
June 29, 2019

The NSA's regional Cryptologic Centers

For many years, the US National Security Agency (NSA) was identified with its almost iconic dark-glass cube-shaped headquarters building at Fort Meade in Maryland.

Only when Edward Snowden stepped forward in 2013 did the public learn that there is also a large NSA facility in Hawaii - which is actually one of four regional centers spread across the United States.

- History of the NSA's Cryptologic Centers

- Cryptologic Centers inside the US: Hawaii - Georgia - Texas - Colorado

- Cryptologic Centers outside the US: Europe - Afghanistan

History of the NSA's Cryptologic Centers

The history of the NSA's regional operation centers is described in the 60th Anniversary Book of the agency from 2012:

"In the 1970s and 1980s, NSA leadership grew concerned over the centralization of functions at Fort Meade. Partially prompted by the need to find adequate space for its personnel and equipment, the Agency began to look at moving some assets away from the Fort Meade area.

In this light, in 1980 a Remote Operating Facility (ROF) at Kunia was established on the Hawaiian island of Oahu. Although living costs were high there, Kunia had the advantage of proximity to the Commander in Chief, Pacific (CINCPAC).

In the late 1980s, the cryptologic leadership began developing the Regional Security Operations Center (RSOC) concept. Proven computer and communications technology allowed NSA to delegate SIGINT authority to these regional centers, thus avoiding an overconcentration in the Washington area.

Under the RSOC doctrine, each center would be "hosted" by one of the military services so that all services could be represented.

In 1995 the centers opened and NSA began to transfer missions to them. The Kunia facility was given a new status as an RSOC.

Over the next decade, the RSOCs evolved from limited operations centers into mini "regional NSAs" in Georgia, Texas, Hawaii and Colorado with the following mission benefits:
• Consolidation of cryptologic operations
• Dispersion of facilities from the Washington, D.C. area
• Capability of serving as alternate communications centers
• Representation of all military services.
The concept of "regional NSAs" was reinforced when NSA suffered a massive computer outage early in 2000, and the RSOCs, as components that could operate independently, picked up the essential missions until NSA was back in full operation. Today all four centers, now known as Cryptologic Centers, are operational, expanding, and provide redundancy in the event of an emergency."

Cryptologic Centers inside the US

The four Cryptologic Centers located inside the United States are officially acknowledged and listed on the NSA's website. Those in Hawaii, Texas and Georgia in particular are fairly large facilities with a few thousand employees each, consisting of both operations and data centers.

The Cryptologic Centers in Hawaii, Texas and Georgia each cover a geographically defined part of the earth, while the Cryptologic Center in Colorado is responsible for air and space based collection systems.


- Established in 1980 as a Remote Operating Facility (ROF), which was turned into the Kunia Regional Security Operations Center (KRSOC) in 1995 and became a Cryptologic Center in 2005. Initially located in the Kunia Tunnel complex in Honolulu, Hawaii.

- Currently located in the Joseph J. Rochefort building, a $358 million and 250,000 square-foot complex near Wahiawa in Honolulu that was opened in January 2012.

- Hosted by the US Navy.

- About 3300 military and civilian employees.

- Area of responsibility: the Pacific Rim and Far East, Southeast and Southwest Asia.

- Supports the Indo-Pacific Command of the US Armed Forces.

- SIGAD: USJ-750

- See also: Wikipedia - Cryptome - Cryptome - CBS News

The Joseph J. Rochefort Building of NSA/CSS Hawaii in Honolulu, Hawaii (2019)
(still from CBS News)

NSA/CSS Georgia (NSAG)

- Established in 1995 as the Ft Gordon Regional Security Operations Center (GRSOC) and turned into a Cryptologic Center in 2005. Initially located at Fort Gordon in Augusta, Georgia.

- Currently located in the John Whitelaw building, a $286 million and 604,000 square-foot complex that was opened in March 2012.

- Hosted by the US Army

- Some 4000 employees

- Area of responsibility: Europe, North Africa, the Middle East, the Near East and the Persian Gulf.

- Supports the European Command and the Central Command of the US Armed Forces

- NSAG also includes the alternate National Security Operations Center (NSOC, project DECKPIN) which serves as a back-up for the NSOC at NSA headquarters.

- SIGADs: USN-18 and USJ-800

- See also: Wikipedia - Cryptome - SIDtoday

The John Whitelaw Building of NSA/CSS Georgia at Fort Gordon (2012)
(photo: NSA)


- Established in 1995 as the Medina Regional Security Operations Center (MRSOC) and turned into a Cryptologic Center in 2005. Initially located on the Medina Annex of Lackland Air Force Base near San Antonio, Texas.

- In 2005, the NSA acquired a former Sony chip fabrication plant in the Northwest Side of San Antonio for $30.5 million and invested as much as $300 million to transform the 470,000 square-foot complex into the current Texas Cryptologic Center (TCC).

- Hosted by the US Air Force.

- Probably some 6000 military and civilian employees.

- Area of responsibility: Middle and South America, the Caribbean and the Atlantic littoral of Africa.

- Supports the Southern Command and the Central Command of the US Armed Forces.

- SIGADs: USN-26 and USJ-783

- See also: Wikipedia - Cryptome - Cryptome

NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther)

NSA/CSS Colorado (NSAC)

- Established around 2002 as the Denver Security Operations Center (DSOC) and turned into a Cryptologic Center in 2005.

- Initially located in temporary buildings at the Aerospace Data Facility at Buckley Air Force Base in Aurora, near Denver, Colorado. In 2012, a new $141 million building was planned to provide space for 850 NSA employees.

- NSA's primary production center for Weapons and Space (W&S) targets and Technical Signals Intelligence (TechSIGINT).

- Co-located with the joint NSA-NRO Overhead Collection Management Center (OCMC) which manages spy planes and spy satellites.

- SIGAD: USJ-751

- See also: Wikipedia - SIDtoday - SIDtoday

The Aerospace Data Facility at Buckley Air Force Base in Aurora, Colorado

Shore support

According to a document from the Snowden cache, the Cryptologic Centers in Hawaii, Texas and Georgia also have a Fleet Information Operation Centre (FIOC), each of which includes a Maritime Cryptologic Integration Centre (MCIC).

These MCICs are responsible for so-called cryptologic shore support: providing technical SIGINT information to cryptologic teams embarked in mobile sea, air and land units. A fourth MCIC is based at RAF Digby in Lincolnshire in the United Kingdom.

Cyber defense

The Cryptologic Centers not only process and analyze collected data, but also include a regional NSA/CSS Threat Operations Center (NTOC). These combine the NSA's Signals Intelligence (SIGINT) and Information Assurance (IA) missions in order to detect cyber threats against vital computer networks of the US Defense Department.

It was at the NTOC of the Cryptologic Center in Hawaii that Snowden had his last and only analytical job as an infrastructure analyst tracking Chinese hackers.

Hacking operations

As described in several editions of the internal newsletter SIDtoday, the NSA's hacking division TAO started to conduct Computer Network Exploitation (CNE) operations also from the cryptologic centers, first in 2004 in Hawaii, followed in 2006 by Texas and Georgia. In 2008, NSA/CSS Texas had some 60 TAO operators, a number that was planned to rise to 270 in 2015.

The TAO hacking unit at the NSA/CSS Texas Cryptologic Center
(source: NSA Texas presentation)

Cryptologic Centers outside the US

The Cryptologic Centers located outside the United States are not officially acknowledged. From the Snowden revelations we know of the existence of the following two centers, which are much smaller than those inside the US and also process and disseminate data and information from the NSA's Second and Third Party partners.

European Cryptologic Center (ECC)

- Established in April 2004 as the European Security Center (ESC) and turned into the European Security Operations Center (ESOC) in July 2006. In May 2011 it became a Cryptologic Center and got its own NTOC.

- Initially located at the Dagger Complex of the US Army outside Griesheim, near Darmstadt in Germany.

- In 2016, the ECC moved to the newly built $91 million Consolidated Intelligence Center (CIC) with a $30.4 million Information Processing Center (IPC) at the Lucius D. Clay Barracks near Wiesbaden in Germany.

- Hosted by the US Army Intelligence and Security Command (INSCOM).

- Some 240 military and civilian personnel (in 2011).

- Operations focused on counter-terrorism and supporting military operations in the Middle East and North Africa (MENA).

- Supports the European Command and the Africa Command of the US Armed Forces.

- SIGADs: USM-44 (ESC) and USJ-753

- See also: Wikipedia

The European Cryptologic Center (ECC) near Griesheim in Germany (2014)
(Photo: AP)

Afghanistan Remote Operations Cryptologic Center (A-ROCC)

- Established in October 2009 and fully operational in the Winter of 2010.

- Located in 17,000 square-foot office spaces at Area 82 of Bagram Airfield near Kabul in Afghanistan.

- Over 250 employees, 120 of whom were linguists (in 2009), including personnel from all countries participating in the Afghanistan SIGINT Coalition (AFSC).

- Supports US and Coalition forces throughout Afghanistan.

- See also: SIDtoday - The Intercept

The buildings of the A-ROCC at Area 82 of Bagram Airfield near Kabul (2010)
(source: GCHQ presentation)

There may be other, smaller Remote Operations Cryptologic Centers (ROCCs): before the large A-ROCC was established, a ROCC had been in place since 2005, mainly supporting the Regional Command-East of ISAF.

May 17, 2019

Daniel Hale arrested for being the source of The Drone Papers

(Updated: May 21, 2019)

Since the start of the Snowden revelations in June 2013, there have been more than 25 publications based upon classified documents provided by leakers other than former NSA contractor Edward Snowden.

Now, former intelligence analyst Daniel E. Hale has been identified as the source of six of these non-Snowden leaks. He was arrested on May 9 and charged with providing classified documents to the website The Intercept.

The case is highly remarkable, first because the FBI had already found out Hale's identity almost five years ago and did not even arrest him when The Intercept published The Drone Papers in October 2015. Secondly, Hale did just as little to stay out of the picture: he featured in a documentary around the time the FBI raided his home.

Some of the slides and documents which Daniel Hale leaked to The Intercept
The abbreviations in the center slide are explained here

Intelligence career

Daniel Everette Hale was born in 1987, is now 31 years old and lives in Nashville, Tennessee. Despite his ideological disagreements with the military, he joined the US Air Force in July 2009 out of desperation because he was homeless. In the Air Force, he became a language analyst and was assigned to work at the National Security Agency (NSA) from December 2011 to May 2013.

From March to August 2012, Hale was deployed as an intelligence analyst in support of a task force of the Joint Special Operations Command (JSOC) at Bagram Airfield in Afghanistan, where he was mainly responsible for identifying and tracking targets for the drone program. He left the Air Force in July 2013.

From December 2013 to August 2014, he worked for the defense contractor Leidos (formerly SAIC), for which he was assigned to the National Geospatial-Intelligence Agency (NGA), which derives intelligence from geographical data and aerial and satellite imagery. There, Daniel Hale worked as a political geography analyst, for which he held a Top Secret/SCI clearance, just like for his previous job.

The 1.8 billion US dollar headquarters building for the ca. 16,000 employees of
the National Geospatial-Intelligence Agency in Fort Belvoir, Virginia
(photo: Marc Barnes/U.S. Army Corps of Engineers)

Contact with Scahill

Already in April 2013, almost two months before the start of the Snowden revelations, Hale used his unclassified work computer at the NSA to search for information on Jeremy Scahill, who then worked for Amy Goodman's news program Democracy Now!. In October 2013, Scahill would join Glenn Greenwald and Laura Poitras to establish the investigative website The Intercept.

On April 29, Hale attended a presentation of Scahill's book "Dirty Wars: The World Is a Battlefield" about the drone killings program under president Obama. The next day, Hale used his Top Secret NSA computer to search for classified information about people and issues about which Scahill wrote, according to the indictment.

Investigators had been able to retrieve Hale's text messages and found one which he sent to a close friend in May 2013, which read: "[Scahill] wants me to tell my story about working with drones at the opening screening of his documentary about the war and the use of drones."

On June 8, Hale was again present at a book presentation, where he was seen and recorded on video (see below) sitting right next to Scahill. In the following months they contacted each other by phone and by e-mail.

Although Hale had already used his classified work computer for searching about related topics, there are no indications that he was already planning to steal and leak classified documents, at least before September 2013, when Scahill asked him to set up a Jabber account for encrypted chat conversations.

Book presentation at Busboys & Poets in Washington, DC on June 8, 2013,
with Jeremy Scahill (center) and Daniel Hale (right)

Printing classified documents

According to the indictment, Daniel Hale used his classified work computer at the National Geospatial-Intelligence Agency (NGA) to print classified documents for the first time on February 28, 2014 and he continued to do so until August 5, 2014.

In total, he printed 36 documents, including four duplicates. Nine documents were related to his work at NGA, but 23 were not. Hale provided at least 17 of these 23 documents to Scahill and/or The Intercept, which published them in whole or in part between July 2014 and December 2016:

A table from the indictment listing the 23 documents that Daniel Hale
printed at the NGA and that were not related to his work.

In an earlier posting on this weblog, I listed 28 revelations at various media platforms, accompanied by one or more leaked documents that were not attributed to Edward Snowden.

Trying to identify their source, I assumed that a then unknown "source nr. 3" was responsible for the documents that were scanned from paper and with a more or less military content:

Source nr. 3 (someone from US military intelligence?)
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
- FBI & CBP border intelligence gathering

Comparing the dates of these six publications with those in the table from the indictment leads to the following conclusions:

- Daniel Hale provided the documents for the first five revelations I attributed to Source nr. 3: from the "NCTC watchlisting guidance", which was published by The Intercept on July 23, 2014, to the "Cellphone surveillance catalogue" from December 17, 2015.

- The 14 original documents about "FBI & CBP border intelligence gathering", which I assumed could also have been provided by source nr. 3, are actually not among those that Hale printed out. Therefore, those files must have been leaked by someone else, probably an FBI or CBP employee.

- The indictment lists four unclassified documents (O, P, Q and R) and says these were published in December 2016, but so far no one seemed aware of a similar intelligence or national security revelation in that month.

Clapper's blog

Looking for articles that Jeremy Scahill published in December 2016 led me to a short story about James Clapper's blog called Intercept. It's indeed based upon four unclassified documents, which are again scanned from paper: a screenshot of a blog post from May 29, 2013, handwritten letters to and from Clapper and a few comments on that blog post.

This blog post is just a curiosity compared to the other documents, so it seems the only reason that Hale printed it out is that the main comment, posted under the nickname "Wormy", is his own. The comment warns against increasing restrictions on civil liberties, with arguments based upon the US Constitution and the Bill of Rights - it is reminiscent of how Snowden usually argues.

The documents leaked by Daniel Hale and published by The Intercept

Raided by the FBI

On August 8, 2014, right after Daniel Hale's assignment at the NGA had ended, the FBI raided his home. This was just three days after he had printed out his last document at the NGA and some two weeks after The Intercept published its first article based upon his material, which means the FBI identified and found him rather quickly.

At his home, FBI agents found a thumb drive with the TOR software and the TAILS operating system, both used for anonymous internet communications. Also found was the unclassified (and unpublished) document T on his computer and one page of document A, which was classified Secret and published in October 2015, on a thumb drive.

Why Hale brought these files in digital form to his home, after having already printed the documents at his work place at the NGA, is not clear, but it was careless and unnecessarily risky.

It is not known how exactly Hale was traced, but a tweet from his lawyer, Jesselyn Radack, seems to suggest that The Intercept failed at their source protection. That would be their third time, because NSA linguist Reality Winner and former FBI agent Terry Albury had already been arrested due to The Intercept's sloppiness.

But Daniel Hale was bad at operational security (OPSEC) too and did little to stay out of the picture: already in November 2013 he began speaking out publicly against the government's drone program at the "Ground the Drones" summit organized by Code Pink, where he apologized for his own participation in the program.

In January 2014, Hale also spoke at a rally outside the White House against the Guantanamo Bay prison camp. Again very similar to Snowden, who organized a Crypto Party while he was working for the NSA in Hawaii.

The big difference is that Hale just took a handful of selected documents that he thought were in the public interest, while Snowden (and Manning) acted just like the NSA: "collect before you select."

Featuring in National Bird

And just like Edward Snowden was being recorded on camera when his leaks came out in Laura Poitras' film Citizenfour, Daniel Hale was being interviewed for the drone whistleblower documentary National Bird around the time the FBI raided his home.

In National Bird it's mentioned that Hale was being investigated under the Espionage Act, allegedly because he was seen as a source for information about the drone program. The Intercept had already begun publishing the files he stole at the NGA, but of course Hale did not admit that on camera.

He just pretended that he didn't know the reason for the investigation: it might have had to do with the fact that he had worked for intelligence agencies and that he was politically active, which could have made the government suspicious.

Right after the release of National Bird in February 2016, at least some people must have noticed that Daniel Hale would make a perfect fit for being the source of The Drone Papers, but it seems they all kept quiet.

The full version of the 2016 documentary National Bird with German voice-over

Featuring in Citizenfour

Almost two years before Hale himself could be seen in National Bird, the information he leaked already appeared in Laura Poitras' film Citizenfour, which was released in October 2014. It shows Glenn Greenwald visiting Snowden in Moscow, telling him about a new source and writing the most sensitive details on sheets of paper.

When the camera zoomed in on the notes, it could be seen that the new source provided information about the chain of command for the drone strikes, the fact that their signals are relayed through Ramstein AFB in Germany (which would cause "a huge controversy") and that some 1.2 million people are in one way or another on a government watch list.

When Snowden expressed his concerns about the safety of the source, Greenwald reassured him that they were "very careful in handling the source." Maybe they tried during the time Hale was handing over the documents, but given their prior non-secure contacts and Hale's public appearances, it was already too late for sufficient source protection.

Glenn Greenwald informing Edward Snowden about The Intercept's new source
(still from the documentary film Citizenfour)

Interestingly, just before the scene in the Moscow hotel room, Citizenfour shows Jeremy Scahill talking to Bill Binney, former technical director of the NSA's World Geopolitical and Military Analysis Reporting Group, about how to handle confidential sources.

Binney gives the advice that the best way to talk to such sources is like Bob Woodward and Deep Throat did: meet physically in the basement of a parking garage.

We can assume that Daniel Hale met in a similar way with Scahill to hand over the documents he had printed out at the NGA. It's not clear though whether the conversation with Binney was recorded before or after these meetings, so at least Binney's advice was also meant for any future leakers.


For the relation between Hale and The Intercept the advice had come too late, and both must have known that, so apparently both were too eager to go along with publishing the files.

For The Intercept, the drone program seems to present the most clear and direct link between the NSA and actual illegal killings - despite the fact that these operations were actually run by the CIA, before Obama tried to transfer them to a military command.

Also, one of the slides leaked by Hale says that drone strikes will only occur when the presence of the target is based upon two forms of intelligence and all parties involved, being the local Task Force, the Geographic Combatant Command, the US Ambassador, the CIA Station Chief and the government of the host nation, have to concur or no strike occurs.

For Daniel Hale it may have become a moral mission to inform the public about the secret details behind the drone program, and maybe this was also his way of making up for his own involvement in the program during his time in Afghanistan.


Hale will appear before a judge on May 17. Under the Espionage Act of 1917, which doesn't distinguish between providing information to enemies or to the press, he can be sentenced to a maximum of 50 years imprisonment.

At least he has one of the best (and most expensive) defense attorneys: Abbe Lowell, who recently represented Trump's son-in-law Jared Kushner(!), and who apparently does Hale's case pro bono.

Links and sources

- Intercepted Podcast: The Espionage Axe: Donald Trump and the War Against a Free Press
- Emptywheel: On the Curious Timing of Daniel Everette Hale’s Arrest
- Mint Press News: Another Whistleblower Bites the Dust as The Intercept Adds a Third Notch to Its Burn Belt
- The Washington Post: Former intelligence analyst charged with leaking drone details to news outlet
- Lawfare Blog: German Courts Weigh Legal Responsibility for U.S. Drone Strikes
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations
- The Drone Papers: Acronyms, abbreviations, and initialisms

April 27, 2019

The Snowden files: where are they and where should they end up?

(Updated: May 30, 2019)

Last month, The Intercept shut down access to the Snowden documents both for internal and external research. But where are these files in the first place, and what should be their future destination? During a podcast interview last Monday, Snowden himself also commented on this issue.

Screenshot from a Brazilian television report, showing some of the Snowden files
opened in a TrueCrypt window on the laptop of Glenn Greenwald.
(screenshot by koenrh)

The Intercept

The Intercept is a website that was launched in February 2014 by Glenn Greenwald, Laura Poitras and Jeremy Scahill. It was the first digital magazine of First Look Media (FLM), a hybrid for-profit and non-profit media organization set up in October 2013 by eBay-founder Pierre Omidyar.

(Greenwald already came up with the idea for a dedicated website in June 2013, in case The Guardian would not publish his first Snowden story)

The short-term mission of The Intercept was to "provide a platform and an editorial structure in which to aggressively report on the disclosures provided to us by our source, NSA whistleblower Edward Snowden."

For the long term, The Intercept wants to provide "aggressive and independent adversarial journalism across a wide range of issues, from secrecy, criminal and civil justice abuses and civil liberties violations to media conduct, societal inequality and all forms of financial and political corruption."

External research

For its short-term mission, The Intercept had a special team of several researchers to maintain and examine the Snowden files in a secure way. Initially, documents were only published alongside the articles written by Glenn Greenwald, Jeremy Scahill, Ryan Gallagher and other reporters.

In May 2016, The Intercept also began publishing NSA documents in bulk, starting with all editions of SIDtoday, the internal newsletter of the NSA's Signals Intelligence division, which are available from 2003 to 2012. So far, a total of 1861 editions have been published in seven batches. It's not clear whether this series will be completed.
Update: On May 29, 2019, The Intercept published an eighth and final batch consisting of 287 SIDtoday articles from late 2006, bringing the total to 2148 editions of this newsletter.

Also in May 2016, it was decided to "invite outside journalists, including from foreign media outlets, to work with us to explore the full Snowden archive", to begin with journalists from the French newspaper Le Monde:
"Le Monde worked directly, during several days, in collaboration with The Intercept, on the Edward Snowden archive given to Glenn Greenwald and Laura Poitras: tens of thousands of documents exfiltrated by the former agent from the NSA servers, and safely stored by The Intercept."

As a result of this collaboration, Le Monde published a series of six articles in December 2016, mainly about GCHQ spying operations against Israel and in Africa. It seems there have been no similar collaborations with other foreign journalists.

The decision

With its first mission apparently accomplished, The Intercept will now move forward with its long-term mission: "For five years, the company expended substantial resources to continue to report on the Snowden archive, but The Intercept has now decided to focus on other priorities" - according to First Look Media CEO Michael Bloom.

How this decision was made can be learnt from a reconstruction made by Barrett Brown, which includes a timeline written by Laura Poitras:
"On Tuesday March 12, on a phone call with Glenn [Greenwald] and the CFO, I am told that Glenn and Betsy [Reed, editor-in-chief of The Intercept] had decided to shut down the archive because it was no longer of value to The Intercept. This is the first time I heard about the decision. On the call, Glenn says we should not make this decision public because it would look bad for him and The Intercept. I objected to the decision. I am confident the decision to shut the archive was made to pave the way to fire/eliminate the research team."

The next day, March 13, Poitras sent an e-mail to Michael Bloom saying she was "sickened" and in a memo she called on the board to review the decision: "This decision and the way it was handled would be a disservice to our source, the risks we’ve all taken, and most importantly, to the public for whom Edward Snowden blew the whistle."

This e-mail was leaked to the news website The Daily Beast, which reported about it the same day. This is likely how Edward Snowden heard of it, as in the Motherboard podcast interview from April 22 he said that he learnt about The Intercept's decision from the news.

On March 14, Snowden was called by Laura Poitras: "He had not been informed by Glenn or Betsy about their decision to shut down the archive. I apologize to him."

The reason

Given that firing The Intercept's research team saves only 1.5% of First Look Media's non-profit budget, some people suspected that there may be other reasons for shutting down the Snowden archive. Pierre Omidyar, for example, could have preferred to keep his good relations with the US government.

Michael Bloom, however, says that the remaining documents aren't interesting enough anymore, and points to the fact that other major media outlets "ceased reporting on it years ago. Many decided that the resources required to continue to work on the archive were not justified by the journalistic value the remaining documents provide, as those documents have aged."

In 2013, The Guardian, The Washington Post and Der Spiegel each had between 10 and 30 reports based upon the NSA files, but that number declined to just a few in 2015 and since 2016 it was basically only The Intercept that continued with new reports, but these were mainly background stories without significant revelations.

Office of First Look Media (FLM) in New York City

Copies of the Snowden files

The actual number of documents that Snowden took away from the NSA is still unclear and disputed. According to the 2016 report from the US House Intelligence Committee, he removed more than 1.5 million documents from two classified networks: NSANet and JWICS.

(Strangely enough, the House Intelligence report says that JWICS stands for "Joint Warfighter Information Computer System" while the actual name of the network is Joint Worldwide Intelligence Communications System)

Glenn Greenwald said that the number of 1.5 million was "pure fabrication" and he could probably agree with former NSA director Keith Alexander, who in November 2013 estimated that Snowden had exposed only between 50,000 and 200,000 documents.

Full copies of the files

As far as we know, complete sets of these documents are in the hands of:
- Glenn Greenwald (received from Snowden in Hong Kong)
- Laura Poitras (received from Snowden in Hong Kong)

Greenwald and Poitras agreed that no one other than they would ever have access to the full set of documents. And to "keep media organizations on a leash" they would only provide them with files and information on a story-by-story basis.

Four other people also received copies of the full archive, because on May 10, 2013, so more than a week before he left Hawaii, Snowden had sent backup copies of the NSA files in postal packages to four individuals:
- Jessica Bruder in New York, who had her package hidden by Dale Maharidge in Northern California
- Trevor Timm of the Freedom of the Press Foundation (of which Snowden became board member in 2014 and president in 2016)
- One person who wants to remain private
- One unknown person

The existence of these packages, which was only revealed in May 2017, confirms the story from late June 2013 about a "doomsday cache" which Glenn Greenwald said was Snowden's Plan B.

According to Greenwald, the people holding the backup files "cannot access them yet because they are highly encrypted and they do not have the passwords." But "if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives."

During a television interview shortly afterwards, Greenwald said that backup copies might also be somewhere out on the internet, but given Snowden's fear of putting sensitive things online, that may have been a slip of the tongue or a deliberate deception.

There are also people who have not been in possession of any documents, but who were temporarily granted full access to the whole cache, like James Bamford, The Intercept's research team and some others.

Glenn Greenwald working with the Snowden files outside his house in Rio de Janeiro
(screenshot from a television report by Fantastico)

Partial copies of the files

Besides the complete sets of Snowden files, there are several parties that keep, or have kept, partial copies:
- The Guardian (received from Snowden by Ewan MacAskill)
- ProPublica (received from The Guardian)
- The New York Times (received from The Guardian)
- The Washington Post (received from Snowden by Barton Gellman)
- Der Spiegel (received from Laura Poitras)

Being under threat from the British government, The Guardian rescued their set of documents by providing copies to The New York Times and the investigative journalism platform ProPublica, where they would be better protected under the First Amendment of the US Constitution.

The Guardian's own set was eventually physically destroyed in front of GCHQ technicians on July 20, 2013:

Video showing the destruction of the laptop containing The Guardian's Snowden files

The German magazine Der Spiegel published a total of 89 documents from their share of the Snowden trove, including ones that were not disclosed as part of earlier reporting. A first set of 53 documents was released on June 18, 2014 and a second set of another 36 documents on January 17, 2015.

Besides the news outlets with their own partial copies, Greenwald and The Intercept also shared selected documents from the Snowden cache with teams of journalists of more than two dozen media outlets in as many different countries.

> It should be noted that a range of highly classified NSA documents have been published which came from other sources than Edward Snowden; see: Leaked documents that were not attributed to Snowden.

Protection of the files

In order to protect the Snowden files, only brand new laptops with no connection to the internet are used to search, sort and read them. It's not clear whether the files themselves are also stored on these laptop computers, or only on removable storage devices, like a thumb drive or an SD card.

In a 2013 Brazilian television report, Glenn Greenwald was seen using some thumb drives and a standard SD card while working with the Snowden documents.

In another television report we could even see the screen of Greenwald's laptop with several of the BOUNDLESSINFORMANT documents being opened in a TrueCrypt window. TrueCrypt was a software application used to fully or partially encrypt hard drives and removable drives using the AES, Serpent and Twofish ciphers.

Data on the external hard drive that Greenwald's partner David Miranda was carrying when he was detained at Heathrow Airport in August 2013 was reportedly also encrypted with TrueCrypt.

Glenn Greenwald working with the Snowden files outside his house in Rio de Janeiro
(screenshot from a television report by Fantastico)

The future of the files

What can or should happen with the Snowden files? Wikileaks, Cryptome and many others demanded that all the documents should be released to the public. But Snowden did not want an indiscriminate dump like how Manning's files were eventually published on Wikileaks. Instead, he insisted on responsible disclosures by independent journalists.

Accordingly, Glenn Greenwald stressed that the NSA files should "be released in conjunction with careful reporting that puts the documents in context and makes them digestible to the public, and that the welfare and reputations of innocent people be safeguarded."

The reality has actually been somewhat different: in many cases, press reports lacked a proper context, were sensationalist or even misleading because of misinterpretations. And while the reputations of individuals were protected, that of the NSA seemed "fair game".

First Look Media's CEO Michael Bloom hoped "that Glenn and Laura are able to find a new partner - such as an academic institution or research facility - that will continue to report on and publish the documents in the archive consistent with the public interest" and Greenwald tweeted that he was already looking for "the right partner [...] that has the funds to robustly publish."

But money does not seem to be the problem: if there's one place with enough money, then it's First Look Media, which was funded by eBay billionaire Omidyar with some 87 million US dollars between 2013 and 2017 (of which Greenwald earned more than 1.6 million USD from 2014 to 2017).

In the Motherboard interview, Snowden said that "what remains in the archive is stuff that requires much more substantial effort" which would be better for a book. He said that The Intercept wasn't meant for that and that it was up to academic institutions, but they didn't dare because they depend on grants from the federal government.

Snowden also argued that handing over the files to a foreign academic institute was not an option either, because then the US government would come up with the accusation of providing classified information to foreigners.

But when it's so hard to find a well-funded institution for further research and responsible publications and the final option of deleting all the files comes closer, it's also not unthinkable that someone will try to "rescue" the archive by putting everything online. After all, there have been other disclosures that were not in accordance with Snowden's intentions.

Links and sources
- Justice Integrity Project: Snowden archives at great risk — As alarming as Assange's arrest
- Barrett Brown: Why The Intercept Really Closed the Snowden Archive
- Tim Shorrock: Why Did Omidyar Shut Down The Intercept’s Snowden Archive? - Part 2 - Part 3
- Bruce Schneier: First Look Media Shutting Down Access to Snowden NSA Archives
- Columbia Journalism Review: The Intercept, a billionaire-funded public charity, cuts back
- The Daily Beast: The Intercept Shuts Down Access to Snowden Trove
- The Intercept: The Intercept is Broadening Access to the Snowden Archive. Here's why

March 25, 2019

The phones of former FBI Director Robert Mueller

(Updated: March 30, 2019)

Last Friday, March 22, special counsel Robert S. Mueller ended his investigation on possible Russian influence in the 2016 United States presidential elections.

Before he was appointed special counsel in May 2017, Mueller served 12 years as director of the FBI, from September 2001 to September 2013.

Here we take a look at the telecommunications equipment used by Robert Mueller when he was leading the FBI, based upon some rare photos of his office.

The office of former FBI director Robert S. Mueller, June 4, 2010.
(photo: Melina Mara/The Washington Post/Getty Images)

The FBI Director's office

The office of the Director of the FBI is on the seventh floor of the FBI headquarters, the brutalist J. Edgar Hoover Building in Washington D.C. Pictures of this room are very rare, but in 2010, The Washington Post provided some views of Robert Mueller in his office, which appeared to be rather small and with remarkably old-fashioned furniture.

Next to the director's office is a small executive conference room, also with 19th century furniture and a sign that looks as if it's from a Western movie, saying "Director of the Federal Bureau of Investigation". On the wall there's a large world map, where for a domestic security service like the FBI one would rather expect a map of the United States:

The conference room next to the director's office, June 4, 2010.
(photo: Melina Mara/The Washington Post/Getty Images)

Telephone systems

In the photos we can see that in the office of FBI director Mueller there were four phones, which belong to three different telephone systems, two for secure and one for non-secure calls:

IST phone

The first phone from the left is a big white Integrated Services Telephone (IST), which was designed by Electrospace Systems Inc. (ESI) and manufactured by Raytheon. This is a so-called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all major US command centers and many other military facilities.

Although this IST phone looks very futuristic, it has already been replaced by the newer IST-2, which was introduced in 2003. The new IST-2 was also on the president's desk in the Oval Office, before it was replaced by a Cisco IP phone for the new Executive Voice over Secure IP-network, which provides a highly secured link between the President and his senior cabinet members.

It's interesting to see that there's no such new IP telephone in the office of the director of the FBI, which means that he has no direct line to the president. This is in accordance with the fact that the FBI falls under the Department of Justice and the director of the FBI reports to the Attorney General.

STE phone

Next to the IST there's a big black telephone called Secure Terminal Equipment (STE). It's made by the American defense contractor L-3 Communications (since 2016: L3 Technologies) and is capable of encrypting phone calls up to the level of Top Secret/SCI. There's also an STE phone on the small chest of drawers in the director's conference room.

STE phones can be used to make encrypted calls to anyone with a similar or compatible device and there are an estimated 400,000 STE users. STE is the successor of the almost legendary STU-III secure phone system from the late 1980s.

These STE phones can be used for secure communications with everyone working for the US government, the military, its contractors, and also foreign partners who cannot be reached through a more select secure telephone network, like the aforementioned DRSN.

Nortel M5216

Finally, there were two Nortel M5216 Meridian telephones in former director Mueller's office: one with two additional 22-button key expansion modules on the desk, and one without these modules on the standing desk along the wall. These phones were used for any non-secure calls inside and outside the FBI headquarters.

The M5216 telephone sets were manufactured by the former Canadian company Northern Telecom or Nortel and look rather outdated as they are probably from the mid-1990s. The Nortel telephone system itself is even older: it goes back to the SL-1 PBX from 1975, which was gradually enhanced and renamed Meridian-1 in the late 1980s.

The system provides advanced voice and data features for applications ranging from 60 to 16,000 lines and also has Centrex capability. It became the first fully digital PBX on the global market and it was one of the most widely used business telephone systems, with an estimated number of 43 million installed users worldwide.

Computer networks

Besides the four telephone sets, there's also a computer in the office of former FBI director Mueller, which can be seen right behind the ubiquitous Aeron office chair. A KVM switch allows him to use a single set of Keyboard, Video and Mouse to access multiple FBI networks on different classification levels, like:

- Law Enforcement Online (LEO), which is a web-based system for sharing information among the law enforcement community that is running over the internet, classified For Official Use Only.

- Federal Bureau of Investigation Network (FBINet), which is the FBI's intranet and can only be accessed through an FBI computer.

- FBI Secret Network, which can be accessed from any US government computer that is connected to the Intelligence Community's INTELINK-S network that is running on the Defense Department's SIPRNet infrastructure, classified up to Secret.

- Sensitive Compartmented Information Operational Network (SCION), which is the FBI's designation of the Intelligence Community's INTELINK-TS network that is running on the Defense Department's JWICS infrastructure, classified up to Top Secret/SCI.

Former FBI director Mueller working in his office, June 4, 2010.
(photo: Melina Mara/The Washington Post/Getty Images)

Links and sources
- The Washington Post: Federal government cancels costly, decade-long search for a new FBI headquarters (2017)
- Office of the Director of National Intelligence: ITACG Intelligence Guide (2011)

See also:
- The phones of US Director of National Intelligence James Clapper
- NSA director Alexander's phones
- US State Department red phones
- Commander Petraeus' phones