12 July 2014

The National Security Agency in 2002

July 3, 2014

During the past year, a number of slides from a 2002 NSA presentation titled "National Security Agency: Overview Briefing" were disclosed as part of the Snowden-leaks.

This presentation as a whole would have been a great comprehensive overview of the structure and the mission of NSA at the start of this millennium, but until now only six slides were made public, widely scattered over a period of almost a year and across media from 3 continents, almost as if to prevent people from seeing the whole picture.

All slides from this presentation can be recognized by their rather overloaded blue background, combining the seals of NSA and CSS, a globe, numerous ones and zeros representing digital communications, and a fancy photoshopped lens flare. In a number of slides, the font type of the classification marking looks different, which could indicate that the presentation was altered and/or re-used several times.

This slide was published by Brazilian media in July 2013. A somewhat distorted version (pdf) was published by Der Spiegel on June 18, 2014. It shows a world map with all the locations where there's a satellite intercept station, which is used for the collection of foreign satellite (FORNSAT) communications.

Nine stations are operated by NSA, including two as part of an SCS unit (see below), and seven stations operated by 2nd Party partners, in this case Great Britain, Australia and New Zealand:

US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabana Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan) 
- LEMONWOOD, Thailand
- SCS, New Delhi (India) 

2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, Oman
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, ? (New Zealand)


All these satellite intercept stations were interconnected, and it was this network that became publicly known as ECHELON. Revelations about this eavesdropping system in the late 1990s led to public and political outrage and subsequent investigations very similar to what has happened since the start of the Snowden-leaks.

Until the new millennium, international communications travelled via satellite links, which made ECHELON one of NSA's most important collection systems. But since then, international traffic has shifted almost entirely to fiber-optic cables, making this the agency's current number one source.

We have no slide about NSA's cable tapping capabilities in 2002, but from other sources we know that there were at least three programs operational outside the US:

- RAMPART-M for access to undersea cables
- RAMPART-T for land-based cables, in cooperation with CIA
- RAMPART-A for cable access in cooperation with 3rd Party partner agencies


This slide was published by the Italian paper L'Espresso on December 6, 2013. It once again shows a world map, this time with the names of over 80 cities where there's a joint NSA-CIA Special Collection Service (SCS) unit. These units operate covertly from inside a US embassy or consulate to get access to targets that are difficult to reach otherwise. The names of cities in countries that are hostile to the US are redacted by the paper.

There are also four "Survey Sites" and seven "Future Survey Sites", but at present it is not clear what that means. Finally, there are two Technical Support sites: PSA in Bangkok, Thailand, and RESC (Regional Exploitation Support Center?) at the US Air Force base in Croughton, UK. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.

This slide was published by Der Spiegel on June 18, 2014. It shows a world map with the locations where there's a Cryptologic Support Group (CSG). These CSGs are part of the signals intelligence and cryptologic branches of the five US Armed Services (Army, Navy, Air Force, Marines, Coast Guard), which together form the Central Security Service (CSS) - the tactical part of NSA.

Cryptologic Support Groups provide advice and assistance on SIGINT reporting and dissemination and are located at all major US military command headquarters, both inside and outside the United States. The locations of Cryptologic Support Groups in 2002 were:

- STRATCOM: United States Strategic Command, Omaha
- TRANSCOM: United States Transportation Command, Belleville
- USSPACECOM: United States Space Command, Colorado Springs
- JSOC: Joint Special Operations Command, Spring Lake
- State Department, Washington
- NMJIC: National Military Joint Intelligence Center, Washington
- CIA: Central Intelligence Agency, Langley
- ONI: Office of Naval Intelligence, Suitland
- San Francisco
- FORSCOM: United States Army Forces Command, Fort Bragg
- JFCOM: United States Joint Forces Command, Norfolk
- SOCOM: United States Special Operations Command, MacDill AFB
- CENTCOM: United States Central Command, MacDill AFB
- Key West (Naval Air Station)
- SOUTHCOM: United States Southern Command, Doral
- EUCOM: European Command, Molesworth
- NAVEUR: United States Naval Forces Europe, London
- USAREUR: United States Army Europe, Wiesbaden
- USAFE: United States Air Forces in Europe, Ramstein
- EUCOM: European Command, Stuttgart
- USFK: United States Forces Korea, Seoul
- Japan
- Hawaii (United States Pacific Command)

This large number of CSG locations is one of the things that reflects the importance of NSA's military mission, which is almost completely ignored in the Snowden reporting (the slide was published rather unnoticed as part of a batch of 53 NSA documents).

This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It shows what NSA saw as current threats in 2002, with an overlay that seems to have been added later and which lists a range of communication techniques. Greenwald says this slide shows that NSA also counts these technologies, including the Internet, as threats to the US, proving that the US government sees this global network and other types of communications technology as threats that undermine American power.*

This interpretation is rather far-fetched because in that case, pagers and fax machines would also be a threat to the US. It's obvious the list shows the means by which individuals and organisations that threaten the US can communicate - which of course is important to know for a signals intelligence agency like NSA. 

The actual threats listed in the slide are:

- Hackers
- Insiders
- Traditional Foreign Intelligence
- Foreign [...]
- Terrorists
- Criminal elements
- Developing nations

This slide was published in Greenwald's book No Place To Hide on May 13, 2014. It says that NSA has alliances with over 80 major global corporations supporting both missions (i.e. Signals Intelligence and Information Assurance) and presents the names of a number of big American telecommunications and internet companies, along with pictures of some old-fashioned communication devices.

Greenwald's book says that in the original presentation, this slide follows some unpublished ones that are about "Defense (Protect U.S. Telecommunications and Computer Systems Against Exploitation)" and "Offense (Intercept and Exploit Foreign Signals)".*


This slide was also published in Greenwald's book on May 13, 2014. It shows the three main categories of "customers" of NSA, which are government and military organizations that can request and receive intelligence reports. Besides other major US intelligence agencies, we see that NSA works for civilian policy makers as well as for military commanders, from the Joint Chiefs of Staff (JCS) and the Commanders-in-Chief (CINCs) down to tactical commanders.

Greenwald uses this slide to point to the Departments of Agriculture, Justice, Treasury and Commerce, the mention of which he sees as proof of an economic motive for NSA's spying operations.* Although almost all countries (try to) spy in order to get information that can be useful for their national economic interests, Greenwald acts as if this kind of intelligence is somehow off limits, thereby discrediting NSA.


Links and Sources

- National Security Agency: Transition 2001 (pdf)
Posted by P/K at 01:00

June 24, 2014


(Updated: July 7, 2014)

Earlier this month, it was the one year anniversary of the Snowden-leaks, by far the biggest disclosure ever of highly secret documents from the US National Security Agency (NSA). Edward Snowden and Glenn Greenwald are using these documents to show how eager NSA is to collect every bit of communication that travels around the world.

But by taking a close and careful look at the original slides and reports which have been published so far, it turns out that they contain no hard evidence for a massive abuse of power or violation of the law, not even for the alleged monitoring of "every single conversation and every single form of human behavior".




Headquarters of the National Security Agency at Fort George G. Meade
(screenshot from PBS Frontline - United States of Secrets)

No Place To Hide

Edward Snowden and Glenn Greenwald claim that NSA wants to collect, store, monitor and analyse the electronic communications of innocent citizens all over the world, which would be an unprecedented abuse of power and a violation of the American constitution. This is how the story is told over and over in numerous media reports worldwide, and also in Greenwald's book 'No Place To Hide', which was published in over twenty countries on May 13, 2014.

After a year of countless revelations, people might have expected that this book would provide a detailed and comprehensive explanation of all those confusing NSA programs, tools, and operations. But although it contains a range of new documents, these go without any proper explanation. Greenwald just uses them for picking a phrase or a number to illustrate his own argumentation. 

Libertarianism

Both Snowden and Greenwald are acting from points of view that are based on Libertarianism, a political ideology which encompasses minimizing the influence of government and maximizing the freedom and liberties of individual citizens. They argue that state surveillance is a big evil, not least because when people know that they are being watched and followed, most of them will behave compliantly toward the existing powers all by themselves.

But for that, people first have to know that they are being monitored, and NSA actually did everything to keep the extent of its spying operations secret from the public. Only after the documents taken by Edward Snowden were published did people actually learn how massive that spying is - through the eyes of Snowden and Greenwald.

NSA's military tasks

The Snowden-leaks of the past year taught us a lot about NSA, but there are also some important aspects that were ignored. One is the fact that NSA is a military signals intelligence agency: it falls under the US Department of Defense (DoD), is led by a high-ranking military officer and plays an important role in supporting the US armed forces.

For that, NSA is not only intercepting communications that are of strategic or tactical importance, but also collecting and analysing many other types of electromagnetic radiation, such as from radar, which is called ELINT. All five US Armed Services have dedicated signals intelligence and cryptologic units, which together form the Central Security Service (CSS), the tactical part of NSA.

Neither Snowden, nor Greenwald, nor the vast majority of the media reports even came close to mentioning the true extent of NSA's military job. One indication that can be put together from the numbers from the BOUNDLESSINFORMANT tool is that 54% of the data that NSA collects globally comes from countries in the Middle East plus India.

Because no NSA activities related to US military operations, for example in Afghanistan, have been revealed either, most people will now think that NSA is only spying on civilians. One of the very few exceptions was the Dutch newspaper NRC Handelsblad, which revealed how the Dutch military intelligence service MIVD cooperated with American troops in Afghanistan and helped map a network of Somali pirates.


One example of where the military aspect seems to have been withheld deliberately was the revelation by The Guardian and the New York Times of the 9-Eyes and the 14-Eyes, groups in which a number of European countries closely cooperate with NSA. Later it became clear that both groups are for exchanging data and intelligence for military purposes.

NSA spying in Europe?

And then there was the case of BOUNDLESSINFORMANT, the tool used by NSA for counting and visualizing its worldwide data collection activities. Initially, Glenn Greenwald reported in various European newspapers that charts from this tool show that tens of millions of phone calls of citizens from Germany, Spain, France, Norway and Italy were intercepted by NSA.

But then, military intelligence services from various European countries declared that this interpretation was wrong and that the charts actually show metadata that were not collected by NSA, but by them. These statements are supported by the fact that the related BOUNDLESSINFORMANT charts show the DRTBox technique, which is primarily used in tactical military environments.

The metadata were derived from foreign communications in crisis zones and collected in support of military operations abroad. Subsequently these data were shared with partner agencies, most likely through the SIGDASYS system of the SIGINT Seniors Europe (SSEUR or 14-Eyes) group, which also made them available to NSA.

In the end, the disclosures about various European countries did not prove massive spying by NSA, but rather show how closely European agencies cooperate with the Americans in the field of military intelligence.

Chart from the BOUNDLESSINFORMANT tool that was released by Der Spiegel on June 18, 2014
It shows that SIGADs related to European countries are actually part of 3rd Party collection

NSA's goals

One thing that Snowden and Greenwald are repeating over and over is that NSA wants to have all digital communications from all over the world: "Collect it All". But the evidence they present is very thin and not very convincing. According to Greenwald's book, that alleged goal is from a memo about the satellite intercept station Misawa in Japan and from a few slides about the Menwith Hill satellite station in the UK:


About the Foreign Satellite Collection (FORNSAT)
at Menwith Hill Station (MHS) in the UK


NSA Director Keith Alexander talking about FORNSAT
during a 16 June 2008 visit to MHS

Since international telecommunications shifted to undersea fiber-optic cables after the year 2000, satellite links nowadays carry only a small share. It could be possible to collect all of that, but that aim can't be applied to the entire collection effort of NSA, which is so much larger. Furthermore, if "Collect it All" really was NSA's ultimate goal, then it certainly would have been in more high-level policy documents for the entire organization - which have not been presented so far.

Strategic Mission List

The real and far more specific goals for NSA can actually be found in the 2007 Strategic Mission List (pdf). This document was revealed by The New York Times in November 2013, but got hardly any attention.

Besides the strategically important countries China, North Korea, Iraq, Iran, Russia and Venezuela, which are enduring targets, the document also lists 16 topical missions. The most important ones are: winning the war against terror; protecting the US homeland; supporting military operations; preventing the proliferation of weapons of mass destruction by countries like China, India, Iran and Pakistan.

Some of the non-military goals for NSA are: anticipating state instability; monitoring regional tensions; countering drug trafficking; gathering economic, political and diplomatic information; ensuring a steady and reliable energy supply for the US. All these are goals that are quite common for a large (signals) intelligence agency.

Economic espionage

The US government insists that its intelligence agencies are not spying on foreign companies for the benefit of individual American corporations: economic intelligence is only used to support policies, lawmaking and negotiations that benefit the US economy as a whole. Greenwald doesn't make that distinction, so every reference in NSA documents to economic goals is interpreted in the worst possible way.

He also tried to prove economic espionage by publishing a slide that shows the names of companies like Petrobras, Gazprom and Aeroflot. But the slide clearly says "Many targets use private networks", which indicates that NSA is focusing on specific targets, more than on the companies themselves.

Just like in many other publications based upon the Snowden-documents, conclusions are drawn from a very selective reading of a single slide, out of its context and with parts of the content redacted. This cannot be sufficient evidence for the far-reaching claims and accusations that Greenwald and Snowden are making.

End-reports

To be certain whether NSA conducted the unwanted economic espionage, or what the results of its eavesdropping operations are in general, we should see the end-product intelligence reports that NSA analysts write after having analysed the collected data. But apparently access to these reports is more strictly controlled, or else Snowden would have taken them too.

This indicates that NSA actually has internal access control systems that do work, which contradicts the alleged uncontrolled access that analysts have to virtually anyone's communications - according to Snowden, who also hasn't provided any documents that prove that claim, for example by showing deficiencies of NSA's user authentication system CASPORT.

At first sight it looks very impressive that almost all documents he leaked are stamped TOP SECRET//COMINT, but inside NSA information at that classification level is actually available to virtually everyone. Really sensitive secrets are in compartments like those for Exceptionally Controlled Information (ECI) of which often not even the codeword is known.

UPDATE:

On July 5, 2014, The Washington Post revealed that Snowden actually did have access to reports containing full internet messages that were intercepted under FISA/FAA authority and that he was able to exfiltrate some 160.000 of them. The article suggests that he could do this because he had authorized access to at least the RAGTIME compartment.

Some other ECI-codewords that have been disclosed are REDHARVEST (RDV) and WHIPGENIE (WPG), and also details about the scope of the STELLARWIND (STLW) control system came out.


Hacking operations

The press reports about NSA hacking into smartphones and computers, whether through the telephone networks, the internet or by bridging the "air gap", are also misleading. Without mentioning for what kind of targets these methods are used, and by using general terms like "internet users" instead of "targets", people get the idea that it can affect everyone.

This is illustrated by the story that NSA has facilities where they intercept shipments of commercial computer hardware in order to covertly install spying implants. A scary idea if NSA would do that randomly with hundreds of thousands of shipments, but as we can see in this internal report, the method is used to "Crack Some of SIGINT's Hardest Targets" - in which case it seems legitimate and proportionate.

Damaging disclosures

It may not have been that lives of American officials or specific operations have been endangered, but there's no doubt that disclosing these methods damaged NSA's ability to get access to communications which are otherwise impossible to intercept. Both friends and enemies will now check every new computer shipment and all of their sensitive existing computer and telephone systems in order to remove every piece that resembles those shown in the media.

Snowden said he doesn't want to harm the US and also not to strain bilateral relations with other countries. But as the opposite has happened, it seems that some journalists to whom he gave his documents are not always publishing them according to his intentions.

For example, the German magazine Der Spiegel revealed details about the computer spying implants and the eavesdropping on chancellor Merkel, while Greenwald did the same regarding the presidents of Mexico and Brazil, which put their relationship with the US under severe pressure.

Similar were disclosures about the NSA eavesdropping on the communications of the UN, the European Union, a number of foreign embassies, international conferences and some large private companies. It was embarrassing for the US having these activities exposed, although it's nothing more or less than the core business of every foreign intelligence agency.

GCHQ operations

Looking at the legal framework and official tasks also helps to better understand the disclosures about the British signals intelligence service GCHQ. From various documents, it seems this agency is especially eager and aggressive, like for example in collecting webcam images and planning "disruption" operations against hackers associated with Anonymous.

These activities would fit the broader mandate and the fewer legal restrictions which the British service has compared to the NSA. For example, GCHQ is allowed to operate domestically and assist the security service MI5 as well as law enforcement, where activities of NSA are strictly limited to foreign intelligence. The examples of GCHQ's domestic activities show that ordinary people have to fear more direct consequences from law enforcement than from intelligence.

GCHQ also wants to be a major player in the field of foreign intelligence. As such it has access to 200 fiber-optic cables, and is able to intercept 46 cables of 10 gigabits per second at a time. This means that 21 petabytes of data flow past these systems every day.

To filter and search this traffic, there's a system codenamed TEMPORA, which incorporates NSA's XKEYSCORE machines and is thereby able to preserve all content for 3 days and all metadata for 30 days in a rolling buffer. TEMPORA is located at three GCHQ processing centers and is 10 times larger than the next biggest XKEYSCORE site:

Explanation of the TEMPORA system used by GCHQ

NSA collection worldwide

One of the major accusations of Snowden and Greenwald is that NSA is indiscriminately gathering and storing electronic communications from all over the world. From quite a number of leaked internal documents we now have a lot more information about NSA's global interception capabilities.

They tell nothing about the tactical systems for military purposes, but we learned a lot about various ways to tap into general telecommunication channels like satellite links and fiber-optic cables, both submarine and land-based. NSA's access to them can be unilateral or in cooperation with 2nd Party partners (the WINDSTOP program) and 3rd Party agencies (the RAMPART-A program).

Some numbers

From the BOUNDLESSINFORMANT tool and some other charts we know that NSA collects billions of data a day. That sounds like a huge number, but remarkably enough there was not one press report that provided numbers on the telecommunication traffic in general for comparison.

The NSA itself issued a statement (pdf) in August 2013 saying that about 30 petabytes a day pass their collection systems, which filter out and store about 7,3 terabyte. Cisco estimates that in 2013 there was some 181 petabyte of consumer web, email, and data traffic a day, which means that roughly 16% passes through NSA systems, which eventually store 0,00004% of it.

XKEYSCORE

At 150 sites where NSA intercepts cables, satellites and other communication channels, the agency has installed the XKEYSCORE (XKS) system, which is able to store a "full take" of the communications that flow past, but only 3 to 5 days of content and 30 days of metadata. At some sites, the amount of data exceeds 20 terabyte a day, which can only be stored for 24 hours.

With this temporary buffer, XKEYSCORE provides NSA analysts with the opportunity to search these data for "soft selectors" like keywords and for other target related characteristics like the use of encryption, virtual private networks, the TOR network or a different language. This enables analysts to use data that otherwise would have been dropped by the front-end collection systems, in order to find internet activities that are conducted anonymously and therefore cannot be found by just looking for a target's e-mail address.

Before XKEYSCORE was installed, there were only the more traditional systems that automatically filter out content that comes with so-called "strong selectors" like e-mail and IP addresses. This is less than 5% of the internet communications that pass NSA's front-end filters.

Both the traditional filters and the XKEYSCORE system are picking out a relatively small number of communications in a targeted and focussed way. Traffic that is not of interest is only stored for a few days and then automatically disappears as it's overwritten by new data. So, although these NSA systems "see" a huge amount of data, there's no "Store it All".

Entire countries

XKEYSCORE is only used for searching and analysing internet communications, but a similar function for telephone calls is available under the MYSTIC program, which was revealed on Greenwald's website The Intercept on May 19, 2014. Under MYSTIC, NSA has access to the entire mobile phone traffic of five or six countries.

But also in this case, the storage of communication data is limited to thirty days and from the networks of three countries (Mexico, Kenya and the Philippines) this only applies to metadata. Content of phone calls is only stored from two countries: from the Bahamas in order to test this system, and it's probably Afghanistan where it eventually went live.

For these countries NSA's collection effort comes close to mass surveillance, but strangely enough, the SOMALGET program that comprises the content collection only accounts for less than 2% of NSA's cable tapping programs, which could indicate the program is used in a very focussed way.

Bulk collection of metadata

Probably even more misleading and exaggerated are what most Snowden-stories say about the collection of metadata, which is the information needed for the technical and administrative handling of communications. This matter is important, first because NSA collects far more metadata than content, probably up to several trillion records a month. 

Chart showing the volumes and limits of NSA metadata collection
(the domestic metadata collection seems to be excluded)

Secondly, the collection of metadata is even more controversial than storing contents. Not only Snowden and Greenwald, but also most civil liberties organizations say that "bulk collection" equals "mass surveillance", because analysing metadata is more intrusive and thus a bigger violation of privacy than looking at the content of phone calls or e-mail messages. 

That might be correct in theory and in potential, but in reality the collection of huge amounts of data doesn't automatically mean that equal numbers of individuals are being actively tracked and traced. From the documents that have been disclosed by Snowden and from those that have been declassified by the US Director of National Intelligence (DNI), we learn that NSA uses metadata in two ways:

1. To discover new suspects through a method called "contact chaining". Starting with say the phone number of a known foreign bad guy, a specialized tool presents the numbers he was in contact with, which by cross-referencing can point to conspirators that were previously unknown.

In 2012, NSA used 288 phone numbers as a "seed" for starting such a query in its domestic phone record database and this resulted in a total of twelve "tips" to the FBI that called for further investigation. In 2013 the number of selectors had risen to 423. This domestic collection is legally authorized under section 215 of the Patriot Act and is additionally regulated by the FISA Court, so under the existing legal framework this is not illegal spying on Americans.

2. Only for people who are identified as legitimate foreign intelligence targets, the metadata of their phone numbers are pulled from the databases to be used for creating a full "pattern-of-life" analysis. There's no evidence that NSA is randomly querying the metadata they collected for some kind of profiling without any specific lead. 

Most of what we know about the domestic collection of US telephone metadata comes from declassified court orders, because Snowden hasn't revealed any internal NSA documents about this so-called Section 215 program. At least in this case, NSA seems to be able to "Store it All", even though there's no "Analyse it All".

Collection inside the US

Probably Snowden's biggest disclosure was the existence of the PRISM program, through which NSA collects communications from major American internet companies like Facebook, Google, Microsoft and Apple. However, the initial claim that NSA had direct access to the servers of these companies proved to be misleading, and also PRISM is not used for spying on ordinary citizens, but for gathering information about a wide variety of foreign intelligence topics, as mentioned before.

Slide from the PRISM-presentation that shows NSA has no direct
relationship with communication providers - only through FBI

The disclosure that had the biggest impact on the American public was that large telecommunication providers like Verizon are handing over all their telephone records to NSA. Apparently Americans only became fully aware of this after it was revealed by Snowden, even though the collection of domestic telephony metadata had already been revealed in 2006.

Upstream collection

Also in 2006 it was disclosed that NSA had installed intercept devices at switching stations of major fiber-optic cables inside the United States. This equipment is used to filter the phone and internet traffic, but because this was done inside the US, it looked like NSA was eavesdropping on Americans, something that is strictly prohibited.

Sensationalist headlines of many press reports following the Snowden-leaks also suggested that NSA was "listening on American phone calls" and "reading American e-mails". This however is only the case for people in the US who are known associates of terrorist groups or foreign governments.

UPDATE:

On July 5, 2014, The Washington Post revealed that Snowden exfiltrated some 160.000 internet messages collected under FISA/FAA authority and that almost 90% of them were from persons, both American and foreign, who were not listed as a foreign intelligence target. A large number were correctly minimized and there's no evidence the overcollected messages were actually read or used, but they also weren't deleted.

The domestic cable tapping is part of NSA's Upstream collection program, which is primarily used for access to communications between foreigners or foreign targets and possible conspirators inside the US. Most surprising is probably how close the cooperation with American telecommunication companies is. 

The codenames for these domestic programs are FAIRVIEW, BLARNEY and STORMBREW, and under OAKSTAR, American telecoms are providing cable intercept facilities abroad.

In filtering the traffic from these cables, it proved to be impossible for NSA to fully separate communications of approved foreign targets from those of uninvolved Americans. Up to 10.000 of the latter landed in NSA databases each year and the agency was repeatedly criticized for this overcollection by the FISA Court.*

This shows that this oversight mechanism isn't the mere "rubber stamp" that Snowden and Greenwald continuously call it. The fact that the FISA Court decides behind closed doors is also not a scandalous exception, as the same applies to grand juries in ordinary crime cases.

Whistleblowing?

Except for some other similar minor violations of internal rules and legal requirements, the documents published so far don't contain evidence of large scale abuse of power, mismanagement or deliberate illegal behaviour. Therefore, it seems that Edward Snowden can not be considered a whistleblower in the traditional and official sense of the word. Snowden himself said that he lacked whistleblower protection because he was just a contractor, but actually it seems more like the formal whistleblowing criteria won't apply to his case.

US Federal Government whistleblower
awareness poster

Of course, not everything that is legally allowed is always right, and many people don't agree with the actual scope of NSA's spying operations. Snowden additionally warns against the (future) misuse that can be made of these kinds of systems in general, also in other countries worldwide. That's a legitimate cause, but a personal disagreement with current policies and practices alone doesn't constitute whistleblowing. It's rather a political and/or moral issue.

Conclusion

In the past year we really learned a lot about the methods and the collection programs of the NSA. But in the media, the facts that arise from the original documents have often been instrumentalized for the ideological fight between Snowden and Greenwald on one side and the NSA and the US government on the other. The latter parties are being accused of trying to eliminate all forms of privacy, but in the documents that have been disclosed, there's no hard evidence that proves that claim.

The documents show that NSA has a large, worldwide network of data collection systems, but these systems are not capable of collecting, let alone storing all the communications that occur all over the world. Instead, NSA tries to collect its data in as targeted and focussed a way as possible, in order to fulfill its foreign intelligence tasks, many of which are of a military nature.

The NSA is trying to do this carefully and in compliance with the laws and the policies, although it is sometimes operating on the edge of what is legally and politically acceptable. Preventing those borders from being crossed can only be done by taking a very close look at what NSA is actually doing. The documents leaked by Snowden give us some insight into that, but the myth of an agency that is able to know everything we are doing, saying, thinking and planning is just distracting.

(The conclusion about the legality of NSA's operations may have to be changed partially, as Glenn Greenwald has announced that he soon will publish details showing that NSA does eavesdrop on ordinary American citizens)

Links and Sources

- Heise.de: Was war. Was wird.
- DavidSimon.com: We are shocked, shocked...
- All the leaked documents: IC off the Record

Today it is exactly one year since the Snowden-leaks started. Among the many highly classified documents which were disclosed during the past year are various charts that provide us with actual numbers about the amount of data the National Security Agency (NSA) is collecting.

Here we will take a look at those numbers and see what we can learn from them by comparing various sources and from breaking them down into NSA-divisions, countries and collection programs. As still only fragmented parts have been published, this overview cannot provide completeness or full accuracy (estimates are shown as round numbers).

BOUNDLESSINFORMANT

The most detailed numbers about NSA's data collection are from the BOUNDLESSINFORMANT tool, which is used by NSA officials to view the metadata volumes collected from specific countries or by specific programs.

A worldwide overview is provided by a heat map which was published by The Guardian on June 11, 2013. It displays the figures over a 30-day period ending in March 2013:

- NSA worldwide total: 221.919.881.317
- Internet records (DNI): 97.111.188.358
- Telephony records (DNR): 124.808.692.959

This total of 221 billion telephony and internet records a month equals 2,6 trillion a year and 7,3 billion a day. However, the actual number of what NSA collects worldwide might be higher - see the update below.

The BOUNDLESSINFORMANT worldwide overview for March 2013

NSA volumes and limits

The BOUNDLESSINFORMANT tool seems to be very accurate, but there's another chart that gives different numbers. It's from a 2012 presentation for the SIGINT Development conference of the Five Eyes community and shows the volumes and limits of NSA metadata collection. The chart was published by The Washington Post on December 4, 2013 and again in Greenwald's book 'No Place To Hide' on May 13, 2014.

Chart showing the volumes and limits of NSA metadata collection
between January and June 2012
Redactions by Greenwald or the press, explanations added by the author

This chart shows the numbers of:

- telephony metadata which are received by FASCIA, which is NSA's main ingest processor for telephony metadata;

- internet metadata that are transferred to MARINA, which is a huge NSA database that can store internet metadata for up to a year;

- internet metadata that had to be deleted because there was apparently not enough storage space.

Except for the deleted metadata, the chart shows ca. 10,4 billion internet metadata (DNI) a day, which makes 312 billion a month or 3,7 trillion a year. There are ca. 4,5 billion telephony metadata (DNR) a day, which makes 135 billion a month or 1,6 trillion a year. If we compare these numbers with those from BOUNDLESSINFORMANT, we see a big difference:

- Volumes and Limits (a month, 1st half 2012): 312.000.000.000 internet metadata (DNI) and 135.000.000.000 telephony metadata (DNR)
- BOUNDLESSINFORMANT (a month, 1st half 2013): 97.111.188.358 internet metadata (DNI) and 124.808.692.959 telephony metadata (DNR)

There's a difference of 11 billion telephony metadata between both charts, but an even bigger gap exists between the internet metadata: the Volumes and Limits chart shows 215 billion more than BOUNDLESSINFORMANT. This discrepancy wasn't noticed in the press reports, nor in Greenwald's book, so at the moment there's no clear explanation for this.

UPDATE:

A possible explanation for the discrepancies between these numbers can be found in a FAQ document for the BOUNDLESSINFORMANT tool, which says the numbers shown in the "map view" are lower than in the so-called "org view" of the tool. This is because the latter also counts records that don't contain the country identifiers which are needed to be counted in the "map view".

Whether this also explains the big difference between the numbers of internet metadata isn't yet clear, but in general, the numbers are likely to be higher than the 97 billion internet and 124 billion telephony metadata mentioned in the heat map overview.

Telephony metadata

After being processed by FASCIA, the telephony metadata go to MAINWAY, which is another huge NSA database that keeps this kind of data for at least five years. In 2006 it was estimated that MAINWAY contained 1,9 trillion (1.900.000.000.000) call detail records.

For comparison: in 2007, AT&T's Daytona system, which is used to manage its call detail records (CDR's) supported 2,8 trillion records. In 2012, T-Mobile USA Inc. upgraded to an IBM Netezza 1000 platform with a capacity of 2 petabytes. This is used for loading 17 billion records a day, making 510 billion a month and more than 6 trillion a year. 

If we assume the telecom providers and NSA use "records" in the same sense, then this shows that the telecommunication companies produce far more phone call metadata than NSA collects. As T-Mobile USA alone apparently creates 4 times more records than presented in NSA's BOUNDLESSINFORMANT tool, the domestic telephone metadata collection under section 215 Patriot Act cannot be included in the numbers we've seen so far.

GCHQ metadata collection

Even more metadata seem to be collected by NSA's British partner agency GCHQ, which according to this slide from 2011 collects 50 billion metadata per day. This makes 1,5 trillion a month and an astonishing 18 trillion (18.000.000.000.000) a year!


This (partial) slide was published in Greenwald's book No Place To Hide, but without any further explanation, so we don't know whether GCHQ is able to actually store everything or has to delete large amounts, like NSA. From the slide itself it seems that the number of 50 billion refers to internet metadata alone, which would make this number even more remarkable.

According to a report by The Guardian, GCHQ also collects 600 million telephony metadata a day, which makes 18 billion a month - a small number compared to the internet metadata this agency receives:

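- BOUNDLESSINFORMANT: 97 bln. internet metadata per month; 124 bln. telephony metadata per month
- Volumes and Limits: 312 bln. internet metadata per month; 135 bln. telephony metadata per month
- GCHQ: 1500 bln. internet metadata per month; 18 bln. telephony metadata per month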

For indexing and searching the content of internet communications, GCHQ uses the TEMPORA system, which is capable of processing the traffic from 46 fiber-optic cables of 10 gigabits per second. This means that 21 petabytes of data flow past these systems every day.

NSA collection by country

The main BOUNDLESSINFORMANT interface with the heat map also lists the names of the countries which provide the highest numbers of data. These can be sorted in three different ways: Aggregate, DNI (internet) and DNR (telephony), each resulting in a slightly different top-5. The following aggregated totals (so both DNI and DNR) are known:

- NSA worldwide total: 221.919.881.317 (100%)
- Pakistan: 27.275.944.618 (12%)
- Afghanistan: 24.293.973.693 (11%)
- Iran: 15.834.475.801 (7%)
- Jordan: 14.374.155.469 (6%)
- India: 12.616.915.557 (5%)
- Saudi Arabia: 11.367.867.117 (5%)
- Iraq: 10.487.011.026 (4%)
- Egypt: 9.064.623.040 (4%)
- ...
- United States: 3.095.553.478
- ...
- Brazil: 2.300.000.000

These numbers indicate from which countries NSA gathers most data, but the exact meaning of the numbers has still not been clarified. We do know that BOUNDLESSINFORMANT counts metadata records, but what these records exactly are (for example: how many records are created by one phone call?), and how they are attributed to a specific country is not clear.

Communications by definition have two ends: the originating and the receiving end. When both ends are in the same country, it's easy to attribute it to that particular country. But when the originating and the receiving ends are in a different country, how is such a communication registered? Maybe for both countries, although that would make many of them appear in these numbers twice.

United States

Edward Snowden saw the heat map with the 3 billion attributed to the United States as a proof that NSA was conducting domestic surveillance, although the heat map itself cannot provide sufficient evidence for that. The 3 billion could very well relate to foreign communications which are just transiting the US or to the American end of for example phone calls where the other end is a foreign suspect. Somewhat more information could have been provided by the bar charts for the US, but these haven't been published.

The number of 3.095.553.478 for the United States is the aggregated total. The number of internet records (DNI) for the US is 2.892.343.446, which leaves just 203.210.032 telephony records (DNR) or 0,065% of the aggregated total. In a table this looks like this:

- United States total: 3.095.553.478 per month
- Internet records (DNI): 2.892.343.446 per month
- Telephony records (DNR): 203.190.032 per month

This tiny share for telephone metadata is rather strange given the fact that NSA is collecting all American phone records, but does not do so with internet metadata. This seems to indicate that these domestic phone records are not counted by BOUNDLESSINFORMANT and that the internet records are from communications with at least one end foreign.

NSA collection by division

With a BOUNDLESSINFORMANT chart about the NSA's Special Source Operations (SSO) division published in Greenwald's book, we can also compare the number of data collected by this division with the total number of NSA data collection. We see that SSO, which is responsible for tapping the world's main fiber optic cables, accounts for 72% of all data:

- NSA worldwide total: 221.919.881.317 (100%)
- Special Source Operations (SSO): 160.168.000.000 (72%)
- Other NSA divisions: 61.751.000.000 (28%)

This leaves the remaining 28% of the data to be collected by NSA's other main divisions: Global Access Operations (GAO), which operates mobile collection platforms like satellites, planes, drones and ships, and Tailored Access Operations (TAO), which collects data by hacking into foreign computer networks. The remaining 28% could also encompass data collected by the joint NSA/CIA Special Collection Service (SCS) units and by 3rd Party partner agencies.

BOUNDLESSINFORMANT chart about the SSO division

SSO Collection programs

From the BOUNDLESSINFORMANT chart about Special Source Operations we can see how the total number of data collected by this division breaks down into the 5 biggest collection programs. From other charts we also know the numbers collected by some other programs, and these are added here too:

- SSO worldwide total: 160.168.000.000 (100%)
- DANCINGOASIS (US-3171): 57.788.148.908 (36%)
- SPINNERET (US-3180, part of RAMPART-A): 23.003.996.216 (14%)
- MOONLIGHTPATH (US-3145, part of RAMPART-A): 15.237.950.124 (9%)
- INCENSER (DS-300, part of WINDSTOP): 14.100.359.119 (9%)
- AZUREPHOENIX (US-3127, part of RAMPART-A): 13.255.960.192 (8%)
- ...
- FAIRVIEW (US-990): 6.142.932.557
- ...
- SOMALGET (US-3310, part of MYSTIC): 3.000.000.000
- ...
- ACIDWASH (part of MYSTIC): 1.050.000.000
- ...
- MUSCULAR (DS-200B, part of WINDSTOP): 181.280.466
- Other programs in total: 26.412.000.000

This listing shows that roughly one third of the data from telecommunication cables are collected by just one single program: DANCINGOASIS. Another third is intercepted by the programs ranking second, third and fourth, but despite their weight, we still don't know more about them than just their names. Finally, the last third of this type of collection is divided into numerous smaller and very small programs, a number of which have been disclosed through the Snowden-documents.

UPDATE:

On June 18, 2014 the Danish website Information.dk and Greenwald's The Intercept broke a story saying that SPINNERET, MOONLIGHTPATH and AZUREPHOENIX are all part of the RAMPART-A program, which encompasses access to fiber-optic cables abroad in cooperation with 3rd Party partner agencies from at least five different countries.

According to a FAQ document, the BOUNDLESSINFORMANT tool doesn't count data which are collected under FISA authority, so numbers about the famous PRISM program are excluded. However, another source (pdf) says that under PRISM, more than 227 million "internet communications" are collected annually, which is ca. 19 million a month, but it is not known whether these "internet communications" are the same kind of records as presented by BOUNDLESSINFORMANT.

Processing and storing

Metadata from a number of big and important SSO collection programs are processed by a system codenamed SHELLTRUMPET. As can be read in the document below, this system processed almost 500 billion metadata records in 2012, which gives an average of 41,6 billion a month, but by the end of 2012 SHELLTRUMPET was already processing 2 billion call detail records a day, which would make 60 billion a month:

MUSCULAR contributes 60 gigabyte of data to the PINWALE database for internet content every day, which is 1,8 terabyte a month. As BOUNDLESSINFORMANT counts 181 million records for MUSCULAR, this would mean that 1 million internet metadata records represent almost 10 gigabyte of (content) data.

This correlation can be used to make a very rough estimate of the total amount of internet data collected by NSA. The worldwide total of 97 billion internet records a month would then equal some 961 terabyte of data each month or 11,5 petabyte a year (some numbers to compare are here; the new NSA data center in Bluffdale, Utah can store an estimated 12 exabytes, which is 12.000 petabytes).

Shared by 2nd party partner agencies

The very close working relationship between NSA and the 2nd Party partner agencies from the Five Eyes community leads to a regular exchange of data, of which the most productive facilities can be seen in a BOUNDLESSINFORMANT chart that was published by Der Spiegel:

- DS-800: 4.412.803.504
- DS-204A: 1.691.419.171
- UKC-302A: 1.245.109.650
- UKC-215: 937.317.036
- ...
- DS-200B (MUSCULAR): 181.280.466

The SIGAD codes starting with DS denote some kind of joint collection program, those starting with UKC stand for civilian operated facilities of the British signals intelligence agency GCHQ.

Shared by 3rd party partner agencies

NSA also gets data provided by 3rd Party partner agencies. These are counted by the BOUNDLESSINFORMANT tool too, as we know from charts about a number of European countries:

- Germany (US-987LA): 471.258.864
- ? (US-985HA): 181.115.922
- Germany (US-987LB): 81.786.967
- Poland (US-916A): 71.819.443
- France (US-985D): 70.271.990
- Spain (US-987S): 60.506.610
- Italy (US-987A3005): 45.893.570
- Norway (US-987F): 33.186.042
- Denmark (?): 23.000.000
- The Netherlands (US-985Y): 1.831.506

The total number of data received from these nine countries is slightly more than 1 billion a month, which is just a tiny 0,0045% of NSA's overall collection as counted by the BOUNDLESSINFORMANT tool.

Initially, Glenn Greenwald reported in various European newspapers that these numbers represented the phone calls of European citizens intercepted by NSA. But gradually it came out that his interpretation was wrong.

The charts actually show numbers of metadata that were collected from foreign communications by European military intelligence agencies in support of military operations abroad. These data were subsequently shared with partner agencies, most likely through the SIGDASYS system of the SIGINT Seniors Europe (SSEUR) group, which is led by NSA.

Links and Sources


May 24, 2014


On May 13, Glenn Greenwald published his book 'No Place To Hide' about the Snowden-disclosures. It doesn't contain substantial new revelations, but from one of the original documents in it we can determine that NSA's largest cable tapping program is codenamed DANCINGOASIS, something which was not reported on earlier.

Here we will combine information from a number of other documents and sources to create a somewhat more complete picture of the DANCINGOASIS program.

Special Source Operations

In Greenwald's book and on his website, the following chart from NSA's BOUNDLESSINFORMANT tool was published. Although these charts are not always easy to interpret, we can rather safely assume that this one gives the overview for NSA's Special Source Operations (SSO) division, which is responsible for collecting data from major telephony and internet cables and switches.

During the one month period between December 10, 2012 and January 8, 2013, a total of more than 160 billion metadata records were counted, divided into 93 billion DNI (internet) data and 67 billion DNR (telephony) data:

In the "Most Volume" section we see that the program which collects most data is identified by the SIGINT Activity Designator (SIGAD) US-3171, a facility that is also known under the codename DANCINGOASIS, which is sometimes abbreviated as DGO.

During the one month period covered by the chart, this program collected 57.7 billion data records, which is more than twice as much as the program that is second: US-3180, which is codenamed SPINNERET. Third is US-3145 or MOONLIGHTPATH and fourth DS-300 or INCENSER. This chart will be analysed in general in a separate article.

Numbers

Previously it seemed that it was INCENSER that collected the biggest number of data. A BOUNDLESSINFORMANT chart published in November 2013 said that this program gathered some 14 billion metadata a month. Now we know that DANCINGOASIS is collecting almost 4 times as much: more than 57 billion records each month, or 684 billion every year. 

Comparing some numbers shows us that DANCINGOASIS (57 bln.) accounts for more than a third of everything the SSO division collects (160 bln.). It is also far more than what is collected under FAIRVIEW (6 bln.), which is one of the big domestic cable tapping programs that NSA operates in cooperation with US telecom providers.

Comparing DANCINGOASIS with the total number of data that is collected worldwide during one month early 2013 (221 bln.), as presented in the BOUNDLESSINFORMANT heat map, we see that DANCINGOASIS alone seems to account for almost a quarter of the entire NSA data collection.

Given this large share, it could be that DANCINGOASIS is an umbrella program which encompasses various smaller sub-programs. However, DANCINGOASIS is different from MYSTIC, which is an umbrella program containing facilities that monitor at least five entire countries, as was revealed recently by The Intercept. The part of MYSTIC that stores all phone calls of two countries, codenamed SOMALGET, processes only about 3 billion telephony metadata every month.

Whereabouts

Strangely enough we haven't (yet) read about DANCINGOASIS in media reports, nor in the book of Glenn Greenwald, and also we haven't seen any slides or documents that specifically deal with this program.

But in the book 'Der NSA Komplex' written by two journalists from the German magazine Der Spiegel, there's more information. It says that the DANCINGOASIS program started in May 2011 and monitors a fiber optic cable between Western Europe and the Far East.*

It is not clarified what kind of targets DANCINGOASIS collection is used for, but given the enormous amounts of data (57 billion), it has to be from top priority countries from the Middle East. According to the BOUNDLESSINFORMANT heat map, NSA collected more than 27 billion data a month from Pakistan, 24 billion from Afghanistan, 15 billion from Iran and 13 billion from Jordan - all countries that are along the fiber optic cables between Europe and the Far East. 

Blocking address books

Such a huge collection of communications inevitably comes with data that are useless, like for example address books from e-mail accounts that are not related to target persons. Because the number of these address books grew steadily, NSA started to block these from being ingested by installing the SCISSORS selection system. 

This is shown in slides published by The Washington Post on October 15, 2013. We see that SCISSORS was enabled for DANCINGOASIS (US-3171) on March 13, 2012:






The slide on the right shows two codes associated with content collected under DANCINGOASIS: DGOT and DGOD. Similar codes for metadata are written in reverse: TOGD and DOGD respectively.

Processing

The systems which are used to process the data from DANCINGOASIS are listed in the "Top 5 Tech" section of the SSO chart. Of the four most important systems, three are used for processing internet data: XKEYSCORE (42 bln.), TURMOIL (23 bln.) and FALLOUT (12 bln.), with LOPERS (41 bln.) being a system for processing data derived from telephone networks. 

This means that there are two options regarding what kind of data are collected under the DANCINGOASIS program:

- Either 100% derived from the internet and then being processed by a combination of the XKEYSCORE, TURMOIL and FALLOUT systems;

- Or a mix of internet and telephony data, which are processed partly by the internet processing systems and partly by LOPERS.

Clarity about this can be provided by the BOUNDLESSINFORMANT chart about the DANCINGOASIS program specifically, which hasn't been published yet.

Data filtering

The cable intercepted by DANCINGOASIS transfers 25 petabyte of communications data each day. Between 3 and 6 petabyte of them are being scanned by NSA computers. These systems search the data for keywords that are determined by NSA's targeting offices and are derived from the topics in the Strategic Mission List (pdf) and the National Intelligence Priorities Framework, as approved by the White House.

Based upon an unpublished NSA presentation from March 22, 2013 titled "Cyber Threats and Special Sources Operations", the Spiegel book says that between 10 and 40 percent of the data (both content and metadata) collected under the DANCINGOASIS program are filtered out and stored in two databases: 43 gigabyte in one and 132 gigabyte in another database, every day.*

This means that 175 gigabyte of data is stored daily, which is 0,000007% of the 25 petabyte that is transmitted by the cable. The 175 gigabyte makes 5,2 terabyte a month and 63 terabyte a year. Whether the 57,7 billion records collected under DANCINGOASIS also equal 5,2 terabyte of digital storage space seems a bit questionable however.

The book doesn't provide the names of the databases, so they are probably not the known ones like PINWALE, MAINWAY and MARINA. Therefore, the data from DANCINGOASIS might be stored in the NSA's new cloud systems, the names of which NSA likes to keep secret for some reason or another.

Because of similar capacity limits across a range of collection programs, the NSA is leaping forward with cloud-based collection systems and a huge new "mission data repository" in Utah.

Metadata processing

According to the excerpt of an NSA document published in the book of Glenn Greenwald, metadata records from DANCINGOASIS are processed by a system codenamed SHELLTRUMPET. This system "began as a near-real time metadata analyser in December 2007 for a CLASSIC collection system": 

On December 21, 2012 SHELLTRUMPET had processed its 1 trillionth metadata record. Almost half of this volume was processed during 2012, and half of that volume, so one quarter of a trillion (250 billion) metadata records, came from DANCINGOASIS.*

Reporting

A system that collects a huge amount of data does not automatically contribute to equal numbers of intelligence reports. We can see this in a slide about results from NSA's Upstream collection during the fiscal year 2010/2011. 

In the chart, US-3171, the SIGAD of DANCINGOASIS, ranks 6th with some 5452 so called "Serialized Product Reports". Data collected under section 702 FAA authority (PRISM and the domestic Upstream cable tapping) led to almost 4 times more reports:

With a blue bar, DANCINGOASIS is listed as a "SSO Non-Corporate Program", which means the collection is done without cooperation of a commercial telecommunications company. Although this does not exclude foreign government or foreign partner agency cooperation, it's remarkable that NSA is able to collect these huge amounts of data from a fiber optic cable without the help of the operating companies. 

May 6, 2014


(Updated: June 12, 2014)

The German foreign intelligence agency Bundesnachrichtendienst (BND) is moving to a brand new headquarters in Berlin. Here we show some unique pictures from inside the former headquarters in the village of Pullach and also give an impression of what the new building looks like.

Unlike for example the United States and the United Kingdom, Germany has no separate agency for collecting Signals Intelligence (SIGINT) - this is done by the BND, and as such this agency is a 3rd Party partner of NSA since 1962 and also participates in the SIGINT Seniors Europe or 14-Eyes group.

The former Pullach headquarters

Since its formal creation in 1956, the Bundesnachrichtendienst had its headquarters at a 68-hectare compound in Pullach, a village near Munich in the southern province of Bavaria, which was initially built as a model village for staff members of the Nazi party in the years 1936-1938. On the eastern part of the compound there are nowadays also a number of modern office blocks:

As a farewell to this old headquarters, the German photographer Martin Schlüter was allowed to take pictures of almost every corner of the complex, but only at night, when there were no employees present. His pictures are now available in a book called "Nachts schlafen die Spione" (at night the spies are sleeping), published by the Sieveking Verlag.

Pictures from the book were shown in the German television magazine TTT - Titel, Thesen, Temperamente, which made it possible to take the following screenshots of those that show some of the telecommunications equipment used by the BND.

One picture shows a larger room which is used as an operations center with all the common stuff, like various computers, large video screens and teleconferencing equipment:

In the next picture we see a smaller operations center room with desks and a lot of computer screens: 


We see that every monitor has its own keyboard and mouse, which seems not very practical. In the US for example, military and intelligence agencies use so-called KVM-switches, which allow users to work on multiple computers and/or terminals of physically separated networks with just one keyboard, video screen and mouse.

A close up of the previous picture gives a somewhat more detailed view of the equipment: 

On the left there are computer screens which show content inside a red or a blue border. This most likely indicates the classification level of the network they're connected to:


- Blue: VERSCHLUSSSACHE (which equals Confidential)

- Red: GEHEIM (Secret) or STRENG GEHEIM (Top Secret)

Content without such a border is apparently unclassified.

In the center we see two telephones: at the left a Cisco Unified IP Phone 7961 and at the right a rather common looking but yet unidentified office telephone, which can be seen in the other pictures too. The Cisco phone is for a Voice over IP (VoIP) network, where the other one is probably part of a traditional Private Branch eXchange (PBX) internal telephone system.

In these pictures we see no secure telephones, ones that are capable of encrypting calls by themselves, like the ELCRODAT 5-4, made by the German manufacturer Rohde & Schwarz. Probably BND uses network encryptors to secure the calls before they leave the internal network.

That there's also some amount of craziness can be seen in this picture of an office room, used by a BND employee who clearly is a hardcore fan of Elvis Presley:

The new Berlin headquarters

The new BND headquarters is a huge office building at the Chausseestraße in the centre of Berlin. The construction started in 2006 and the overall costs for the building and moving the inventory of some 6000 employees are estimated at 1,3 billion Euro.

The architecture expert Niklas Maak points to a striking difference between the former and the new headquarters: in the past, the enemy was known, the communists from the Warsaw Pact, it was known where they came from, and hence the intelligence agency was hidden in the Bavarian woods. Nowadays, enemies like terrorists and hackers are invisible and could be everywhere, but the BND is now as visible as it can be, almost as to scare them off.

The new BND headquarters building in Berlin

In the new building each employee has a desk with two computers and a telephone, as can be seen in this picture:

(photo: Franz Solms-Laubach/BZ-Berlin.de)

There are two wide-screen monitors, each one with its own keyboard and mouse connected to a computer device. Apparently the BND still doesn't want to use KVM switches.

Update:

Initially, the computer devices looked like thin clients, which just create a virtual desktop environment. All files are stored at centralized servers, which also makes it easier to control and limit the access to sensitive and secret documents. But later, a reader recognized them as being Fujitsu ESPRIMO Q910 mini PC's, which are fully equipped personal computers in a small and stylish housing. They also have USB ports, which would allow thumb drives to be connected to them.

One of the mini PC's has a red and the other one a blue sticker, which probably once again denotes the classification level of the network to which it connects:

- Blue: VERSCHLUSSSACHE (which equals Confidential)

- Red: GEHEIM (Secret) or STRENG GEHEIM (Top Secret)

The telephone on the desk is an Alcatel-Lucent 4068 IP Phone or a similar model, which is a high end full-featured office telephone for Voice over IP networks. Alcatel was a major French telecommunications company which merged with the American telephone manufacturer Lucent Technologies in 2006.

It seems somewhat strange for an intelligence agency to use telephones that are made by a foreign company, as for example the German company Siemens has manufactured telephony equipment for almost a century.

Links and sources

- Internal NSA presentation: Structure of the BND (pdf)
- More pictures of the Berlin headquarters: Eröffnung der BND-Zentrale
- A 2006 photobook about BND Standort Pullach
