July 14, 2018

Collection of domestic phone records under the USA FREEDOM Act

(Updated: July 15, 2018)

One of the most controversial NSA programs revealed by Edward Snowden was the bulk collection of domestic telephone records under the authority of Section 215 of the USA PATRIOT Act. A detailed analysis of the workings of this program was published on this weblog earlier.

In 2015, Section 215 was replaced by the USA FREEDOM Act, which prohibited the collection in bulk and provided more safeguards. The NSA became much more transparent about this program, which gives the opportunity for the following explanation of how the domestic phone records program currently works.

NSA is also more transparent about things going wrong: last month it revealed that it had to delete all the telephone records collected since 2015 due to technical irregularities.



Screenshot from 60 Minutes from December 15, 2013, showing an NSA contact chaining tool
used for the telephone records collected under Section 215.



Collection under Section 215 USA PATRIOT Act


The NSA started its bulk collection of domestic telephone metadata as part of the President's Surveillance Program (PSP), which president George W. Bush authorized in secret right after the 9/11 attacks. Its purpose was not to spy on random Americans, but to find connections between foreign terrorists and conspirators inside the US.

In May 2006, this bulk collection was brought from the president's authority under that of the FISA Court, based upon a very extensive interpretation of Section 215 of the USA PATRIOT Act. Internally, NSA refers to this kind of collection as BR FISA, with BR for Business Records.


Under Section 215, NSA collected domestic phone records from the three biggest American telecommunication companies: AT&T, Verizon and Sprint. According to government officials, the data provided by these companies consisted mostly of landline phone records, which meant that NSA actually got less than 30% of the total amount of US telephone metadata.

However, as of August 29, 2011, AT&T started to provide cell phone metadata too: ca. 1,1 billion records a day, which would make over 30 billion records each month. Before these records were handed over to NSA, AT&T stripped off the location data, to comply with the FISA Court orders that don't allow the collection of location data. Verizon was apparently not able or not willing to strip the location metadata, so their cell phone records could not be acquired by NSA.

To put these numbers in perspective: with a wireless communications market share of 32% for AT&T, the total number of cell phone metadata records for the US would equal roughly 94 billion a month. During the first half of 2012, the NSA's total collection of foreign telephone metadata was 135 billion records a month. In January 2013, mobile phone calls in the Netherlands generated some 7.65 billion records a month.


At NSA, the domestic phone records were forwarded to MAINWAY, which is a centralized system for "contact chaining to identify targets of interest." MAINWAY not only contains domestic telephone metadata, but also foreign telephone and internet metadata, collected both inside and outside the US. Putting both foreign and domestic metadata in one system allows finding as many connections as possible.

See for more:
- How NSA contact chaining combines domestic and foreign phone records
- Section 215 bulk telephone records and the MAINWAY database




Collection under the USA FREEDOM Act


Because the bulk collection under Section 215 was often regarded as unconstitutional, the program was terminated as of November 2015 and replaced by the USA FREEDOM Act (USAFA), which was incorporated in Title V of the Foreign Intelligence Surveillance Act (FISA). Under this new authority, bulk collection of domestic phone records is not allowed anymore.

Instead, NSA can request only those records that contain phone numbers that have been in contact with an approved "seed" number. This means that all the American telecoms now have to hand over the matching results from both landline and cellphone calls, so it's a much larger pool compared to the situation under Section 215.


How this current domestic phone records program works is explained in remarkable detail in the transparency report of the NSA Civil Liberties and Privacy Office (CLPO) from January 2016, as well as in the Annual Statistical Transparency Report from the Office of the Director of National Intelligence (ODNI).

The statistical report for 2017 was published last April and also contains a lot of information about traditional FISA and Section 702 FAA (PRISM and Upstream) collection.



Overview of NSA's collection of domestic phone records under the USA FREEDOM Act
(source: NSA Transparency Report)


Seed numbers

The process starts with selecting specific targets and the phone numbers ("selectors") they use. Through the FBI and the Department of Justice, these selectors are submitted to the FISA Court (FISC), which determines whether there's a Reasonable, Articulable Suspicion (RAS) that these numbers are associated with foreign intelligence agents or people engaged in international terrorism. Under Section 215, the RAS was determined by one of 22 designated NSA officials.

After the FISC has approved these numbers, it issues individual orders approving the submission of these specific selectors to the telecommunications providers, and directing those providers to hand over the associated metadata to the proper government agency. According to the ODNI statistical report for 2017, the FISC issued orders for 42 targets in 2016 and for 40 targets last year.

The report doesn't mention the total number of selectors used by these targets. It's these selectors, phone numbers and maybe similar identifiers, that NSA uses as a "seed" to start creating a so-called contact chain. For earlier years, the total numbers of seed selectors were as follows (it's not known how many of these belonged to Americans):

- 2012: 288
- 2013: 423
- 2014: 161
- 2015: 56


Business records

At NSA, the RAS-approved selectors are entered into what is publicly called the "Enterprise Architecture", but which actually must be the MAINWAY contact chaining system. This returns any selectors from NSA's existing metadata collection that have been in direct contact with the RAS-approved seed selector.

Both the RAS-approved seed selectors and the connected ones from NSA's existing collection are then submitted to the telecommunications providers. They will query their databases of business records for those that contain any of the submitted phone numbers. The results are returned to the NSA, which lets them pass various validation steps, applies data tags and forwards them to the MAINWAY system.

Because a FISC order is valid for up to 180 days, the selectors can be submitted multiple times during that period in order to capture any new matching records. These business records, or Call Detail Records (CDRs), are defined as "session identifying information" and include:
- Originating telephone number
- Terminating telephone number
- International Mobile Subscriber Identity (IMSI) number
- International Mobile Station Equipment Identity (IMEI) number
- Telephone calling card number
- Time and duration of a call
NSA is not allowed to receive the content of any communication, the name, address, or financial information of a subscriber or customer, or the cell site location or Global Positioning System (GPS) coordinates.
 

Contact chaining

The ODNI statistical transparency report from April has a nice graphic that shows how to count the number of business records that the telecoms provide to the NSA:



Example of contact chaining of telephone metadata under the USA FREEDOM Act
(source: ODNI Transparency Report)


We see that the RAS-approved seed phone (number) can be in direct contact with a certain number of other phones, which is called the "first hop". Additionally, the providers also have to look for the phones that have been in contact with those first hop phones. This step is called the "second hop". A third hop is prohibited by law, but NSA analysts also determined that a third step is not analytically useful.

This way of contact chaining by linking phone numbers that have been in contact with each other may already be familiar from the reporting about the Section 215 program.

But the graphic also shows something that was rarely made clear: the business records collected by NSA are not just the phone numbers. Two phone numbers that have been in contact with each other will usually have done so more than once (except for so-called "burner phones" that are intentionally used for one call only).

So for each pair of phone numbers, there can be a lot of records, at least one record generated per phone call or text message, both for the person calling and the person called. The example in the graphic shows 7 phones that produce 6000 call detail records (CDRs) during a certain period of time. This is something to keep in mind when it comes to the huge numbers of metadata collected by NSA.


Number of records

The ODNI transparency report also provides the real numbers of telephone records collected by NSA under the authority of the USA FREEDOM Act. Although NSA is required by law to provide the annual number of "unique identifiers", the agency doesn't have the technical ability to isolate these unique identifiers within records received from the providers. This means that every single record is counted, even if the same record is received multiple times from one or multiple providers.

The report also explicitly says that the results of contact chaining will likely include both foreign and domestic phone numbers: "while the records are received from domestic communications service providers, the records received are for domestic and foreign numbers." Also, the targeted seed number could be a foreign number, which in the first hop could have called a foreign number, that in its turn could have called another foreign number in the second hop.


With that in mind, the report says that in 2016, the telecommunications providers handed over 151.230.968 phone records to NSA. In 2017 they did so for 534.396.285 records, which is not only a dramatic increase compared to the previous year, but also a probably unexpectedly high number for the just 40 targets approved by the FISA Court.

However, if each of these 40 targets called 50 numbers, and those numbers were also in contact with 50 numbers, we get some 100.000 phone numbers. Let's assume each pair of numbers was involved in 500 calls (or text messages), we already have 50.000.000 records. And this is still without duplicate records, like from multiple providers or recurring requests.


The large increase compared to 2016 may have been caused by a variety of factors, according to Alex Joel, ODNI's chief civil liberties officer: changes in the amount of historical data companies are choosing to keep; the number of phone accounts used by each target and changes to how the telecommunications industry creates records based on constantly shifting technology and practices.


Retention

These domestic call detail records may not be stored for more than 5 years after they were initially delivered to NSA. In addition, the minimization procedures require NSA to destroy promptly any records that are determined not to contain foreign intelligence information. Phone records that have been "the basis of a properly approved dissemination of foreign intelligence information" may be retained by NSA indefinitely.

After these records have been received and stored, they may also be queried, including using search terms associated with US persons. In 2016, NSA used ca. 22.360 search terms for such queries, while in 2017 that number had risen to 31.196.


Deletion

Recently, it turned out that the practical implementation of the collection of domestic phone records under the USA FREEDOM Act is apparently not that easy: in a remarkable public statement from June 28, 2018, NSA revealed that several months earlier, "analysts noted technical irregularities in some data received from telecommunications service providers."

These irregularities occurred in a number of Call Detail Records (CDRs), which meant that NSA was not legally authorized to receive them in that form. It appeared infeasible to identify and isolate the properly produced data, so NSA concluded that it should not use any of these records.


Subsequently, the agency began deleting all the phone records they had acquired since 2015. According to the statement, NSA meanwhile addressed the root cause of the problem for future CDR acquisitions. Civil liberties blogger emptywheel suggests that the records may have contained content or location data, but NSA spokesman Chris Augustine said that the problem did not result in any collection of location records from cellphone towers.

According to the NSA's general counsel, Glenn S. Gerstell, the irregularities were caused by one or more providers who sent NSA data sets that also included some numbers of people the targets had not been in contact with. When the agency then fed those phone numbers back to the telecoms to get the "second hop" records, NSA acquired metadata of people with no connection to the approved targets.
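
An added illustration, not part of the original post and not taken from NSA or ODNI material: two-hop contact chaining over a few constructed call detail records, showing why the number of counted records exceeds the number of distinct calls, and how a single over-produced record spreads into the second hop unless each production is checked against the submitted selectors. The record layout, phone numbers, provider names and function names are assumptions made for the example.

```python
from collections import namedtuple

# One call detail record: session-identifying fields only (no content, no location).
CDR = namedtuple("CDR", "provider origin dest start duration")

def matches(rec, selectors):
    """True if the record contains one of the submitted selectors."""
    return rec.origin in selectors or rec.dest in selectors

def provider_query(db, selectors, overproduce=()):
    """Provider side: return records containing a submitted selector.
    `overproduce` models the fault: extra records that match no selector."""
    return [r for r in db if matches(r, selectors)] + list(overproduce)

def validate(production, selectors):
    """Receiver side: split a production into in-scope and out-of-scope records."""
    kept = [r for r in production if matches(r, selectors)]
    rejected = [r for r in production if not matches(r, selectors)]
    return kept, rejected

def numbers_in(records):
    """All phone numbers that appear in a list of records."""
    return {n for r in records for n in (r.origin, r.dest)}

def chain(dbs, seed, stray=None, check=True):
    """Two-hop chaining from one seed; no third hop is ever requested.
    `stray` maps a provider name to records it wrongly adds to its hop-1 answer.
    With check=False every number in a production is treated as a contact."""
    stray = stray or {}
    seeds = {seed}
    hop1, rejected = [], []
    for name, db in dbs.items():
        production = provider_query(db, seeds, stray.get(name, ()))
        if check:
            production, bad = validate(production, seeds)
            rejected += bad
        hop1 += production
    first_hop = numbers_in(hop1) - seeds

    # The first-hop numbers are fed back to every provider for the second hop.
    hop2 = []
    for db in dbs.values():
        hop2 += provider_query(db, first_hop)
    second_hop = numbers_in(hop2) - first_hop - seeds

    received = hop1 + hop2
    return {
        "first_hop": first_hop,
        "second_hop": second_hop,
        # Every delivered record is counted, duplicates included.
        "records_counted": len(received),
        # The same call seen by two providers, or delivered in both hops, counts once here.
        "distinct_calls": len({(r.origin, r.dest, r.start) for r in received}),
        "rejected": len(rejected),
    }

# Constructed sample data: fictional numbers, two fictional providers.
SEED, A, B, C, D = "555-0100", "555-0101", "555-0102", "555-0103", "555-0104"
X, Y, Z = "555-0190", "555-0191", "555-0192"   # no contact with the seed at all
DBS = {
    "P1": [CDR("P1", SEED, A, 1, 60), CDR("P1", SEED, A, 2, 30),
           CDR("P1", A, C, 3, 45), CDR("P1", X, Y, 4, 10), CDR("P1", Y, Z, 5, 20)],
    "P2": [CDR("P2", SEED, A, 1, 60),            # same call as P1's first record
           CDR("P2", B, SEED, 6, 15), CDR("P2", B, D, 7, 90),
           CDR("P2", X, Y, 4, 10)],
}
# P2 wrongly includes a record between two unrelated numbers in its hop-1 answer.
STRAY = {"P2": [CDR("P2", X, Y, 4, 10)]}

if __name__ == "__main__":
    for label, check in (("with validation", True), ("without validation", False)):
        result = chain(DBS, SEED, stray=STRAY, check=check)
        print(label, {k: (sorted(v) if isinstance(v, set) else v)
                      for k, v in result.items()})
```
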


Senator Ron Wyden, a longtime NSA critic who for years tried to get the Section 215 program disclosed, now blamed the providers instead of NSA for the technical problems: "Telecom companies hold vast amounts of private data on Americans," Wyden said. "This incident shows these companies acted with unacceptable carelessness, and failed to comply with the law when they shared customers’ sensitive data with the government."

Former assistant attorney general for national security David Kris said that these "errors illustrated how new problems can sometimes crop up when the government makes systems more complex in an effort to better balance security and privacy."


Speculations

In the public statement it is said that the massive metadata deletion follows from the NSA's "core values of respect for the law, accountability, integrity, and transparency" but outsiders speculated about other motives: were these records destroyed before the Trump administration could misuse them? President Trump also tweeted about this issue and saw it as part of the "Witch Hunt" against him:


David Kris, former assistant attorney general for national security, replied to Trump that "This NSA program is only for international terrorism, not spying or clandestine intelligence activity, so unless your collusion included terrorism, it should be no problem for you personally!"



Links and sources
- TheMarketsWork.com: A Strange & Unsettling Day (2018)
- NYTimes.com: N.S.A. Purges Hundreds of Millions of Call and Text Records (2018)
- Emptywheel.net: AT&T Pulled Cell Location for its "Mobility Cell Data" (2015)
- HuffingtonPost.com: The NSA’s Telephone Metadata Program Is Unconstitutional (2014)

February 14, 2018

The hotlines between North and South Korea

(Updated: April 22, 2018)

The current 2018 Winter Olympics, held in PyeongChang, South Korea, led to a charm offensive by neighbouring North Korea, which included the reopening of a border hotline with the South, that had been closed for almost two years.

The reopening came with new photos of the fancy-looking communications equipment, which will be described here, as well as the fact that there's not just one phone line, but over 40. Unlike other hotlines, the ones between North and South Korea are mostly used for low-level practical issues.




A South Korean liaison officer speaks with his North Korean counterpart over the
inter-Korean communications channel at Panmunjom, January 3, 2018
(photo: Unification Ministry)


The Red Cross hotline

The first hotline between North and South Korea became operational on September 22, 1971. The link was the result of the first inter-Korean Red Cross meeting held on September 20, which resulted in an agreement to establish two lines for direct telephone calls between the two countries.

It was also agreed to construct a liaison office inside the Joint Security Area (JSA) of Panmunjom, which is in the heavily-fortified Demilitarized Zone (DMZ). The direct telephone link between the liaison offices is therefore often called the Red Cross or border hotline.


Equipment of the hotline

On the South Korean side, the hotline equipment is located in the communication office on the second floor of the Freedom House, which was built in 1998. On the North side, the line ends at a desk in the Panmungak building, which is less than 100 meters (328 feet) away. In the Panmunjom area, the hotlines connect the inter-Liaison Office, the inter-Korean Red Cross Talks Liaison Office and the Front Office of the inter-Korean Talks Headquarters.

The current equipment, which is seen in the most recent photos, was installed in 2009 and consists of a large, wood-panelled console on a desk. On top is a sign that says "South-North Direct Telephone". The system features two disk drives, two sets of USB ports and one computer screen, which shows the Windows XP user interface. It's not clear what the function of the screen is, as there's no keyboard visible.



Equipment of the Red Cross or border hotline on the South Korean side
(photo: YTN News)


Update: As noted on Twitter, the computer screen appears to show the user interface of a VoIP softphone client, maybe an ancient version of X-Lite, but that hasn't been confirmed yet. Probably this setup made it easier to have the calls recorded, for example by using the CD-stations.


The most important parts, however, are the two telephone handsets, one red and one green. The red one is for incoming calls from North Korea, while the South uses the green handset to make outgoing calls to the North. Both phone sets are capable of sending and receiving, however; two of them were installed just in case one fails.

Since 2015, the console has two digital clocks on top, as in that year North Korea shifted to UTC+08:30 or Pyongyang Time (PYT), while South Korea stayed in the UTC+09:00 or Korea Standard Time (KST) zone. In the photo below, the green clock shows 3:34 for South Korea and the orange/red one 3:04 for North Korea.

At the left of the hotline console there's a Samsung SF 530 fax machine through which North Korea sometimes sends messages about topics that range from logistics to threats.




Operation of the hotline

The hotline phones at the Inter-Korean Red Cross Liaison Office and the Inter-Korean Liaison Office on the South side are operated by officials from the Unification Ministry. They are experts in diplomatic protocol and have in the past played roles in face-to-face talks as well.

To resolve the problem of who calls first, it was decided that the South calls the North on odd dates, while on even dates it's the other way around. The daily routine for weekdays is that communication officials make a phone call every day at 9:00 AM and again at 4:00 PM. No routine calls are made on Monday morning, Saturdays and Sundays and on bilateral holidays, except for when there are special requests.

The government can order the hotline to be used for the exchange of official messages, which come in the form of a 'telephone notice': a liaison officer calls the other side and reads a document carrying a proposal or an official position on a proposal of the other side. All this is very similar to how the hotline between Washington and Moscow is operated, although that one is just for written communications.

Finally, when a document with official seals has to be delivered to either North or South Korea, a call is made to arrange a face-to-face meeting at a certain time on the demarcation line.


Earlier hotline equipment

The earlier equipment that was used on the hotline of the inter-Korean Liaison Office can be seen in a series of photos published on the occasion of its reopening on August 14, 2000, after having been closed since November 1996:



South Korean minister of Unification, Park Jae-kyu using the hotline, August 14, 2000
(photo: The Korea Times)



The South Korean minister of Unification using the hotline, August 14, 2000
(photo: eHistory)


This earlier hotline device, the size of a small refrigerator, has two telephone handsets, one in yellow and one in some kind of light green. In the upper section there's a tape recorder for each of the phone lines. It seems that after the new equipment was installed in 2009, the old device was kept as a remembrance, covered by a blue cloth with a golden fringe:



The old (left) and the new (right) hotline equipment
(photo: Unification News)



More hotlines between the Koreas

After the Red Cross border hotline at Panmunjom was established, more lines would follow. On April 29, 1972, a direct line between Seoul and Pyongyang was secretly set up to prepare the visit of high-ranking officials to Pyongyang. Following this visit, the director of the CIA contacted North Korean president Kim Il-sung and they agreed upon a direct telephone line for the Inter-Korean Control Committee.

There are no reports about a phone line that connects the presidents of North and South Korea, like for example the famous Washington-Moscow Hotline, or the hotlines between the American president and several other heads of government. (See Update!)




The Joint Security Area (JSA) between North and South Korea, with the
North Korean Panmungak building, seen from the South
(photo: iStock)


33 hotlines through Panmunjom

More lines were established throughout the 1990s and 2000s and since December 2010 there are 33 direct phone lines which connect North and South Korea through Panmunjom. Five of them are intended for daily communications, 21 for negotiations between the two countries, two for handling air traffic, two for sea transport and three for economic co-operation:

- 2 lines in Panmunjom for the Red Cross, since September 22, 1971.

- 1 line between Seoul and Pyongyang to prepare a high-level visit, since April 29, 1972.

- 20 lines between Seoul and Pyongyang for inter-Korean Red Cross talks, including 2 lines for the Central Red Cross Organisation, since August 18, 1972.

- 1 line between Seoul and Pyongyang for economic talks, since December 20, 1984.

- 2 lines between the newly established inter-Korean Liaison Office in the Panmunjom Freedom House and the Panmungak building for inter-agency business talks, since May 18, 1992.

- 2 lines between Daegu (since September 18, 2001: Incheon) and Pyongyang for air traffic control, since November 19, 1997.

- 2 lines between Seoul and Pyongyang for the inter-Korean Maritime Authority, since August 12, 2005.

- 3 lines between Seoul and the Kaesong Industrial Complex for the inter-Korean Economic Cooperation Consultation Office, since November 1, 2005.

Several of these direct phone lines through Panmunjom have lost their original function, such as the one for economic talks, but these lines are now for example used as a fax line for communications between the North and South Korean Red Cross Liaison Office, which was opened on April 11, 2004.


The Joint Security Area (JSA) between North and South Korea, with
the new South Korean Freedom House, seen from the North
(photo: jaytindall.asia)


15 hotlines outside Panmunjom

There are also 15 inter-Korean direct telephone lines which, due to geographical reasons, are not connected to Panmunjom:

- 3 lines between military authorities for the Donghae Bukbu Line, since December 5, 2003 (ultimately terminated in October 2010)

- 6 lines between military authorities for the Gyeongui Line, since August 15, 2005.

- 6 lines between Dorasan Station in the South and Panmun Station in the North for the inter-Korean railroad, since May 14, 2007.


Military hotlines

Besides the aforementioned telephone lines, there are also several military hotlines. In accordance with bilateral agreements, a West Sea communications link was established in September 2002 and an East Sea link in December 2003, each consisting of a phone line, a reserve phone line and a fax line (these lines may well be identical with those for the Gyeongui and the Donghae Bukbu railroads respectively).

Another military hotline was agreed upon in June 2004, in a step towards easing tensions and avoiding accidental clashes. On the internet there are at least two photos that apparently show military hotlines between North and South Korea. We see ordinary military field telephones, which don't seem to have encryption capability, but it's possible that they are connected to separate encryption units:



South Korean Lieutenant Choi Don-Rim (left) communicates with a North Korean officer
at a military office near the Demilitarized Zone (DMZ) in 2005.
(photo: AFP)



A South Korean military official communicates with his North Korean
counterpart through a military hotline, September 6, 2013.
(photo: Yonhap)



Interruptions of the hotlines

Since the establishment of the first hotline in 1971, the direct communication links between North and South Korea were interrupted seven times, each time by North Korea:

1976:
On August 30, shortly after the Panmunjom ax attack, the hotline was shut down by the North. It was resumed on February 7, 1980 following a first working-level agreement to discuss the inter-Korean prime ministerial talks.

1980:
North Korea unilaterally declared to cease contact on September 24. The hotline was reopened again on September 29, following an agreement with the North Korean Red Cross for consultation on North Korean flood assistance.

1996:
The direct phone lines were aborted immediately after a North Korean submarine ran aground near Gangneung in the South in an attempted infiltration mission. Communications resumed on August 14, 2000 following the first agreement on inter-Korean ministerial talks.

2008:
North Korea declared the hotline "disconnected" after Seoul proposed a resolution about human rights in North Korea during the General Assembly of the United Nations in November. Communications resumed on August 25, 2009 with the visit of President Kim Dae-jung's special envoy to Seoul and inter-Korean Red Cross talks.

2010:
After the Cheonan incident, North Korea shut down all communications channels with the South on May 26. The air control phone line was re-established on October 18, 2010, while the lines at the inter-Korean Red Cross liaison office were reconnected on January 12, 2011.

2013:
On March 11, North Korea stopped responding to calls on the Red Cross hotlines and also shut down the communication line with the American military command in South Korea, as well as the military telephone and fax lines used to coordinate cross-border travel to the joint industrial park in Kaesong. The North connected the Red Cross hotline again on June 7. A hotline used by military officials regarding travels to Kaesong was restored on September 6, 2013.

2016:
In February, Pyongyang stopped responding to South Korea's calls in the Panmunjom office after Seoul suspended a joint economic project at the Kaesong Industrial Complex over Pyongyang's nuclear tests. The military West Sea hotline was also closed, just like all other hotlines through Panmunjom, except for the two air traffic control lines.


Most recent reopening

On January 3, 2018, North Korean leader Kim Jong Un gave the order to reopen the Panmunjom border hotline at 3:00 PM local time. According to South Korea's Unification Ministry, the North Koreans made first contact at exactly the time ordered.

Both sides were on the phone from 3:30 PM to 3:50 PM local time and during this initial 20-minute conversation, the two nations "checked technical issues of the communication line," according to a statement from South Korea's Unification Ministry.

The Ministry said North Korea phoned for a second time several hours later, suggesting the two sides wrap up business for the day. Other than checking that the link was operational, it is unclear what was discussed. According to a ministry spokeswoman there was no mention of future talks or the Olympics.

 
Update

A top-level telephone hotline between the presidents of North and South Korea was established on April 20, 2018, in preparation for a summit between both leaders later that month in the border town of Panmunjom. Before this meeting, both presidents are expected to have a talk over the phone, but no date has been set for the call.

According to the Yonhap news agency, the new hotline connects the desk of South Korean president Moon Jae-in at the presidential Blue House with North Korea's State Affairs Commission, which is headed by Kim Jong-un. South Korean officials were the first to pick up the phone, then took a return call from their North Korean counterparts to make sure the line was working in both directions.



A South Korean official talks on a phone for testing the new hotline
at the presidential Blue House in Seoul, April 20, 2018
(photo: Yonhap)



A telephone set that is used for the hotline between
the presidents of North and South Korea
(photo: AFP)


Links and sources
- Reuters: Unique 'hotline' sets stage for new North and South Korea talks (2018)
- Korea Exposé: Call Me Maybe: How N. and S. Korea Actually Communicate (2017)
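- Huffington Post Korea: A brief history of the opening and suspension of the inter-Korean direct telephone lines (2014)
- Ministry of Unification: Knowledge Dictionary of Inter-Korean Relations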

December 31, 2017

Section 702 FAA expires: what are the problems with PRISM and Upstream?

(UPDATED: January 20, 2018)

Two important NSA programs, PRISM and Upstream, are based upon section 702 of the FISA Amendments Act (FAA), a law that was originally scheduled to expire today. Now the US Congress has to decide whether to continue or to reform this crucial legal authority.

Although PRISM became almost synonymous with NSA's alleged mass surveillance, it's actually, just like the Upstream program, targeted collection aimed at specific foreign targets. Still, many people think that these programs pull in far too much data (incidental collection), which is subsequently queried in an illegal way (backdoor searches).

Here we'll show some of the complexities of these two collection programs and that there are various internal procedures and methods in order to keep collection and analysis as focussed as possible.



Slide from the PRISM presentation that for the first time revealed PRISM
and Upstream as part of section 702 FAA collection.


Until recently, US lawmakers were too involved with president Trump's tax reform to devote enough attention to section 702 FAA. Therefore, on December 21, Congress extended the authority of this law through January 19, 2018. Lawyers from the Trump administration even concluded that the intelligence agencies can lawfully continue to operate under the FAA through late April (because the current FISA Court certification for the program actually expires late April 2018).

This leaves Congress some extra months to either reform or strengthen this important authority. There are several proposals, spanning from making the existing law permanent without changes, to imposing significant new limits to safeguard the privacy rights of Americans.

Meanwhile, the Office of the Director of National Intelligence (ODNI) came out with additional information about data collection under section 702 FAA, and published for example a Section 702 Overview, which includes some nice infographics:



Diagram from ODNI about section 702 FAA collection.


702 FAA collection

The Snowden revelations have shown that under the legal authority of section 702 FAA, NSA conducts two types of data collection:

- Upstream collection, for both internet and telephone communications, which are filtered out based upon specific selectors at major telephone and internet backbone switches. This takes place under the collection programs FAIRVIEW and STORMBREW.

- Downstream collection, only for internet (including internet telephony) communications, based upon specific selectors, which are acquired from at least 9 major American internet companies. This takes place under the collection program PRISM.

The Upstream and Downstream programs are different from each other in many ways, but the thing they have in common is that collection takes place inside the United States, while being aimed at foreign targets, although just one end of their communications has to be foreign. This means these programs also pull in communications between targeted foreigners and Americans - which is one of the main purposes of these programs: finding connections between terrorists inside and outside the US.



Slide showing the main differences between PRISM and Upstream
Published on October 22, 2013.


Upstream filtering

Although Upstream collection is based upon specific selectors, the American Civil Liberties Union (ACLU) presents it as "bulk surveillance", because in their opinion, the automated filtering actually means that NSA is "searching the contents of essentially everyone’s communications." Therefore they call these searches extraordinarily far-reaching and unprecedented and unlawful.

The Electronic Frontier Foundation (EFF) has a similar position and says that splitting internet cables is "unconstitutional seizure", while the subsequent search for selectors is an "unconstitutional search."

These judgements seem based upon comparing digital filtering with intercepting letters or telegrams (like what happened under project SHAMROCK from 1945-1975), but this ignores the differences with computer technology: NSA does copy entire data streams, but at virtually the same moment the filter system picks out the communications associated with the selectors, the other data are gone.

Searching through data packets of innocent people means at the same time destroying them - except when they contain one of the selectors which NSA is interested in.



Diagram from the EFF about Upstream collection.


Storage and classification

Under section 702 FAA, only data that are associated with a specific selector are stored. For Upstream collection, this means only the communications that remain after the filtering process. These are processed (decoded, formatted, etc.) and stored in NSA databases for a maximum of only 2 years.

Downstream collection under the PRISM program results in all the data associated with specific selectors that the big internet companies hand over to the FBI, which then forwards them to NSA. These are also processed and then stored for a maximum of 5 years.
 
Data from FAA collection are usually stored in separate database partitions and are protected by the Exceptionally Controlled Information (ECI) compartment RAGTIME (RGT). Only analysts who are cleared for RAGTIME, have the specific need-to-know and are authorized by the data owner have access to these data.

Already a few months before the start of the Snowden revelations, a book revealed that RAGTIME has 4 components:
- RAGTIME-A: foreign-to-foreign counterterrorism (CT) data
- RAGTIME-B: data from foreign governments (FG) transiting the US
- RAGTIME-C: data related to counterproliferation (CP) activities
- RAGTIME-P: domestic bulk collection of internet metadata*
Note that the first three components correspond to the first three FISA Court certifications that authorize section 702 FAA collection.

Last November, ZDNet reported about a leaked NSA document that lists a total of 11 components of RAGTIME. Besides the 4 known ones, the document also mentions RAGTIME-BQ, F, N, PQ, S, T and USP, but so far, we don't know what kind of data they protect.



On August 26, 2013, Der Spiegel published the only document so far from the RAGTIME (RGT)
compartment: the floorplan of the EU mission to the United Nations in New York.
Note the PINWALE ID (PWID): PWZA20120551215230001427125
 


Incidental collection

As almost every NSA target will communicate with at least some individuals who are not involved in terrorism or other threats to national security, it's inevitable that even targeted interception will result in storing communications of innocent (American) people too - NSA calls this "incidental collection".

The share of this incidental collection as part of the overall collection is not known: in early 2017, NSA agreed to provide some information about how many American citizens may be impacted, but later, Director of National Intelligence (DNI) Dan Coats said that it "remains infeasible" for the government to cite a meaningful number.


Actual intercepts

Edward Snowden was also eager to draw public attention to this issue, and maybe he took his last job for Booz Allen at NSA in Hawaii for the sole purpose of getting access to raw data collected under section 702 FAA. In his view, the PRISM and Upstream programs "crossed the line of proportionality."

He succeeded in his effort and was able to exfiltrate a cache of ca. 22.000 collection reports, containing 160.000 individual conversations (75% of which were instant messages), which were intercepted by NSA between 2009 and 2012 - a much more substantive leak than the usual internal PowerPoint and SharePoint stuff.

Snowden handed them over to The Washington Post, which reported about this cache on July 5, 2014. After a cumbersome investigation, it found that the intercepted communications contained valuable foreign intelligence information, but also that over 9 out of 10 account holders were not the intended surveillance targets and that nearly half of the files contained US person identifiers.



Breakdown of the intercepted messages collected under 702 FAA authority
that were reviewed by The Washington Post.


Targeted interception

The numbers from The Post do sound like a massive overcollection, but we should keep in mind that this still is targeted collection, something that privacy advocates always prefer over bulk collection.

NSA's Upstream program will likely result in just as many communications of innocent people as when the police tap phone numbers and IP addresses under a warrant, although NSA targets may be more careful in conducting private telecommunications than ordinary criminals.

From the dataset examined by The Washington Post, it becomes clear that innocent people can be affected in two ways: first, when they communicate directly with (or about) a foreign target, and second, by "joining a chat room, regardless of subject, or using an online service hosted on a server that a target used for something else entirely."

This shows that even with targeted interception, the technical configuration of certain internet platforms apparently makes it quite difficult, or even impossible, to isolate the conversations in which a target is personally involved.

As the dataset that Snowden exfiltrated seems to be derived from both Upstream and PRISM collection, it's hard to say which of these programs is more intrusive. Upstream became a less useful source since the most common communication services have been encrypted, while PRISM may also not be as productive as before, after it was exposed by the press.




Dataflow diagram for Upstream collection under the FAIRVIEW program.
Published on November 16, 2016.
(More FAIRVIEW dataflow diagrams)
 

Backdoor searches

On August 9, 2013, The Guardian disclosed the so-called "backdoor searches". This is a method used by NSA analysts that was approved by the FISA Court in October 2011, so these searches are not illegal like the term "backdoor" suggests.

Apparently these backdoor searches were introduced as a replacement for the bulk collection of domestic internet metadata under the PR/TT program, which NSA terminated by the end of 2011.

These backdoor searches are not about collecting new data by tapping telephone and internet cables or acquiring data from internet companies, but about conducting searches in data that have already been collected.

While in general, NSA is only allowed to collect new data when they are related to foreign targets, these backdoor searches may also involve identifiers (like names, e-mail addresses and phone numbers) of US citizens, hence they are now officially called "U.S. person queries".

Initially, these searches were only allowed for data from PRISM, because Upstream not only collected communications "to" and "from", but also "about" targets, which made it more sensitive than PRISM collection (Upstream appeared to pull in tens of thousands of purely domestic e-mails each year).

In April 2017, NSA halted this "about" collection, after which the FISA Court allowed NSA to also conduct US person queries on data collected through the Upstream program - something that had already happened since at least mid-2013.


Risks and safeguards

NSA analysts retrieving communications of Americans is of course reminiscent of the notorious project MINARET (1967-1973), under which NSA targeted 1.650 US citizens, including civil rights leaders, journalists and even two senators.

After Glenn Greenwald tried, but failed to prove that NSA is still monitoring American citizens in that way, it's now these backdoor searches which are considered the biggest privacy violations under section 702 FAA - the ACLU says that they allow "spying on U.S. residents without a warrant."

Even former NSA director Michael Hayden was aware of the privacy risks of these queries, but the PCLOB report about section 702 explains that NSA has procedures and requirements to limit these US person queries, although they are different for content and for metadata:

- Queries of content are only permitted for US person identifiers that have been pre-approved (i.e. added to a white list) through one of several processes, including other FISA processes. Such approvals are for example granted for US persons for whom there are already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA's Office of General Counsel after showing that using a certain US person identifier would "reasonably likely return foreign intelligence information."

- Queries of metadata may only be conducted in a system that requires analysts to document the basis for their metadata query (a Foreign Intelligence (FI) justification) prior to conducting the query. An oversight report adds that "analysts are not required to check any specific database or seek any internal approvals prior to executing a query against [702 FAA] metadata."

Relevant queries

In general, NSA analysts are required to create queries that are as focussed as possible so they return information that is most useful and relevant for their foreign intelligence mission. According to the PCLOB report, analysts receive "training regarding how to use multiple query terms or other query discriminators (like a date range) to limit the information that is returned in response to their queries of the unminimized data."

In the Section 702 Overview that was published by ODNI on December 20, it is explained that US person queries on metadata are useful as they are often the fastest and most efficient way to check whether and how a certain US person (either suspect or victim) is connected to foreign actors. The overview also provides some remarkably concrete examples:
- Using the name of a US person hostage to cull through communications of the terrorist network that kidnapped her to pinpoint her location and condition;
- Using the e-mail address of a US victim of a cyber-attack to quickly identify the scope of malicious cyber activities and to warn the U.S. person of the actual or pending intrusion;
- Using the name of a government employee that has been approached by foreign spies to detect foreign espionage networks and identify other potential victims;
- Using the name of a government official who will be traveling to identify any threats to the official by terrorists or other foreign adversaries.



Dataflow diagram for Downstream collection under the PRISM program.
Published on June 29, 2013.


Numbers of queries

While NSA and the Office of the Director of National Intelligence (ODNI) were apparently not able to provide numbers about the "incidental collection" under section 702 FAA, they do better when it comes to numbers about the backdoor searches.

In a letter to senator Wyden, then DNI Clapper wrote that in 2013, NSA approved 198 US person identifiers for querying the content, and that there had been ca. 9.500 queries on metadata from data collected under the PRISM program, but of the latter ca. 36% were duplicative or recurring queries.

ODNI's annual transparency report also provides numbers of US person queries. In 2016, there were 5.288 content queries, but this also includes CIA queries and NSA searches of content from Upstream collection, something that was actually unauthorized until April 2017 (see above), but which the agency is now trying to make visible.

The rise of the number of US person queries on metadata is even higher, as it went up from 9.500 in 2013, to 30.355 in 2016. The total presented in the ODNI report is supposed to apply to NSA, CIA and FBI, but actually it only shows the number for NSA, as the CIA isn't yet able to count such queries and the FBI isn't required to do so (see below).

It should be noted that for content, it's the particular identifier that is counted, not the number of times such an identifier is actually used to query the databases. For metadata this is different, as the agencies count each time a certain identifier is queried, which of course results in far higher numbers.



Numbers of US person queries on metadata, 2013-2016.


FBI searches

Besides NSA and CIA, the FBI is also allowed to conduct backdoor or US person searches on data that NSA collected under the PRISM program - something that is considered even more problematic, given the risk of parallel construction. The FBI doesn't need individual warrants for these searches either, but its agents should "design their queries in such a way that they will return evidence of a crime."

The FBI stores data from 702 FAA collection in the same repositories as data from its own traditional FISA monitoring and physical searches. This means that these data are searched and queried many times for other than national security purposes too, but the section 702 data can only be viewed by agents or analysts with the proper training and access rights.

Given the fact that the initial collection under section 702 FAA is aimed at foreign targets, it is "extremely unlikely" that this collection contains data that are of interest to FBI agents who are investigating criminal cases. Even as, inevitably, a relatively large amount of unrelated American communications are pulled in, the chance that they are useful for a particular criminal case is just very very small.

Besides that, by far most FBI searches on section 702 data are for national security investigations, which means foreign espionage, terrorism and Weapons of Mass Destruction (WMD). It's not clear whether FBI has similar restrictions for content queries as NSA.


UPDATE:

On January 11, 2018, the House of Representatives voted to extend section 702 FAA for another six years, which is until the end of 2023.

This means that the US Person or backdoor searches can continue without individualized warrants, except for a "narrow warrant requirement that applies only for searches in some later-stage criminal investigations, a circumstance which the FBI itself has said almost never happens."

The renewal of section 702 also allows the restart of the "about" collection under the Upstream program, which was ended by NSA in April 2017, after being criticized by the FISA Court.

The bill went to the Senate, which voted to invoke so-called cloture on January 16. This means there will be no further debate or amendments - a disappointing end for liberal Democrats and libertarian Republicans who tried to limit the scope of intelligence collection under section 702.

By a vote of 65-34, the Senate passed the bill to renew section 702 FAA on January 18, 2018. The next day, president Trump signed the bill into law.



Links and sources
- Bruce Schneier: After Section 702 Reauthorization
- Politico: Five years after Snowden, security hawks notch landmark win
- Lawfare: FISA Section 702 Reauthorization Resource Page
- Wired.com: Congress is Debating Warrantless Surveillance in the Dark
- New York Times: Warrantless Surveillance Can Continue Even if Law Expires, Officials Say
- Emptywheel.net: The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion
- The Washington Post: In NSA-intercepted data, those not targeted far outnumber the foreigners who are + The Debrief - An occasional series offering a reporter’s insights
- B. Hanssen: Why the NSA’s Incidental Collection under Its Section 702 Upstream Internet Program May Well Be Bulk Collection, Even If The Program Engages In Targeted Surveillance
- NSA Director of Civil Liberties and Privacy Office Report: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702
- Privacy and Civil Liberties Oversight Board: Surveillance Program Operated Pursuant to Section 702 FISA

November 27, 2017

Trump's communications equipment outside the White House

(Updated: December 9, 2017)

On the fourth Thursday of November, Americans celebrate Thanksgiving Day and one of the traditions is that the US president addresses members of the military services that are deployed abroad.

President Trump did so for the first time last Thursday, speaking to the five branches of the US military by video teleconference from his residence Mar-a-Lago in Florida.

The press photos released for this occasion offer a clear view of the communications equipment that is used by the president when being outside the White House or travelling.



President Trump addresses the military from Mar-a-Lago, November 23, 2017



Video teleconferencing

The big screen for video teleconferencing (VTC) is the Cisco TelePresence System EX90 with high-definition video screen and camera. The device has been modified for TEMPEST protection by CIS Secure Computing: we can see that the screen has an additional metal encasing with silver labels to prevent and detect tampering. The VTC system includes a smaller touchscreen device which is used to control the video teleconference calls and can be seen right in front of the big screen.

During the videoconference, Trump was connected to members of the military services at overseas bases in Afghanistan, Iraq, Turkey, the USS Monterey at sea, and the US Coast Guard vessel Wrangell in Kuwait. Accordingly, the video screen was divided into six segments, with the President Of The United States (POTUS) himself in the lower middle section, surrounded by a red border. He also has a note that says who's who:



President Trump addresses the military from Mar-a-Lago, November 23, 2017
On the phone displays, the names associated with the direct line buttons were blacked out
(White House Photo/Shealah Craighead)



Secure telephones

On both sides of the video teleconference screen, there are telephone sets which can be recognized as common Cisco 7975 unified IP phones, which are also modified by the communications security company CIS Secure Computing. Most visible is that instead of the standard silver bezel or faceplate, these phones have a bright yellow one, which is the color code for the highest classification level: Top Secret/SCI.

This color shows that these phones are part of the highly secure Executive Voice over Secure IP-network, which connects the US president with all major decision makers, like the secretaries of State, Defense and Homeland Security as well as the Director of National Intelligence. The phones themselves have no encryption capability - they are connected to a central network encryptor, probably from General Dynamics' TACLANE family.

Also clearly visible is that these Cisco IP phones have a custom molded plastic housing, which provides TEMPEST protection against the leaking of electromagnetic emanations, but also includes two 1 Gigabit SC Fiber ports so the phone can be used in a fiber-optic network. These phones also meet Telephone Security Group (TSG) standards to make sure that they cannot by any means be caused to produce or transmit audio when the handset is on-hook.

The data stream of the video teleconference seems to be routed through the phone on the left, which has no handset and has the red "microphone mute" light on. As can be seen in a high-resolution photo, the VTC screen has an icon that shows that the connection was not encrypted:



Other locations

The same modified Cisco telephone sets can be seen in the photo below, which is from a room in the Lotte New York Palace Hotel, where Trump was staying last September for the UN General Assembly and meetings with leaders from Africa and the Middle East. Additionally, there's a newer Cisco 8841 IP phone, which is modified by Advanced Programs, Inc. (API) to provide on-hook security for the handset and the speakerphone. This phone is for any non-secure calls and is also used in the White House.



President Trump in a phone call with FEMA Director Brock Long regarding
Hurricane Maria's impact on Puerto Rico, September 20, 2017
Note the bulletproof glass plates in front of the windows
(White House Photo/Shealah Craighead)


When former president Obama was on vacation, the same "yellow" Cisco phones were installed, although without the fiber-optic connections and the TEMPEST-proof encasing:



President Obama talking with his national security advisor Susan Rice following
foreign leader phone calls at Martha's Vineyard, August 11, 2014
(White House Photo)


When Obama was staying in more hostile environments, these phones for the presidential telephone network were equipped with the additional security features we already saw in the Trump pictures:



President Obama talks on the phone with Russian president Putin while in Riyadh,
Saudi Arabia, with John Kerry and Susan Rice listening in, March 28, 2014
(White House Photo/Pete Souza)



No Mar-a-Lago SCIF?

For the Thanksgiving photo op, the communications equipment was set up in the large living room of the Mar-a-Lago estate, most likely to provide a grand, if not to say regal decor for the press photos, but it may also indicate the absence of a dedicated secure communications room. At least it seems to show that the White House Communications Agency (WHCA) considers Trump's vacation residence less secure than Obama's.



President Trump addresses the military from Mar-a-Lago, November 23, 2017
(photo: Greg Lovett/The Palm Beach Post)


Ever since Trump started using Mar-a-Lago regularly as his "Winter White House", there was speculation whether a Sensitive Compartmented Information Facility (SCIF) was created, which means a room that is protected in such a way that classified Sensitive Compartmented Information (SCI) can be stored, processed, viewed and/or discussed without being intercepted from the outside.

In April of this year, the White House press secretary tweeted a photo showing president Trump meeting with his national security staff in a provisional situation room at Mar-a-Lago, which was apparently intended to look like a SCIF but may actually just have been a temporary set-up. The mysterious devices seen in that photo were discussed here earlier.



Links and sources
- ShallowNation.com: [Video & Transcript] President Donald Trump Thanksgiving Message to the Military via Video Teleconference