September 21, 2022

The highly classified documents found at Trump's residence Mar-a-Lago

(Updated: September 28, 2022)

This weblog is not only about signals intelligence, communications security and top level telecommunications equipment, but also about the US Classification System, which is equally fascinating in all its complexities.

Recently, an unprecedented photo from the FBI provided a unique look at highly classified documents which former US president Donald Trump stole from the White House and stored at his private residence Mar-a-Lago in Florida.

Here I'll provide a detailed explanation of these documents, as well as where they apparantly came from.

Classified documents which the FBI found in Trumps office at Mar-a-Lago

Moving to Mar-a-Lago

On January 20, 2021, former president Donald J. Trump left the White House and moved his belongings to his residence Mar-a-Lago in Palm Beach, Florida. The National Archives and Records Administration (NARA) subsequently learned of approximately two dozen boxes of presidential records that had not been returned to it as required under the Presidential Records Act (PRA).

Late 2021, officials at the archives warned Trump's team that there could be a referral to the Justice Department or an alert to Congress if he continued to refuse to comply with the PRA. Apparently, Trump ultimately went through several boxes at Mar-a-Lago himself and late December, his lawyers informed the NARA that they had found 12 boxes of documents and that they were ready for retrieval.

Donald Trump's residence Mar-a-Lago in Palm Beach, Florida, March 2019
(White House photo - click to enlarge)

15 boxes retrieved

On January 18, 2022, the NARA finally retrieved 15 boxes of records from Mar-a-Lago, containing presidential records and other sensitive material, along with various news clippings and other miscellanea. In its initial review of the materials within those boxes, NARA identified classified documents marked up to the level of Top Secret, including Sensitive Compartmented Information (SCI) and Special Access Programs (SAP).

On February 9, NARA told the Department of Justice (DOJ) that the 15 boxes contained highly classified records that were "unfoldered, intermixed with other records and otherwise unproperly identified." President Biden granted the FBI access to the boxes for examination and by May, the bureau had identified classified documents in 14 of the 15 boxes. In total, there were 184 classified documents, 67 of which were marked Confidential, 92 Secret and 25 Top Secret.

Criminal investigation

Former president Trump then attempted to delay the DOJ's review of the materials by asserting executive privilege over the documents. After the Assistant Attorney General for the Office of Legal Counsel rejected this claim, the FBI launched a criminal investigation to determine:

- How these classified documents were removed from the White House;
- Whether Mar-a-Lago was an authorized storage location for those documents;
- Whether additional classified documents had been removed from the White House;
- Which individuals were involved in the removal and storage of the documents at Mar-a-Lago.

A grand jury was installed and the FBI began interviewing several of Trump's personal aides as well as three former White House lawyers who had been among Trump's representatives to the archives.

Classification markings

On May 11, former president Donald J. Trump was served with a grand jury subpoena which ordered him to hand over any and all documents bearing at least the following classification markings:

These classification markings contain a lot of lesser-known abbreviations, which are explained in my earlier overview of the US Classification System. They are, in order of appearance:

- SI = Special Intelligence (intelligence from intercepted communications)
- G = GAMMA (sensitive communication intercepts)
- NOFORN = No Foreign Nationals
- ORCON = Originator Controlled
- HCS = HUMINT Control System (intelligence from human sources)
- HCS-O = HCS Operations (HUMINT operations and methods)
- HCS-P = HCS Product (HUMINT intelligence reports)
- TK = TALENT-KEYHOLE (intelligence from satellite collection)
- TS = Top Secret (release would cause exceptionally grave damage to national security)
- SAP = Special Access Program (non-intelligence equivalent of SCI)
- NF = NOFORN (see above)
- OC = ORCON (see above)
- FRD = Formerly Restricted Data (about nuclear weapons)
- NATO = Releasable to NATO partners
- S = Secret (release would cause serious damage to national security)
- C = Confidential (release would cause damage to national security)

This list may have been based upon the classification markings that the FBI found on the documents in the boxes that had already been retrieved by the National Archives, but according to a source of The Washington Post, the goal of the list was to ensure recovery of all classified records, and not just those that investigators had reason to believe might be at Mar-a-Lago.

Nuclear weapons information?

It was probably the marking FRD on this list that later led to press reports saying that among the things that Trump was still hiding were documents about nuclear weapons. Given that the FRD marking is only listed once, there may have been only very few if not just one single document with nuclear weapons information, with many more about signals intelligence (SI) and human intelligence (HCS).

In an affidavit from August 5, the FBI listed the statutory authorities upon which it based its application for a search warrant:

- 18 USC 793(e), the Espionage Act
- 18 USC 1519, obstruction
- 18 USC 2071, willfully removing information
- 44 USC 2201, the Presidential Records Act
- 44 USC 3301(a), the Federal Records Act
- EO 13526, the Executive Order governing classified information

Not listed was the Atomic Energy Act (AEA), so apparently the FBI didn't expect to find classified documents about American nuclear weapons. However, on September 6, it was reported that among the thousands of documents which the FBI eventually seized at Mar-a-Lago, there was one document that described a "foreign government's military defenses, including its nuclear capabilities".

A misleading statement

On June 3, the DoJ's Chief of Counterintelligence Jay Bratt and some FBI agents visited Mar-a-Lago where they received 38 additional classified documents, including 17 labeled Top Secret, in "a single Redweld envelope, double-wrapped in tape". One of Trump's lawyers signed a statement asserting that they had conducted a diligent search of the boxes from the White House and handed over the remaining classified material.

The FBI was informed that all of the records from the White House had been kept in one particular storage room and that "there were no other records stored in any private office space or other location at the Premises and that all available boxes were searched." However, government personnel was "explicitly prohibited from opening or looking inside any of the boxes that remained in the storage room."

Secret Service agents stand outside an entrance to Trump's Mar-a-Lago estate
(Photo: Terry Renna/Associated Press - click to enlarge)

The search at Mar-a-Lago

On August 5, 2022, a federal judge signed a search warrant for Mar-a-Lago on the grounds that "National Defense Information" (NDI) had been found in the boxes NARA retrieved from Mar-a-Lago and that there was probable cause to believe that additional documents containing such information remained at Trump's estate.

Three days later, FBI agents searched the Mar-a-Lago estate and seized what initially appeared to be 12 boxes of documents. Classified material was recovered from a storage room in the basement and from a container on the floor of a closet in a former dressing room of the bridal suite above the ballroom, which now serves as Trump's office, also known as the "45 office".

Items seized by the FBI

The result of this search is described in a form called "Receipt for Property" which lists 33 items, mostly boxes, which were (discontinuously) labeled A-1 to A-73. Besides the boxes there were also some separate documents, notes and binders of photos. A detailed discussion of these seized materials can be found at the emptywheel weblog.

According to a DoJ filing from August 31, these boxes contained over a hundred classified records spread over 11 boxes. In the receipt they are seperately listed and marked with an additional A, for example: "13 - Box labeled A-18" which contained "13A - Miscellaneous Top Secret Documents", etc.

Highly classified documents

The most sensitive kind of documents, classified as Sensitive Compartmented Information (SCI), were only found in item #2, a "Leatherbound box of documents". Apparently they appeared so sensitive that "even the FBI counterintelligence personnel and DOJ attorneys conducting the review required additional clearances before they were permitted to review them."

On August 30, a filing by the Justice Department included an unprecedented photograph which shows the classified documents from the leatherbound box from Trump's office:

Classified documents marked as item #2A spread on the floor of Trumps office in Mar-a-Lago
(Photo via the US District Court for the Southern District of Florida - click to enlarge)

This photo was taken by the FBI in order to document the evidence they found, which explains the ruler and a marker that says that this is item #2A. To counter the impression that Trump had them lying on the floor like this, he said that it had been FBI agents who "took [these documents] out of cartons and spread them around on the carpet".

The documents were spread on a carpet with a classic flower motif, with on the right side a cardboard box with five picture frames, one of which shows a Time magazine cover from March 4, 2019, showing all the Democratic candidates who hoped to challenge Trump in the 2020 election.

On the left there's a small part of fringed dark-blue fabric, probably a curtain, and a white scalloped cabinet, which was identified as a $3679.- Birkdale File Chest - most likely from the time that this room was part of Mar-a-Lago's bridal suite.

Cover sheets

Most eye-catching are the colorful cover sheets for classified information. In the photo we can recognize four types, three of which were never seen before. Already known and publicly available are the standard cover sheets (SF704) with the broad borders in red, which are used to protect documents classified as Secret.


In the front of the photo there's a cover sheet which looks brownish but may also be red with the text "SECRET//SCI - Contains Sensitive Compartmented Information up to HCS-P/SI/TK". Unlike the common cover sheets for Secret documents, this one was never seen before. It's also more rare, because usually information from an SCI compartment is classified Top Secret.

The cover sheet for a document classified as Secret/SCI
(click to enlarge)

SCI is sometimes called "above Top Secret" but officially that's not correct: SCI encompasses compartments of information that provide additional protection within the level Top Secret. In the same way these compartments can exist within the level Secret and actually a particular SCI compartment may contain information at any classification level:

Top Secret/SCI

In the FBI photo we also see five cover sheets for documents classified as Top Secret/SCI. While the standard cover sheet for Top Secret information (SF703) is also publicly available, this one was never seen before. It has a broad border in yellow, which is the color code for Sensitive Compartmented Information (SCI), and text in orange, which may refer to the color code for Top Secret:

Cover sheets for documents classified as Top Secret/SCI
(click to enlarge)

A White House cover sheet

Finally, there's a fourth cover sheet, which is only partially visible because it's folded back, probably to show the classification marking on the document. On the cover sheet we can only read some fragments, like "THIS", "PLEASE STORE IN" (a GSA Approved Security Container which is depicted right above these words) and "UNAU[THORIZED]".

In the upper right corner it has a seal which can be identified as that of the Executive Office of the President of the United States (EOP), which includes a range of offices and bodies like the National Security Council (NSC), the White House Military Office (WHMO) and the staff of the West Wing.

The custom White House cover sheet
(click to enlarge)

This document is classified Top Secret, but interestingly, the rest of the classification line has been redacted by the FBI. Usually that happens when a particular program or compartment has not been declassified. Given that it has a custom White House cover sheet, the document may be about a sensitive plan or program from the president or the NSC.

Classification markings

The various cover sheets not only hide the content of the particular documents, but also their mandatory classification line at the top and the bottom of the document. Therefore we don't know which kind of intelligence they contain and how sensitive they actually are.

The cover sheets for Secret/SCI and Top Secret/SCI both have the warning "Contains Sensitive Compartmented Information up to HCS-P/SI/TK", which means the documents may contain information from one, two or even all three of the following SCI control systems:

- HCS-P = Humint Control System - Product (intelligence from human sources)
- SI = Special Intelligence (intelligence from intercepted communications)
- TK = TALENT KEYHOLE (intelligence from satellite collection platforms)

It's not clear whether these cover sheets are also used for documents with information from compartments or sub-compartments of these control systems, i.e. even more sensitive and closely guarded secrets.

Dissemination markings

Besides the documents with a cover sheet, the FBI photo shows 12 classified documents without such a colorful protection and therefore they redacted all the content. One document (between the yellow Top Secret/SCI cover sheets) is fully redacted, on the others we see the following classification markings:

- SECRET with additional markings redacted (1 document)
- SECRET NOFORN (1 document)
- SECRET and something illegible (1 document)

Distinctive here are the so-called dissemination markings, which are added to the classification level to restrict the dissemination of information among only those people who have the appropriate clearance level and the need to know the information. The dissemination markings seen here are:

- ORCON, which means the originator of the information controls to whom it is released. It allows originators to maintain knowledge, supervision, and control of the distribution of the information beyond its original dissemination. Further dissemination of this information requires advance permission from the originator.

- ORCON-USGOV, which means the information "has been pre-approved for further dissemination without originator approval to the US Government's Executive Branch Departments and Agencies." It's not allowed to use this marking with information classified as SI-G or HCS-O.

- NOFORN, which means the information may not be disclosed or released to foreign nationals, foreign governments, or international organizations of governments without permission by the originator.

- LIMITED ACCESS seems not a registred dissemination marking as it's not part of the classification line and is also not listed in the 2016 manual for the Intelligence Community Markings System nor in the list of CUI dissemination markings from 2021, which suggests that it's an internal White House marking.

This brings to mind US Director of National Intelligence Dan Coats who in February 2018 warned that presidential aides with interim security clearances should only have limited access to classified information. Not much later a bill to the same effect was introduced, but didn't pass the House of Representatives.

Shortly before it had come out that Trump's former staff secretary Rob Porter and his son-in-law Jared Kushner were working under an interim security clearance and more than 30 of Trump's aides had their clearance downgraded from Top Secret to Secret.

In total, the FBI photo of item #2A shows 22 classified documents: 1 Confidential, 14 Secret and 7 Top Secret.

The detailed property inventory

As if the photo of the classified documents wasn't enough, the court also unsealed the Detailed Property Inventory, which happened on September 2, 2022. This inventory lists in more detail all the things the FBI seized at Mar-a-Lago:

Here we see the other documents which the FBI found in the leatherbound box that was marked as item #2. We also learn that there were actually 24 classified documents: 2 Confidential, 15 Secret and 7 Top Secret, which is 1 Confidential and 1 Secret document more than could be seen in the photo, maybe because some were stacked together.

Overall the FBI found 103 classified documents: 31 Confidential, 54 Secret and 18 Top Secret, dispersed in 13 boxes from the storage room as well as in the leatherbound box from Trump's office, where one separate classified document (item #1) was found as well.

Empty folders

According to the detailed inventory, item #2 also included 43 "Empty Folders with "CLASSIFIED" Bannners" as well as 28 empty folders labeled "Return to Staff Secretary/Military Aide". These kind of folders are used in the White House to bundle (and cover) the actual classified documents for the president. From Obama's presidency there are several photos of such folders:

A folder holding classified information on president Obama's desk, June 2009
(White House photo - click to enlarge)

There even appeared a photo on Twitter of such an empty folder which is on display among other memorabilia from Trump's presidency in the 45 Wine & Whiskey bar on the lobby floor of Trump Tower in Manhattan:

In total, the detailed inventory lists 48 of these empty folders, so it's possible that they originally contained the 103 classified documents which the FBI found "unfoldered" and scattered among the various boxes. Interesting though, is that 43 of those empty folders were in the box with the (much smaller number of) classified documents in Trump's office.

At the White House such folders and their content had to be returned to the staff secretary, just like how the empty folders for unclassified documents were labeled. This didn't bother Trump, who had the habit of simply ripping up any papers he was no longer interested in or had finished reviewing.

He did so with papers ranging "from routine documents to classified material, and leaving the pieces strewn around the floor or in a trash can. Officials would have to rummage through the shreds and tape them back together to recreate the documents in order to store them as required under the Presidential Records Act."

On September 26, 2022, the Justice Department filed a slightly revised version of the Detailed Property Inventory. It shows small differences in the number of press clippings and unclassified government documents and that in box 33 there were only 2 empty "Return to Staff Secretary" folders and no empty folders for classified documents, so in total there are just 46 instead of 48 empty classified folders.

Trump's boxes

According to the Detailed Property Inventory, the FBI also found a huge number of "US Government Documents/Photographs without Classification Markings" - over 1400 in Trump's office and over 9700(!) in the various boxes from the storage room. According to Trump's lawyer, these over 11.000 unclassified documents amount to some 200,000 pages.

Also interesting is that most of the 26 boxes from the storage room contain a mix of:

- Magazines, newspapers, press articles, other printed media (1,673 in total)
- Classified US government documents (103 in total)
- Unclassified US government documents/photographs (11,179 in total)
- Miscellanea (clothing, books, gifts and empty folders)

Trump's way of working

This more or less similar composition can be explained by Trump's routine at the White House, where he used to work in the small dining room near the Oval Office. On the dining table he made piles of paper, which included everything from news articles to highly classified government documents. These were stacked into cardboard boxes, while "staffers kept swapping out the boxes as they filled up."

Trump also had material sent "up to the White House Residence, and it was not always clear what happened to it. He sometimes asked to keep material after his intelligence briefings, but aides said he was so uninterested in the paperwork during the briefings themselves that they never understood what he wanted it for."

The boxes followed him wherever he went as they contained "all the save-for-later items that Trump would spend long flights going through: articles that he wanted to scribble Sharpie messages on before mailing them off to close friends; gossipy stories about West Wing drama that he would hate-read as he sought to identify leakers; and, occasionally, important memos on any number of policy topics or budding crises."

Disorderly piles of paper on president's Trump desk in the Oval Office, January 28, 2017
(photo: Drew Angerer/Getty - click to enlarge)

The boxes that went to Florida

The papers that Trump had accumulated in his last several months in office had been dropped into roughly two dozen boxes, which had apparently been in the White House Residence and thus were packed up with Trump's personal belongings.

As such, they not only contained some highly classified documents, but also several personal mementos, including the "love letters" from the North Korean dictator Kim Jong-un and the letter which former president Obama left on his last day in office.

Although the White House Counsel's Office had told Trump's chief of staff Mark Meadows that these boxes in the Residence needed to be turned over to the National Archives, they were actually shipped to Mar-a-Lago.

Eventually, at least 42 boxes arrived in Florida. 15 of them were retrieved by the National Archives on January 18, 2022, 38 classified documents were handed over to the FBI on June 3, while the rest was seized during the search on August 8.

However, as emptywheel noticed, the press clippings date back to 1995, but there are none that postdate November 2020, which may indicate that the FBI still has not all the documents that Trump took with him.

Overview of the boxes and classified documents which Trump stored at Mar-a-Lago
(click to enlarge)

Links and sources

- Emptywheel: Trump Document Theft Resources
- LegalEagle: Videos about the Mar-a-Lago search case
- Wikipedia: FBI search of Mar-a-Lago

- The Washington Post: Material on foreign nation’s nuclear capabilities seized at Trump’s Mar-a-Lago (Sept. 6, 2022)
- The New York Times: F.B.I. Found 48 Empty Folders That Had Contained Classified Documents at Trump’s Home (Sept. 2, 2022)
- Lawfare: A Justice Department Show of Force in the Mar-a-Lago Case (Aug. 31, 2022)
- The Washington Post: The photo of classified documents at Trump’s Mar-a-Lago resort, annotated (Aug. 31, 2022)
- Politico: Trump team likely sought to conceal classified docs at Mar-a-Lago, DOJ tells judge (Aug. 30, 2022)
- Indian Express: Inside the 20-month fight to get Trump to return Presidential material (Aug. 28, 2022)
- The New York Times: Another Trump Mystery: Why Did He Resist Returning the Government’s Documents? (Aug. 18, 2022)
- The Guardian: FBI searched Trump’s Mar-a-Lago home for classified nuclear weapons documents (Aug. 12, 2022)
- CNN: Former White House officials describe Trump’s habit of ripping up documents and haphazard record-keeping (Febr. 8, 2022)
- US State Department: Storing and Safeguarding Classified Material (Febr. 24, 2022)

March 28, 2022

The phones of Ukrainian president Zelensky

Ever since Russia invaded Ukraine on February 24, Ukrainian president Zelensky bravely leads his country in the fight against the Russian armed forces. As in any war, communications are of vital importance here too.

Among Zelensky's communication systems are some interesting telephone sets, which he also uses for frequent phone calls to foreign leaders, while there are separate secure phones that function as a hotline with US president Biden.

Ukrainian president Zelensky making a phone call

Office of the President of Ukraine

In 2019, former actor and comedian Volodymyr Zelensky became the sixth president of Ukraine since the country's independence in 1991. As president he is supported by the Office of the President of Ukraine, or Presidential Administration, which is located in a massive office building on Bankova street in the center of the capital Kyiv.

The ceremonial residence of the Ukrainian president is the baroque Mariinskyi Palace, located in the Pechersk district of Kyiv. Other presidential residences include the House with Chimaeras and the House of the Weeping Widow, which are both in Art Nouveau style and are used for official visits by foreign representatives.

The building of the Office of the President of Ukraine on Bankova street
(photo: Håkan Henriksson/Wikimedia Commons - click to enlarge)

Two different offices

As president, Zelensky works in the building of the Presidential Administration, where he apparently has two offices, both richely decorated: one with green pilasters and a desk with a desktop and chair in green leather, the other office with wooden paneling and a desktop and chair in brown leather.

The function of these two offices is probably similar to those of the Russian president in the Kremlin, who has a very large and elaborate office for receiving foreign dignitaries and a somewhat smaller and a bit less ornate one for talks with domestic visitors and government officials.

Zelensky in his "brown" office at the Presidential Administration building, June 19, 2019.
(photo: Valentyn Ogirenko/Reuters - click to enlarge)

Phones large and small

Another similarity is the telephone system, which in the Kremlin consists of some old-fashioned white telephone sets without any buttons and somewhat newers models with key pads, as well as a large gray telephone device with numerous direct line buttons to government officials, lawmakers and heads of major companies.

The old white phones each connect to a separate network with only a select number of subscribers. They are a distinct feature of the Russian bureaucracy, but they can also be seen in the presidential offices of other countries that had been part of the former Soviet Union, like that of former president Nursultan Nazarbajev of Kazakhstan.

Dmitri Medvedev on his first day as Russian prime minister, May 8, 2012.
(photo: Russian government - click to enlarge)

A huge phone console

The eye-catcher in the office of the Ukrainian president is also an extremely large telephone, which is ivory-colored and has a rather small display, indicating that it may be over 20 years old.

The left part, next to the handset, has several function keys and direct line buttons, while the dialing pad is in the central black section, in which there's also a gold ornament that could be the trident from the Ukrainian coat of arms.

The right part of the phone is filled with 80 direct line buttons, so the president can make a call to almost anyone by pressing just a single button.

This phone console is most likely part of the internal telephone network of the Presidential Administration and can be used for all regular (non-secure) phone calls.

But as the phone is probably custom made it may also provide access to secure lines, just like the slightly smaller but still impressive telephone consoles of the US Defense Red Switch Network (DRSN).

In Zelensky's more recent video messages from his "green" office the huge white phone seems to have been removed, which is a bit strange as one of its functions is to symbolize the command and control authority of the president (update: meanwhile the white phone has been put back).

President Zelensky in his "green" office with the huge white telephone
(photo: Valentyn Ogirenko/Reuters - click to enlarge)

A phone without buttons

The Ukrainian president also has an old-fashioned telephone set without a key pad, similar to the ones used in the Kremlin. In Ukraine this phone is part of a special network that provides direct lines to a select group of top-level government officials, like the president, the prime minister and the speaker of the Verkhovna Rada, the Ukrainian parliament.

In November 2019, the young minister of the Cabinet of Ministers, Dmytro Dubilet, proposed to abandon this old Soviet phone system, which is managed by the State Service for Special Communications and Information Protection (SSSCIP), as it costs the state "literally billions of hryvnias" - at that time at least some 40 million US dollar.

Dubilet proposed that instead of these "ancient" secure landline phones, the leaders of the country should be given customized smartphones with a special app that encrypts voice and text communications with post-quantum cryptography algorithms. These phones should access the telephone network via secure wifi.

A phone of the dedicated network for the president of Ukraine
(photo: Telegraf - click to enlarge)

"It is more efficient to do peer-to-peer encryption (preferably without a transit server). We could encrypt data simultaneously with two algorithms (for example, Ukrainian Kalyna and foreign AES), which guarantees confidentiality even if one of the two is compromised" - according to Dubilet, who said that the old system could be left behind for military communications.

Dubilet continued: "Why do you need to issue special smartphones and not install an app on ordinary ones? To rule out hardware-level hacking as well as infection through other applications. [...] It's no secret that now top politicians mainly use standard messengers for their communication (including sensitive topics). Such [a secure] application could be an alternative to at least WhatsApp / Telegram."

It's not clear whether Dubilet's proposal has been realized, but in 2020, the SSSCIP began modernizing the government's communications system. This included expanding the functionality of the National Telecommunication Network (NTN) to "ensure the integration of existing special communication systems and unification of secure electronic communications of various government agencies in the general security circuit using modern digital technologies."

Oleksandr Potiy from the SSSCIP with at least six phones
for dedicated networks, November 13, 2020
(photo: Instagram - click to enlarge)

Videoconferencing systems

Already in 2016, the SSSCIP had developed a new system of secure videoconferencing. When he tested this new system, former president Petro Poroshenko explained:
"In late 2013 and early 2014, the situation was terrible. We had completely Russian software. We had completely open access of the aggressor country to all our state secrets and, in fact, from scratch, we had to develop technical and software tools for protecting information, to provide a radical re-equipment and reboot of confidential communication systems."

Current president Volodymyr Zelensky uses both a commercial Cisco DX80 videoconferencing system and the custom-made secure one, which includes quite bulky equipment, indicating that it is TEMPEST-shielded to prevent electromagnetic emanations:

President Zelensky using the secure videoconferencing system, May 12, 2020.
(photo: Presidential Administration - click to enlarge)

Addressing foreign parliaments

Another kind of videoconferences are the virtual addresses to foreign parliaments which Zelensky started to deliver and included the British House of Commons and the US Congress. In these addresses he dramatically pointed out their responsibility to support the people of Ukraine in their fight against the Russian military agression.

Zelensky usually delivered these speeches from a nondescript room, probably in a bunker. The photo below shows him in a very improvised setting, with the Cisco DX80 videoconferencing screen, an Avaya B149 conference phone, an Apple MacBook, camera equipment and an old-fashioned Soviet-style telephone without rotary dial:

President Zelensky delivering a speech from an unknown location
(photo: DPA vía Europa Press - click to enlarge)

Calls with foreign leaders

In February 2022, when the Russian military threat became imminent, president Zelensky had phone calls with a range of foreign presidents and prime ministers in which he urged them to impose sanctions against Russia and requested arms to defend his country.

For these calls he either used the huge white phone console or a commercial Avaya B149 conference phone, like in the photo below, showing Zelensky when he was talking to Dutch prime minister Mark Rutte on February 23:

President Zelensky talks to Dutch prime minister Mark Rutte, February 23, 2022
(photo via Instagram - click to enlarge)

Calls with US president Biden

Zelensky also spoke to US president Joe Biden several times, but for these calls a different telephone set was used: a Cisco 7975G Unified IP Phone. This is a common high-end executive phone which was also used for the secure telephone network of the White House until it was replaced by a newer model from Cisco's 8800-series in 2017.

President Zelensky during a phone call with US president Biden, January 27, 2022.
(photo: Ukrainian Presidential Press - click to enlarge)

In the photo we see Zelensky during a long telephone conversation with Biden on January 27, 2022, discussing diplomatic efforts on de-escalation of the Russian threat. A close look at the Cisco phone shows that the wallpaper of the display has an image of the White House, clearly indicating that it's for calls to the president of the United States:

So here we have a rare occasion in which we can see dedicated telephone equipment for a hotline between heads of state. The connection between Zelenksy's office and the White House was probably relayed by the US embassy in Kyiv, like other secure communications between the Ukrainians and US officials, as was reported by CNN.

Secure satellite phones

In February 2022, as fears mounted about the Russian invasion, the US prepared to evacuate its embassy and provided the Ukrainian government with a secure satellite phone to maintain regular contact with president Zelensky, who now moves around to multiple locations in Kyiv that are protected with a significant security presence.

On March 5, Zelensky used this satellite phone for a 35-minute call with his American counterpart on what more the US could do to support Ukraine without entering into direct combat with Russian forces. A similar phone had been provided to Ukrainian foreign minister Dmytro Kuleba.

CNN reported that these satellite phones require electricity but can operate off of a generator or energy from a car if needed. Initially it took a few days for the Ukrainians to get the satellite phones up and working because the instructions on how to use them were in English.

The US embassy in the Ukrainian capital Kyiv.
(photo: Andrew Kravchenko/AP)

Zelensky's smartphone

Finally, Ukrainian president Zelensky also has a smartphone, which he uses to record some of the messages to his people, like the famous one in which he showed that he hasn't left the capital and can still stay in the building of the Presidential Administration on Bankova street (see below).

For a president and other top government officials, a smartphone imposes the risk of being hacked and tracked, but in Zelensky's case we can assume that, besides other security measures, it only connects to a secure base station or a secure wifi router that merely provides access to a sufficiently secured internal network.

Video message by Ukrainian president Zelensky, March 7, 2022.

Links and sources
- CNN: US in contact with Zelensky through secure satellite phone given to him by the US (March 1, 2022)
- The Guardian: The phone has become the Ukrainian president’s most effective weapon (February 28, 2022)
- Telegraf: Страна в смартфоне: как чиновники перейдут со спецсвязи на приложение в телефоне (November 11, 2019)

See also: Comments at Hacker News

February 2, 2022

Head of Danish military intelligence arrested but independent inquiry finds no wrongdoing

(Updated: April 5, 2022)

Unprecedented developments in Denmark: a former defense minister as well as the head of the military intelligence service FE have been charged for disclosing highly classified information, for which the latter has even been imprisoned.

Here I will provide more details about the arrest of FE head Lars Findsen and the charges against defense minister Claus Hjort Frederiksen, followed by a summary of how the crisis has developed, the recent conclusions of an independent investigation and finally the similarities to the Snowden case.

FE head Lars Findsen (left) and former defense minister Claus Hjort Frederiksen
(photos: Liselotte Sabroe/EPA-EFE & Johannes Jansson/Norden)

FE head Lars Findsen arrested and imprisoned

On January 10, the Danish broadcaster DR reported that Lars Findsen had been arrested on Copenhagen Airport on December 8, 2021, after he had been under surveillance by the Danish police intelligence service (Politiets EfterretningsTjeneste or PET).

It's a wry turn of fate as Findsen himself had been the head of the PET from 2002 to 2007. Since 2015 he led the Danish military intelligence service (Forsvarets Efterretningstjeneste or FE), before he was suspended in August 2020.

On April 4, 2022, DR reported that the PET had apparently bugged Findsen's house in order to find out whether he revealed classified information to family members, which is a very intrusive method that is only used in the most serious cases.

According to DR, the PET set up a special investigation after on September 30, 2020 the Danish newspaper Berlingske published a long piece with unprecedented details about the cooperation between the FE and the NSA. The investigation intensified when in May 2021 news media from several European countries provided additional details based upon nine sources with access to classified information (see below).

On the same day as Lars Findsen, the PET arrested three other current and former employees of the FE and the PET. Just like Findsen, they are accused of the unauthorized disclosure of highly classified information in violation of section 109(1) of the Danish criminal code, which is punishable with up to 12 years in prison.

This came quite unexpected because section 109 was only used once before, as it is meant for cases of treason and espionage, comparable to the American Espionage Act of 1917. In Denmark, leaks by government employees were usually charged under a much less strict law which can lead to imprisonment for only up to two years.

The headquarters of the Danish police intelligence service PET

The exact charges against Findsen haven't been made public, but according to DR News it's about leaking information to the press. Just before a hearing behind closed doors at Copenhagen magistrate's court on January 10, Findsen exclaimed to the press: "I want the charges brought forward and I plead not guilty. This is completely insane". Findsen has to stay in prison at least until February 4, the other three have been released on bail.

On February 4, the court gathered behind closed doors again and decided that Findsen has to stay in custody for another four weeks. Highly unusual was the fact that it took some 8 hours to reach that decision. Findsen appeared in court carrying the 2017 war novel All the Light We Cannot See by Anthony Doerr.

On February 17, an appeals court ordered that Findsen had to be released from prison because although there's "a well-founded suspicion" that he violated Danish law by disclosing intelligence information, the court "didn’t find that the conditions for a pre-trial detention are met."

Already in December 2021, the head of the PET and the acting head of the FE visited the main Danish media outlets and warned that their editors could also be charged under section 109. On January 4, eight journalists from six media were summoned for questioning as part of the police investigation into the leaks about the FE.

A possible explanation for this intimidation could be that the Danish government wants to demonstrate that they will punish leakers severely and do everything to prevent any further leaks in an attempt to comfort the FE's foreign partners, especially the Americans, who are likely highly disturbed by the recent developments.

This could risk the continuation of the intelligence cooperation, for which mutual trust is the most important factor: intelligence agencies will only be willing to share their secret information when they are convinced that the other side will keep the information just as secret and will not misuse it in any way.

Lars Findsen in his office as head of the FE, with two Cisco 7900-series IP phones,
apparently one for secure and one for non-secure calls
(photo: Ritzau/Jens Dresling - click to enlarge)

Charges against former Defense minister Frederiksen

The current crisis didn't stop at the imprisonment of Lars Findsen though: on January 14, it was reported that Claus Hjort Frederiksen, who was defense minister from November 2016 to June 2019, is also charged under section 109. This was made public in a brief press release which the Liberal or Venstre Party sent to Danish media.

As a member of parliament, Frederiksen has immunity, but the Liberal Alliance party doesn't want to lift it unless the Danish parliament gets full insight into a possible criminal case against him. In the press release he said that he never had the intention to harm Denmark or Danish interests.
On February 4, 2022, Frederiksen issued a statement on Facebook in which he said that the day before he got insight into the charges against him and that they are only based on newspaper articles and public debates.

During two interviews in December 2021 (with the television programs Deadline and Lippert), Frederiksen had been remarkably talkative about the FE's cooperation with the NSA, but he was also angry about how his successor as defense minister, Trine Bramsen, handled the case by suspending Findsen and some other officials, including a general responsible for the relations with the Americans.

Just recently it was revealed that on February 28, 2019, Frederiksen had arranged a meeting with the Oversight Board to convince them to drop their investigation into the FE in order to not endanger the cooperation with the NSA - a controversial move given the independent position of the Oversight Board, which accordingly continued its investigation that eventually sparked the current intelligence crisis.

Current Danish defense minister Trine Bramsen (left) and her predecessor
Claus Hjort Frederiksen (photo: Linda Kastrup/Scanpix)

After the revelations in the media, Frederiksen apparently felt free to explain and stress that the FE did nothing wrong: that spying on European countries is common practice and that to protect Danish citizens (i.e. to keep within the law) the FE had installed filter systems.

He was especially concerned about the relationship with the NSA, because in recent years, Denmark had reached almost the same level as the Five Eyes partnership, an achievement that his successor had put at risk now, according to Frederiksen.

There are actually several countries that claim a position very close to the Five Eyes, but fact is that Denmark is a so-called Third Party partner of the NSA already since 1954 and, as such, a member of the SIGINT Seniors Europe (SSEUR) and, between 2009 and 2014, of the Afghanistan SIGINT Coalition (AFSC).

Development of the intelligence crisis

The Danish intelligence crisis started on August 24, 2020, when the ministry of Defense issued a short statement saying that Lars Findsen and two other officials of the military intelligence service had been suspended from duty until further notice.

The same day, the Intelligence Oversight Board (Tilsynet med EfterretningsTjenesterne or TET) issued a press release with the unclassified results of an investigation that had been initiated by information provided by one or more whistleblowers. The main accusations were:
- The FE withheld key and crucial information and provided the Oversight Board with incorrect information;
- There were risks that the FE's collection activities led to unlawful collection against Danish citizens;
- The FE failed to investigate indications of espionage within the Ministry of Defense;
- There's a culture of insufficient legal awareness within the FE's management;
- There were activities in violation of the Danish law, including obtaining and sharing information about Danish citizens;
- The FE has unlawfully processed information about an employee of the Oversight Board.

On December 21, 2020 the Danish justice minister established the FE Commission (FE-kommissionen) to further investigate the allegations against the FE and to present a report within a year.

The Kastellet fortress in Copenhagen, the workplace of most of the FE's employees
(photo: Danish Air Force Photo Service)

The FE uses XKEYSCORE to process data from the cable tap

Meanwhile, Danish media came with unprecedented disclosures: on September 13, the newspaper Berlingske revealed how in the mid-1990s the FE, in cooperation with the NSA, started to tap a backbone cable containing communications from countries like China and Russia - very similar to Operation Eikonal (2004-2008) in which the NSA cooperated with the German foreign intelligence servce BND.

According to Berlingske, the communications of interest were extracted from the cable in Copenhagen and were then sent to the Sandagergård complex of the FE on the island of Amager. Part of the agreement between the US and Denmark was that "the USA does not use the system against Danish citizens and companies. And the other way around".

On September 24, 2020, the Danish broadcaster DR reported that after 2008, NSA employees traveled to Denmark to build a data center for a new system to process the data from the cable tap. The heart of this system is formed by XKEYSCORE, the sophisticated processing and filtering system for internet data used by the NSA and GCHQ.

The Sandagergård complex of the FE on the island of Amager,
where a data center was built specifically to store data
from the joint NSA-FE cable tapping operation.
(Click to enlarge)

According to DR News, the FE tried to develop a number of filters to ensure that data from Danish citizens and companies is sorted out and not available for searches. Former defense minister Frederiksen confirmed the existence of such filters, but also admitted that there can be no 100% guarantee that no Danish information will pass through.

Berlingske had also identified the whistleblower as a young IT specialist of the FE, who in 2013 became increasingly concerned, after which then head of the FE Thomas Ahrenkiel ordered an internal investigation, which found no signs of abuse by the NSA. The IT specialist, however, was not satisfied with this result and informed the intelligence oversight board somewhere in 2018 and provided them with new information in November 2019.

The NSA tried to spy on Danish and other European targets

On November 15, 2020, the Danish broadcaster DR published a story about two internal assessments from the FE, one from 2012 and another one from 2015 (or 2014?), which contain an analysis of the phone numbers and e-mail addresses (also known as selectors) which the NSA sent to the FE for collecting information from the cable tap.
- According to the analysis from 2012, the NSA submitted selectors for Danish targets, including the ministry of Foreign Affairs and the ministry of Finance, as well as the Danish defense company Terma.

- The 2015 analysis of selectors showed that the NSA also used the cable tapping cooperation to spy on targets in European countries like Sweden, Norway, the Netherlands, Germany and France, according to DR News.
On May 30, 2021, joint reporting by DR, SVT, NRK, Süddeutsche Zeitung, NDR, WDR and Le Monde revealed that the internal investigation which FE boss Ahrenkiel initiated in 2014 was codenamed Operation Dunhammer and concluded in May 2015 that the NSA had provided telephone selectors for Norwegian, Swedish, German, Dutch and French politicians and officials, including former German chancellor Angela Merkel and then foreign minister Frank-Walter Steinmeier.

This outcome is actually not very surprising, because from the German parliamentary investigation (2014-2017) into the cooperation between the NSA and the BND it also became clear that, among hundreds of thousands of identifiers for legitimate targets, the NSA had provided the BND with thousands of selectors related to European and even German targets, which in 2015 resulted in the "Selector Affair".

The FE Commission finds no wrongdoing

On December 13, 2021, the independent FE Commission finally presented its report about the accusations against the FE. Surprisingly, the commission found no evidence of wrongdoing by the FE and also found no basis to hold the former and current head of the FE, Ahrenkiel and Findsen, accountable.

The report from the FE Commission is classified, but its conclusion have been published on the commission's website. Because they are only available in Danish, I made a preliminary translation using Google Translate with some manual corrections, which can be found here.

Focusing on the most important accusations, the commission found no evidence that the FE provided incorrect information to the subsequent defense ministers nor to the Intelligence Oversight Board. The commission also found no basis for assuming that the FE has generally obtained and passed on information about Danish citizens in violation of the law.

Given everything that emerged from the various revelations by Danish media this conclusion came as a surprise, but it can probably be explained by the fact that spying on other European governments is not prohibited by Danish law, how embarrassing it may be when it becomes public.

And if the FE has a similar filter system as used by the German BND, then the Danish selectors which the NSA provided to the FE would have been blocked before they were entered into the actual collection system (see diagram below). This means no Danish data were selected and so there was also no violation of the law.

It's unclear whether the commission found any minor deficiencies at the FE. As we have seen during the German parliamentary investigation, employees of the BND's signals intelligence units often had little feeling with political sensitivities, while government officials didn't know about the complexities and limitations of the collection systems. Similar issues may have been the case at the FE.

Similarities to the Snowden case

Most recently, Edward Snowden also commented on the Danish intelligence crisis in an interview with the newspaper Politiken from January 22, 2022. In the interview, however, Snowden acted as if the cooperation between the NSA and the FE is a mass surveillance program that "violates the rights of hundreds of thousands, if not millions, of people every single day" while it's actually about selectors for individual and generally legitimate targets.

Snowden also seems convinced that "Danish communication will be intercepted in these programs. No country possesses the capabilities to filter out all the information of its citizens", but according to previous press reports, the controversial selectors were telephone numbers and those are quite easy to filter, because they include a country code. For internet communications this is much more difficult.

In the interview, Snowden said, again with maximum exaggeration, that he is impressed by the young IT specialist at the FE who started the current crisis: "it is hard not to be inspired by this person's courage and ability to do so. The person has investigated the investigators and caught them in breaking the law and the rights of everyone in Denmark and the whole world."

Edward Snowden during the interview with the
Danish newspaper Politiken, January 22, 2022

Unlike Snowden, the FE's IT specialist didn't go straight to the press when he became concerned about certain things at his work place, but initially followed the proper channels and addressed his concerns to the FE management. However, an internal investigation found no abuse of the cable tapping operation by the NSA.

Then the IT specialist acted very similar to Snowden: because he was not satisfied with this result he secretly started to gather internal information on his own: he "smuggled a recorder into his workplace, arranged meetings with colleagues and bosses for several months and recorded them in secret". In November 2019 he provided this to the intelligence oversight board, which also started an investigation.

Then defense minister Claus Hjort Frederiksen (now 74 and liberal conservative) tried to keep this behind closed doors in order not to endanger the longstanding cooperation with the NSA - which is the common way governments handle such intelligence issues.

What made the Danish case different is that his successor Trine Bramsen (40 and social democrat) followed the concerns of the oversight board and suspended FE chief Findsen. At that moment it seemed the IT specialist was right and that things were wrong at the FE.

But Frederiksen and maybe Findsen and other FE officials fought back by telling the press about the joint cable tapping operation in an apparent attempt to convince the public of the importance of the cooperation with the NSA.

Several months later it was revealed that the NSA had tried to spy on European and even on some Danish targets - highly classified information that may have been leaked by insiders hat shared the concerns of the IT specialist.

This fight through press leaks seriously threathened Denmark's intelligence position and therefore the government apparently saw only one option left, that of unprecedented tough measures against leakers, even when they defended the cooperation with the NSA.


Ultimately, the whole issue in Denmark boils down to the same positions we saw earlier in other countries that were affected by the Snowden revelations:
- People close to the intelligence agencies claim that their interception operations are strictly within the law, particularly by using filter systems to protect the communications of their own citizens.

- Outsiders usually think that bulk cable tapping is wrong anyway and that spying on governments and companies of friendly countries is also wrong, even when that's not prohibited by law.

Despite being seen as a former insider, Snowden represents the outsider position by claiming that cable tapping automatically means bulk collection and mass surveillance. In reality, bulk collection is usually limited to metadata, which are not used to monitor as many people as possible, but to find targets that were not yet known. Selectors for individual targets are then used to pick their communications from the cable just as targeted as a traditional wiretap.

It's likely that the NSA also acquired metadata from the cable tap in Copenhagen, but the Danish press reports didn't provide further information on this. During the similar operation Eikonal in Germany, the BND made sure the NSA only got 'technical metadata' and no 'personal metadata' like phone numbers and e-mail addresses (see diagram below).

All this shows once more that in order to make a good judgment about signals intelligence operations it's often necessary to look at even the smallest details of the technical systems that are involved.

Overview of the joint NSA-BND operation Eikonal (2004-2008)
(Click to enlarge)

Links and sources

- Politiken: Edward Snowden: Det, der foregår i Danmark lige nu, er en demokratisk skandale (Jan. 22, 2022)
- Peter Kofod: FindsenGate 1½ | Anbefaling & forbehold (Jan. 21, 2022)
- DR: Claus Hjort ville beskytte spionsamarbejde: Forsøgte at bremse kulegravning af Forsvarets Efterretningstjeneste (Jan. 21, 2022)
- Politiken: Eksperter: Claus Hjort afslørede meget dårligt bevarede statshemmeligheder (Jan. 19, 2022)
- De Volkskrant: Staat de veiligheid en geloofwaardigheid van Denemarken op het spel nu de inlichtingenchef in de cel zit? (Jan. 18, 2021)
- BBC: Danish spy scandal: Ex-minister accused of state secrets leak (Jan. 15, 2022)
- Intel News: Ex-director of Danish spy agency charged with treason in ‘unprecedented’ case (Jan. 12, 2022)
- DR: Hemmelig PET-taskforce aflyttede spionchef Lars Findsen i månedsvis for at afsløre læk til medierne (Jan. 10, 2022)
- DW: Danish spy chief detained over 'highly sensitive' leak (Jan. 10, 2022)
- Politiken: Kommission afviser alle anklager mod spiontjeneste og hjemsendte chefer (Dec. 13, 2021)
- DR: Forsvarets Efterretningstjeneste lod USA spionere mod Angela Merkel, franske, norske og svenske toppolitikere gennem danske internetkabler (May 31, 2021 - including timeline)

Some older articles on this weblog that are of current interest: