November 20, 2019

Leaked report reveals security risks at the Austrian security service BVT

(Updated: November 22, 2019)

A classified report that was published by an Austrian newspaper has revealed a range of security risks at the Austrian security service BVT, especially regarding its internal computer network.

The classified report was prepared by an investigation team from the SOTERIA group of the secretive Club of Berne, a cooperation platform in which almost all European domestic security services collaborate.


Austria's security service BVT

The Austrian security service is officially called Office for the Protection of the Constitution and Counterterrorism (German: Bundesamt für Verfassungsschutz und Terrorismusbekämpfung or BVT) and was created in 2002 by merging the Austrian state police with various special task forces against terrorism and organized crime.

The BVT came into a crisis after on February 28, 2018 Austrian police forces raided its headquarters, seizing large amounts of data. In August 2018, The Washington Post reported that European security services didn't trust their Austrian counterpart anymore, apparently because the Austrian interior minister Herbert Kickl from the far-right FPÖ party was too close to the Russian government.

On November 6, 2018, an Austrian newspaper published a leaked document showing that the Finnish secret service didn't want to share counter-intelligence information with BVT. In April 2019 it was reported that British and Dutch agencies also heavily restricted their intelligence sharing with the BVT. Because of these concerns, the BVT's participation in the working groups of the Club of Bern was postponed.

The headquarters of the Austrian security service BVT at the Rennweg in Vienna
(photo: Tokfo/Wikimedia Commons)

Club de Berne (CdB)

The Club of Berne (French: Club de Berne, or CdB) is an intelligence sharing forum for the domestic security services of the 28 states of the European Union (EU) plus Norway and Switzerland and is named after the Swiss city of Bern, where it was probably founded.

The Club started in 1971 with nine members and is based on voluntary exchange of information, best practices, experiences and views as well as discussing problems related to counter-intelligence, counter-proliferation and cyber threats.

After the attacks of 9/11, the Club of Berne created the Counter Terrorism Group (CTG) which is specifically aimed at counter-terrorism. Since July 2016, the CTG has a platform for the real-time sharing of information about terrorism suspects and there's also a database which makes information about foreign fighters more easily accessible. The Dutch secret service AIVD hosts a collaboration center where analysts from 23 of the 30 CTG members can share and analyse intelligence information.

The security assessment

Now, a classified internal report from the Club of Berne about the internal security of the BVT has been leaked to the press. It was published on November 11, 2019 on the website of the Austrian newspaper ÖSTERREICH, which seems to have received a copy of the 25-page report from an intelligence expert.

This isn't the first leak of intelligence information in Austria. Hardly noticed outside the German-speaking world was that in 2015, the Austrian member of parliament Peter Pilz published a range of highly sensitive documents about operation Eikonal, a cooperation between the NSA and the German BND for tapping fiber-optic cables of Deutsche Telekom.

Front page of the Club of Berne's security assessment of BVT

Club of Berne's coat of arms

First, the leaked report shows that the Club de Berne has its own coat of arms and that its SOTERIA group has its own logo - both are on the front page of the report.

The Club of Berne coat of arms has a Latin cross in red, with nine white stars on a green background in three of the four quarters. The fourth quarter is a variation on the coat of arms of Bern, with a walking bear.

It's likely that the white stars stand for the members of the Club of Berne, which started with nine members in 1971. It's not clear why there are just 27 stars, whereas, as far as we know, the Club has 30 members.

SOTERIA group's logo

Next to the coat of arms is the logo of the SOTERIA group. As indicated by the circle in an ancient decorative pattern, this group is named after Soteria, the Greek goddess or spirit of safety and salvation, deliverance, and preservation from harm. As we will see below, the networks and databases of the Club of Berne also have names from Greek mythology.

Given the topic of the report, the SOTERIA group is apparently responsible for the internal security of the Club. It may not have been the intention, but the coat of arms with the big red cross, especially in combination with the Soteria logo, actually looks quite esoteric.

The assessment team

The inspection of the BVT was conducted by an assessment team that visited the BVT headquarters at Rennweg 93 in Vienna on February 13, 2019. The team consisted of the following members:
- Team Leader, from the British MI5
- Team Coordinator, also from the British MI5
- Personnel security expert, from the Swiss Federal Intelligence Service (FIS) and the German Federal Security Service BfV
- Cyber security expert, from the Latvian State Security Department VSD
- Physical security expert, again from the British MI5

Deficiencies of BVT's network

During their inspection, the assessment team found a remarkable number of deficiencies. The main risk was that the BVT had just one single computer network, which was not accredited to handle and store any level of classified information.

This internal network also had connections to the public internet, which posed a threat not only to the BVT's own classified information, but also to that of the Club of Berne and to the classified information of the other members of the Club. This is shown in one of the diagrams from the security assessment report:

From this diagram we learn that the computer network of the Club of Berne is called POSEIDON and that members of the Club are connected to it in various ways:

- A Voice-over-IP (VoIP) and Video Teleconferencing (VTC) capability.

- A terminal for access to the NEPTUNE network, which is accredited for classified information up to Secret and "may be used for future communications with Club members". The terminal has no connections with other networks, but data may be transferred between the NEPTUNE network and the BVT's internal network using "USB over airgap". This implies a security risk, but according to the investigators, it was "carried out by the assigned personnel in compliance with established procedures."

- A terminal for access to the PHOENIX database of the Counter Terrorism Group (CTG), which, according to the diagram, is a stand-alone machine with no connections to the BVT's network.

- Finally, yet another stand-alone terminal for NEPTUNE "web services".

With at least three computer terminals for the network of the Club of Berne alone, one can imagine how many different terminals there must be at intelligence and security services that also participate in other intelligence sharing groups, like the SIGINT Seniors Europe (14-Eyes).

Three pages from the SOTERIA group security assessment of the BVT
(screenshots)

Even more security risks

The security assessment report by the SOTERIA group identifies even more security risks. The BVT allowed its employees to take mobile phones or laptops into areas where classified information up to Secret is handled, so anyone could take photos of classified documents and carry them outside.

Another issue was that the BVT was using four antivirus programs, one of which was developed by the Russian company Kaspersky Lab. Other intelligence services, like those in the Netherlands, had already decided in May 2018 to remove this software from their systems because the risk of espionage was deemed too high.

Regarding the personnel of the BVT, the assessment says: "The security vetting is repeated every three years and may theoretically result in the revocation of the security clearance. This has, however, never happened so far." Employees could also travel to countries with "aggressive intelligence organisations" without having to report that, something that is mandatory at many other agencies.

The headquarters building of the BVT was also not very well secured: although the windows on the ground floor were barred, those on the upper floors could be opened without triggering an alarm. This also applied to the fire exit doors. Finally, there were about 100 security cameras on the building, but only two officials to watch them on just two screens.

Security cameras at the BVT headquarters building
(screenshot)

Links & sources
- Wer trägt die Schuld am BVT-Chaos? (Nov. 19, 2019)
- Alarm: Verfassungsschutz BVT steht total blamiert da (Nov. 11, 2019)
- The Washington Post: Austria’s far-right ordered a raid on its own intelligence service. Now allies are freezing the country out. (Aug. 17, 2018)

November 11, 2019

Review of Snowden's book Permanent Record - Part I: At the CIA

More than 6 years after the first disclosure of Top Secret documents from the NSA, after numerous video appearances and more than 4000 tweets, Edward Snowden has now written an autobiography. It's titled Permanent Record and was published simultaneously in over 20 countries on September 17.

Here I will provide an extensive discussion of this book, in which I will focus on what Snowden shares about his experiences with Signals Intelligence and Communications Security. I will also fill in some gaps by adding details from other sources like the official report by the House Permanent Select Committee on Intelligence (HPSCI) from 2016.


The book in general

Permanent Record isn't a very coherent book as it combines Snowden's coming-of-age story with a civil liberties and anti-surveillance manifesto. Only in between do we learn something about the NSA's interception capabilities, but without any new revelations like those from the years after June 2013.


It seems that for Edward Snowden the manifesto was the most important part of his book. Shortly after he had arrived in Hong Kong, Snowden asked Micah Lee from the Electronic Frontier Foundation (EFF) to help build a website to publish an anti-surveillance manifesto along with a petition that people could sign. Snowden also chose the domain name, but eventually the site wasn't launched.

Micah Lee's design for the petition website, with the US Declaration
of Independence as a placeholder for Snowden's manifesto
(source)

Among the first NSA documents that Snowden had sent to Glenn Greenwald was also a copy of his manifesto. In his book No Place to Hide Greenwald considered it "dramatic and severe" and he feared the editors of The Guardian would think it came from someone unstable, but they said: "ultimately, the documents are what matters, not him or his motives for giving them to us".

The problem, however, is that Snowden continued to speak out, so his motive, his fear of unrestricted global mass surveillance, shaped the public narrative even when his claims were not, or only partly, supported by what's in the original documents.

Ultimately, Snowden's manifesto was never published, but large parts of it may have found their way into his book. What signals this is the date of its release: September 17, which is Constitution Day in the United States. But according to his American lawyer Ben Wizner, Snowden was eventually "persuaded that people would be much more interested in his story than in his manifesto" and so he got the help of novelist Joshua Cohen.


Over the course of eight months, Cohen traveled to Russia to shape the book into a Bildungsroman, a literary genre that focuses on the psychological and moral growth from youth to adulthood. A review for The New Republic says: "Both Cohen’s and Snowden’s gregariousness can shade into garrulousness; their writing and speech teem with grandiosity and introspection."

They also seem to have in common that they confuse fact and fiction, especially when it's about mass surveillance: it's often not clear whether something is an existing situation, or whether it's something that might happen in the future. This already starts on page one, when Snowden says: "I helped make it technologically feasible for a single government to collect all the world's digital communications, store them for ages, and search through them at will."


Another deficiency of Permanent Record is that quite a number of things from Snowden's life and his (short) career in the Intelligence Community that we know from other sources are not mentioned in it, including some unanswered questions.

The book also provides a very limited and one-sided picture of the NSA because it doesn't explain that this is a military intelligence agency which spends much of its time supporting military operations and is therefore not simply trying to collect as much data as possible from ordinary citizens.

Another issue, not only in the book, but also in Snowden's numerous speeches and interviews, is that he constantly conflates (foreign) intelligence and (domestic) law enforcement. The latter brings people to justice who have already committed a crime, while the former gathers information for military and civilian decision makers in order to prevent damage to national security.


Permanent Record also lacks photos and, more importantly, an index, which makes it rather difficult to look things up. It almost looks as if Snowden didn't want to create metadata on the content, but the reason is probably more mundane, that is to say pushing people to buy the ebook too.

To compensate for the lack of an index, everything that is derived from the book here will be followed by the relevant page numbers in gray.

The house in the Anne Arundel County neighborhood of Crofton, Maryland,
where Snowden lived with his parents from 1992 to 2001.
(photo: The Washington Post/Getty Images)

Snowden's early years

Like most autobiographies, Permanent Record starts with a description of Snowden's youth, often a bit too detailed, which is somewhat in contrast to his contemplation that his generation was the last in American history whose childhood isn't digitally available in a cloud, but only in fragmented and analog ways. (p. 14)

For the young Ed, first the computer and then the early internet became a way to escape an often unfair society: he experienced that school is "an illegitimate system [that] wouldn't recognize any legitimate dissent" while computers were "consistent and fair, so unequivocally unbiased" compared to humans - an attitude that seems to explain much of his later actions and his strong faith in encryption. (p. 31, 52)

Clockwork Chihuahua

In 1998, at the age of 16, Snowden began working for Clockwork Chihuahua Studios, which in the book is called "Squirreling Industries". This was a small web design studio run from the house of its owner, which was at Fort Meade, the large military base where NSA headquarters are also located. It was there that Snowden learned of the 9/11 attacks and witnessed the chaos at the NSA compound. (p. 70-76)

Clockwork Chihuahua also maintained a website for anime fan art called Ryuhana Press, for which Snowden worked as a web editor from June 2002 to February 2004. This isn't mentioned in the book, aside from the fact that he was interested in anime and manga. The Internet Archive contains the old website of Ryuhana Press, including Snowden's profile, which combines facts and fiction:

Snowden's profile on the Ryuhana Press website (2002)
(source: Internet Archive)


When it comes to his early online activities, Snowden says that "Half the things I'd said I hadn't even meant at the time - I'd just wanted attention". But he didn't want to delete those old and embarrassing postings either: "I didn't want to live in a world where everyone had to pretend that they were perfect, because that would be a world that had no place for me or my friends." (p. 96-97)

One forum on which he posted between December 2001 and May 2012, was that of the website Ars Technica, first under the username The One TrueHooha, which he later changed to TheTrueHOOHA. As such, he bragged about his life in Switzerland for example, which didn't seem very smart given the fact that he was working there under diplomatic cover for the CIA (see below).

In an attempt to prove to himself that he was not just a "brain in a jar", Snowden wanted to join the US Army in 2004, but this failed due to an accident during a physical exercise. He says that his initial support for the war against Al-Qaida is now "the greatest regret of my life". But because he still wanted to serve his country, he turned to the intelligence agencies, which were desperately looking for IT people. (p. 81-82, 93)

Sysadmin at CIA headquarters

A short job as a night-shift security guard at the Center for the Advanced Study of Language (CASL), set up as a partnership between the University of Maryland and the Department of Defense, provided Snowden with a security clearance at the highest level: Top Secret/SCI. Through a specialized job fair he then became employed by one of the many intelligence contractors: "the CIA had hired BAE Systems, which had hired COMSO, which hired me." (p. 116-118)

In the book, Snowden says that he didn't remember the exact chronology of his job contracts because he doesn't have a copy of his résumé anymore: it was on one of his home computers seized by the FBI. Much of this is available online though, like on Wikipedia or from this detailed timeline.

Snowden's first contractor job at the CIA was from November 2005 to August 2006. His workplace, a secure office called a "vault", was in "a grimy cinder-block-walled room with all the charm of a nuclear fallout shelter and the acrid smell of government bleach" in the basement of the New Headquarters Building (NHB) of the CIA in McLean, Maryland. (p. 114-121)

This NHB was opened in 1991 and is located right behind the Old Headquarters Building (OHB) from 1961 which can be seen in numerous films, television series and documentaries:

The CIA's New Headquarters Building (NHB), where Snowden worked from 2005-2006
Right behind it we see the Old Headquarters Building (OHB)

Snowden describes how his team of contractors was attached to the CIA's Directorate of Support (DS), which among many other things, maintains the agency's computer servers. Half of the servers at the CIA headquarters were in the OHB, while the other half was in the NHB, both set up on the opposite sides of their buildings, minimizing the risk of being destroyed at the same time. (p. 125)

The CIA also had its peculiarities: Snowden recalls a colleague who appeared to be one of the very few who still knew how to maintain a tape recorder for the agency's Directorate of Operations (DO), which didn't trust modern servers and therefore wanted backups on magnetic tapes, which were stored in a safe. (p. 129-131)

According to the HPSCI-report Snowden was responsible for managing installations and application rollouts, which apparently required that he was "read into" SIGINT and HUMINT classification compartments as well as a COMSEC compartment "that allowed me to work with cryptographic key material". (p. 125)


Here at CIA, Snowden already started to do what would eventually lead to his massive data-theft at the NSA. After he moved to the quiet night shifts he tried to automate as many of his dull tasks as possible so he had a lot of time for himself. (p. 127-131)

He used this time to look for information both on the public internet and on the CIA's internal networks. He called this his "education", which would be nice in most other working places, but not at an intelligence agency, where you are only supposed to read things that you "need-to-know".

On the CIA's internal networks Snowden found hardly anything noteworthy: nothing about aliens or a 9/11 conspiracy and the agency's internal reports were often "very similar to the accounts that would eventually show up on network news, CNN, or Fox days later. The primary differences were merely in the sourcing and the level of detail." (p. 132-133)

Snowden had managed to get into the Intelligence Community, but he wanted to see more of the world and so he applied for a CIA tech job abroad. He changed his green badge for a blue badge, which means he went from contractor to government employee, and as such he "solemnly swore to support and defend the Constitution of the United States against all enemies, foreign and domestic." (p. 132-135)

Training at The Hill

His new job at the CIA was that of a Technical Information Security Officer (TISO), for which Snowden first had to attend the Basic Telecommunications Training Program (BTTP). For him, this took place from September 2006 to February 2007 at the Warrenton Training Center (WTC) in Virginia, nicknamed The Hill.

This facility was disguised as a training center for the State Department, but is also used by the CIA and not just for training purposes as it also serves as the heart of the CIA's global communications network:
"One drill involved lugging the "off-site package," which was an eighty pound suitcase of communications equipment that was older than I was, up onto a building's roof. With just a compass and a laminated sheet of coordinates, I'd have to find in all that vast sky of twinkling stars one of the CIA's stealth satellites, which would connect me to the agency's mothership, its Crisis Communications Center in McLean - call sign "Central"- and then I'd use the Cold War-era kit inside the package to establish an encrypted radio channel." (p. 143)


In his memoir, Snowden describes how his classmates at the Warrenton Training Center complained about violations of federal labor laws and asked him to write an e-mail about it to the head of the school. He was told to let it go, but he couldn't and sent a second e-mail, this time to the director of the Field Service Group (FSG), and also to his boss. (p. 145-146)

He was then summoned to the office of the head of the school, where his superiors were also present. They told Snowden that his e-mail was regarded as an act of insubordination because he did not follow the chain of command. He saw it as a retaliation that he was then sent to Geneva - instead of to the Special Requirements Division (SRD) which serves the more dangerous CIA sites, like he had wanted. (p. 146-148)

This issue is also part of the HPSCI-report, which specifies that Snowden had sent his concerns to the "Deputy Director of CIA for Support - the head of the entire Directorate of Support" and adds that after the meeting with the superiors, he contacted the agency's Inspector General (IG) seeking guidance because he felt he was "being unfairly targeted" by his supervisor.

He told the IG that his superiors were "extremely hostile" and "seem[ed] to believe I have trouble bonding with my classmates". He wanted the IG to help protect him from "reprisal for speaking truth to power". Like similar things from the HPSCI-report, this correspondence with the CIA's IG is not mentioned in Permanent Record.

When this report was declassified in December 2016, Snowden said on Twitter that it was "rifled with obvious falsehoods", but instead of correcting things, the book completely ignores the HPSCI-report, just like many other facts that emerged after the start of the revelations in June 2013.

TISO at the CIA in Geneva

Edward Snowden's first job abroad was at the CIA station inside the permanent US mission to the United Nations in Geneva, Switzerland, where he worked as a Telecommunications Information Systems Officer (TISO) from March 2007 to January 2009.

According to the book, a TISO works under diplomatic cover, usually as an attaché (Snowden's alias was Dave M. Churchyard), and is responsible for maintaining and repairing all the technical facilities at CIA stations abroad. The largest stations have 5 of them, larger ones maybe 3, but most stations only have one such technician. (p. 139-140)

In his book No Place to Hide, Glenn Greenwald says that Snowden "was considered the top technical and cybersecurity expert in Switzerland, ordered to travel throughout the region to fix problems nobody else could. He was hand-picked by the CIA to support the president at the 2008 NATO summit in Romania." None of this is in Snowden's book, which also doesn't mention that he worked at the CIA station in Milan for a couple of days.

The United States mission to the United Nations in Geneva, Switzerland,
where Snowden worked from March 2007 to February 2009
(image: Google Maps)

Another incident described in the HPSCI-report but not in Permanent Record is that a "few months after starting in [Geneva], Snowden asked to apply for a more senior position in [Brussels] as a regional communications officer. [...] When he was not selected for that job, Snowden responded by starting a controversial e-mail exchange with very senior officers in which he questioned the selection board's professional judgment."

Something that Snowden was more eager to share is how he found out that the CIA had no workable method for anonymous searches on the public internet, so he taught the agency's rather old-fashioned case officers to use the Tor network. (p. 154-156)

Later he says that he had also been "introduced to the Tor Project in Geneva", which could point to early contacts with hacktivists. Since then Snowden used the Tor browser not only for his private web browsing, but also to do his professional work from home. Even when this was just for his unclassified work as a Dell consultant (see below), his employer may not have liked it. (p. 209)

The Swiss banker story

For their traditional HUMINT operations, the CIA's case officers often went to social events and on some occasions they let Snowden accompany them because he could be useful for contacting potential targets from research centers like CERN. It was at such an event that he became involved in the Swiss banker story, which was first described by The Guardian on June 9, 2013.

According to The Guardian, the CIA tried to recruit a Swiss banker to obtain secret banking information. This was achieved by purposely getting the banker drunk and encouraging him to drive home in his car. "When the banker was arrested for drunk driving, the undercover agent seeking to befriend him offered to help, and a bond was formed that led to successful recruitment."

This story was received with scepticism and Swiss president Maurer stated "This would mean that the CIA successfully bribed the Geneva police and judiciary. With all due respect, I just can't imagine it." The Swiss police couldn't find any evidence for the story either.

A view of the city of Geneva and the lake in 2005
(photo via Wikimedia Commons)

In Snowden's memoir, the story is less spectacular. First it wasn't a Swiss, but a Saudi private banker. Also, there was no bribing of Swiss officials: after the CIA officer wasn't able to recruit the banker by the usual means, he made a final move by letting him drive home drunk and get the Swiss police to arrest him.

The help offered by the case officer consisted of nothing more than lending the banker money to pay the high fine and driving him to work for some time. Eventually (and contrary to The Guardian's report) all of this didn't result in recruiting the banker as he refused to cooperate. He lost his job and had to return to Saudi Arabia. (p. 157-160)

According to The Guardian, Snowden said that "Much of what I saw in Geneva really disillusioned me about how my government functions and what its impact is in the world" but the book gives no clear substantiation for that. Snowden describes the operation to recruit the banker merely as a waste, after which "the prioritizing of SIGINT over HUMINT made all the more sense to me". (p. 160-161)

First concerns in Geneva?

The Swiss banker story isn't in the HPSCI-report, but it does say that several years after Snowden left the CIA, he "claimed that, while in [Geneva] he had ethical qualms about working for CIA. None of the memoranda for the record detailing his numerous counseling sessions mention Snowden expressing any concerns about [redacted]."

Greenwald's book says that it was "at the end of his stint in Geneva, that he first began to contemplate becoming a whistle-blower and leaking secrets that he believed revealed wrongdoing." Snowden didn't act at that time, first because he hoped that the election of Obama would change things, and secondly because "When you leak the CIA's secrets, you can harm people" but "when you leak the NSA's secrets, you only harm abusive systems."

In Oliver Stone's biographical thriller we see how the fictional Snowden already became concerned about the NSA's surveillance tools after an NSA hacker in Geneva, supporting the (fictionalized) operation to recruit a banker, showed him how intrusive the XKEYSCORE system was (although the examples were also from PRISM and Section 215).

In Permanent Record there's only a more realistic encounter: when he spoke to local personnel of the Special Collection Service (SCS, consisting of NSA and CIA officers specialized in intercepting the hardest targets), one of them told Snowden that when he would meet a potential target he should "just give us his email address and we'll take care of it". (p. 160)

In line with that, Snowden emphasizes that "the obvious [NSA being engaged in mass surveillance] didn't even become thinkable for me until some time after I moved to Japan in 2009 to work for the NSA". (p. 164)

A scene from Oliver Stone's movie in which NSA hacker Gabriel Sol
shows Snowden the NSA's surveillance capabilities

Resignation from the CIA

According to the HPSCI-report, Snowden requested to leave Geneva in September 2008, but because this was before the scheduled rotation date, it was denied. "Disobeying orders, Snowden traveled back to the Washington, D.C., area for his and his fiancée's medical appointments. Because of his disobedience, Snowden's supervisors recommended he not return to [FSG service?]."

In January 2009, the CIA eventually assigned him to a position in the Washington, D.C. area so he could be available for any medical appointments. Snowden officially resigned from the CIA on April 16, 2009, after which the agency's Security Office updated his record in Scattered Castles, the central database of security clearance holders for the US Intelligence Community.

The report suggests that the CIA put a red flag or some derogatory information in Snowden's record, which the NSA Security Office missed when it had accessed the database 3 weeks earlier to verify Snowden's security clearance - because meanwhile he had applied for a systems administrator job with NSA contractor Perot Systems.

Nothing of the above is in Snowden's book. The only reason he gives for his job change is that his new job "was a dream job, not only because it was with the most advanced intelligence agency on the planet, but also because it was based in Japan, a place that had always fascinated Lindsey and me." (p. 164-165)

> Snowden's jobs at the NSA will be discussed in Part II

Solutions consultant for the CIA

In September 2010, Edward Snowden returned to Maryland, where he got a new job at Dell, the company for which he had already worked at the NSA facility in Japan since August 2009. In his memoir, Snowden says that someone had convinced him that he should shift to the sales side of Dell, where he could make much more money.

His new job title was solutions consultant and as such he was the technical adviser to the account manager who had to sell as much of Dell's equipment and expertise to the CIA as possible, especially its cloud computing system. (p. 189)

Once again, the HPSCI-report has a different version and says that Dell tried to move Snowden to a position where he would support IT systems at the CIA. But because of the remark in the Scattered Castles database, the CIA refused to grant him access to classified information.

Therefore, Dell put Snowden on leave for three months while waiting for a position that did not require a security clearance to open up. Eventually, one did and in December 2010, Snowden started to work in an uncleared "systems engineer/pre-sales technical role" for Dell's CIA contract.


One of the more personal things revealed in Permanent Record is how Snowden found out he has epilepsy, which was diagnosed somewhere in the Summer of 2011: "I felt defeated. The two great institutions of my life had been betrayed and were betraying me: my country and the Internet. And now my body was following suit." (p. 199-201)

Because of the epileptic seizures, Snowden had to take a disability leave from Dell and the HPSCI-report specifies that this was from August 31, 2011, to January 11, 2012: "His Dell co-workers offered conflicting accounts of how he spent his leave" which is followed by a sentence that is redacted, maybe to protect details of his medical situation.

Tor bridge relay

While Snowden was bound to his couch he witnessed and was moved by the Arab Spring, which led him to reflect on the concepts of authoritarianism and privacy. He also wanted to help the protesters, but the only thing he could do was to set up a bridge relay for the Tor network to bypass the Iranian internet blockades. (p. 205-210)

This probably refers to the events from February 2012, when the Iranian government blocked Internet access to sites like Facebook, Twitter, and other foreign sites. It's not clear why Snowden chose to help Iranian dissidents as during the Arab Spring, internet access was blocked or limited in other countries too.

According to the weblog emptywheel, setting up the Tor bridge relay would require contact with the Tor developers, one of whom was Jacob Appelbaum. This means Snowden could have been in contact with a rather radical hacktivist already before he started his job at the NSA in Hawaii.

> To be continued!

Links & sources

- Emptywheel: Snowden Needs a Better Public Interest Defense, Part I - Part II (Nov.-Dec. 2019)
- Rolf's Blog: Review of Ed Snowden's "Permanent Record" (Oct. 10, 2019)
- The New York Review of Books: Snowden in the Labyrinth (Oct. 2019)
- Matthew Green: Looking back at the Snowden revelations (Sept. 24, 2019)
- The New Yorker: Edward Snowden and the Rise of Whistle-Blower Culture (Sept. 23, 2019)
- The New Republic: Edward Snowden's Novel Makeover (Sept. 17, 2019)
- Wired: After 6 Years in Exile, Edward Snowden Explains Himself (Sept. 16, 2019)
- The Guardian: Interview by Ewen MacAskill (Sept. 13, 2019)
- Der Spiegel: 'If I Happen to Fall out of a Window, You Can Be Sure I Was Pushed' (Sept. 13, 2019)
- House Permanent Select Committee on Intelligence: Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden (Sept. 15, 2016)
- Wired: Edward Snowden: The Untold Story (Aug. 2014)
- Vanity Fair: The Snowden Saga: A Shadowland of Secrets and Light (May 2014)

October 29, 2019

The communications equipment in Trump's Situation Room photo

Last Sunday, October 27, the White House released a photo showing president Trump and his national security team in the Situation Room of the White House.

The photo caused some discussion because people suggested that it might be staged, but here the focus will mainly be on the communications equipment.

President Trump and his national security team in the White House Situation Room, October 26, 2019
(White House photo by Shealah Craighead - click to enlarge)

The people in this photo are (from left to right): National Security Advisor Robert O’Brien, Vice-President Mike Pence, President Donald Trump, Secretary of Defense Mark Esper, Chairman of the Joint Chiefs of Staff US Army General Mark A. Milley, and Brig. Gen. Marcus Evans, Deputy Director for Special Operations on the Joint Staff.

According to the press secretary, they were monitoring developments as US Special Operations forces closed in on the compound of ISIS leader Abu Bakr al-Baghdadi in Syria. Baghdadi eventually killed himself (and three of his children) by detonating a suicide vest. Some 14 hours after the raid, Trump announced Baghdadi's death.

Telephone equipment

In the photo released by the White House we also see several different telephone sets: left of president Trump, at his right hand, is a Cisco IP phone (either the 8841, 8851 or 8861), which is part of the internal White House telephone network and can be used for all non-secure calls.

On the back of this phone is a black metal box, which is a modification by Advanced Programs, Inc. (API) in order to meet Telephone Security Group (TSG) standards, including measures to prevent the handset and the speakerphone from picking up and transmitting audio when the phone is on-hook.

A close-up of the telephones in the White House Situation Room
(White House photo - click to enlarge)

A similar Cisco IP phone can be recognized at the left side of Trump, in front of the Chairman of the Joint Chiefs of Staff. This telephone doesn't have the additional box on the back, but does have a bright yellow faceplate, which is the color code for the highest classification level: Top Secret/SCI.

Therefore, this telephone is for secure calls, through the dedicated Executive Voice over Secure IP-network, which connects the US president with all major decision makers. The phone itself has no encryption capability, as it's connected to a central network encryptor, probably from General Dynamics' TACLANE family.

The secure telephone is almost hidden behind an older Cisco 7975G IP phone. This phone seems to have the standard silver faceplate, but there's a red label on the handset, which often indicates a secure line. Maybe it was installed especially for this operation, as in the White House these old Cisco phones should have been replaced by newer ones from the 8800-series.

Computer equipment

Besides the telephones, there are also some computers in the Situation Room: a tablet computer and three black laptops, one of which has two yellow labels, showing that the device may be used for classified information up to the level of Top Secret/SCI.

In the middle of the table there's a mess of network cables, many of them color-coded according to the classification level of the network they may connect to: red for Secret and yellow for Top Secret/SCI networks. Given that the meeting was about a military operation, they probably used:
- SIPRNet for military information at the Secret level
- JWICS for Top Secret/SCI military intelligence.

Both networks also have Voice-over-IP and video streaming capabilities. The audio and video in the conference room can be controlled by the small AMX touchscreen right in front of the president.

Close-up of the AMX audio and video control panel on the conference table
(still from a White House video - click to enlarge)

Was the photo staged?

Immediately after its release there were speculations about whether the photo was staged. On Twitter, former White House photographer Pete Souza initially wrote: "The raid, as reported, took place at 3:30 PM Washington time. The photo, as shown in the camera IPTC data, was taken at “17:05:24”."

The latest press reports however say the attack in Syria took place after midnight local time in Syria, which corresponds to 6:00 PM in Washington. President Trump had been out golfing and arrived back at the White House at 4:18 PM, well in time to be in the Situation Room around 5:00 PM - which would mean the photo was taken before the two-hour operation started.

The photo of Trump's Situation Room is reminiscent of the one showing president Obama and his national security team following the operation in which Osama bin Laden was killed on May 1, 2011, a scene that is generally assumed to look more realistic:

President Obama and his national security team following the
mission against Osama bin Laden, May 1, 2011.
(White House Photo by Pete Souza - click to enlarge)

In the Obama photo most officials aren't wearing suit jackets and no one is looking at the camera. Everyone was focused on the dramatic events on the video screen of the room (which is one of the smaller meeting rooms, next to the main conference room seen in the Trump photo).

By contrast, Trump and his ministers are fully dressed up with the president himself right in the center. Everyone looks, or is supposed to look, right into the camera, which means the photographer stood right in front of the main video screen, as can be seen in an earlier photo of the room taken from another angle:

President Trump meets with Republican and Democratic leaders, January 2, 2019.
(White House Photo by Shealah Craighead - click to enlarge)

So it seems that just before the operation against Abu Bakr al-Baghdadi started, president Trump took the opportunity to have pictures taken showing him and his national security team in the way he likes it - which is opposite to Obama's much more informal style.

Links & sources
- Der Spiegel: The Hunt for the World's Most-Wanted Terrorist
- The Independent: Anomalies in Trump situation room photo spark online conspiracy theories it was staged
- Business Insider: Trump’s al-Baghdadi raid Situation Room photo has one big difference from Obama’s Osama bin Laden picture — and it tells you everything about their styles
- CNN: Photos highlight stark differences in Trump and Obama approaches

September 22, 2019

From 9-Eyes to 14-Eyes: the Afghanistan SIGINT Coalition (AFSC)

It was a mystery for over five years: the 9-Eyes intelligence cooperation, which was first revealed by The Guardian in November 2013. It was only an extensive new piece on the website The Intercept from last May that made clear that the 9-Eyes is actually the Afghanistan SIGINT Coalition (AFSC).

The main purpose of the AFSC was to collect GSM metadata using DRT interception devices and feed them into the NSA's huge data analysis platform for Afghanistan operations called the Real Time Regional Gateway (RT-RG).

The AFSC started in 2009 with nine members but eventually grew to the same 14 countries that already cooperated in another intelligence exchange group called SIGINT Seniors Europe (SSEUR). The AFSC existed at least until the end of 2014.

Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019
(click to enlarge)

Intelligence sharing coalitions

The existence of the 9-Eyes group was first revealed by the British newspaper The Guardian on November 2, 2013:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

This revelation caused some embarrassment, as France and the Netherlands in particular had clearly expressed their anger about the NSA's alleged eavesdropping operations against their citizens (see below), but now it turned out they were also engaged in some close alliances with the Americans.

Other 9-Eyes: CFBLNet

The Guardian's revelation started speculation about the differences between these groups and their specific purposes. From open sources, a range of similar "Eyes" for sharing military and intelligence information were identified on this weblog in November 2013 in a posting titled Five Eyes, 9-Eyes and many more.

It turned out that the term 9-Eyes had already been used since 2008 for exchanging classified information among the Five Eyes and nine NATO members of the Combined Federated Battle Laboratories Network (CFBLNet). This is a multilateral network for research, development and testing of C4ISR systems.

However, the members of the CFBLNet 9-Eyes were not fully identical to those in the Guardian article, so it seemed unlikely that this was the mysterious 9-Eyes group mentioned in the Snowden documents.

The 9-Eyes of the CFBLNet listed in a NATO standardization document from 2010
(click to enlarge)

14-Eyes: SSEUR

In December 2013, Swedish television published a range of NSA-documents from the Snowden files which revealed that the 14-Eyes were also known as the SIGINT Seniors Europe (SSEUR) and consisted of the Five Eyes plus nine European partners: Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden:

(click to enlarge)

From various other sources it became clear that the SIGINT Seniors Europe is a group in which the heads of the participating military or signals intelligence agencies coordinate the exchange of military intelligence according to the needs of each member.

The SSEUR group was established in 1982 for more efficiently monitoring the Soviet Union* and a database system called SIGDASYS was set up so the participating agencies could exchange as much military SIGINT and other information as possible.* In the early 2000s, a sub-group for counter-terrorism was formed under the name SIGINT Seniors Europe Counter Terrorism coalition (SISECT).


Meanwhile, the function of the 9-Eyes remained unclear: the Dutch interior minister Ronald Plasterk refused to say anything about it, but there were rumours that it was for exchanging military signals intelligence related to operations in Afghanistan.

That could explain why no other documents about the 9-Eyes had been published, because apparently Glenn Greenwald had an agreement with Snowden not to disclose information that could endanger American troops in Afghanistan.

Nonetheless, information about NSA's involvement in Afghanistan did come out: in June 2014, for example, the German magazine Der Spiegel released an NSA paper from January 2013, which lists all the members of the Afghanistan SIGINT Coalition (AFSC). Its membership appeared identical to the SIGINT Seniors Europe or 14-Eyes.

NSA presentation slide showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 2014.

From 9-Eyes to 14-Eyes

But as was revealed in The Intercept's article from last May, the Afghanistan SIGINT Coalition did not always have 14 members: the group started in 2009 with just nine members and was therefore called 9-Eyes. Besides the Five Eyes it included Denmark, France, the Netherlands and Norway.

In 2010, Sweden and Germany joined the Afghanistan SIGINT Coalition and by January 2013, Belgium, Italy, and Spain had also become members of the group. By then, the AFSC had exactly the same membership as the SIGINT Seniors Europe or 14-Eyes.

It is not known whether the number of "Eyes" increased with each new AFSC member, but it's clear that an "Eyes" designation is not always a unique designator and there can be multiple groups with the same number of Eyes at the same time. To avoid confusion, such multilateral partnerships can best be called by their actual names.


The Real Time Regional Gateway

The Afghanistan SIGINT Coalition was created because the NSA needed additional linguistic capabilities as well as data from regions in Afghanistan where they had little or no coverage themselves.

Therefore they turned to trusted coalition partners and provided them with wireless interception equipment known as DRT-boxes, which were first identified as such on this weblog in November 2013.

After Dutch, Danish, Norwegian, German and Spanish troops each got one, two or three DRT devices, they started feeding intercepted GSM metadata into a huge distribution and analysis system called Real Time Regional Gateway (RT-RG) as of Summer 2008.

This RT-RG system was first publicly mentioned in a Defense News article from October 2010 and in the book Top Secret America from 2011 it was described as follows:
"RTRG allows users to see all signal intelligence that collectors are working on in real time. This includes ground collectors, Air Force RC-135 Rivet Joint and Liberty planes, SIGINT-equipped drones, and SIGINT satellites operated by the NRO. RTRG has provided a tenfold increase in the speed with which intercepts are provided to operators on the ground."

This is already a pretty accurate description, except that it doesn't mention the participation of coalition partners, which governments always handle as something extremely sensitive.

Slide from an NSA presentation showing all the collection systems that fed the RT-RG platform
(click to enlarge)

RT-RG started as a project called RT-10, which was first deployed in Baghdad in 2007. An internal NSA newsletter says that in order to provide a comprehensive real-time view of the telephone and internet communications in Baghdad (with roughly 4 to 5 million residents), the RT-10 system had to be able to ingest each day:
- 100 million telephone metadata records
- 1 million pieces of telephone content
- 100 million internet metadata records

The success of the RT-RG system lay in the fact that these massive amounts of data were stored locally: in 2009, a large RT-RG data center was built at Area 82 of Bagram Airport north of Kabul. It was right next to the Afghanistan Regional Operations Cryptologic Center (A-ROCC), where analysts from the 9-Eyes countries worked side-by-side.

Previously, war-fighters in the field had to retrieve their intelligence from central databases at NSA headquarters. This cost time and bandwidth, but it also meant that only data related to known targets was sent back and stored. By storing the full-take collection in a regional repository, all data could be subjected to analytic algorithms in order to find new targets for the so-called Find, Fix, Finish operations.

In 2011, the Afghanistan RT-RG had a database of 27 terabytes, which could only store approximately one month of regional data (90% of the user queries were within a one-week timeframe though). A planned move to NSA's new cloud architecture would increase the storage space to up to 125 TB and would allow larger-scale analytics to be conducted.

Architecture of the Real Time Regional Gateway (RT-RG) in 2012
(source: NSA presentation - click to enlarge)


How much GSM metadata the countries of the Afghanistan SIGINT Coalition collected can be seen in charts from the NSA's data visualization tool BOUNDLESSINFORMANT. The available charts show that the following numbers were acquired through the DRTBOX system during a one month period between December 10, 2012 and January 8, 2013:
- France: 62 million metadata records
- Spain: 60 million metadata records
- Italy: 45 million metadata records
- Sweden: 33 million metadata records
- Norway: 33 million metadata records
- Denmark: 22 million metadata records

(The chart for the Netherlands shows the CERF CALL method through which cellphone metadata from Somalia were collected. DRTBOX is not mentioned, maybe because Dutch troops had already left Afghanistan by August 2010.)

These numbers are very small compared to what NSA and American military units collected. They also, once again, show that "mass surveillance" of entire populations would require the collection of billions of metadata records rather than the millions that showed up in these particular charts (60 million would roughly be the number of metadata records generated by 20,000 handsets).

In the second half of 2013, these charts were published in various major European newspapers saying that they proved that NSA monitored millions of phone calls in those countries. Soon it turned out this interpretation was completely wrong, something which co-author Glenn Greenwald only admitted in The Intercept's article from last May.

BOUNDLESSINFORMANT chart showing metadata collected by French intelligence,
including 62 million records through the DRTBOX system
(click to enlarge)

3rd Party partners

It is interesting that Polish troops in Afghanistan also got one DRT interception device, and there's also a BOUNDLESSINFORMANT chart showing that in one month's time they collected some 71 million cellphone metadata records. But despite this effort, Poland did not become a member of the Afghanistan SIGINT Coalition.

Poland was also not a member of the SIGINT Seniors Europe, so it seems the AFSC was only meant for countries that were already part of the SSEUR. The slide at the top of this blog post shows that, together with several other NATO countries, Poland is listed in red as a "National SIGINT Partner".

Except for Slovenia, these National SIGINT Partners appear to be identical with the so-called 3rd Party partners, which are the (signals) intelligence agencies of over 30 countries with which NSA has a formal relationship. They are one level below the 2nd Party partners, or Five Eyes, who have a fully integrated signals intelligence cooperation.

Quid pro quo

The operations in Afghanistan show how many different levels of cooperation there can be: there were 3rd Party partners who did nothing more or less than ordinary NATO members. Among them, information is only shared up to the classification level SECRET.

Then there was Poland which collected and shared telephone metadata, but did not participate in the CENTER ICE platform through which the countries of the SIGINT Seniors Europe communicated and exchanged threat information at the level TOP SECRET/SI.

The closest cooperation for 3rd Party partners was in the AFSC, where they fed telephone metadata directly into the NSA's RT-RG system. Because cooperation between intelligence agencies is always based upon the principle of quid pro quo, these partners also got things in return, equal to their input.

For the members of the AFSC these returns included real-time data access, unique linguistic resources and joint counter insurgency operations - things that could have been crucial for the success of their operations or the safety of their troops, but which the Five Eyes did not make available to the (initially broader group of the) SIGINT Seniors Europe.


The latest document in which the Afghanistan SIGINT Coalition is mentioned is an NSA paper from April 2013. One month later there was an AFSC conference in Denmark at which it would be discussed what to do after the ISAF mission was disbanded in December 2014. It's not known whether there was any kind of continuation.

The Real-Time Regional Gateway proved to be so successful that already in 2012, NSA deployed the system at 11 locations around the world, including at its regional center in Texas to combat Mexican drug trafficking, as well as on board the nuclear submarine USS Georgia, which collected mobile phone metadata around the Horn of Africa.

Links & sources
- Bug Brother: La NSA n’avait (donc) pas espionné la France (June 2019)
- The Intercept: Mission creep: How the NSA’s game-changing targeting system built for Iraq and Afghanistan ended up on the Mexican border (May 2019)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (Oct. 2015)