October 26, 2022

A new secure red telephone for German chancellor Scholz

(Updated: October 30, 2022)

In December last year, Olaf Scholz succeeded Angela Merkel as chancellor of Germany. For about half a year now, he has had a remarkably large red telephone on his desk, which appears to be the SINA Communicator H. This is a brand new device for conducting secure phone calls at different classification levels and is part of the widely used SINA architecture.


German chancellor Scholz with his new red telephone for secure calls
(photo: Jesco Denzel)



The chancellor's office

When the German government moved back to Berlin in 1999, a new Federal Chancellery was built, which was opened in May 2001 by chancellor Gerhard Schröder. Built in a postmodern style, it is said to be one of the world's largest government headquarters, with nine floors in the central part and over 300 offices in the wings.

On the 4th floor of the main building there's a room shielded against eavesdropping for meetings of the crisis staff (Krisenstab) and the weekly meeting of the heads of the secret services with the head of the chancellery (there's no bunker underneath the building).


The small situation room in the Federal Chancellery,
with at least three Alcatel 4039 office telephones


Next to the secure conference room is a small situation room (Lage- und Krisenzentrum) where information from all over the world is collected 24/7. A selection of it is put in a folder titled Nachrichtenlage, which the chancellor finds on his desk every morning, similar to the President's Daily Brief for the American president.

The chancellor's office is on the 7th floor and is very spacious, with a seating area, a conference table and a large, almost 4 meter long black desk. Chancellor Merkel didn't like this desk and used it only for phone calls to foreign leaders. For her daily work she preferred the small conference table at the opposite end of the room.




Video impression of the chancellor's office (December 2021)


The chancellor's telephones

When Olaf Scholz took over the office from Angela Merkel in December 2021, he found two Alcatel 4039 telephone sets on his desk, one of them with an extension module providing 14 additional direct line buttons. The Alcatel 4039 is a high-end IP office phone with a tiny alphabetic keyboard as a distinctive feature.

Alcatel was the telecommunications branch of the French conglomerate Compagnie Générale d’Électricité (CGE), which in 1986 was merged with the telephone equipment part of ITT Corp. from the United States. This made Alcatel NV the world's second-largest telecommunications company. In Germany, Standard Elektrik Lorenz (SEL) had become an Alcatel subsidiary as well, with 20 percent of Germany's telephone equipment market in the early 1990s, second only to Siemens AG. In 2006, Alcatel merged with the American manufacturer Lucent Technologies to become Alcatel-Lucent, which was acquired in 2016 by the Finnish company Nokia and merged into their Nokia Networks division.

Note that in the video we see that one of the phones has a red label and the other one a blue label. This likely indicates which phone is for classified conversations and which one for unclassified calls, according to the color codes of the German classification system:
- Blue: up to Confidential (VS Vertraulich)
- Red: Secret (Geheim) and Top Secret (Streng Geheim)

By February 2022, the Alcatel 4039 with the blue label had been replaced by a stylish new IP phone, probably the IP232 made by Innovaphone. This is interesting, because Innovaphone is only a small manufacturer, but as a German company its products may be considered less risky than those of foreign manufacturers.


The IP232 made by Innovaphone



The new red telephone

The first time the new red telephone on chancellor Scholz's desk was seen was during an interview with T-Online that was published on May 15, 2022. The phone got broader attention by a photo posted on Scholz's Instagram account on September 13, 2022, during or after a 90-minute phone call with Russian president Putin.

This was picked up by the German tabloid paper BILD, which in a video report (see below) suggested that Scholz had used his new red telephone ("back from the days of the Cold War") to make the phone call with Putin. However, on its website, BILD stated that for conversations with for example the Kremlin, Scholz uses another secure line.

The latter is most likely because for a secure phone line, both parties have to use the same encryption system, and in this case it's not very likely that the Germans would provide Putin with their newest secure voice encryption technology. In the United States, a "red phone" is also used for internal command and control communications and, despite widespread popular belief, not on the famous Hotline between Washington and Moscow.






secunet Security Networks AG

BILD had also identified Scholz's new red telephone as the so-called SINA Communicator H. This device is manufactured by the German cybersecurity company secunet Security Networks AG, which is headquartered in Essen and was founded in 1997 as a spin-off of the venerable testing association TÜV.

In 2004, secunet became a partner in the IT Security Partnership (Sicherheitspartnerschaft) with the federal Interior Ministry, which by then also included Rohde & Schwarz, Deutsche Telekom, Siemens, IBM Deutschland and Infineon.

Until recently, German government and military departments used voice encryption systems for ISDN, which was very popular in Germany. But German telecommunications providers are phasing out their ISDN services one by one, replacing them with Voice over IP (VoIP) via DSL. This made it urgent for the government to replace its existing voice encryption systems.


The SINA Communicator

Hence, secunet developed the SINA Communicator, drawing on its years of experience with the hardware. For the necessary software for encrypted voice and video communications, secunet acquired the German company Stashcat GmbH, which in 2016 launched the Stashcat secure smartphone messenger that is used by some 50,000 German soldiers, as well as by schools, companies and local governments.

The name "SINA Communicator H" signifies that the device is part of the Secure Inter-Network Architecture (SINA) product family for securing digital data and communications (see below), in this case up to the classification level Secret. The latter is indicated by the letter H, as the last letter of the SINA product designations indicates their maximum classification level:
- S: up to VS-Nur für den Dienstgebrauch (Restricted)
- E: up to VS-Vertraulich (Confidential)
- H: up to Geheim (Secret)

As such, the SINA Communicator H was certified by the Federal Office for Information Security (BSI) in July 2021. Certification for organizations of the European Union and NATO has been requested.




The SINA Communicator is a fairly large and heavy device (ca. 5.5 kg) and, despite the bulky look of its backside, it won an iF Design Award earlier this year. Unlike common telephones, the SINA Communicator has only four buttons (mute, up, down and headset); all other functions are accessed through the 10.1" LCD touchscreen.

It seems that currently, the device can only be used for secure phone calls. A secure messenger, video telephony and the integration of thin client functionality will be part of future upgrades. Other options such as web clients, fax support, file and document transfer and multi-party messaging can also be added.

A special feature of the SINA Communicator is the Multi Level Data Separation, which means that users can communicate at different classification levels by selecting one of the approved levels via the touchscreen display. This will make it possible to use the same device to communicate with foreign partners as well.




The SINA Communicator supports up to three different networks, depending on the need of the user, which enable them to communicate at various German classification levels, or at (classified) networks of European and NATO partners, up to the level Secret.

For access to a particular network at a particular classification level, users get a hardware token in the form of a small key for each network they are authorized for. The key for a network has to be plugged into the phone, which provides two-factor authentication:




The SINA Communicator can be used on dedicated government networks or directly on the public internet and is also compatible with the modernized command and control systems (Harmonisierung der Führungsinformationssysteme or HaFIS) of the German armed forces.

The Communicator uses standard VoIP protocols, including the Session Initiation Protocol (SIP) for common commercial systems and the Secure Communications Interoperability Protocol (SCIP) for secure communications with NATO partners.

Encryption is conducted with a "type A cryptographic suite" and key management through a Public Key Infrastructure (PKI) or the Internet Key Exchange version 2 (IKEv2), which can be upgraded to provide resistance against attacks by future quantum computers (PQC).


Update:

The SINA Communicator comes standard in black; the version in red seems to be for German government users to communicate up to the classification level Secret. It's not clear why this is signified with an almost completely red device, instead of with a less-eyecatching marking.

In the US, for example, the phones for calls at the highest level are simply marked by a bright yellow bezel around the display. For the Oval Office apparently even that stood out too much, so there the phone for secure calls looks almost identical to the one for regular calls, much like the two Alcatel 4039 phones that had been on Scholz's desk.


Introduction of the SINA Communicator H in red


The SINA architecture

The SINA Communicator is the latest addition to the Sichere Inter-Netzwerk Architektur or Secure Inter-Network Architecture (SINA) to protect classified information and communications. Following a tender by the BSI, secunet started developing the SINA architecture in 1999.

SINA enables the secure processing, storage, transmission and documentation of classified information and consists of a range of terminals and network encryption devices, including:

- SINA L2 Box: Encryption at OSI layer 2 with a data throughput of up to 100 Gbit/s.

- SINA L3 Box: IPsec encryption at OSI layer 3 with a data throughput of up to 5 Gbit/s.

- SINA Workstation: Provides secure access to both classified and unclassified networks.

- SINA Workflow: Dedicated document management system for classified information.




SINA encryption

At the lower classification levels, encryption was initially conducted with the classified cryptographic algorithm CHIASMUS, but this has been replaced by the publicly available AES block cipher. The SINA products also use Elliptic-curve Diffie-Hellman (EC-DH) for key exchange and the Elliptic-curve German Digital Signature Algorithm (EC-GDSA) for digital signatures.

At the higher classification levels, SINA products used the classified cryptographic algorithm LIBELLE, implemented on the PLUTO crypto processor made by Infineon. This chip was integrated into a Hardware Security Module (HSM) called PEPP1, manufactured by Rohde & Schwarz. LIBELLE was gradually replaced by a new classified encryption algorithm.


Usage of SINA products

In Germany, SINA products are installed at government departments, military facilities, companies working with classified information and critical infrastructures. Also secured by SINA encryption devices are the wide-area networks for Secret information of the German foreign intelligence service BND, as well as the global secure network connecting German embassies via the internet.

Data that are intercepted under Germany's lawful interception authorities are also secured by SINA network encryptors when they are transferred from the telecommunications provider to the appropriate government agency.

SINA devices are also certified by the responsible authorities of NATO and the European Union and are used by public institutions and commercial enterprises in other countries as well. By now, some 170,000 SINA products have been installed in over 30 countries.

In the Netherlands, for example, the cybersecurity company Fox-IT equips SINA boxes with its RedFox encryption module, which comes in a commercial version and one with classified algorithms for government users.



Links and Sources
- secunet: SINA Communicator H factsheet
- BSI: SINA Broschüre (2016)
- BILD: Wenn beim Kanzler das rote Telefon klingelt (2022)
- Der Spiegel: Im Kanzleramt (2005)
- Verwaltungsvorschriften: Hinweise zur Handhabung von Verschlusssachen

October 12, 2022

Jareh Dalke arrested for offering NSA documents to the Russians


On September 28, the FBI arrested Jareh S. Dalke, who attempted to sell the Russians some highly classified documents which he exfiltrated within less than a month after he started working at the NSA. Court records provide a lot of interesting details about this case, but also raise a number of questions.



Union Station in Denver, Colorado, where Jareh Dalke provided highly
classified NSA documents to someone he assumed to be a Russian agent



A job at the NSA

At the time of his arrest, Jareh Sebastian Dalke lived in Colorado Springs, Colorado, and was 30 years old. He had served in the US Army from 2015 to 2018 and obtained a bachelor's degree in Cybersecurity and Information Assurance from Western Governors University in 2019. According to his resume he also has a master's degree from Norwich University with a focus on cyber policy and technical vulnerability analysis.

On June 6, 2022, Dalke became a civilian employee of the NSA and started as an information systems security designer assigned to an NSA facility in the Washington DC metro area. Not mentioned in the court records is why Dalke took a job more than 1600 miles or 2600 kilometers from where he lived, while the NSA also has a regional Cryptologic Center in Denver, which is just 70 miles or 110 km from his hometown.

It would have made more sense if Dalke only attended a training at the NSA facility near Washington, while his actual job would have been at the regional center in Denver - similar to Edward Snowden, who first attended a two-week training course at NSA headquarters before starting as an infrastructure analyst at the NSA's regional center in Hawaii.


Security clearance

For his new job at the NSA, Dalke's clearance for Secret information from his time at the Army was upgraded to a Top Secret/SCI clearance, which is common for almost everyone working at the NSA. This clearance requires the most rigorous vetting, which includes disclosing financial information like debts and bankruptcies going back seven years.

According to court records, Dalke had filed for bankruptcy in December 2017 when he had some 32,000 USD in student loan debt and 51,000 USD in other non-secured debt, primarily from credit cards. Usually things like these are a red flag, as it makes someone vulnerable to blackmail or willing to sell classified information - which was exactly what happened in this case.


Exploiting a misconfiguration

Once at the NSA, Dalke apparently soon gained access to classified information beyond what he was allowed to see. This was due to "a misconfiguration in the system", as he later told his presumed Russian contact. It is astonishing that he found this flaw within 10 days of starting his job: he printed the first of the stolen classified documents on June 17, 2022. Was this an extreme coincidence or was it orchestrated?

A highly speculative theory could be that the Russians had Dalke recruited early on and urged him to apply for a position at the NSA (which could explain why he took a job that was 1600 miles away). Once Dalke was inside, the Russians gave him the details about the misconfiguration and which information he should look for. In the court records there's nothing that hints at this option, but also not much that contradicts it.


Printing classified documents

Later, Dalke printed at least three additional documents, which he was able to carry out of the building. Exfiltrating printed documents is easier than exfiltrating information in electronic form, since the storage media the latter requires can be picked up by detection gates. It had earlier become clear that there were no pocket checks at the NSA: security guards only conducted random checks and used their discretion, in order to keep and build the trust of the employees.

It's not clear how Dalke transferred the classified documents to his presumed Russian contact, but he could have known that scanning or photographing a printed document still leaves it individually traceable.

That was painfully demonstrated by the case of former NSA contractor Reality Winner, who printed a document which she provided to the investigative website The Intercept. Due to sloppiness on the part of The Intercept, the document was recognized and traced by the NSA, after which the FBI arrested Winner on June 3, 2017.


The NSA document which Reality Winner leaked to The Intercept in 2017



Contacting the Russians

According to the court records submitted by the FBI, Jareh Dalke abruptly left the NSA because of "a family illness that required him to be away for nine months, a period which the agency was unable to support." He submitted his resignation on June 28 and was debriefed from his TS/SCI clearance on July 1, 2022.

At the end of July, Dalke began communicating with someone he believed to be associated with the Russian government, but who was actually an undercover FBI agent, a so-called Online Covert Employee (OCE). According to the FBI they exchanged encrypted e-mail messages through a legitimate foreign e-mail provider, likely the Swiss company ProtonMail or a similar secure e-mail service.

It's not known how Dalke came in contact with the undercover FBI agent, but he could have tried to contact for example the Russian embassy in Washington and was then detected by the FBI which closely monitors such communication channels. If so, the FBI could subsequently contact Dalke under the guise of being a Russian intelligence officer.

(Emptywheel noticed that on the same day that Dalke was arrested, the FBI also arrested Jamie Lee Henry and her wife Anna Gabrielian, who wanted to provide Russia with medical records of senior American military officers)


Dalke's motives

According to court records, Dalke told the undercover FBI agent that he "recently learned that my heritage ties back to your country, which is part of why I have come to you as opposed to others". Although he had already left the NSA, he said that he worked for the US government because he "questioned our role in damage to the world in the past and by mixture of curiosity for secrets and a desire to cause change."

Dalke then told his contact that he had "exfiltrated some information that is of a very high level" which was related to foreign targeting of US systems and information on cyber operations, among other topics.

He added that at the moment he was on a temporary assignment elsewhere that didn't allow him access to such information, but that he planned to return to a position that would give him access to information from both the NSA and another government agency.


Proof of willingness

Dalke offered the information in exchange for a specific kind of cryptocurrency, stating, "there is an opportunity to help balance scales of the world while also tending to my own needs."

On August 5, the undercover FBI agent asked him for some proof, after which Dalke sent him three excerpts, two from Top Secret documents and one from a document classified as Secret. According to NSA records, Dalke had printed these documents on June 17, 22 and 23 and was also the only NSA employee to have printed all of these documents.

On August 10, Dalke also sent his covert contact a full document from another US government agency, as a "show of good faith" and that he was "willing to provide full documents without reservation." This four-page document contained information about a foreign government leader and was classified SECRET//NOFORN.


Request for verification

In two e-mails from August 23 and 24, Dalke requested his covert contact to verify that he was truly a representative of the Russian government. According to court records, Dalke claimed that he had reached out through "multiple published channels to gain a response. This included submission to the SVR TOR site."

The SVR is the Russian foreign intelligence service, which apparently also has a site on the anonymous Tor network. Dalke asked for verification through a posting on an official website or a report in a government-controlled Russian media outlet. It's not clear whether or how this was done, but the e-mail communication between Dalke and the undercover FBI agent continued.


The website of the Russian foreign intelligence agency SVR on the public internet


Seeking additional information

On August 26, Dalke claimed that his total debt was already some 237,000 USD and that 93,000 USD was coming due very soon. Accordingly, he requested 85,000 USD in return for all the classified information he had in his possession - a remarkably risky way of solving debts, given the high salaries which Dalke, with his TS/SCI clearance, could have expected had he taken a job in the private sector.

Dalke even told his contact that he would share additional information in the future, once he returned to the Washington DC area. And indeed, on August 11 he had applied to an external vacancy at the NSA again. The NSA's Human Resources Department was unaware of the FBI investigation into Dalke and conducted a telephonic interview with him on August 24, in which he expressed his desire to return to the agency.

This is very similar to Snowden, who took his last job at the NSA to get even more access. But while Snowden was looking for additional information about NSA collection efforts, Dalke was apparently primarily interested in the money and was much less careful about hiding his digital traces.

On August 25, the undercover FBI agent sent a second amount of cryptocurrency to an address that Dalke had provided. A few days later, Dalke deposited a similar amount of the same type of cryptocurrency on an account in his true name at the cryptocurrency exchange Kraken, from which he withdrew the same amount in US dollars (ca. 4,500 USD) and deposited it at his bank account.


Final transfer and arrest

After much back and forth, Dalke and the undercover FBI agent agreed to transfer the full documents in Denver, Colorado. Dalke was told that a secure connection would be available at Union Station, on September 28, 2022, between 11:30 a.m. and 3:30 p.m., during which time he could transmit the classified material.

We don't know how this electronic dead drop worked, but a likely option would be a secured Wi-Fi connection. That allows communicating at a certain distance without meeting in person or using the telephone network or the internet.

On September 28, Dalke arrived at Union Station and used his laptop to transfer five documents via the secure connection. Right after that he was arrested by the FBI.


Union Station in Denver, Colorado



Highly classified documents

In Denver, Dalke had sent the undercover FBI agent the following five documents:

1. A letter in which he wrote that he was very happy to provide the information and asked whether there were any desired documents which he was willing to find when he returned to his main office.

2. A ten-page typed document containing additional information related to the threat assessment of the military offensive capabilities of a foreign government (source of excerpt 1 which Dalke had sent his covert contact earlier on).
Classification: TS//SI-G//OC/REL TO USA, CAN, GBR/FISA

3. A fourteen-page typed document containing additional information related to sensitive US defense capabilities, a portion of which relates to a foreign government (source of excerpt 3).
Classification: TS//SI-G//OC/NF

4. A fourteen-page typed document containing additional information regarding plans to update a certain cryptographic program (source of excerpt 2).
Classification: TS//SI-G//OC/NF

5. A fourteen-page typed annex containing additional information related to the plans to update a certain cryptographic program (source of excerpt 2).
Classification: TS//SI-G//OC/NF


The abbreviations in these classification markings stand for:

- TS = Top Secret (release would cause exceptionally grave damage to national security)

- SI = Special Intelligence (intelligence from intercepted foreign communications)

- G = GAMMA (highly sensitive communications intercepts)

- OC = ORCON (the originator of the information controls to whom it is released)

- NF = NOFORN (the information may not be disclosed to foreign nationals)

- REL TO USA, CAN, GBR (Releasable to the US, Canada and the United Kingdom)

- FISA (information derived from FISA collection inside the US)


The GAMMA compartment

It is remarkable that all four documents which Jareh Dalke eventually transferred to his covert contact have the classification marking GAMMA, which is a compartment of the Special Intelligence (SI) control system to provide additional protection for highly sensitive communication intercepts.

Such documents are of course closely guarded, and even among the more than a thousand documents published during the Snowden revelations there were none from the GAMMA compartment. The Snowden trove did include 12 entries from the NSA's internal WikiInfo platform, which has the maximum classification level TOP SECRET//SI-GAMMA/TALENT KEYHOLE, but these particular entries contain no GAMMA information.

In 2015, however, Wikileaks had published a number of intelligence reports from the GAMMA compartment about the French president, the German chancellor and the UN secretary general. They were part of a series of documents, provided by a still unknown source, which were even more embarrassing for the US government than most of the Snowden files.




Intelligence report classified TOP SECRET//COMINT-GAMMA,
published by Wikileaks in 2015



Conclusion

Almost ten years after Snowden left the NSA with several hundred thousand files, it's remarkable and surprising that it's apparently still possible that someone gets a job there and just walks out with highly sensitive documents - within less than a month!

However, as the court records leave several key questions unanswered, we don't know whether Jareh Dalke was just "lucky" to find a way to solve his debts, or whether he was part of a more sophisticated Russian espionage operation.

As former NSA general counsel Rajesh De explained back in 2016, it is unlikely "you’re going to be able to stop every incident of somebody taking documents if they’re determined to do so. But the real question is how quickly can you detect it, how quickly can you mitigate the harm of any such incident." That at least seems to have gone well in this case.



Links and sources
- Court records: Affidavit (Sept. 27) - Indictment (Oct. 7)
- Schneier on Security: NSA Employee Charged with Espionage (Oct. 4, 2022)
- Clearancejobs: Ex-NSA Employee Arrested by FBI for Attempted Espionage (Sept. 30, 2022)
- Emptywheel: FBI Seems to Be Collecting Offers to Spy for Russia (Sept. 30, 2022)
- The New York Times: Former National Security Agency Employee Charged With Espionage (Sept. 30, 2022)

September 21, 2022

The highly classified documents found at Trump's residence Mar-a-Lago

(Updated: October 21, 2022)

This weblog is not only about signals intelligence, communications security and top level telecommunications equipment, but also about the US Classification System, which is equally fascinating in all its complexities.

Recently, an unprecedented photo from the FBI provided a unique look at highly classified documents which former US president Donald Trump stole from the White House and stored at his private residence Mar-a-Lago in Florida.

Here I'll provide a detailed explanation of these documents, as well as where they apparently came from.



Mar-a-Lago and the highest classified documents which the FBI found in Trump's office



Moving to Mar-a-Lago

On January 20, 2021, former president Donald J. Trump left the White House and moved his belongings to his residence Mar-a-Lago in Palm Beach, Florida. The National Archives and Records Administration (NARA) subsequently learned of approximately two dozen boxes of presidential records that had not been returned to it as required under the Presidential Records Act (PRA).

In late 2021, officials at the archives warned Trump's team that there could be a referral to the Justice Department or an alert to Congress if he continued to refuse to comply with the PRA. Apparently, Trump ultimately went through several boxes at Mar-a-Lago himself, and in late December his lawyers informed NARA that they had found 12 boxes of documents which were ready for retrieval.


Donald Trump's residence Mar-a-Lago in Palm Beach, Florida, March 2019
(White House photo)


15 boxes retrieved

On January 18, 2022, the NARA finally retrieved 15 boxes of records from Mar-a-Lago, containing presidential records and other sensitive material, along with various news clippings and other miscellanea. In its initial review of the materials within those boxes, NARA identified classified documents marked up to the level of Top Secret, including Sensitive Compartmented Information (SCI) and Special Access Programs (SAP).

On February 9, NARA told the Department of Justice (DOJ) that the 15 boxes contained highly classified records that were "unfoldered, intermixed with other records and otherwise unproperly identified." President Biden granted the FBI access to the boxes for examination and by May, the bureau had identified classified documents in 14 of the 15 boxes. In total, there were 184 classified documents, 67 of which were marked Confidential, 92 Secret and 25 Top Secret.


Criminal investigation

Former president Trump then attempted to delay the DOJ's review of the materials by asserting executive privilege over the documents. After the Assistant Attorney General for the Office of Legal Counsel rejected this claim, the FBI launched a criminal investigation to determine:

- How these classified documents were removed from the White House;
- Whether Mar-a-Lago was an authorized storage location for those documents;
- Whether additional classified documents had been removed from the White House;
- Which individuals were involved in the removal and storage of the documents at Mar-a-Lago.

A grand jury was empanelled and the FBI began interviewing several of Trump's personal aides as well as three former White House lawyers who had been among Trump's representatives to the archives.


Classification markings

On May 11, former president Donald J. Trump was served with a grand jury subpoena which ordered him to hand over any and all documents bearing at least the following classification markings:




These classification markings contain a lot of lesser-known abbreviations, which are explained in my earlier overview of the US Classification System. They are, in order of appearance:

- SI = Special Intelligence (intelligence from intercepted communications)
- G = GAMMA (sensitive communication intercepts)
- NOFORN = No Foreign Nationals
- ORCON = Originator Controlled
- HCS = HUMINT Control System (intelligence from human sources)
- HCS-O = HCS Operations (HUMINT operations and methods)
- HCS-P = HCS Product (HUMINT intelligence reports)
- TK = TALENT-KEYHOLE (intelligence from satellite collection)
- TS = Top Secret (release would cause exceptionally grave damage to national security)
- SAP = Special Access Program (non-intelligence equivalent of SCI)
- NF = NOFORN (see above)
- OC = ORCON (see above)
- FRD = Formerly Restricted Data (about nuclear weapons)
- NATO = Releasable to NATO partners
- S = Secret (release would cause serious damage to national security)
- C = Confidential (release would cause damage to national security)

This list may have been based upon the classification markings that the FBI found on the documents in the boxes that had already been retrieved by the National Archives, but according to The Washington Post, the goal of the list was to ensure recovery of all classified records, and not just those that investigators had reason to believe might be at Mar-a-Lago. This becomes clear from the fact that the list contains all possible combinations of the various markings.


Nuclear weapons information?

Therefore the markings in the list don't say whether or not certain kinds of information were present at Mar-a-Lago. That especially applies to press reports saying that among the things Trump was still hiding were documents about nuclear weapons, which was likely based upon the FRD marking in the list. Given that this marking is listed only once, there may have been only a few, if not just a single, document with nuclear weapons information, with many more about signals intelligence (SI) and human intelligence (HCS).

In an affidavit from August 5, the FBI listed the statutory authorities upon which it based its application for a search warrant:

- 18 USC 793(e), the Espionage Act
- 18 USC 1519, obstruction
- 18 USC 2071, willful concealment or removal of government records
- 44 USC 2201, the Presidential Records Act
- 44 USC 3301(a), the Federal Records Act
- EO 13526, the Executive Order governing classified information

Not listed was the Atomic Energy Act (AEA), so apparently the FBI didn't expect to find classified documents about American nuclear weapons. However, on September 6, it was reported that among the thousands of documents which the FBI eventually seized at Mar-a-Lago, there was one document that described a "foreign government's military defenses, including its nuclear capabilities" - which is much less secret and sensitive than information about American weapons.


Secret Service agents stand outside an entrance to Mar-a-Lago, August 8, 2022
(Photo: Terry Renna/Associated Press - click to enlarge)


A misleading statement

On June 3, 2022, the DoJ's Chief of Counterintelligence Jay Bratt and some FBI agents visited Mar-a-Lago where they received 38 additional classified documents, including 17 labeled Top Secret, in "a single Redweld envelope, double-wrapped in tape". One of Trump's lawyers signed a statement asserting that they had conducted a diligent search of the boxes from the White House and handed over the remaining classified material.

The FBI was informed that all of the records from the White House had been kept in one particular storage room and that "there were no other records stored in any private office space or other location at the Premises and that all available boxes were searched." However, government personnel were "explicitly prohibited from opening or looking inside any of the boxes that remained in the storage room."

Updates:

According to court records, the FBI agents and the DOJ counsel who were permitted to see the storage room on June 3, 2022, observed that there were approximately 50 to 55 boxes in that room, besides a coat rack with suit jackets, as well as interior decor items such as wall art and frames.

An unknown number of those boxes may have come from five (later repacked to six) pallets with about 85 document boxes which in July 2021 were shipped from a temporary office space used by Trump's staff in Arlington, Virginia to Mar-a-Lago (2 pallets) and a facility of Life Storage (4 pallets) in West Palm Beach, Florida.


Five pallets of boxes ready for shipment from Virginia to Florida, July 2021
(photo: GSA via FOIA request by Bloomberg)



The search at Mar-a-Lago

On August 5, 2022, a federal judge signed a search warrant for Mar-a-Lago on the grounds that "National Defense Information" (NDI) had been found in the boxes NARA retrieved from Mar-a-Lago and that there was probable cause to believe that additional documents containing such information remained at Trump's estate.

Three days later, FBI agents searched the Mar-a-Lago estate and seized what initially appeared to be 12 boxes of documents. Classified material was recovered from a storage room in the basement and from a container on the floor of a closet in a former dressing room of the bridal suite above the ballroom, which now serves as Trump's office, also known as the "45 office".


Items seized by the FBI

The result of this search is described in a form called "Receipt for Property" which lists 33 items, mostly boxes, labeled A-1 to A-73 (with gaps in the numbering). Besides the boxes there were also some separate documents, notes and binders of photos. A detailed discussion of these seized materials can be found at the emptywheel weblog.




According to a DoJ filing from August 31, these boxes contained over a hundred classified records spread over 11 boxes. In the receipt they are separately listed and marked with an additional A, for example: "13 - Box labeled A-18" which contained "13A - Miscellaneous Top Secret Documents", etc.


Highly classified documents

The most sensitive kind of documents, classified as Sensitive Compartmented Information (SCI), were only found in item #2, a "Leatherbound box of documents". These appeared so sensitive that "even the FBI counterintelligence personnel and DOJ attorneys conducting the review required additional clearances before they were permitted to review them."

On August 30, a filing by the Justice Department included an unprecedented photograph which shows the classified documents from the leatherbound box from Trump's office:


Classified documents marked as item #2A spread on the floor of Trump's office in Mar-a-Lago
(Photo via the US District Court for the Southern District of Florida - click to enlarge)


This photo was taken by the FBI in order to document the evidence they found, which explains the ruler and a marker that says that this is item #2A. To counter the impression that he had them lying on the floor like this, Trump said that it had been FBI agents who "took [these documents] out of cartons and spread them around on the carpet".

The documents were spread on a carpet with a classic flower motif, with on the right side a cardboard box with five picture frames, one of which shows a Time magazine cover from March 4, 2019, showing all the Democratic candidates who hoped to challenge Trump in the 2020 election.

On the left there's a small part of fringed dark-blue fabric, probably a curtain, and a white scalloped cabinet, which was identified as a $3,679 Birkdale File Chest - most likely from the time that this room was part of Mar-a-Lago's bridal suite.



Cover sheets

Most eye-catching are the colorful cover sheets for classified information. In the photo we can recognize four types, three of which were never seen before. Already known and publicly available are the standard cover sheets (SF704) with the broad borders in red, which are used to protect documents classified as Secret.


Secret/SCI

In the front of the photo there's a cover sheet which looks brownish but may also be red with the text "SECRET//SCI - Contains Sensitive Compartmented Information up to HCS-P/SI/TK". Unlike the common cover sheets for Secret documents, this one was never seen before. It is also rarer, because usually information from an SCI compartment is classified Top Secret.

The cover sheet for a document classified as Secret/SCI
(click to enlarge)


SCI is sometimes called "above Top Secret" but officially that's not correct: SCI encompasses compartments of information that provide additional protection within the level Top Secret. In the same way these compartments can exist within the level Secret and actually a particular SCI compartment may contain information at any classification level:



Top Secret/SCI

In the FBI photo we also see five cover sheets for documents classified as Top Secret/SCI. While the standard cover sheet for Top Secret information (SF703) is also publicly available, this one was never seen before. It has a broad border in yellow, which is the color code for Sensitive Compartmented Information (SCI), and text in orange, which may refer to the color code for Top Secret:

Cover sheets for documents classified as Top Secret/SCI
(click to enlarge)


A White House cover sheet

Finally, there's a fourth cover sheet, which is only partially visible because it's folded back, probably to show the classification marking on the document. On the cover sheet we can only read some fragments, like "THIS", "PLEASE STORE IN" (a GSA Approved Security Container which is depicted right above these words) and "UNAU[THORIZED]".

In the upper right corner it has a seal which can be identified as that of the Executive Office of the President of the United States (EOP), which includes a range of offices and bodies like the National Security Council (NSC), the White House Military Office (WHMO) and the staff of the West Wing.

The custom White House cover sheet
(click to enlarge)


This document is classified Top Secret, but interestingly, the rest of the classification line has been redacted by the FBI. Usually that happens when a particular program or compartment has not been declassified. Given that it has a custom White House cover sheet, the document may be about a sensitive plan or program from the president or the NSC.


SCI compartments

The various cover sheets not only hide the content of the particular documents, but also their mandatory classification line at the top and the bottom of the document. Therefore we don't know which kind of intelligence they contain and how sensitive they actually are.

The cover sheets for Secret/SCI and Top Secret/SCI both have the warning "Contains Sensitive Compartmented Information up to HCS-P/SI/TK", which means the documents may contain information from one, two or even all three of the following SCI control systems:

- HCS-P = Humint Control System - Product (intelligence from human sources)
- SI = Special Intelligence (intelligence from intercepted communications)
- TK = TALENT KEYHOLE (intelligence from satellite collection platforms)

At least the documents under these SCI cover sheets don't contain the most sensitive human intelligence information, which is protected by the HCS-O(perations) compartment.

It's not clear whether these cover sheets are also used for documents with information from compartments or sub-compartments of these control systems, i.e. even more sensitive and closely guarded secrets.

Update:
On October 21, 2022, The Washington Post reported that one of the most sensitive documents seized by the FBI describes Iran's missile program. Others describe highly sensitive intelligence work aimed at China, according to anonymous sources, who also said that many of the more sensitive documents are "top-level analysis papers that do not contain sources' names. But even without individual identifiers, such documents can provide valuable clues to foreign adversaries about how the United States may be gathering intelligence, and from whom."


Dissemination markings

Besides the documents with a cover sheet, the FBI photo shows 12 classified documents without such colorful protection, so the FBI redacted all of their content. One document (between the yellow Top Secret/SCI cover sheets) is fully redacted; on the others we see the following classification markings:

- SECRET//ORCON-USGOV/NOFORN and LIMITED ACCESS (2 documents)
- SECRET//ORCON-USGOV/NOFORN (6 documents)
- SECRET with additional markings redacted (1 document)
- SECRET NOFORN (1 document)
- SECRET and something illegible (1 document)
- CONFIDENTIAL and LIMITED ACCESS (1 document)

Distinctive here are the so-called dissemination markings, which are added to the classification level to restrict the dissemination of information among only those people who have the appropriate clearance level and the need to know the information. The dissemination markings seen here are:

- ORCON, which means the originator of the information controls to whom it is released. It allows originators to maintain knowledge, supervision, and control of the distribution of the information beyond its original dissemination. Further dissemination of this information requires advance permission from the originator.

- ORCON-USGOV, which means the information "has been pre-approved for further dissemination without originator approval to the US Government's Executive Branch Departments and Agencies." It's not allowed to use this marking with information classified as SI-G or HCS-O.

- NOFORN, which means the information may not be disclosed or released to foreign nationals, foreign governments, or international organizations of governments without permission by the originator.

- LIMITED ACCESS does not seem to be a registered dissemination marking: it's not part of the classification line and is listed neither in the 2016 manual for the Intelligence Community Markings System nor in the list of CUI dissemination markings from 2021, which suggests that it's an internal White House marking.
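As an added example that is not part of the original post: the Python script below parses a classification line of the kind seen in the FBI photo into the marking families explained in this article (classification level, the SCI control systems SI, SI-G, TK, HCS, HCS-P and HCS-O, the AEA markings RD and FRD, and the dissemination controls NOFORN, ORCON, ORCON-USGOV and REL TO), checks the rule quoted above that ORCON-USGOV may not be combined with SI-G or HCS-O, and decides whether a given reader may be shown the document. The Reader model, its attributes and the access rules are my simplifying assumptions for illustration, not an official implementation, and the sample banner lines are constructed from the markings listed in this post.

```python
"""Parse a US classification banner line and check who may read the document.

Added example for this article, not code from any official marking tool.
It covers the marking families explained above: classification level,
SCI control systems (SI, SI-G, TK, HCS, HCS-P, HCS-O), Atomic Energy Act
markings (RD, FRD) and dissemination controls (NOFORN, ORCON, ORCON-USGOV,
REL TO). The Reader model and the access rules are simplifying assumptions.
"""
from dataclasses import dataclass, field

LEVELS = {"U": 0, "UNCLASSIFIED": 0, "C": 1, "CONFIDENTIAL": 1,
          "S": 2, "SECRET": 2, "TS": 3, "TOP SECRET": 3}
LEVEL_NAMES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
SCI = {"SI", "SI-G", "TK", "HCS", "HCS-P", "HCS-O"}
AEA = {"RD", "FRD"}
# Long and short forms of the dissemination controls map to one canonical token.
DISSEM = {"NOFORN": "NOFORN", "NF": "NOFORN", "ORCON": "ORCON", "OC": "ORCON",
          "ORCON-USGOV": "ORCON-USGOV", "OC-USGOV": "ORCON-USGOV"}


@dataclass
class Banner:
    level: int                                   # index into LEVEL_NAMES
    sci: set = field(default_factory=set)        # SCI control systems / sub-controls
    aea: set = field(default_factory=set)        # RD / FRD
    dissem: set = field(default_factory=set)     # canonical dissemination controls
    rel_to: set = field(default_factory=set)     # countries from "REL TO USA, GBR"
    other: set = field(default_factory=set)      # anything not recognised (e.g. SAP names)


def parse_banner(line: str) -> Banner:
    """Split 'SECRET//HCS-P/SI/TK//ORCON-USGOV/NOFORN' into its marking families.

    '//' separates banner segments, '/' separates markings within a segment.
    Markings are sorted into families by token, not by position, so a banner
    with a missing segment (e.g. no SCI part) still parses.
    """
    segments = [s.strip() for s in line.upper().split("//")]
    if segments[0] not in LEVELS:
        raise ValueError(f"unknown classification level: {segments[0]!r}")
    b = Banner(level=LEVELS[segments[0]])
    for seg in segments[1:]:
        for tok in (t.strip() for t in seg.split("/") if t.strip()):
            if tok.startswith("REL TO "):
                b.rel_to |= {c.strip() for c in tok[len("REL TO "):].split(",")}
            elif tok in SCI:
                b.sci.add(tok)
            elif tok in AEA:
                b.aea.add(tok)
            elif tok in DISSEM:
                b.dissem.add(DISSEM[tok])
            else:
                b.other.add(tok)
    return b


def validate(b: Banner) -> list[str]:
    """Return the marking-rule violations found (an empty list means consistent)."""
    problems = []
    # Rule quoted in the article: ORCON-USGOV may not be used with SI-G or HCS-O.
    if "ORCON-USGOV" in b.dissem and b.sci & {"SI-G", "HCS-O"}:
        problems.append("ORCON-USGOV is not permitted with SI-G or HCS-O")
    # "No foreign release" and "releasable to ..." contradict each other.
    if "NOFORN" in b.dissem and b.rel_to:
        problems.append("NOFORN and REL TO cannot appear on the same banner")
    # ORCON-USGOV is a pre-approved variant of ORCON, not an addition to it.
    if {"ORCON", "ORCON-USGOV"} <= b.dissem:
        problems.append("ORCON and ORCON-USGOV are mutually exclusive")
    if b.level == 0 and (b.sci or b.aea):
        problems.append("SCI and AEA markings require a classified document")
    return problems


@dataclass
class Reader:
    clearance: int                       # index into LEVEL_NAMES
    sci_access: set = field(default_factory=set)
    country: str = "USA"
    executive_branch: bool = False       # US Executive Branch department or agency
    originator_approved: bool = False    # originator agreed to this further dissemination


def may_access(b: Banner, r: Reader) -> tuple[bool, str]:
    """Clearance level, SCI accesses and dissemination controls must all allow it."""
    if r.clearance < b.level:
        return False, f"clearance below {LEVEL_NAMES[b.level]}"
    missing = b.sci - r.sci_access
    if missing:
        return False, "no access to " + "/".join(sorted(missing))
    foreign = r.country != "USA"
    if foreign and "NOFORN" in b.dissem:
        return False, "NOFORN: not releasable to foreign nationals"
    if foreign and b.rel_to and r.country not in b.rel_to:
        return False, f"not releasable to {r.country}"
    if "ORCON" in b.dissem and not r.originator_approved:
        return False, "ORCON: originator approval required"
    if "ORCON-USGOV" in b.dissem and not (r.executive_branch or r.originator_approved):
        return False, "ORCON-USGOV: pre-approved only for US Executive Branch agencies"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample lines, built from the markings listed in the article.
    for line in ("SECRET//ORCON-USGOV/NOFORN", "TOP SECRET//HCS-P/SI/TK//NOFORN",
                 "SECRET//SI-G//ORCON-USGOV"):
        banner = parse_banner(line)
        print(line, "->", banner, validate(banner))
    analyst = Reader(clearance=3, sci_access={"SI", "TK"}, executive_branch=True)
    print(may_access(parse_banner("TOP SECRET//HCS-P/SI/TK//NOFORN"), analyst))
```

Note that the script deliberately keys the checks on the markings themselves, not on the position of a segment in the line: a document marked SECRET//HCS-P/SI/TK is still SCI and still needs the listed accesses, which is the point made above that SCI is not "above Top Secret" but a set of compartments that can sit at any classification level.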

This brings to mind US Director of National Intelligence Dan Coats who in February 2018 warned that presidential aides with interim security clearances should only have limited access to classified information. Not much later a bill to the same effect was introduced, but didn't pass the House of Representatives.

Shortly before it had come out that Trump's former staff secretary Rob Porter and his son-in-law Jared Kushner were working under an interim security clearance and more than 30 of Trump's aides had their clearance downgraded from Top Secret to Secret.


In total, the FBI photo of item #2A shows 22 classified documents: 1 Confidential, 14 Secret and 7 Top Secret.



The detailed property inventory

As if the photo of the classified documents wasn't enough, the court also unsealed the Detailed Property Inventory, which happened on September 2, 2022. This inventory lists in more detail all the things the FBI seized at Mar-a-Lago:




Total number of classified documents

In this inventory we see the other documents which the FBI found in the leatherbound box (item #2), showing that it actually contained 1 Confidential and 1 Secret document more than seen in the photo, maybe because some were stacked together. In total, the leatherbound box contained 24 classified documents:

- 7 Top Secret, of which 5 with a Top Secret/SCI cover sheet and 1 with an EOP/White House cover sheet
- 15 Secret, of which 1 with a Secret/SCI cover sheet
- 2 Confidential

Overall, the FBI seized 103 classified documents: 31 Confidential, 54 Secret and 18 Top Secret, dispersed in 13 boxes from the storage room as well as in the leatherbound box from Trump's office, where one separate classified document (item #1) was found as well.


Empty folders

According to the detailed inventory, item #2 also included 43 "Empty Folders with "CLASSIFIED" Banners" as well as 28 empty folders labeled "Return to Staff Secretary/Military Aide". This kind of folder is used in the White House to bundle (and cover) the actual classified documents for the president. From Obama's presidency there are several photos of such folders:


A folder holding classified information on president Obama's desk, June 2009
(White House photo - click to enlarge)


There even appeared a photo on Twitter of such an empty folder which is on display among other memorabilia from Trump's presidency in the 45 Wine & Whiskey bar on the lobby floor of Trump Tower in Manhattan:



In total, the detailed inventory lists 48 of these empty folders, so it's possible that they originally contained the 103 classified documents which the FBI found "unfoldered" and scattered among the various boxes. It is interesting, though, that 43 of those empty folders were in the box with the (much smaller number of) classified documents in Trump's office.

At the White House such folders and their content had to be returned to the staff secretary, just like how the empty folders for unclassified documents were labeled. However, this didn't bother Trump, who had the habit of simply ripping up(!) any papers he was no longer interested in or had finished reviewing.

He did so with papers ranging "from routine documents to classified material, and leaving the pieces strewn around the floor or in a trash can. Officials would have to rummage through the shreds and tape them back together to recreate the documents in order to store them as required under the Presidential Records Act."

Update:
On September 26, 2022, the Justice Department filed a slightly revised version of the Detailed Property Inventory. It shows small differences in the number of press clippings and unclassified government documents and that in box 33 there were only 2 empty "Return to Staff Secretary" folders and no empty folders for classified documents, so in total there are just 46 instead of 48 empty classified folders.



Trump's boxes

According to the Detailed Property Inventory, the FBI also found a huge number of "US Government Documents/Photographs without Classification Markings" - over 1400 in Trump's office and over 9700(!) in the various boxes from the storage room.

In a dispute about possibly privileged documents, Trump's lawyer claimed that the over 11,000 unclassified documents amount to some 200,000 pages, but later a special master said they only contain 21,792 pages, which is an average of less than 2 pages per document.

Also interesting is that most of the 26 boxes from the storage room contain a mix of:

- Magazines, newspapers, press articles, other printed media (1,673 in total)
- Classified US government documents (103 in total)
- Unclassified US government documents/photographs (11,179 in total)
- Miscellanea (clothing, books, gifts and empty folders)


Trump's way of working

This more or less similar composition can be explained by Trump's routine at the White House, where he used to work in the small dining room near the Oval Office. On the dining table he made piles of paper, which included everything from news articles to highly classified government documents. These were stacked into cardboard boxes, while "staffers kept swapping out the boxes as they filled up."

Trump also had material sent "up to the White House Residence, and it was not always clear what happened to it. He sometimes asked to keep material after his intelligence briefings, but aides said he was so uninterested in the paperwork during the briefings themselves that they never understood what he wanted it for."

The boxes followed him wherever he went as they contained "all the save-for-later items that Trump would spend long flights going through: articles that he wanted to scribble Sharpie messages on before mailing them off to close friends; gossipy stories about West Wing drama that he would hate-read as he sought to identify leakers; and, occasionally, important memos on any number of policy topics or budding crises."



Disorderly piles of paper on president Trump's desk in the Oval Office, January 28, 2017
(photo: Drew Angerer/Getty - click to enlarge)



The boxes that went to Florida

The papers that Trump had accumulated in his last several months in office had been dropped into roughly two dozen boxes, which had apparently been in the White House Residence and thus were packed up with Trump's personal belongings.

As such, they not only contained some highly classified documents, but also several personal mementos, including the "love letters" from the North Korean dictator Kim Jong-un and the letter which former president Obama left on his last day in office.

Although the White House Counsel's Office had told Trump's chief of staff Mark Meadows that these boxes in the Residence needed to be turned over to the National Archives, they were actually shipped to Mar-a-Lago.

Eventually, at least 42 boxes arrived in Florida. 15 of them were retrieved by the National Archives on January 18, 2022, 38 classified documents were handed over to the FBI on June 3, while the rest was seized during the search on August 8.

However, as emptywheel noticed, the press clippings date back to 1995, but there are none that postdate November 2020, which may indicate that the FBI still does not have all the documents that Trump took with him.

Overview of the boxes and classified documents which Trump stored at Mar-a-Lago
(click to enlarge)



Links and sources

- Emptywheel: Trump Document Theft Resources
- LegalEagle: Videos about the Mar-a-Lago search case
- Wikipedia: FBI search of Mar-a-Lago

- The Washington Post: Mar-a-Lago classified papers held U.S. secrets about Iran and China (Oct. 21, 2022)
- New York Intelligencer: Trump Was Betrayed by His Diet Coke Valet (Oct. 14, 2022)
- The New York Times: Justice Dept. Is Said to Believe Trump Has More Documents (Oct. 6, 2022)
- Business Insider: Court accidentally unsealed, then deleted, documents from the Mar-a-Lago case describing information the FBI seized from Trump (Oct. 6, 2022)
- Bloomberg: Trump Says US Agency Packed Top-Secret Documents. These Emails Suggest Otherwise. (Oct. 5, 2022)
- The Washington Post: Material on foreign nation’s nuclear capabilities seized at Trump’s Mar-a-Lago (Sept. 6, 2022)
- The New York Times: F.B.I. Found 48 Empty Folders That Had Contained Classified Documents at Trump’s Home (Sept. 2, 2022)
- Lawfare: A Justice Department Show of Force in the Mar-a-Lago Case (Aug. 31, 2022)
- The Washington Post: The photo of classified documents at Trump’s Mar-a-Lago resort, annotated (Aug. 31, 2022)
- Politico: Trump team likely sought to conceal classified docs at Mar-a-Lago, DOJ tells judge (Aug. 30, 2022)
- Indian Express: Inside the 20-month fight to get Trump to return Presidential material (Aug. 28, 2022)
- The New York Times: Another Trump Mystery: Why Did He Resist Returning the Government’s Documents? (Aug. 18, 2022)
- The Guardian: FBI searched Trump’s Mar-a-Lago home for classified nuclear weapons documents (Aug. 12, 2022)
- CNN: Former White House officials describe Trump's habit of ripping up documents and haphazard record-keeping (Feb. 8, 2022)
- US State Department: Storing and Safeguarding Classified Material (Feb. 24, 2022)

Some older articles on this weblog that are of current interest: