February 14, 2018

The hotlines between North and South Korea

(Updated: April 22, 2018)

The current 2018 Winter Olympics, held in PyeongChang, South Korea, led to a charm offensive by neighbouring North Korea, which included the reopening of a border hotline with the South, that had been closed for almost two years.

The reopening came with new photos of the fancy-looking communications equipment, which will be described here, as well as the fact that there's not just one phone line, but over 40. Unlike other hotlines, the ones between North and South Korea are mostly used for low-level practical issues.

A South Korean liaison officer speaks with his North Korean counterpart over the
inter-Korean communications channel at Panmunjom, January 3, 2018
(photo: Unification Ministry - click to enlarge)

The Red Cross hotline

The first hotline between North and South Korea became operational on September 22, 1971. The link was the result of the first inter-Korean Red Cross meeting held on September 20, which resulted in an agreement to establish two lines for direct telephone calls between the two countries.

It was also agreed to construct a liaison office inside the Joint Security Area (JSA) of Panmunjom, which is in the heavily-fortified Demilitarized Zone (DMZ). The direct telephone link between the liaison offices is therefore often called the Red Cross or border hotline.

Equipment of the hotline

On the South Korean side, the hotline equipment is located in the communication office on the second floor of the Freedom House, which was built in 1998. On the North side, the line ends at a desk in the Panmungak building, which is less than 100 meters (328 feet) away. In the Panmunjom area, the hotlines connect the inter-Liaison Office, the inter-Korean Red Cross Talks Liaison Office and the Front Office of the inter-Korean Talks Headquarters.

The current equipment, which is seen in the most recent photos, was installed in 2009 and consists of a large, wood-panelled console on a desk. On top is a sign that says "South-North Direct Telephone". The system features two disk drives, two sets of USB ports and one computer screen, which shows the Windows XP user interface. It's not clear what the function of the screen is, as there's no keyboard visible.

Equipment of the Red Cross or border hotline on the South Korean side
(photo: YTN News - click to enlarge)

Update: As noted on Twitter, the computer screen appears to show the user interface of a VoIP softphone client, maybe an ancient version of X-Lite, but that hasn't been confirmed yet. Probably this setup made it easier to have the calls recorded, for example by using the CD-stations.

Most important parts are however two telephone handsets, one red and one green. The red one is for incoming calls from North Korea, while the South uses the green handset to make outgoing calls to the North. However, both phone sets are capable of sending and receiving, but there have been installed two of them just in case one fails.

Since 2015, the console has two digital clocks on top, as in that year North Korea shifted to UTC+08:30 or Pyongyang Time (PYT), while South Korea stayed in the UTC+09:00 or Korea Standard Time (KST) zone. In the photo below, the green clock shows 3:34 for South Korea and the orange/red one 3:04 for North-Korea.

At the left of the hotline console there's a Samsung SF 530 fax machine through which North Korea sometimes sends messages about topics that range from logistics to threats.

Operation of the hotline

The hotline phones at the Inter-Korean Red Cross Liaison Office and the Inter-Korean Liaison Office on the South side are operated by officials from the Unification Ministry. They are experts in diplomatic protocol and have in the past played roles in face-to-face talks as well.

To resolve the problem of who calls first, it was decided that the South calls the North on odd dates, while on even dates it's the other way around. The daily routine for weekdays is that communication officials make a phone call everyday at 9:00 AM and again at 4:00 PM. No routine calls are made on Monday morning, Saturdays and Sundays and on bilateral holidays, except for when there are special requests.

The government can instruct to use the hotline for the exchange of official messages, which come in the form of a 'telephone notice' which means that a liaison officer calls the other side and reads a document carrying a proposal or official position on a proposal of the other side. All this is very similar to how the hotline between Washington and Moscow is operated, although that one is just for written communications.

Finally, when a document with official seals has to be delivered to either North or South Korea, a call is made to arrange a face-to-face meeting at a certain time on the demarcation line.

Earlier hotline equipment

The earlier equipment that was used on the hotline of inter-Korean Liaison Office can be seen in a series of photos published on the occasion of its reopening on August 14, 2000, after having been closed since November 1996:

South Korean minister of Unification, Park Jae-kyu using the hotline, August 14, 2000
(photo: The Korea Times - click to enlarge)

The South Korean minister of Unification using the hotline, August 14, 2000
(photo: eHistory - click to enlarge)

This earlier hotline device, with the size of a small refrigerator, has two telephone handsets, one in yellow and one in some kind of light green. In the upper section there's a tape recorder for each of the phone lines. It seems that after the new equipment was installed in 2009, the old device was kept as a remembrance, covered by a blue cloth with a golden fringe:

The old (left) and the new (right) hotline equipment
(photo: Unification News - click to enlarge)

More hotlines between the Koreas

After the Red Cross border hotline at Panmunjom was established, more lines would follow. On April 29, 1972, a direct line between Seoul and Pyongyang was secretly set up to prepare the visit of high-ranking officials to Pyongyang. Following this visit, the director of the CIA contacted North Korean president Kim Il-sung and they agreed upon a direct telephone line for the Inter-Korean Control Committee.

There are no reports about a phone line that connects the presidents of North and South Korea, like for example the famous Washington-Moscow Hotline, or the hotlines between the American president and several other heads of government. (See Update!)

The Joint Security Area (JSA) between North en South Korea, with the
North Korean Panmungak building, seen from the South
(photo: iStock - click to enlarge)

33 hotlines through Panmunjom

More lines were established throughout the 1990s and 2000s and since December 2010 there are 33 direct phone lines which connect North and South Korea through Panmunjom. Five of them are intended for daily communications, 21 for negotiations between the two countries, two for handling air traffic, two for sea transport and three for economic co-operation:

- 2 lines in Panmunjom for the Red Cross, since September 22, 1971.

- 1 line between Seoul and Pyongyang to prepare a high-level visit, since April 29, 1972.

- 20 lines between Seoul and Pyongyang for inter-Korean Red Cross talks, including 2 lines for the Central Red Cross Organisation, since August 18, 1972.

- 1 line between Seoul and Pyongyang for economic talks, since December 20, 1984.

- 2 lines between the newly established inter-Korean Liaison Office in the Panmunjom Freedom House and the Panmokgak building for inter-agency business talks, since May 18, 1992.

- 2 lines between Daegu (since September 18, 2001: Incheon) and Pyongyang for air traffic control, since November 19, 1997.

- 2 lines between Seoul and Pyongyang for the inter-Korean Maritime Authority, since August 12, 2005.

- 3 lines between Seoul and the Kaesong Industrial Complex for the inter-Korean Economic Cooperation Consultation Office, since November 1, 2005.

Several of these direct phone lines through Panmunjom have lost their original function, such as the one for economic talks, but these lines are now for example used as a fax line for communications between the North and South Korean Red Cross Liaison Office, which was opened on April 11, 2004.

The Joint Security Area (JSA) between North en South Korea, with
the new South Korean Freedom House, seen from the North
(photo: jaytindall.asia - click to enlarge)

15 hotlines outside Panmunjom

There are also 15 inter-Korean direct telephone lines which, due to geographical reasons, are not connected to Panmunjom:

- 3 lines between military authorities for the Donghae Bukbu Line, since December 5, 2003 (ultimately terminated in October 2010)

- 6 lines between military authorities for the Gyeongui Line, since August 15, 2005.

- 6 lines between Dorasan Station in the South and Panmun Station in the North for the inter-Korean railroad, since May 14, 2007.

Military hotlines

Besides the aforementioned telephone ines, there are also several military hotlines. In accordance with bilateral agreements, a West Sea communications link was established in September 2002 and an East Sea link in December 2003, each consisting of a phone line, a reserve phone line and a fax line (these lines may well be identical with those for the Gyeongui and the Donghae Bukbu railroads respectively).

Another military hotline was agreed upon in June 2004, in a step towards easing tensions and avoid accidental clashes. On the internet there are at least two photos that apparently show military hotlines between North and South Korea. We see ordinary military field telephones, which don't seem to have encryption capability, but it's possible that they are connected to separate encryption units:

South Korean Lieutenant Choi Don-Rim (left) communicates with a North Korean officer
at a military office near the Demilitarized Zone (DMZ) in 2005.
(photo: AFP - click to enlarge)

A South Korean military official communicates with his North Korean
counterpart through a military hotline, September 6, 2013.
(photo: Yonhap - click to enlarge)

Interruptions of the hotlines

Since the establisment of the first hotline in 1971, the direct communication links between North and South Korea were interrupted seven times, each time by North Korea:

On August 30, shortly after the Panmunjom ax attack, the hotline was shut down by the North. It was resumed on February 7, 1980 following a first working-level agreement to discuss the inter-Korean prime ministerial talks.

North Korea unilaterally declared to cease contact on September 24. The hotline was reopened again on September 29, following an agreement with the North Korean Red Cross for consultation on North Korean flood assistance.

The direct phone lines were aborted immediately after a North Korean submarine ran aground near Gangneung in the South in an attempted infiltration mission. Communications resumed on August 14, 2000 following the first agreement on inter-Korean ministerial talks.

North Korea declared the hotline "disconnected" after Seoul proposed a resolution about human rights in North Korea during the General Assembly of the United Nations in November. Communications resumed on August 25, 2009 with the visit of President Kim Dae-jung's special envoy to Seoul and inter-Korean Red Cross talks.

After the Cheonan incident, North Korea shut down all communications channels with the South on May 26. The air control phone line was re-established on October 18, 2010, while the lines at the inter-Korean Red Cross liaison office were reconnected on January 12, 2011.

On March 11, North Korea had stopped responding to calls on the Red Cross hotlines and also shut down the communication line with the American military command in South Korea, as well as the military telephone and fax lines used to coordinate cross-border travel to the joint industrial park in Kaesong. The North connected the Red Cross hotline again on June 7. A hotline used by military officials regarding travels to Kaesong was restored on September 6, 2013.

In February, Pyongyang stopped responding to South Korea's calls in the Panmunjom office after Seoul suspended a joint economic project at the Kaesong Industrial Complex over Pyongyang's nuclear tests. The military West Sea hotline was also closed, just like all other hotlines through Panmunjom, except for the two air traffic controle lines.

Most recent reopening

On January 3, 2018, North Korean leader Kim Jong Un gave the order to reopen the Panmunjom border hotline at 3:00 PM local time. According to South Korea's Unification Ministry, the North Koreans made first contact at exactly the time ordered.

Both sides were on the phone from 3:30 PM to 3:50 PM local time and during this initial 20-minute conversation, the two nations "checked technical issues of the communication line," according to a statement from South Korea's Unification Ministry.

The Ministry said North Korea phoned for a second time several hours later, suggesting the two sides wrap up business for the day. Other than checking that the link was operational, it is unclear what was discussed. According to a ministry spokeswoman there was no mention of future talks or the Olympics.


A top-level telephone hotline between the presidents of North and South Korea was established on April 20, 2018, in preparation of a summit between both leaders later that month in the border town of Panmunjum. Before this meeting, both presidents are expected to have a talk over the phone, but no date has been set for the call.

According to the Yonhap news agency, the new hotline connects the desk of South Korean president Moon Jae-in at the presidential Blue House with North Korea's State Affairs Commission, which is headed by Kim Jong-un. South Korean officials were the first to pick up the phone, then took a return call from their North Korean counterparts to make sure the line was working in both directions.

A South Korean official talks on a phone for testing the new hotline
at the presidential Blue House in Seoul, April 20, 2018
(photo: Yonhap - click to enlarge)

A telephone set that is used for the hotline between
the presidents of North and South Korea
(photo: AFP - click to enlarge)

Links and sources
- Reuters: Unique 'hotline' sets stage for new North and South Korea talks (2018)
- Korea Exposé: Call Me Maybe: How N. and S. Korea Actually Communicate (2017)
- Huffington Post Korea: 남북 직통전화 개설과 중단의 간략한 역사 (2014)
- Ministry of Unification: 남북관계 지식사전

December 31, 2017

Section 702 FAA expires: what are the problems with PRISM and Upstream?

(UPDATED: January 20, 2018)

Two important NSA programs, PRISM and Upstream, are based upon section 702 of the FISA Amendments Act (FAA), a law that was originally scheduled to expire today. Now the US Congress has to decide whether to continue or to reform this crucial legal authority.

Although PRISM became almost synonymous for NSA's alleged mass surveillance, it's actually, just like the Upstream program, targeted collection aimed at specific foreign targets. Still, many people think that these programs pull in way too many data (incidental collection) to be subsequently queried in an illegal way (backdoor searches).

Here we'll show some of the complexities of these two collection programs and that there are various internal procedures and methods in order to keep collection and analysis as focussed as possible.

Slide from the PRISM presentation that for the first time revealed PRISM
and Upstream as part of section 702 FAA collection.

Until recently, US lawmakers were too involved with president Trump's tax reform to devote enough attention to section 702 FAA. Therefore, on December 21, Congress extended the authority of this law through January 19, 2018. Lawyers from the Trump administration even concluded that the intelligence agencies can lawfully continue to operate under the FAA through late April (because the current FISA Court certification for the program actually expires late April 2018).

This leaves Congress some extra months to either reform or strengthen this important authority. There are several proposals, spanning from making the existing law permanent without changes, to imposing significant new limits to safeguard the privacy rights of Americans.

Meanwhile, the Office of the Director of National Intelligence (ODNI) came with additional information about data collection under section 702 FAA, and published for example a Section 702 Overview, which includes some nice infographics:

Diagram from ODNI about section 702 FAA collection. Click to enlarge.

702 FAA collection

The Snowden-revelations have shown that under the legal authority of section 702 FAA, NSA conducts two types of data collection:

- Upstream collection, for both internet and telephone communications, which are filtered out based upon specific selectors at major telephone and internet backbone switches. This takes place under the collection programs FAIRVIEW and STORMBREW.

- Downstream collection, only for internet (including internet telephony) communications, based upon specific selectors, which are acquired from at least 9 major American internet companies. This takes place under the collection program PRISM.

The Upstream and Downstream programs are different from eachother in many ways, but the thing they have in common is that collection take place inside the United States, while being aimed at foreign targets, although just one end of their communications has to be foreign. This means these programs also pull in communications between targeted foreigners and Americans - which is one of the main purposes of these programs: finding connections between terrorists inside and outside the US.

Slide showing the main differences between PRISM and Upstream
Published on October 22, 2013. Click to enlarge.

Upstream filtering

Although Upstream collection is based upon specific selectors, the American Civil Liberties Union (ACLU) presents it as "bulk surveillance", because in their opinion, the automated filtering actually means that NSA is "searching the contents of essentially everyone’s communications." Therefore they call these searches extraordinarily far-reaching and unprecedented and unlawful.

The Electronic Frontier Foundation (EFF) has a similar position and says that splitting internet cables is "unconstitutional seizure", while the subsequent search for selectors is an "unconstitutional search."

These judgements seem based upon comparing digital filtering with intercepting letters or telegrams (like what happened under project SHAMROCK from 1945-1975), but this ignores the differences with computer technology: NSA does copy entire data streams, but at virtually the same moment the filter system picks out the communications associated with the selectors, the other data are gone.

Searching through data packets of innocent people means at the same time destroying them - except when they contain one of the selectors which NSA is interested in.

Diagram from the EFF about Upstream collection. Click to enlarge.

Storage and classification

Under section 702 FAA, only data that are associated with a specific selector are stored. For Upstream collection, this means only the communications that remain after the filtering proces. These are processed (decoded, formatted, etc.) and stored in NSA databases for a maximum of only 2 years.

Downstream collection under the PRISM program results in all the data associated with specific selectors that the big internet companies hand over to the FBI, which then forwards them to NSA. These are also processed and then stored for a maximum of 5 years.
Data from FAA collection are usually stored in separate database partitions and are protected by the Exceptionally Controlled Information (ECI) compartment RAGTIME (RGT). Only analysts who are cleared for RAGTIME, have the specific need-to-know and who are authorized by the data owner have access to these data.

Already a few months before the start of the Snowden-revelations a book revealed that RAGTIME has 4 components:
- RAGTIME-A: foreign-to-foreign counterterrorism (CT) data
- RAGTIME-B: data from foreign governments (FG) transiting the US
- RAGTIME-C: data related to counterproliferation (CP) activities
- RAGTIME-P: domestic bulk collection of internet metadata*
Note that the first three components correspond to the first three FISA Court certifications that authorize section 702 FAA collection.

Last November, ZDNet reported about a leaked NSA document that lists a total of 11 components of RAGTIME. Besides the 4 known ones, the document also mentions RAGTIME-BQ, F, N, PQ, S, T and USP, but so far, we don't know what kind of data they protect.

On August 26, 2013, Der Spiegel published the so far only document from the RAGTIME (RGT)
compartment: the floorplan of the EU mission to the United Nations in New York.
Note the PINWALE ID (PWID): PWZA20120551215230001427125

Incidental collection

As almost every NSA target will communicate with at least some individuals who are not involved in terrorism or other threats to national security, it's inevitable that even targeted interception will result in storing communications of innocent (American) people too - NSA calls this "incidental collection".

The share of this incidental collection as part of the overall collection is not known: early 2017, NSA agreed to provide some information about how many American citizens may be impacted, but later, Director of National Intelligence (DNI) Dan Coats said that it "remains infeasible" for the government to cite a meaningful number.

Actual intercepts

Edward Snowden was also eager to draw public attention to this issue, and maybe he took his last job for Booz Allen at NSA in Hawaii for the sole purpose of getting access to raw data collected under section 702 FAA. In his view, the PRISM and Upstream programs "crossed the line of proportionality."

He succeeded in his effort and was able to exfiltrate a cache of ca. 22.000 collection reports, containing 160.000 individual conversations (75% of which instant messages), which were intercepted by NSA between 2009 and 2012 - a much more substantive leak than the usual internal powerpoint and sharepoint stuff.

Snowden handed them over to The Washington Post, which reported about this cache on July 5, 2014. After a cumbersome investigation, it found that the intercepted communications contained valuable foreign intelligence information, but also that over 9 out of 10 account holders were not the intended surveillance targets and that nearly half of the files contained US person identifiers.

Breakdown of the intercepted messages collected under 702 FAA authority
that were reviewed by The Washington Post. Click for a larger version.

Targeted interception

The numbers from The Post do sound like a massive overcollection, but we should keep in mind that this still is targeted collection, something that privacy advocats always prefer rather than bulk collection.

NSA's Upstream program will likely result in just as many communications of innnocent people as when the police taps phone numbers and IP addresses under a warrant, although NSA targets may be more careful in conducting private telecommunications than ordinary criminals.

From the dataset examined by The Washington Post, it becomes clear that innocent people can be affected in two ways: first, when they communicate directly with (or about) a foreign target, and second, by "joining a chat room, regardless of subject, or using an online service hosted on a server that a target used for something else entirely."

This shows that even with targeted interception, the technical configuration of certain internet platforms make it apparently quite difficult, or even impossible to isolate the conversations in which a target is personally involved.

As the dataset that Snowden exfiltrated seems to be derived from both Upstream and PRISM collection, it's hard to say which of these programs is more intrusive. Upstream became a less useful source since the most common communication services have been encrypted, while PRISM may also not be as productive as before, after it was exposed by the press.

Dataflow diagram for Upstream collection under the FAIRVIEW program.
Published on November 16, 2016. Click to enlarge.
(More FAIRVIEW dataflow diagrams)

Backdoor searches

On August 9, 2013, The Guardian disclosed the so-called "backdoor searches". This is a method used by NSA analysts that was approved by the FISA Court in October 2011, so these searches are not illegal like the term "backdoor" suggests.

Apparently these backdoor searches were introduced as a replacement for the bulk collection of domestic internet metadata under the PR/TT program, which NSA terminated by the end of 2011.

These backdoor searches are not about collecting new data by tapping telephone and internet cables or acquiring data from internet companies, but about conducting searches in data that have already been collected.

While in general, NSA is only allowed to collect new data when they are related to foreign targets, these backdoor searches may also involve identifiers (like names, e-mail addresses and phone numbers) of US citizens, hence they are now officially called "U.S. person queries".

Initially, these searches were only allowed for data from PRISM, because Upstream not only collected communications "to" and "from", but also "about" targets, which made it more sensitive than PRISM collection (Upstream appeared to pull in tens of thousands of purely domestic e-mails each year).

In April 2017, NSA halted this "about" collection, after which the FISA Court allowed NSA to also conduct US person queries on data collected through the Upstream program - something that had already happened since at least mid-2013.

Risks and safeguards

NSA analysts retrieving communications of Americans is of course something that reminds of the notorious project MINARET (1967-1973), under which NSA targeted 1.650 US citizens, including civil rights leaders, journalists and even two senators.

After Glenn Greenwald tried, but failed to proof that NSA is still monitoring American citizens in that way, it's now these backdoor searches which are considered the biggest privacy violations under section 702 FAA - the ACLU says that they allow "spying on U.S. residents without a warrant."

Even former NSA director Michael Hayden was aware of the privacy risks of these queries, but the PCLOB report about section 702 explains that NSA has procedures and requirements to limit these US person queries, although they are different for content and for metadata:

- Queries of content are only permitted for US person identifiers that have been pre-approved (i.e. added to a white list) through one of several processes, including other FISA processes. Such approvals are for example granted for US persons for whom there are already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA's Office of General Counsel after showing that using a certain US person identifier would "reasonably likely return foreign intelligence information."

- Queries of metadata may only be conducted in a system that requires analysts to document the basis for their metadata query (a Foreign Intelligence (FI) justification) prior to conducting the query. An oversight report adds that "analysts are not required to check any specific database or seek any internal approvals prior to executing a query against [702 FAA] metadata."

Relevant queries

In general, NSA analysts are required to create queries that are as focussed as possible so they return information that is most useful and relevant for their foreign intelligence mission. According to the PCLOB report, analysts receive "training regarding how to use multiple query terms or other query discriminators (like a date range) to limit the information that is returned in response to their queries of the unminimized data."

In the Section 702 Overview that was published by ODNI on December 20, it is explained that US person queries on metadata are useful as they are often the fastest and most efficient way to check whether and how a certain US person (either suspect or victim) is connected to foreign actors. The overview also provides some remarkably concrete examples:
- Using the name of a US person hostage to cull through communications of the terrorist network that kidnapped her to pinpoint her location and condition;
- Using the e-mail address of a US victim of a cyber-attack to quickly identify the scope of malicious cyber activities and to warn the U.S. person of the actual or pending intrusion;
- Using the name of a government employee that has been approached by foreign spies to detect foreign espionage networks and identify other potential victims;
- Using the name of a government official who will be traveling to identify any threats to the official by terrorists or other foreign adversaries.

Dataflow diagram for Downstream collection under the PRISM program.
Published on June 29, 2013. Click to enlarge.

Numbers of queries

While NSA and the Office of the Director of National Intelligence (ODNI) were apparently not able to provide numbers about the "incidental collection" under section 702 FAA, they do better when it comes to numbers about the backdoor searches.

In a letter to senator Wyden, then DNI Clapper wrote that in 2013, NSA approved 198 US person identifiers for querying the content, and that there had been ca. 9.500 queries on metadata from data collected under the PRISM program, but of the latter ca. 36% were duplicative or recurring queries.

ODNI's annual transparancy report also provides numbers of US person queries. In 2016, there were 5.288 content queries, but this also includes CIA queries and NSA searches of content from Upstream collection, something that was actually unauthorized until April 2017 (see above), but which the agency is now trying to make visible.

The rise of the number of US person queries on metadata is even higher, as it went up from 9.500 in 2013, to 30.355 in 2016. The total presented in the ODNI report is supposed to apply to NSA, CIA and FBI, but actually it only shows the number for NSA, as the CIA isn't yet able to count such queries and the FBI isn't required to do so (see below).

It should be noted that for content, it's the particular identifier that is counted, not the number of times such an identifier is actually used to query the databases. For metadata this is different, as the agencies count each time a certain identifier is queried, which of course results in far higher numbers.

Numbers of US person queries on metadata, 2013-2016. Click to enlarge.

FBI searches

Besides NSA and CIA, the FBI is also allowed to conduct backdoor or US person searches on data that NSA collected under the PRISM program - something that is considered even more problematic, given the risk of parallel construction. The FBI doesn't need individual warrants for these searches either, but its agents should "design their queries in such a way that they will return evidence of a crime."

The FBI stores data from 702 FAA collection in the same repositories as data from its own traditional FISA monitoring and physical searches. This means that these data are searched and queried many times for other than national security purposes too, but the section 702 data can only be viewed by agents or analysts with the proper training and access rights.

Given the fact that the initial collection under section 702 FAA is aimed at foreign targets, it is "extremely unlikely" that this collection contains data that are of interest to FBI agents who are investigating criminal cases. Even as, inevitably, a relatively large amount of unrelated American communications are pulled in, the chance that they are useful for a particular criminal case is just very very small.

Besides that, by far the most FBI searches on section 702 data are for national security investigations, which means about foreign espionage, terrorism and Weapons of Mass Destruction (WMD). It's not clear whether FBI has similar restrictions for content queries as NSA.


On January 11, 2018, the House of Representatives voted to extend section 702 FAA for another six years, which is until the end of 2023.

This means that the US Person or backdoor searches can continue without individualized warrants, except for a "narrow warrant requirement that applies only for searches in some later-stage criminal investigations, a circumstance which the FBI itself has said almost never happens."

The renewal of section 702 also allows the restart of the "about" collection under the Upstream program, which was ended by NSA in April 2017, after being criticized by the FISA Court.

The bill went to the Senate, which voted to invoke so-called cloture on January 16. This means there will be no further debate or amendments - a disappointing end for liberal Democrats and libertarian Republicans who tried to limit the scope of intelligence collection under section 702.

By a vote of 65-34, the Senate passed the bill to renew section 702 FAA on January 18, 2018. The next day, president Trump signed the bill into law.

Links and sources
- Bruce Schneier: After Section 702 Reauthorization
- Politico: Five years after Snowden, security hawks notch landmark win
- Lawfare: FISA Section 702 Reauthorization Resource Page
- Wired.com: Congress is Debating Warrentless Surveillance in the Dark
- New York Times: Warrantless Surveillance Can Continue Even if Law Expires, Officials Say
- Emptywheel.net: The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion
- The Washington Post: In NSA-intercepted data, those not targeted far outnumber the foreigners who are + The Debrief - An occasional series offering a reporter’s insights
- B. Hanssen: Why the NSA’s Incidental Collection under Its Section 702 Upstream Internet Program May Well Be Bulk Collection, Even If The Program Engages In Targeted Surveillance
- NSA Director of Civil Liberties and Privacy Office Report: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702
- Privacy and Civil Liberties Oversight Board: Surveillance Program Operated Persuant to Section 702 FISA

November 27, 2017

Trump's communications equipment outside the White House

(Updated: December 9, 2017)

On the fourth Thursday of November, Americans celebrate Thanksgiving Day and one of the traditions is that the US president addresses members of the military services that are deployed abroad.

President Trump did so for the first time last Thursday, speaking to the five branches of the US military by video teleconference from his residence Mar-a-Lago in Florida.

The press photos released for this occasion offer a clear view of the communications equipment that is used by the president when being outside the White House or travelling.

President Trump addresses the military from Mar-a-Lago, November 23, 2017
(click to enlarge)

Video teleconferencing

The big screen for video teleconferencing (VTC) is the Cisco TelePresence System EX90 with high-definition video screen and camera. The device has been modified for TEMPEST protection by CIS Secure Computing: we can see that the screen has an additional metal encasing with silver labels to prevent and detect tampering. The VTC system includes a smaller touchscreen device which is used to control the video teleconference calls and can be seen right in front of the big screen.

During the videoconference, Trump was connected to members of the military services at oversea bases in Afghanistan, Iraq, Turkey, the USS Monterey at sea, and the US Coast Guard vessel Wrangell in Kuwait. Accordingly, the video screen was divided into six segments, with the President Of The United States (POTUS) himself in the lower middle section, surrounded by a red border. He also has a note that says who's who:

President Trump addresses the military from Mar-a-Lago, November 23, 2017
On the phone displays, the names associated with the direct line buttons were blacked out
(White House Photo/Shealah Craighead - click to enlarge)

Secure telephones

On both sides of the video teleconference screen, there are telephone sets which can be recognized as common Cisco 7975 unified IP phones, which are also modified by the communications security company CIS Secure Computing. Most visible is that instead of the standerd silver bezel or faceplate, these phones have a bright yellow one, which is the color code for the highest classification level: Top Secret/SCI.

This color shows that these phones are part of the highly secure Executive Voice over Secure IP-network, which connects the US president with all major decision makers, like the secretaries of State, Defense and Homeland Security as well as the Director of National Intelligence. The phones themselves have no encryption capability - they are connected to a central network encryptor, probably from General Dynamics' TACLANE familiy.

Also clearly visible is that these Cisco IP phones have a custom molded plastic housing, which provides TEMPEST protection against the leaking of electromagnetic emanations, but also includes two 1 Gigabit SC Fiber ports so the phone can be used in a fiber-optic network. These phones also meet Telephone Security Group (TSG) standards to make sure that they cannot by any means be caused to produce or transmit audio when the handset is on-hook.

The data stream of the video teleconference seems to be routed through the phone on the left, which has no handset and has the red "microphone mute" light on. As can be seen in a high-resolution photo, the VTC screen has an icon that shows that the connection was not encrypted:

Other locations

The same modified Cisco telephone sets can be seen in the photo below, which is from a room in the Lotte New York Palace Hotel, where Trump was staying last September for the UN General Assembly and meetings with leaders from Africa and the Middle East. Additionally, there's a newer Cisco 8841 IP phone, which is modified by Advanced Programs, Inc. (API) to provide on-hook security for the handset and the speakerphone. This phone is for any non-secure calls and is also used in the White House.

President Trump in a phone call with FEMA Director Brock Long regarding
Hurricane Maria's impact on Puerto Rico, September 20, 2017
Note the bulletproof glass plates in front of the windows
(White House Photo/Shealah Craighead - click to enlarge)

When former president Obama was on vacation, the same "yellow" Cisco phones were installed, although without the fiber-optic connections and the TEMPEST-proof encasing:

President Obama talking with his national security advisor Susan Rice following
foreign leader phone calls at Martha's Vineyard, August 11, 2014
(White House Photo - click to enlarge)

When Obama was staying in more hostile environments, these phones for the presidential telephone network were equipped with the additional security features we already saw in the Trump pictures:

President Obama talks on the phone with Russian president Putin while in Riyadh,
Saudi Arabia, with John Kerry and Susan Rice listening in, March 28, 2014
(White House Photo/Pete Souza - click to enlarge)

No Mar-a-Lago SCIF?

For the Thanksgiving photo op, the communications equipment was set up in the large living room of the Mar-a-Lago estate, most likely to provide a grand, if not to say regal decor for the press photos, but it may also indicate the absence of a dedicated secure communications room. At least it seems to show that the White House Communications Agency (WHCA) considers Trump's vacation residence less secure than Obama's.

President Trump addresses the military from Mar-a-Lago, November 23, 2017
(photo: Greg Lovett/The Palm Beach Post - click to enlarge)

Ever since Trump started using Mar-a-Lago regularly as his "Winter White House", there was speculation whether a Sensitive Compartmented Information Facility (SCIF) was created, which means a room that is protected in such a way that classified Sensitive Compartmented Information (SCI) can be stored, processed, viewed and/or discussed without being intercepted from the outside.

In April of this year, the White House press secretary tweeted a photo showing president Trump meeting with his national security staff in a provisionary situation room at Mar-a-Lago, which was apparently intended to look like a SCIF but may actually just have been a temporary set-up. The mysterious devices seen in that photo were discussed here earlier.

Links and sources
- ShallowNation.com: [Video & Transcript] President Donald Trump Thanksgiving Message to the Military via Video Teleconference

October 3, 2017

The hotline between Washington and the former German capital Bonn

Today, it's the German Unity Day or Tag der Deutschen Einheit, which commemorates the anniversary of the reunification of East and West Germany in 1990.

In recent years, Germany's relationship with the United States had some tough times after it was revealed that chancellor Angela Merkel had been on an NSA targeting list, and a 3-year parliamentary inquiry showed a close cooperation between the NSA and the German foreign intelligence agency BND.

One part of the relationship between Germany and the US that was never reported before, is the existance of a hotline between the White House and the office of the German chancellor. Described for the first time is also the telephone equipment that was used for this kind of top level communications links.



The hotline (German: heißer Draht) between Washington and Bonn was established on Marz 16, 1962, after German chancellor Konrad Adenauer had met US president John Kennedy in Washington in November 1961. Apparently it was Kennedy who came up with the idea, maybe inspired by the secure telephone line with the British prime minister that already existed since World War II. The famous hotline between Washington and Moscow was established more than a year later, in August 1963.

In October 1966, the newspaper General Anzeiger reported that besides their initial call, Kennedy and Adenauer never used the hotline, and that at the American embassy, no one was aware of this telephone link.

This had led to the strange situation that on September 27, 1966, chancellor Ludwig Erhard and US president Lyndon Johnson, unaware of the hotline established under Kennedy, also agreed to set up a direct telephone line between the White House and Palais Schaumburg, which was the German chancellor's office (Kanzleramt) from 1949 till 1976.

After the press had reported about this agreement, Adenauer said that such a hotline already existed: he had used it for four years and had calls with Kennedy quite frequently. Multiple government spokesmen then claimed that the former chancellor was wrong, until an eye-witness was found who finally confirmed what Adenauer had said.

It's not clear how often Erhard and Johnson used the hotline: one source says they used it several times, another one that it was never used, neither by Johnson and Erhard, nor by Johnson and Kurt Georg Kiesinger, who succeeded Erhard in December 1966.* Under Adenauer and Erhard, the hotline consisted of a normal telephone line without encryption.

Secure teletype

In March 1969, US president Nixon offered chancellor Kiesinger to set up a secure teletype link between the White House and Palais Schaumburg. Were they again unaware of the earlier hotline, or was an encrypted link considered more secure? In those days it was much easier to encrypt teletype messages than a telephone channel.

We don't know whether this secure link was actually established and what equipment was used, but if so, it probably consisted of the same devices used for the hotline between Washington and Moscow: a standard teleprinter made by Teletype Corp. with the encryption being performed by an Electronic Teleprinter Cryptographic Regenerative Repeater Mixer II (ETCRRM II, see photo).

The ETCRRM II used the Vernam stream cipher, in which the plain text message is mixed with a random stream of data of the same length to generate the ciphertext. If used correctly, this method has been proved to be unbreakable.

There are no reports or other sources that mention the hotline between Bonn and Washington after 1969. But a close look at some photos of the chancellor's office show dedicated American telephone sets that enable a direct and secure communications link with the White House.

STU-I telephone

The secure teletype hotline was replaced by a secure telephone link, probably by the end of the 1970s, after the German chancellor had moved his office to the newly built Federal Chancellery in 1976. This modern, dark brown office building with lots of glass is located near the Rhine, right next to Palais Schaumburg.

Office of chancellor Helmut Kohl in the Kanzleramt building in Bonn, 1985
(photo: Archiv Friedrich/Interfoto - click to enlarge)

On the shelf beneath the painting on the right side of the wall we see two telephone sets: at the left a common gray phone without rotary dial, which was probably part of a dedicated telephone network for government (Bonner Behördennetz?) or military communications. On the right there's a standard American telephone set with some additional buttons, which can be recognized as the STU-I secure telephone:

The STU-I was developed by the NSA and introduced in 1977. It was the first secure telephone system that used a central Key Distribution Center (KDC), as well as Linear Predictive Coding (LPC) for better speech quality. Encryption was conducted through the (classified) SAVILLE algorithm, which was developed in the late 1960s by GCHQ in cooperation with NSA for cryptographic devices used by NATO and NATO countries.

It was intended that STU-I would be as compact as possible, but in the end it became a system that consisted of two units: a converted Western Electric telephone set as voice and control terminal, and the actual encryption unit which still had the size of a small refrigerator. Therefore it was often placed in an adjacent room, with a thick gray cable leading to the voice terminal. The price of one STU-I system was 35.000,- US Dollar.

STU-I voice and control terminal
(photo: Cryptomuseum.com)

In the US, the STU-I system was replaced by the STU-II and in 1987, NSA introduced the STU-III. This one-piece secure telephone became very successful and widely used throughout the US government and military. For use by NATO forces and governments of friendly nations there was a modified version designated STU-II/B.

It seems that for the hotline with Bonn though, the old STU-I was kept operational, as its voice terminal can still be recognized in this picture of Helmut Kohl's office in 1991:

Office of chancellor Helmut Kohl in the Kanzleramt building in Bonn, 1991
(photo: picture alliance/Ulrich Baumg - click to enlarge)

IST telephone

Eventually, the hotline between Bonn and Washington did get an upgrade, and the STU-I was replaced by the Integrated Services Telephone (IST). Unlike the STU phones, which are able to encrypt the voice audio themselves, the IST has no encryption capability. Instead, it is connected to a central switch, which separates secure and non-secure traffic, after which the secure traffic is encrypted in bulk by a network encryptor.

On the far right of this photo of the chancellor's office, we can recognize an IST telephone on almost the same spot as where the STU-I phone set was:

Guided tour in the chancellor's office in the Kanzleramt building in Bonn, 1999
(photo: Wikimedia Commons/Ziko-C - click to enlarge)

The phone we see here is about half the size of the standard IST: instead of the 40 direct line buttons, there are just 6, replacing some of the special function buttons above the AUTOVON keypad with the four red keys for the Multilevel Precedence and Preemption (MLPP) function:

The IST was designed by Electrospace Systems Inc. (ESI) and manufactured by Raytheon as a dedicated device for the Defense Red Switch Network (DRSN) - hence it was called a "red phone". The DRSN is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

The small version of the IST is rarely seen, but it was in the collection of the JKL Museum of Telephony in Mountain Ranch, California, which unfortunately was completely destroyed by a wildfire two years ago:

The small version of the IST displayed
in the JKL Museum of Telephony

It is interesting to see that a secure telephone system that was developed for the internal communications of the United States military was also used for links to foreign government leaders. For this purpose the small IST phone was only seen at the German Chancellery, as well as in the office of British prime minister Tony Blair in 2003 - just like there was also an STU-I in the office of Margaret Thatcher in 1987.

Besides the hotline with Washington, there was a direct facsimile communications link between Bonn and Moscow, which was established in 1989.* The Soviet Union also had a hotline with Erich Honecker as leader of the former East-German Republic (DDR) and during a short period before East and West Germany were united in 1991, there was a hotline between Honecker and Helmut Kohl.*



On October 3, 1990, East and West Germany were reunited and it was decided to make Berlin the capital again. After being elected chancellor late 1998, Gerhard Schröder moved to Berlin in 1999 and occupied the brand new Chancellery building in May 2001. With over 300 office rooms, this is said to be the largest government headquarters building in the world.

There are several pictures available of the chancellor's office in the Berlin Kanzleramt building, but no one in which equipment for the hotline can be recognized. If this telephone link is still operational, it will be part of the "Head of State network", which is used by the US president to communicate with foreign leaders and was upgraded to an IP-network by the White House Communications Agency (WHCA) in 2009.

Angela Merkel in her office in the new Chancellery building in Berlin, 2016
On her desk there are two regular high-end office phones,
apparently one for secure and one for non-secure calls
(photo: Reuters - click to enlarge)

In October 2013 it was revealed that NSA had tried to eavesdrop on chancellor Merkel's non-secure cell phone. This target was set in 2002, when Merkel was CDU party leader and because then Bundeskanzler Gerhard Schröder refused to join the US in the war against Iraq, the US government was probably interested in knowing the position of his main political opponent.

Although Merkel was an obvious espionage target, the fact that the Americans did so too made her angry: "Spying among friends - that simply isn’t done." She expressed this to president Obama in a phone call on October 23, 2013 and already on July 3, she had talked to him about the Snowden-revelations about Germany. It's not known whether these calls were made using the hotline of the Heads of State network.

This would have been rather ironic, but also typical for the world of espionage and signals intelligence, that on one hand, NSA tried to eavesdrop on chancellor Merkels cell phone, while on the other hand, the US provided highly encrypted equipment for the hotline between both countries.

Links and sources
- Der Westen: Diplomatie am Telefon - Der kurze Draht der Mächtigen
- Telefon Forum: Helmut Kohls Telefone