October 15, 2013

What are SIGADs starting with DS for?

(Updated: November 26, 2013)

Recently, some new NSA powerpoint presentations were published which mention communication intercept facilities with designators like DS-200, DS-200B, DS-300 and DS-800.

These don't fit the regular format for such SIGINT Activity Designators (SIGADs), as they normally begin with two letters indicating one of the UKUSA or Five Eyes-countries: US for the United States, UK for the United Kingdom, CA for Canada, AU for Australia and NZ for New Zealand.

Initially, the Washington Post wrote that DS referred to NSA's Australian counterpart, the Defence Signals Directorate, probably because of its abbreviation DSD, although this agency was recently renamed to Australian Signals Directorate or ASD. Later the Post corrected this and now says DS refers to the British signals intelligence agency GCHQ.


But there's another lead. In the third slide of a presentation about SSO Collection Optimization, which was published by the Washington, we see that the collection facility designated DS-200B is codenamed MUSCULAR.

This codename was mentioned earlier in a document with Frequently Asked Questions (pdf) about the BOUNDLESSINFORMANT tool. On page 2 it reads:
"Only metadata records that are sent back to NSA-W through FASCIA or FALLOUT are counted. Therefore, programs with a distributed data distribution system (e.g. MUSCULAR and Terrestrial RF) are not currently counted."

The first sentence is about data sent back to the NSA headquarters in the Washington-area (NSA-W) through FASCIA or FALLOUT, which are ingest processors for phone and internet metadata respectively.

In the second sentence we see MUSCULAR mentioned as an example of programs with a "distributed data distribution system". Another example is the interception of Terrestrial RF (Radio Frequency), which are communications through microwave radio relay systems.

Presently, it's not clear what the "distributed data distribution system" might be, but for now it's interesting that this description could very well fit the abbreviation DS.

A SIGAD like DS-200 might then stand for a particular (Distributed Data) Distribution System, not related or bound to a specific country, like the regular SIGADs starting with the country codes.

As "data distribution" is a way to describe how files are stored in data clouds, it's probably a good guess that also in this case, the "distributed data distribution system" may refer to one or more NSA data clouds. This could also explain the fact that the SIGADs starting with DS don't fit the country code scheme, this because the data cloud might be a repository shared by all five UKUSA partners.

DS-200: GCHQ Special Source collection

On October 30, the Washington Post provided more details about the MUSCULAR program, with a follow-up on November 4. Attached to that story are a number of new slides showing that MUSCULAR is a joint NSA-GCHQ operation to collect data by tapping the main communication links which connect the Yahoo and Google data centers around the world.

This interception takes place at a "large international access located in the United Kingdom". People who are familiar with Google and Yahoo’s infrastructure said it's likely that the fiber-optic cables that connect the data centers are owned by companies like Verizon Communications, the BT Group, the Vodafone Group and especially Level 3 Communications, being the world’s largest internet backbone provider. As was revealed earlier, GCHQ has surveillance arrangements with each of these companies.

More specific, the MUSCULAR "distributed data distribution system" is described by Sean Gallagher as a way to collect, filter, and process the content from the internal networks of Google and Yahoo. For doing this, the data streams, which are optimized by Google and Yahoo to be sent across wide-area networks over multiple simultaneous data links, have to be broken apart again. After that, the system separates the traffic which is of intelligence interest from the vast amount of intra-data center communications that have nothing to do with user activity.

One slide, titled "2nd Party Accesses", shows that DS-200B/MUSCULAR is a sub-program of DS-200, which is "NSA's reporting of GCHQ's "Special Source" collection", where Special Source means gathering data from private companies:

Unfortunately, the rest of the slide is completely blacked out, so we aren't even allowed to see the other SIGADs which may also be part of the DS-200 program. Nevertheless we learned from other sources about the existance of facilities designated DS-200A and DS-200X, which are clearly sub-programs of DS-200, and therefore probably similar private network tapping operations as MUSCULAR.


In an explanation of a screenshot of the BOUNDLESSINFORMANT tool, the Washington Post says that the SIGAD DS-300 refers to INCENSER, which is another high-volume cable tapping operation, jointly run by NSA and GCHQ. But INCENSER is not just "another" cable tapping operation, it's a far bigger program, collecting over 14 billion metadata records, which is 77 times as much as MUSCULAR!

Both MUSCULAR and INCENSER are part of WINDSTOP. According to the Washington Post, this is an umbrella program for at least four collection systems which are jointly operated by NSA and one or more 2nd Parties (2P) - the signals intelligence agencies of Britain, Canada, Australia and New Zealand.


Some more information abouth the SIGAD DS-800 can be found in a slide that was shown in a report by the Brazilian television magazine Fantastico from October 6, 2013. It reveals how the Canadian signals intelligence agency CSEC mapped the communications infrastructure of the Brazilian Ministry of Mines and Energy.

For that effort, CSEC used OLYMPIA, and a presentation about that tool shows step-by-step how all the ministry’s telephone and computer communications were mapped:

Reconstruction of a slide showing the interception of the
communications of the Brazilian Ministry of Mines and Energy
(click for a bigger version!)

In this slide we can see that DS-800 collects both telephony (DNR) and internet (DNI) data. At the left side DS-800 is mentioned as the facility intercepting phone calls between the Brazilian ministry and numbers in Equador and Venezuela. Telephone communications to some other countries are monitored by facilities designated US-3294 and US-966V.

At the right side of the slide are the internet communications. Traffic between IP addresses from Global Village Telecom and internet providers in Africa, the Middle East and Canada are also collected by DS-800. We can also see that internet traffic to India is intercepted by DS-200 (maybe because GCHQ has good access to India?).

Given this information and regarding that Global Village Telecom is a major Brazilian telecommunications company, providing both telephony and internet services, DS-800 could probably be intercepting the infrastructure of this company. Because within the Five Eyes-community, Canada is more or less responsible for covering Latin America, we can imagine that DS-800 might be operated by the Canadian CSEC, just like the British GCHQ operates DS-200B.

Links and Sources
- ArsTechnica.com: How the NSA’s MUSCULAR tapped Google’s and Yahoo’s private networks
- Golem.de: Dokumente belegen Zugriffe auf Google- und Yahoo-Clouds

No comments: