November 27, 2013

DRTBOX and the DRT surveillance systems

(Updated: June 14, 2018)

In recently published charts from NSA's BOUNDLESSINFORMANT tool about France, Spain, Norway and Afghanistan we see the mysterious term DRTBOX. For example, the screenshot for Norway presents 33 million telephony metadata, which were collected from mobile phone networks by a facility designated US-987F and processed/analysed by DRTBOX:

(Click for a bigger version)

Unlike what it seems, DRTBOX is not a codename, but part of a wireless surveillance system, made by a company generally known as DRT. This article will show that this company manufactures a range of sophisticated surveillance and tracking devices, used by US law enforcement and signals intelligence agencies.

Digital Receiver Technology, Inc.

DRT is the abbreviation of Digital Receiver Technology, Inc. This company was formerly known as Utica Systems, Inc. and founded in 1980 in Frederick, Maryland, to produce devices for what was called the "Communications Surveillance Community". The company developed a solid reputation for communication equipment based on Digital Signal Processing (DSP).

In October 1997, the company adopted its current name and moved to a new plant in Germantown in April 1998. DRT was purchased by Boeing in December 2008 and is now a wholly-owned subsidiary of this major US military contractor. DRT continued its production of state-of-the-art DSP-based equipment and was described as a "key supplier in the growing SIGINT market" in 2009.

In 2010, Boeing also acquired Argon ST and combined with DRT this created a "SIGINT powerhouse", giving Boeing a competitive advantage in the SIGINT market, according to market analysts. In 2011, both acquisitions were consolidated into the new Electronic & Mission Systems (E&MS) division of the Boeing company.

In fall 2012, DRT moved to a new facility in the Milestone area of Germantown. This facility comprises 135,000 sq. ft. with approximately 50,000 sq. ft. dedicated to equipment manufacture, and the remainder dedicated to offices and engineering development laboratories:

The headquarters of Digital Receiver Technology, Inc. in Germantown, MD.

Currently, the company's homepage only advertises miniature multi-format wireless communications scanners to be used by the wireless industry for measurement and testing purposes. As an example, the website shows two products from the 4300-series.

But: "Due to the sensitive nature of our work, we are unable to publicly advertise many of our products". This is followed by contact information for commercial customers and for "all other" customers, which are obviously government agencies. Latter can contact DRT through a mail address and also by calling toll free: "(866) DIRTBOX" - a clear hint to the DRTBOX mentioned in the NSA screenshots.

Just like many other military contractors in recent years, DRT also removed information about national security related products from its website. Between 2003 to 2009, earlier versions of DRT's homepage frankly said:
"DRT designs and manufactures advanced electronic equipment to support the missions of the US Signals Intelligence (SIGINT) and law enforcement communities. The current product line includes a variety of portable and rack-mounted wireless communications receivers capable of processing a variety of modern wireless protocols. For more information about these products, please contact DRT."

Law enforcement

A good example of the devices which DRT manufatures and develops for use by law enforcement agencies is given by the company itself, in trying to open new markets.

In 2010, Boeing, on behalf of its subsidiary DRT, submitted a statement (pdf) before the National Telecommunications and Information Administration (NTIA) in reaction to an inquiry regarding contraband cell phone use in prisons. The statement says that:
"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use. During this registration process calls are not disrupted. All calls, including 911 calls, are released, including those made from the contraband cell phones. The DRT device identifies cell phones as “not of interest” or “of interest” (i.e., the contraband cell phones).

Cell phones not of interest, such as those belonging to prison personnel or commercial users in the area, are returned to their local network. Cell phones of interest are forced to transmit so that the DRT device can locate them by calculating a line of bearing.

In one mode of operation, the DRT device then returns the cell phone to its network, permitting it to send and receive calls. In another mode of operation designed for use by federal law enforcement entities, the cell phone can be locked onto the DRT device, preventing its contraband use."

Boeing wanted NTIA to recommend to Congress that the Communications Act of 1934 should be modified in order to allow prison officials and state and local law enforcement to use these kinds of cell phone management, prevention or location technologies. Currently, only federal agencies, like the FBI, are allowed to use devices that jam or block wireless communications. Federal Communications Commission (FCC) licensing should also apply, for which Boeing delivered a similar statement in 2012.

A similar device (also known as IMSI Catcher, Cell-site Simulator or Digital Analyzer) used by American law enforcement agencies for tracking and intercepting cell phones is called StingRay, which is manufactured by the Harris Corp. The price of a StingRay device is between 60.000,- and 175.000,- USD. Harris also provides related equipment under the nicknames AmberJack, KingFish, TriggerFish and LoggerHead.

Prison pilots

In December 2010, DRT participated in a pilot at the Maryland Correctional Institution-Jessup (MCIJ). After sensors were placed, DRT collected data showing when cell phones were turned off, turned on and registered with the nearest cell phone tower. Data were send to a laptop used to record the data and the company then analyzed the time and length of messages over the course of the pilot. A portable sensor was used to identify particular cells that had a high probability of cell phone usage within.

In 2012, DRT was selected to develop and implement a Managed Access System (MAS) for the California State Prison system. A MAS is used to allow authorized cell phones to connect to the standard carrier networks, while preventing unauthorized cell phones (like from inmates) from connecting to the carrier networks.

Other usage

The aforementioned Boeing statement claimed that DRT's cell phone management, prevention and location technologies could also provide important benefits in a wide variety of law enforcement situations outside the prison context. For example, Special Weapons and Tactics (SWAT) teams and other paramilitary tactical units could effectively control wireless communications by suspects in a building during a raid.

Boeing carefully described only those future applications for which regulations have to be changed - trying not to admit that DRT systems are already used at the federal level for decades. They provide agencies like FBI with some powerful tools (DRT devices can be used to perform a man-in-the-middle attack), although they are expensive and must be operated by highly trained law enforcement personnel.

At the FBI, the DRT systems are likely operated by the Data Intercept Technology Unit (DITU), which is a highly secretive division specialised in intercept technology. DITU is also responsible for collecting data from US internet companies under NSA's PRISM program. For these federal agencies, a presentation about DRT devices was given at the 10th FED TECH Interagency Technical Training Conference, held in San Diego in January 2010:

In this schedule we see "DRT Box" again, but apart from a LinkedIn-profile, this term is rarely found and therefore it's not really clear what it stands for. At first glance it seems that DRTBox simply refers to box-like surveillance devices, but if we look at the BOUNDLESSINFORMANT screenshots, we see that the actual data collection is done by facilities designated by SIGADs and that DRTBOX is in the same section as for example XKEYSCORE, which means DRTBOX is probably an integrated indexing and analysing system for wireless communications data, just like XKEYSCORE is for internet data.

On November 13, 2014, the Wall Street Journal broke a story saying that since 2007, the Technical Operations Group of the US Marshals uses "dirtboxes" aboard Cessna aircraft operating from at least five metropolitan-area airports. The DRTBoxes mimic cell towers and trick cellphones to collect identity and location information on cell phone users, this in order to track and catch criminals like drug-traffickers.

The FBI is apparently using the similar Stingray devices only to collect phone metadata, not content, for which individual warrants would be required.

Signals Intelligence

Where the FBI uses systems from Digital Receiver Technology domestically, the NSA is most likely the main customer for use abroad. On a website for Signals Intelligence (SIGINT) and Electronic Warfare (EW), DRT is listed as a provider of:
- SIGINT Design Engineering Services
- SIGINT Consulting Services
- Communications ESM Systems
- COMINT Systems
- RF Receivers

DRT products for signals intelligence missions include high performance Software Definable Receiver (SDR) and transceiver products, including multi-channel platforms for man-portable, mobile and airborne applications, aboard RC-135 Rivet Joint, Combat Sent or Cobra Ball aircraft.

From various public job descriptions it becomes clear that DRT devices are widely used in tactical ground operations, where they are part of the equipment used by SIGINT/EW collection teams assigned to field deployed Special Forces Groups. These are so-called Low Level Voice Intercept (LLVI) devices.

DRT systems are also used as remote controlled collection systems, with the surveillance devices installed at fixed locations, like in areas where there's widespread hostile cell phone or radio use. The collected data go to ONEROOF, which is NSA's main tactical SIGINT database, containing raw and unfiltered intercepts.

Low Level Voice Intercept equipment being used during a field operation.
It's not clear whether the device in the video is from DRT,
but it's certainly very similar.

DRT SIGINT products

A job description for a SIGINT Systems Engineer (job location: Fort Meade) requires "experience working with SIGINT systems, especially on systems utilizing Digital Receiver Technology (DRT) Series 1000 and 2000 equipment" and also familiarity "with the software used to control the DRT systems". Software used for the 1000 series product line is called Alaska.

More specific designations of DRT devices from the 1000-series can be found in various other job resumes, reading like "SIGINT/EW collection and exploitation systems, to include the DRT-1101A/1301B/1501, MINI-EXPIATION, HIDRAH, LOGGERHEAD, Harris Suite (STINGRAY, KINGFISH, BLACKFIN, GOSSAMER), AR-8200, Explorer/Scout, and the PRD-13v2/ISSMS".

The DRT 1101A was a second generation wireless communications receiver developed by DRT around the year 2000. DRT's former website described the device as follows:
"The DRT 1101A provides a compact, yet powerful, test and measurement capability for a variety of first and second generation wireless standards. The system also possesses the capability to detect and extract cellular FAX signals. The system is based on an industry-standard bus format, and uses the latest in digital signal processing (DSP) and microprocessor technology."

Another device from the 1000-series is the DRT 1301C, which is used by Special Operations Forces:
"The DRT 1301C, manufactured by Digital Receiver Technology, Inc., is a portable, ruggedized radio designed for operations in tactical and/or harsh environments. It provides a miniature yet powerful surveillance capability. The radio has a frequency range of 20-3000 MHz and operates against a variety of analog and digital wireless standards. The transmitter has a power output range of 1 W (standby) to 75 W (48 channels, 3 tuners); it weighs 10.5 lb and measures 3 in. (H) by 8.5 in. (W) by 11.2 in. (D)."

An example of a DRT device from the 2000-series is the DRT 2101A, which was described as:
"a compact wideband tuner system consisting of up to eight wideband tuner modules, each covering the 0.5 MHz to 3 GHz frequency band. Each tuner module has a 30-MHz instantaneous bandwidth and can be operated in either an independently or coherently tuned mode under software control. The tuner module is factory configured to provide a high-level analog baseband output."
The Internet Archive also contains this picture of the DRT 2101A device as it looked in 2003:

A close look at the device shows that it consists of separate modules (here in a vertical position) which can be added depending on the specific needs. See for example this description of the Wireless Processor Module 2 (WPM2).

The Military Intelligence School's System Training Plan (pdf) from October 2013 about the Prophet Electronic Support System says that DRT devices are used in the Prophet Sensor vehicles, which are the ground-based tactical SIGINT collection components of the Prophet system:
- A DRT 1201B receiver is in the Prophet Spiral 1 Sensor (military designation: AN/MLQ-40(V)4), which is a M1102 tactical trailer, pulled by a M1165 B3 three-seat, fully armored High-Mobility Multipurpose Wheeled Vehicle (HMMWV or Humvee). Two Panasonic Toughbooks CF29 or CF30, running mission and communications software packages, control the DRT 1201B and enable the reporting and processing of intelligence. An AN/VRC-99 line-of-site radio provides data access to NSANET.

- A second DRT 1301C receiver-processor for man-packable operations is in the Prophet Enhanced Sensor.

- A DRT 1201 receiver is in the fixed-site version of the Prophet Enhanced Sensor, which also contains a BAT-1214 SATCOM terminal and a DF90/DF80/MS Antenna, among other equipment.

- A DRT 1301C is in the Mobile-At-the-Halt configuration, along with a DF90 antenna, and BAT-750 SATCOM terminal. Here, the DRT 1301C can also be reused in a man-packed configuration.

- A DRT 1201C replaces the DRT 1201B in a fourth variant of the Prophet Enhanced Sensor in stationary fixed-site configuration. The DRT 1201C device is described as a next generation receiver-processor that increases collection capability and enables future upgrades.

(similar SIGINT equipment for the Prophet system is developed by the Linkabit division of L-3 Communications)

A Prophet Spiral M1165 Humvee

The tactical deployed DRT systems are mainly used for operations in Iraq and Afghanistan, but it's very well possible that the equipment was also used at the joint NSA-CIA Special Collection Service (SCS) unit in the US embassy in Berlin, which intercepted the mobile phone of German chancellor Merkel.

Update I:
On May 5, 2015, the website The Intercept published a 2006 NSA presentation about the RT10 collection effort, which was part of the Real Time-Regional Gateway (RT-RG) for Iraq, and later also for Afghanistan. This presentation includes a slide which shows that DRT (like MATTERHORN and EXPIATION) is used for the tactical interception of wireless GSM traffic:

Diagram showing tactical and national interception efforts for GSM communications
In the bottom left corner DRT is mentioned as one of the tactical systems
(JUG = JUGGERNAUT, a cell phone network interception system)
(G-Box = GARUDA, an airborne geo-location system for GSM)
(Click to enlarge)

Update II:
On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment. Included are illustrated entries for six different DRT devices: DRT 1101B, 1183B, 1201C, 1301C, 1301B3 and 4411B. Some of them are able to intercept and record of up to 24 voice channels and support target lists of up to 10.000 entries. Their price ranges from 40.000,- to 100.000,- USD. According to The Intercept, these DRT boxes can "track more than 200 phones over a wider range than the Stingray".

The DRT 1101B device for direction-finding and interception and
recording of up to 16 voice channels (with modules in a horizontal position)
(photo from the surveillance catalogue)

Foreign usage

Of course not only American agencies are using this kind of interception equipment. The FBI reportedly removed from several cell phone towers in the Washington DC area transmitters that fed all data to wire rooms at foreign embassies.*


On December 13, 2014, it was reported that DRT-like cell phone interception devices were found near important government offices and buildings in the city center of the Norwegian capital Oslo. In March 2015, it came out that these devices were actually placed by the Norwegian police and the Police Security Service PST, without properly informing the country’s National Communications Authority.

Besides by DRT and Harris, IMSI-catchers are also manufactured by some foreign companies, like for example the German high-tech firm Rohde & Schwarz (which patented such equipment in 2003), and the Israeli company Ability, which openly advertises their IMSI-catchers.

An internal NSA newsletter published in April 2017, revealed that NSA equipped its HOVER HAMMER steerable airship (blimp) with a DRT 1301 for intercepting international shipping data emanating from the Long Island, New York area.

Already in 2013, an NSA Information Assurance exercise revealed that a range of IMSI catchers were illegally installed around the White House and downtown Washington DC, likely installed by foreign intelligence agencies. The existence of such devices was officially acknowledged by the Department of Homeland Security in the Spring of 2018.

Links & sources

- The Team House: Tactical Signals Intelligence with SOT-A (2023)
- Vice Motherboard: Here's a Picture of a Phone-Tracking Device That We've Never Seen in the Wild (2016)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (2015)
- Here Is the Spy Equipment That Powers the FBI's Secret Dragnet
- Harvard Law review article: Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy
- Solange keiner meckert - Wie IMSI-Catcher unauffällig legalisiert wurden
- Matt Blaze: How Law Enforcement Tracks Cellular Phones
- New documents show how the NSA infers relationships based on mobile location data
- NSA Phone Tracking
- De DRT2101A: het apparaat waarmee de NSA telefoons afluistert
- List of 217 part numbers from Digital Receiver Technology, Inc.
- Presentation about Digital receiver technology for RWR, ESM and ELINT applications (pdf)
- Washington Institute: Stabilizing Iraq: Intelligence Lessons for Afghanistan
- Journal of Electronic Defense: What's New in SIGINT software?
- Overview: Toward a Universal Radio Frequency System for Special Operations Forces (pdf)

November 23, 2013

Screenshots from BOUNDLESSINFORMANT can be misleading

(Updated: January 23, 2017)

Over the last months, a number of European newspapers published screenshots from an NSA tool codenamed BOUNDLESSINFORMANT, which were said to show the number of data that NSA collected from those countries.

Most recently, a dispute about the numbers mentioned in a screenshot about Norway urged Snowden-journalist Glenn Greenwald to publish a similar screenshot about Afghanistan. But as this article will show, Greenwald's interpretation of the latter was wrong, which also raises new questions about how to make sense out of the screenshots about other countries.

Norway vs Afghanistan

On November 19, the website of the Norwegian tabloid Dagbladet published a BOUNDLESSINFORMANT screenshot which, according to the paper, showed that NSA apparently monitored 33 million Norwegian phone calls (although actually, the NSA tool only presents metadata).

The report by Dagbladet was almost immediatly corrected by the Norwegian military intelligence agency Etteretningstjenesten (or E-tjenesten), which said that they collected the data "to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad" and that "this was not data collection from Norway against Norway, but Norwegian data collection that is shared with the Americans".

Earlier, a very similar explanation was given about the data from France, Spain and Germany. They too were said to be collected by French, Spanish and German intelligence agencies outside their borders, like in war zones, and then shared with NSA. Director Alexander added that these data were from a system that contained phone records collected by the US and NATO countries "in defense of our countries and in support of military operations".

Glenn Greenwald strongly contradicted this explanation in an article written for Dagbladet on November 22. In trying to prove his argument, he also released a screenshot from BOUNDLESSINFORMANT about Afghanistan (shown down below) and explained it as follows:
"What it shows is that the NSA collects on average of 1.2-1.5 million calls per day from that country: a small subset of the total collected by the NSA for Spain (4 million/day) and Norway (1.2 million).

Clearly, the NSA counts the communications it collects from Afghanistan in the slide labeled «Afghanistan» — not the slides labeled «Spain» or «Norway». Moreover, it is impossible that the slide labeled «Spain» and the slide labeled «Norway» only show communications collected from Afghanistan because the total collected from Afghanistan is so much less than the total collected from Spain and Norway."

Global overview

But Greenwald apparently forgot some documents he released earlier:

Last September, the Indian paper The Hindu published three less known versions of the BOUNDLESSINFORMANT global overview page, showing the total amounts of data sorted in three different ways: Aggregate, DNI and DNR. Each results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map.

In the overall (aggregated) counting, Afghanistan is in the second place, with a total amount of over 2 billion internet records (DNI) and almost 22 billion telephony records (DNR) counted:

The screenshot about Afghanistan published by Greenwald only shows information about some 35 million telephony (DNR) records, collected by a facility only known by its SIGAD US-962A5 and processed or analysed by DRTBox. This number is just a tiny fraction of the billions of data from both internet and telephone communications from Afghanistan as listed in the global overview.


With these big differences, it's clear that this screenshot about Afghanistan is not showing all data which NSA collected from that country, not even all telephony data. The most likely option is that it only shows metadata from telephone communications intercepted by the facility designated US-962A5.

That fits the fact that this SIGAD denotes a sub- or even sub-sub-facility of US-962, which means there are more locations under this collection program. Afghanistan is undoubtedly being monitored by numerous SIGINT collection stations and facilities (like US-3217, codenamed SHIFTINGSHADOW which targets the MTN Afghanistan and Roshan GSM telecommunication companies), so seeing only one SIGAD in this screenshot proves that it can never show the whole collection from that country.

This makes that Greenwald's argument against the data being collected abroad is not valid anymore (although there maybe other arguments against it). Glenn Greenwald was asked via Twitter to comment on the findings of this article, but there was no reaction.

More questions

The new insight about the Afghanistan data means that the interpretation of the screenshots about other countries can be wrong too. Especially those showing only one collection facility, like France, Spain and Norway (and maybe also Italy and The Netherlands), might not be showing information about that specific country, but maybe only about the specific intercept location.

This also leads to other questions, like: are this really screenshots (why is there no classification marking)? Are they part of other documents or did Snowden himself made them? And how did he make the selection: by country, by facility, or otherwise?

There are many questions about NSA capabilities and operations which Snowden cannot answer, but he can answer how exactly he got to these documents and what their proper context is. Maybe Glenn Greenwald also knows more about this, and if so, it's about time to tell that part of the story too.

During a hearing of the German parliamentary investigation commission on January 19, 2017, former BND president Schindler said that the BOUNDLESSINFORMANT charts that Snowden took, were from training course material. This was said here for the first time and given the problems these charts caused for BND, it's possible that they asked NSA for more details after which this explanation came up. However, this still doesn't explains why the charts were interpreted incorrectly.

> See also: The BOUNDLESSINFORMANT interface

Links and Sources
- Le Monde/BugBrother: La NSA n’espionne pas tant la France que ça
- Bespioneerde de NSA ons of hebben wij zelf afgeluisterd?
- Greenwald’s Interpretation of BOUNDLESSINFORMANT NSA Documents Is Oftentimes Wrong
- NSA-files repeatedly show collection of data «against countries» - not «from»
- Europeans Shared Spy Data With U.S.
- Some thoughts and explanations about the BOUNDLESSINFORMANT numbers

November 15, 2013

Five Eyes, 9-Eyes and many more

(Updated: January 22, 2014)

On November 2, The Guardian published a lenghty article about the Snowden-leaks, which said that besides the close intelligence-sharing group of the US, Britain, Canada, Australia and New-Zealand, known as 5-Eyes, there are also groups called 9-Eyes and 14-Eyes.

According to The Guardian, the first consists of the 5-Eyes countries plus Denmark, France, the Netherlands and Norway and the latter adding another five European nations. This caused some embarrassment, as especially France and The Netherlands were heavily opposed to NSA's eavesdropping operations.

For almost everyone the existance of these 'Eyes' came as a surprise, but as this article will show, there are also 3-, 4-, 6-, 7-, 8-, 9- and 10-Eyes communities. They were created for restricting access to military and intelligence information to respective numbers of coalition nations. These 'Eyes' are used as handling instructions and often supported by dedicated communication networks.

Many new 'Eyes'

First we take a look at what The Guardian wrote about the 9-Eyes and other intelligence-sharing groups:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

In a similar article, The New York Times also mentioned these two new Eyes-groups, but without naming the participating countries, and instead of the 41-Eyes, adding NACSI, the NATO Advisory Committee for Special Intelligence:
"More limited cooperation occurs with many more countries, including formal arrangements called Nine Eyes and 14 Eyes and Nacsi, an alliance of the agencies of 26 NATO countries".

These new revelations seem to be confirmed by what is said in an informative 2012 paper (pdf) about Canada and the Five Eyes Intelligence Community:
"The Five Eyes sigint community also plays a ‘core’ role in a larger galaxy of sigint organizations found in established democratic states, both west and east. Five Eyes ‘plus’ gatherings in the west include Canada’s NATO allies and important non-NATO partners such as Sweden. To the east, a Pacific version of the Five Eyes ‘plus’ grouping includes, among others, Singapore and South Korea. Such extensions add ‘reach’ and ‘layering’ to Five Eyes sigint capabilities."

This text suggests that there are several western Five Eyes 'plus' groups, one of which sounds like the 14-Eyes mentioned by The Guardian. The eastern Five Eyes 'plus' refers to the 10-Eyes group, which will be described down below.

The existance of these hitherto unknown Eyes-groups came as a surprise, because it was generally assumed that NSA only had two kinds of partners for sharing signals intelligence:

- 2nd Party: the Five Eyes based upon the UKUSA-Agreement of 1946
- 3rd Party: a range of countries that have bilateral agreements with NSA

The CFBL Network

The term 9-Eyes could already be found in some other sources. One is an extensive article by the French weblog Zone d'Intérêt about the NATO exercise Empire Challenge 2008 (EC08), in which a number of operational and testing networks were used. One of them is the Combined Federated Battle Laboratories Network (CFBLNet), which is for research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.

The CFBL network consists of an unclassified (black) backbone network (the Blackbone) with transporting the encrypted traffic of several classified and unclassified enclaves as its main purpose. The main secure domains on the CFBL Blackbone are:
- The CFBLNet Unclassified Enclave (CUE), which is unclassified, but traffic is secured using 128 bit Advanced Encryption Standard (AES) encryption.

- The Four-Eyes Enclave (FEE), which is a classified enclave at the SECRET level, accessible for USA, GBR, CAN and AUS only. This enclave was moved from behind the BLUE enclave to the Blackbone in 2006.

- The 6-Eyes or BLUE Enclave, which is a classified enclave at the SECRET level, accessible for the Five Eyes plus NATO (see paragraph about 6, 8 and 10-Eyes)

- The 9-Eyes or NATO RED Enclave, which is also a classified enclave at the SECRET level, accessible for the NATO members of the Five Eyes plus France, Germany, Italy, Spain, The Netherlands and Norway. This enclave was established in 2006 for classified initiatives among NATO members.

- The Initiative Enclaves, which are created temporarily to support specific initiatives and are classified according to the initiative requirements.

We can see these parts of the CFBL Network mentioned in this slide about the networks used in the EC08 exercise:

The various networks involved in Empire Challenge 2008 (EC08)
(COI = Community of Interest, CFE = CENTRIXS Four Eyes,
DDTE = Distributed Development and Test Enterprise)
(full presentation: EC08 Networks (pdf), May 2008)

The 9-Eyes countries are also listed in a table in a NATO standardization document (pdf) from 2010. There we see that from the 4-Eyes only the US, the UK and Canada are part of the 9-Eyes, which makes sense, as Australia is not a NATO partner:

This table lists the groups of nations to which some specific multi-national intelligence and reconnaissance information can be released. This is shown by using the dissemination markings or handling instructions: REL NATO, REL 4-EYES, REL 9-EYES.

The famous Five Eyes term also has its origins in the former NSA dissemination marking EYES ONLY, which defined which 'eyes' may see certain material. Accordingly, documents authorized for release to the five UKUSA-countries were initially marked as AUS/CAN/NZ/UK/US EYES ONLY.

In conversations, allied intelligence personnel adopted the term "Five Eyes" as a shorthand because it was much easier to say. This term became widely used and even got its own abbreviation: FVEY, which is now used in REL FVEY, after the EYES ONLY marking was being replaced by the REL TO [country/coalition designator] format.

A classification line showing the REL FVEY marking

Two different 9-Eyes?

If we compare the nine members of the CFBLNet NATO domain with the 9-Eyes countries mentioned in The Guardian article, we see some differences:


The Guardian:

From the European NATO countries, France, The Netherlands and Norway are in both lists. The Guardian adds Denmark and the non-NATO members of the Five Eyes, which leaves Germany, Italy and Spain out.

Especially Germany and Italy not being included in this apparently close alliance seems strange, as both countries participate in other coalition groups and are both considered to be 3rd party partners of NSA. Maybe this explains Germany being "a little grumpy at not being invited to join the 9-Eyes group" as The Guardian read in GCHQ documents.

Unfortunately, The Guardian failed to provide any context or even a time period for their 9-Eyes and 14-Eyes listings, which makes it quite difficult to find an explanation for the different membership countries of these groups.

At first sight it seems there are two different 9-Eyes groups: one apparently closely related to NSA, and another one as a sharing group in the CFBLNet environment. But as 9-Eyes is used as a handling instruction for classified information, it has to be perfectly clear to which group of countries information marked REL 9-EYES may be released. Therefore we have to assume there can be only one 9-Eyes group at a time.

The 9-Eyes NATO group of the CFBL network was first mentioned in 2008 and still comprised the same nations in 2012. In the meantime, Sweden also became a full member of CFBLNet, but not being a NATO member, it wasn't included in the 9-Eyes sharing group.

The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)

One option to explain the differences between the two 9-Eyes could be changing membership, with countries added or removed on an annual basis depending on their participation in the CFBLNet. But this also wouldn't fit with the Guardian's list, as Australia and New Zealand are no NATO-members and Denmark is not a fully participating member nation of the CFBL network.

Unless The Guardian misinterpreted the Snowden-documents, it seems quite unlikely that their 9-Eyes could be the same as the NATO 9-Eyes on the CFBL network, but it seems also unlikely that there are two groups called 9-Eyes at the same time. The best guess at this moment would be that the Guardian's 9-Eyes was a group that only existed somewhere before the NATO group was formed.

From remarks made on Twitter by a Dutch journalist who works on the Snowden-papers, it seems that the 9-Eyes is a group for exchanging military signals intelligence related to operations in Afghanistan.

There's also the Multinational Interoperability Council (MIC), which is a forum for identifying interoperability issues and articulating actions to enhance coalition operations. It started in 1999 as the Six Nation Council and now has seven members: the US, Canada, Australia, Britain, France, Germany and Italy. It might be this group which is called 7-Eyes.

Also interesting is Alliance Base, which was the cover name for a secret Counterterrorist Intelligence Center (CTIC) that existed between 2002 and 2009. It was based in Paris and was a cooperation between six countries: the US, Canada, Australia, Britain, France and Germany. There's no indication this group was designated by a number of 'Eyes'.

The 14-Eyes and 3rd and 4th party partners

Now let's take a look at the 14-Eyes community, which was revealed for the first time by The Guardian. Looking at the number and the participating countries, it comes very close to CFBLNet, which had 13 full members (12 nations + the NATO organization) since 2010. But there are also some differences again:

CFBLNet members:

The Guardian:

These lists are very similar, except that Denmark and Belgium, which are on the Guardian's list, are not a (full) member of CFBLNet. Maybe these two countries joined CFBLNet only very recently, and in that case the 14-Eyes could refer to this group. It does show though that these NATO countries (and Sweden) are cooperating in additional information-sharing initiatives.

The exact purpose of such a cooperation in the 14-Eyes group isn't clear. The New York Times only says that the nations comprising the 9-Eyes and 14-Eyes groups have formal arrangements with NSA, which is something that also makes a country a traditional 3rd party partner.

According to Snowden-documents, about 30 countries have this status, but so far only the names of Germany, France, Austria, Denmark, Belgium and Poland were published. Some other sources say that Norway, Italy, Greece, Turkey, Thailand, Malaysia, Singapore, Japan, South-Korea, Taiwan, Israel and South Africa are 3rd party partners too.

If we compare this to the 14-Eyes, we see that only France, Germany, Norway, Italy, Belgium and probably Spain are known 3rd party partners. Sweden, Denmark and The Netherlands are not, but it's assumed they had or have less formal arrangements for exchanging SIGINT and cryptologic information with NSA. This also applies to Finland and Taiwan, and therefore these countries are sometimes called 4th party partners.

It seems there are roughly three possibilities:

A. All countries of the 14-Eyes (and subsequently those of the 9-Eyes) are actually 3rd party partners, because of having formal arrangements with NSA. Which means Sweden, Denmark and The Netherlands must have acquired that position in recent years. Grouping them in two 'Eyes' would only make sense if that's for some specific initiatives.

B. Countries belonging to the 9-Eyes and 14-Eyes have a more close relationship with NSA and are therefore somewhere in between the 2nd party and the 3rd party nations. This is what both papers suggest, but it seems not very likely that relationships like these allow that much of (formal) refinement.

C. The 9-Eyes and 14-Eyes are groups created for specific goals and consist of the Five Eyes with some additional 3rd and 4th party nations, depending on whether their participation is needed for achieving those goals.

A newly disclosed document has shown that all countries of the 14-Eyes are 3rd Party partners of NSA and that the actual name of this group is SIGINT Seniors Europe (SSEUR). More about this: 14-Eyes are 3rd Party partner forming the SIGINT Seniors Europe

In 2010, France was apperently ready to join the Five Eyes, but at the last moment the Obama White House said no.

The CFBL Network

The Combined Federated Battle Laboratories Network (CFBL or CFBLNet) is a distributed Wide Area Network (WAN), which allows for the testing of new multinational information-sharing capabilities before they're transitioned to the actual operational networks which are used worldwide to support Combatant Command operations. CFBLNet enables the sharing and exchange of information on experimentation and interoperability testing.

Each member nation operates several "Battle Lab" sites which are hook into the CFBLNet backbone at a national Point-of-Presence (PoP). In 2012 there were 247 sites divided over 12 countries. The backbone traffic is secured with TCE621 (in Europe) and TACLANE E100 (or KG-175 in the US) network encryptors. The Multinational Information Sharing Program Management Office (MNIS PMO) maintains day-to-day control and coordination of the network.

Every year, also several other NATO countries participate or observe as guest nations in one or more CFBLNet initiatives at existing lab sites.

The CFBLNet grew out the network designed to support the US Joint Warfighter Interoperability Demonstrations (JWID), which used to build a support network for the period of the demonstrations and tear it down afterwards. In 1999, the JWID exercise used, for the first time, a permanent infrastructure that became what is now called the Combined Federated Battle Lab Network (CFBLNet), as established by the NATO Consultation, Command and Control Board (NC3B) in 2001.

The 6, 8 and 10 Eyes

Creating separate access groups for coalition operations, and describing them with a certain number of 'Eyes' can be traced back to the early years of this century. The first occasion seems to have been the Joint Warrior Interoperability Demonstration 2003 in which also non-traditional partner countries were added to the communications network used by the UKUSA and NATO coalition.

Information sharing between different groups of coalition partners required that separate domains had to be created within one network: in 2003, the 5-Eyes countries and the NATO organization comprised the 6-Eyes domain, while these six members plus four Pacific Rim nations (Japan, South Korea, Thailand and Singapore) comprised the 10-Eyes domain. Each domain had its own Type-2/3DES-encrypted Virtual Private Network (VPN) which ran over a network secured by classified Type-1 encryption algorithms.

Slide with an overview of the 6-Eyes and 10-Eyes network domains
(full presentation: Agile Coalition Environment (pdf), 2003)

The 2004 edition of the Joint Warfighter Interoperability Demonstration also involved South-Korea, officially known as the Republic of Korea (ROK). To this end, three separate domains within CFBLNet were created and organized into two classification levels named 6-Eyes and 8-Eyes. The 8-Eyes domain consisted of the 6-Eyes countries plus NATO and ROK. The ROK domain was cryptographically isolated from the rest of CFBLNet by using TACLANE encryptors with Type-1 algorithms.

The 5, 4 and 3 Eyes

The long-standing and close intelligence-sharing community of the Five Eyes was downsized on two occasions. First in 1985, when New Zealand refused US nuclear-armed or nuclear-powered ships to visit its ports. As a result, the island was cut out of most intelligence arrangements led by the US. Some SIGINT was still being shared, but New Zealand got no American HUMINT or military intelligence anymore, except for operations in which it's actually participating.

Things not to be shared with New Zealand, were 4-Eyes only now. Staying outside most of the allied military operations, New Zealand was also not connected to the CENTRIXS Four Eyes (CFE) network (also called X-Net), which was created in 2001 and is extensively used for operational coordination between the remaining four partners: Australia, Canada, Great Britain and the US. Sites on this network have addresses in the format

For information sharing and exchange between these nations, there's also a separate network codenamed STONEGHOST, which is maintained by the US Defense Intelligence Agency (DIA). This network was previously called Intelink-C, which runs over it, and is now sometimes referred to as Q-Lat or Quad link. Information restricted to the 4-Eyes partners is marked with their respective country codes or the abbreviation thereof: ACGU.

A document showing the REL TO USA ACGU marking (source)

For collaborative planning at the strategic level there's another network called Pegasus (until 2010: GRIFFIN), which provides secure e-mail, chat and VoSIP communications for the 5-Eyes partners, as the military cooperation between the US and New Zealand was restored again in 2007. Probably by then, a separate network called CENTRIXS-NZ was set up, which connects the Four Eyes with New Zealand. Sharing intelligence information between the US and the Five Eyes is done through NSANet, which is a TS/SCI network controlled by NSA.

Another sub-group of the Five Eyes was formed when Canada didn't join the US in the 2003 war against Iraq. With New Zealand also not formally engaging, the 5-Eyes were now reduced to just 3-Eyes: the United States, Great Britain and Australia.
The relationship between these three countries became closer as both Britain and Australia were granted an upgrade of their intelligence access by president George W. Bush: both countries were granted (temporary and limited) access to America's classified SIPRNet for certain joint missions. This also reflects their bigger SIGINT collecting capabilities, compared to those of Canada and New Zealand.

> See for the latest: NSA's foreign partnerships

CENTRIXS networks

The main US-led multinational coalition networks are called CENTRIXS, which stands for Combined ENTerprise Regional Information eXchange System. It's a secure wide area network (WAN) architecture, which can be established according to the demands of a particular coalition exercise or operation. CENTRIXS supports intelligence and operations information sharing at the SECRET REL TO [country/coalition designator] level. Some notable CENTRIXS networks are:

- CENTRIXS Four Eyes (CFE) for the US, Britain, Canada and Australia.
- CENTRIXS-NZ for the Four Eyes plus New Zealand.
- CENTRIXS-JPN for the United States and Japan.
- CENTRIXS-K for the United States and South-Korea.
- CENTRIXS-PHI for the United States and the Philippines.
- CENTRIXS-CNFC for the Combined Naval Forces CENTCOM (VPN within GCTF).
- CENTRIXS-MCFI for the Multinational Coalition Forces Iraq.
- CENTRIXS-ISAF (CX-I) which is the US component of the Afghan Mission Network to share critical battlefield information among 50 coalition partners.
- CENTRIXS-GCTF (CX-G) for the Global Counter Terrorism Forces, which is the US coalition network in Afghanistan to share information among more than 80 Troop Contributing Nations.

The countries connected to CENTRIXS-ISAF can be recognized as the 41-Eyes of the allied coalition in Afghanistan mentioned by The Guardian. This group grew slowly and was called 43-Eyes in 2010, when the NATO exercise Empire Challenge 2010 (EC10) changed its "main participating security domain" to "an International Security Assistance Forces (ISAF) equivalent 43-Eyes domain".

Probably also because of the steadily increasing number of coalition partners, shareable information is not marked with REL [..] EYES anymore, but with REL ISAF and REL GCTF.

Slide showing the complexity of multi-national information sharing
(full presentation: MultiNational Information Sharing (pdf), 2011)


We have seen that designations consisting of a number of 'Eyes' are used as a dissemination marking or handling instruction showing among which group of countries specific military or intelligence information may be shared.

The Guardian and the New York Times listed various 'Eyes' and some other groups in a way that suggests a hierarchy of how close their relationship with NSA would be: first the Five Eyes community, followed by 9-Eyes, 14-Eyes, NACSI, and with the 41-Eyes Afghanistan coalition being the loosest kind of cooperation.

A scheme like this looks attractive, but is at least partially misleading. For sure the Five Eyes are cooperating in the closest way, but the other groups have different scopes. NACSI is more like an advisory working group of NATO than an alliance of signal intelligence agencies, and the 41/43-Eyes community is for sharing battlefield information between members of the Afghanistan coalition.

Regarding the 9-Eyes and 14-Eyes communities, it's now up to journalists who have access to the Snowden-documents to provide more detailed information about whether they really represent more close alliances with NSA, or whether they're just 'working groups' of selected 3rd and 4th party nations, like most of the other 'Eyes' communities.

Update #1:
A newly disclosed document has shown that all countries of the 14-Eyes are 3rd Party partners of NSA and that the actual name of this group is SIGINT Seniors Europe (SSEUR). More about this: 14-Eyes are 3rd Party partner forming the SIGINT Seniors Europe

Update #2:
From remarks made on Twitter by a Dutch journalist who works on the Snowden-papers, it seems that the 9-Eyes is a group for exchanging military signals intelligence related to operations in Afghanistan.

Summary of all known 'Eyes'

- 3-Eyes: USA, GBR, AUS (TEYE)
- 4-Eyes: USA, GBR, CAN, AUS (ACGU)
- 5-Eyes: USA, GBR, CAN, AUS, NZL (FVEY)
- 7-Eyes: USA, GBR, CAN, AUS, FRA, DEU, ITA (MIC?)
- 8-Eyes: USA, GBR, CAN, AUS, NZL, NATO, ?, South-Korea
- 9-Eyes: Five Eyes + FRA, DNK, NLD, NOR (Guardian)
- 10-Eyes: USA, GBR, CAN, AUS, NZL, NATO, Japan, South-Korea, Thailand, Singapore
- 14-Eyes: Five Eyes + FRA, DNK, NLD, NOR, DEU, ESP, ITA, BEL, SWE (SSEUR)
- 41-Eyes: ISAF-countries in ? (Guardian)
- 43-Eyes: ISAF-countries in 2010

Links and Sources
- Over Five Eyes en Third Parties - Met wie werkt de NSA samen (2013)
- Privacy International report: Eyes Wide Open (pdf)
- How the NSA ranks its international spying partners
- Multinational Information Sharing (MNIS)
- Article in French about Empire Challenge 2008
- The 2004 listing of Country Code Trigraphs and Coalition Tetragraphs (pdf)
- About Canada and the Five Eyes Intelligence Community (pdf)
- Far-Reaching Scenario Reflects Changing World (2003)
- Article about CENTRIXS-Maritime: connecting the warfighter
- Combined Operations Wide Area Network (COWAN)/Combined Enterprise Regional Information Exchange System (CENTRIXS) (pdf)
- The 1999 DMS GENSER Message Security Classifications, Categories, and Marking Phrase Requirements (pdf)

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties