneath the East Wing of the White House, which was primarily built to cover the building of the bunker. It is said the PEOC can withstand the blast overpressure from a nuclear detonation.

One of the very few photos from inside the PEOC available before the recent release
(White House photo - Click to enlarge)

The photos were released in response to a Freedom of Information Act (FOIA) request filed by Colette Neirouz Hanna, coordinating producer for the FRONTLINE documentary film team. They focus on the reaction from then-vice president Dick Cheney and other Bush administration officials during the terrorist attacks.

How Cheney reached the White House emergency bunker was reconstructed in the official report of the 9/11 Commission, which was issued on July 22, 2004:

American 77 began turning south, away from the White House, at 9:34. It continued heading south for roughly a minute, before turning west and beginning to circle back. This news prompted the Secret Service to order the immediate evacuation of the Vice President just before 9:36. Agents propelled him out of his chair and told him he had to get to the bunker.The Vice President entered the underground tunnel leading to the shelter at 9:37.

Once inside, Vice President Cheney and the agents paused in an area of the tunnel that had a secure phone, a bench, and television. The Vice President asked to speak to the President, but it took time for the call to be connected. He learned in the tunnel that the Pentagon had been hit, and he saw television coverage of smoke coming from the building.

The Secret Service logged Mrs. Cheney’s arrival at the White House at 9:52, and she joined her husband in the tunnel. According to contemporaneous notes, at 9:55 the Vice President was still on the phone with the President advising that three planes were missing and one had hit the Pentagon.We believe this is the same call in which the Vice President urged the President not to return to Washington. After the call ended, Mrs. Cheney and the Vice President moved from the tunnel to the shelter conference room.

The Vice President remembered placing a call to the President just after entering the shelter conference room. There is conflicting evidence about when the Vice President arrived in the shelter conference room. We have concluded, from the available evidence, that the Vice President arrived in the room shortly before 10:00, perhaps at 9:58. The Vice President recalled being told, just after his arrival, that the Air Force was trying to establish a combat air patrol over Washington.


Conference room

The newly released photos provide an almost 360-degree view of the conference room in the Presidential Emergency Operations Center. It appears to have two installations for secure videoconferencing: one at the long side of the room and one at the short side, so it can be used from either the long side or the short side of the table.

In the picture below we see the videoconference set-up at the long side of the room. Within a wooden paneling there are two television screens with the camera in between. Right of the paneling are four digital clocks showing the time for various places around the globe, and there's also a wall map of the United States:

(White House photo by David Bohrer - Click to enlarge)

On the screen on the far left we see a videoconference taking place with four participants, including the CIA and the Department of Defense. Reports about the events on 9/11 say there was a secure videoconference in which the White House, the CIA, the State Department, the Department of Justice and the Department of Defense participated.

The next picture shows the videoconferencing monitors at the short side of the room, which can also be used for normal television: other photos show feeds from CNN and Fox. In the corner on the right there's a wooden door with a (mirror?) window. Next to the door on the long side wall, there's a large mirror:

(White House photo by David Bohrer - Click to enlarge)

The wall at the long side of the room opposite to the videoconferencing installation has the presidential seal, which appears behind the person leading a videoconference from the chair in which vice president Cheney was sitting, in order to show that this is the White House:

(White House photo by David Bohrer - Click to enlarge)

Looking to the right provides a view of the other corner, where we see two doors: first there's a heavy metal door opening to a room with pinkish light. Next to it, at the short side of the room, there's another door which opens to what looks like a corridor with blueish light. Some people seem to come in through that door, so maybe that corridor leads to the entrance of the bunker:

(White House photo by David Bohrer - Click to enlarge)

At 6:54 PM in the evening, president Bush arrived back at the White House and joined vice-president Cheney in the Presidential Emergency Operations Center. This was captured in another series of photos. In the picture below we see Cheney and Bush, with on the right side a good view of the vault-like door, which has three heavy-duty hinges and a long downward pointing door handle:

(White House photo - Click to enlarge)

Exactly the same type of white metal door with the long door handle, can be seen in a picture from 1962 of an office next to the Situation Room in the basement of the West Wing (maybe a door to the tunnel leading to the bunker? The current entrance to the PEOC is still a well-kept secret).

Viewing from a different angle, we see more of the wall at the other short side of the room, which was probably never seen before. At the left it has the door to the corridor, and in the middle there are wooden folding doors with handles and a lock. As there are already two banks of monitors for videoconferencing, these doors probably hide something else:

(White House photo - Click to enlarge)

At 9:00 PM president Bush gathered his National Security Council for a meeting in the underground shelter, as can be seen in the picture below. This makes a 360-degree view of the conference room almost complete:

(White House photo - Click to enlarge)

A close look at this photo shows that something is mirrored in the glass pane for the camera of the videoconferencing system in the short side wall of the room. It clearly looks like a world map, more specifically like an automatic daylight map, which must be at the opposite wall, right of the wooden folding doors:


Telephone equipment

The newly released photos show the people in the PEOC conference room regularly making phone calls, using telephones that are somewhat hidden in drawers underneath the conference table. Probably just like the table itself, the drawers are custom made for a device that can be recognized as a small version of the Integrated Services Telephone (IST):

The IST was designed by Electrospace Systems Inc. and manufactured by Raytheon as a dedicated device for the Defense Red Switch Network (DRSN) and hence was called a "red phone". The DRSN is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

The standard version of the IST has 40 programmable buttons for access to both secure and non-secure lines (therefore sometimes called IST-40). Encryption isn't done by the phone itself, but by a network encryptor, after the switch separated secure and non-secure traffic. Although the IST phone had very futuristic looks, it was gradually replaced by the IST-2 since 2003.

The phone we see in the drawers of the PEOC conference room table are about half the size of the standard IST: instead of the 40 direct line buttons, there are just 6, replacing some of the special function buttons above the AUTOVON keypad with the four red keys for the Multilevel Precedence and Preemption (MLPP) function.

This small version of the IST is rarely seen, but it was in the collection of the JKL Museum of Telephony in Mountain Ranch, California, which unfortunately was completely destroyed by a wildfire last week.

The small version of the IST displayed
in the JKL Museum of Telephony

The ultimate test for these kind of communications systems is a real emergency situation. However, during 9/11, it came out that the Defense Red Switch Network (DRSN) didn't work like it should have. The 9/11 Commission report said:
On the morning of 9/11, the President and Vice President stayed in contact not by an open line of communication but through a series of calls. The President told us he was frustrated with the poor communications that morning. He could not reach key officials, including Secretary Rumsfeld, for a period of time. The line to the White House shelter conference room and the Vice President kept cutting off.

Besides the ISTs under the table, there's also a black telephone set, which sits on a shelf or a drawer underneath the wall map of the US. This phone is a common Lucent 8410, used in numerous offices all over the world. Here, it is part of the internal telephone network which is used for all non-secure calls both within the White House as well as with the outside world.

Vice-president Cheney using the Lucent 8410. On the conference table
at the right there's the thick laptop-like device
(White House photo - Click to enlarge)

On the corner of the conference table, there's also another kind of communications device: a black box, of which the upper part can be opened up like a laptop. The bottom part however is higher than normal notebooks, even for those days. It's also connected to a big adapter. Maybe it's a rugged and/or secure laptop for military purposes - readers who might recognize the device can post a reaction down below this article.

All three communications devices: the black Lucent 8410, the black
notebook-type of thing and the small version of the IST.
(White House photo - Click to enlarge)


Mysterious marking

A final photo shows then-Secretary of State Colin Powell sitting at the table in the PEOC conference room, reading a document which has a cover sheet for classified information:

The cover sheet seems of light yellowish paper and has a broad dark red border, which is a common feature for these sheets. Most of the text isn't eligable, but the lines in the upper half read like:
TOP SECRET//[....]



The lines in the bottom half are probably the standard caveats and warnings that can be found on such cover sheets. With Top Secret being the classification level, and Eyes Only a well-known dissemination marking, the most intriguing are the letters CRU.

On Twitter it was suggested that CRU stands for Community Relations Unit, an FBI unit responsible for transmitting information to the White House. However, the website of the FBI says that this unit is actually part of the Office of Public Affairs, and as such is responsible for relationships with local communities and minority groups. Although that unit could stumble upon suspected terrorists, another option seems more likely:

After a 2009 FOIA request by the ACLU, a 2004 memo from the Justice Department's Office of Legal Counsel about the CIA's detention program and interrogation techniques was released. The classification marking of this memo was blacked out, but on one page this was forgotten. It read: TOP SECRET/CRU/GST.

In a job posting this was written like "CRU-GST", which indicates GST is a compartment of the CRU control system. Meanwhile we also know that GST is the abbreviation of GREYSTONE, which is a compartment for information about the extraordinary rendition, interrogation and counter-terrorism programs, which the CIA established after the 9/11 attacks.

Because Powell is reading the CRU-document on September 11, 2001 itself, the CRU parent-program must have been established somewhere before that day. It's still a secret what CRU stands for, but it probably covers information about highly sensitive CIA operations.

Links and sources
- Wikipedia: Timeline for the day of the September 11 attacks
- 9/11 Myths: Dick Cheney at the PEOC
- New York Times: Essay; Inside The Bunker (2001)