December 24, 2013

The British classification marking STRAP

(Updated: November 26, 2014)

Most of the documents leaked by Edward Snowden are from the American signals intelligence agency NSA, but there are also quite a number from their British counterpart GCHQ. Documents from both countries are classified as TOP SECRET and often have additional markings to further restrict their dissemination.

Where on American documents we see markings like COMINT (Communications Intelligence) and NOFORN (No Foreign Nationals), the British have the mysterious term STRAP followed by a number.

Information about American classification and dissemination markings can rather easily be found on the internet (see also The US classification system on this weblog), but there are hardly any details about the British classification system.

But luckily, there's one source available which describes STRAP and other British classification practices in detail: the extensive Defence Manual of Security from 2001. Chapter 17 (page 1131-1135) of Volume 1 gives an overview of the STRAP Security Guidelines.


In the manual, STRAP is described as a set of nationally agreed principles and procedures to enhance the "need-to-know" protection of sensitive intelligence (and related operational information) produced by the British intelligence agencies, including military sources.

It adds additional procedures to the standard security measures employed for intelligence matters. STRAP is therefore comparable with the American system of protecting the most sensitive information by control systems with separate compartments, which are generally designated by codewords.

Although on some websites it's suggested that STRAP might stand for "STRategic Action Plan", the Defence Manual clearly states that STRAP is a codeword, not an acronym. The STRAP codeword itself is not classified.

Some intelligence information, handled within the STRAP System, require more stringent protection than others. To assure this, there are three levels of STRAP protection. These levels are designated, in ascending order of sensitivity and, hence, access control: STRAP 1, STRAP 2 and STRAP 3.

Examples of STRAP documents

An example of a document from the least sensitive category, marked STRAP 1, is a slide from a powerpoint presentation about the BULLRUN program aimed at breaking encryption methods used on the internet:

Information that is somewhat more sensitive is marked STRAP 2, like this presentation slide about operation SOCIALIST, which infiltrated the network of the Belgian telecommunications provider Belgacom:

From the category of most sensitive documents, marked STRAP 3, there are no actual examples available. STRAP 3 for example protects the precise locations where these interceptions takes place. The real names of the telecommunication companies that cooperate with GCHQ are classified one level below this, at STRAP 2.

As several of these real names have been published, Snowden must somehow got access even to STRAP 3 documents. Probably because they are so sensitive, Greenwald and the papers may have decided not to publish them, but only use some of the information they contain.

STRAP protection measures

The STRAP system is designed to protect information against threats that are specific for sensitive intelligence. A principal threat is when a target becomes aware of an intelligence attack against him, so he can initiate countermeasures. Therefore, the STRAP system aims to minimise the risk of leakage of sensitive intelligence operations and products into the public domain - whether by accidental exposure or deliberate intent. This is done through the following measures:

- Restricting access to sensitive intelligence material on a strict "need-to-know" basis;
- Agreeing the appropriate facilities for its protection in transit ("STRAP Channels") use, storage and disposal;
- Providing explicit briefings and guidance for individuals who handle this type of material.

Information that requires protection under the STRAP system has to be clearly defined and labelled with the appropriate STRAP level marking. It has to be carried by authorized couriers during transit, and signed receipts have to be obtained at all stages of handover.

Within the British Ministry of Defence, the implementation of the approved STRAP security measures is overseen by individually appointed STRAP Security Officers (STRAPSOs). The overall responsibility for the review and formulation of STRAP policy and guidelines is with the STRAP Management Board.

December 15, 2013

14-Eyes are 3rd Party partners forming the SIGINT Seniors Europe

(Updated: September 16, 2017)

On December 11, the Swedish public television channel SVT published a range of new NSA-documents from the Snowden-collection. One is a text which for the first time proves that intelligence agencies of nine European countries are 3rd Party partners of NSA.

These countries are: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. Earlier, these nations were identified as forming the 14-Eyes group, for which we now also have a real name: SIGINT Seniors Europe or SSEUR.

(Click for a bigger version)

Unfortunately only this very small excerpt was published, so we don't know what the rest of the document is about. But as small as it is, it reveals some interesting new things, which will be explained in this article:
- The 3rd Party status of a number of European countries
- The existance of a group called SIGINT Seniors Europe
- More clarity about the mysterious 14-Eyes

3rd Party countries

This is probably the first time that an official NSA document is published in which several 3rd Party countries are named. Until now, we only had documents proving this status for only a few separate countries, and we had a range of countries that were suggested to be 3rd Party partners by intelligence experts.

From the countries mentioned in the fragment published by Swedish television, only France, Germany, Norway, Italy, Belgium and probably Spain were supposed to be 3rd Party partners. Sweden, Denmark and especially The Netherlands were not listed as such, so with this new disclosure, we now know for sure that the intelligence agencies of all these nations have the 3rd Party status.

Being a 3rd Party means that there's a formal bilateral agreement between NSA and a foreign (signals) intelligence agency. Probably the main thing that distinguishes this from other, less formal ways of cooperating, is that among 3rd party partners, there's also exchange of raw data, and not just of finished intelligence reports or other kinds of support. Also both parties have a Special Liaison Officer (SLO) assigned at each others agency.

It's not quite clear what the initial 3rd Party agreements are called, but we know that later on specific points are often laid down in a Memorandum of Understanding (MoU). An example is the Memorandum of Understanding between NSA and the Israeli signals intelligence unit, which was published by The Guardian on September 11, 2013.

SIGINT Seniors Europe

As the newly published fragment starts with an asterisk, it seems to be a footnote in a document about intelligence training, explaining which countries are "SSEUR members": the Five Eyes (United States, Great Britain, Canada, Australia and New Zealand) and nine other European countries: France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden.

The abbreviation SSEUR is seen here for the first time, and luckily Swedish television also published another document which says that SSEUR stands for SIGINT Seniors Europe (SIGINT is an acronym for Signals Intelligence):

Fragment of an NSA document mentioning SIGINT Seniors Europe (SSEUR)
(Names whited out are replaced by black bars for better readability)

Apart from this, we have no further information about the SIGINT Seniors Europe. But there's an explanation, provided to this weblog by our French counterpart Zone d'Intérêt, which probably comes very close to what this group could be:

The term "SIGINT Senior" may designate the highest ranking SIGINT officer of a foreign (signals) intelligence agency, rather than a country as a whole. For example, in France, the Directeur Technique (DT) inside the foreign intelligence agency DGSE is called "le Senior SIGINT" exactly.

Intelligence agencies aren't organized the same way in each country. Some countries have intelligence agencies inside police forces, military intelligence in the field, defense agencies which collect both for military operations and counterterrorism, etc. Also the laws aren't the same in every country.

Therefore, it's obviously more convenient to have one single point of contact in each country, to discuss SIGINT-related issues, or even for actually passing signals intelligence, with maybe some pre-processing already done, instead of having to do this with different people from different agencies and units in each country.

This explanation fits the fact that the document mentions SSEUR together with the NATO Advisory Committee on Special Intelligence (NACSI), which is also a platform for discussing SIGINT-related issues.

From the nine European countries of SSEUR, only Sweden is not a member of NATO, but as mentioned earlier, Sweden is often cooperating with NATO countries. More interesting is that Belgium is part of this group too. Belgium is a small country and reportedly has hardly any SIGINT capabilities. That is to say: domestically, but maybe there's some more substantial SIGINT collection by Belgian troops participating in military operations abroad.

With SSEUR containing European 3rd Party partners, it's very well possible that there are also similar groups of partner agencies in other parts of the world, with the East-Asian/Pacific Rim region being the most likely.

The 14-Eyes

The SIGINT Seniors Europe comprise 14 countries, and when we look at their names, we see that they are identical to the nations of which The Guardian in November said they form a group called 14-Eyes.

As this latter group was also never heard of, we looked for some possible explanations in an article on this weblog last month. But by then we didn't know exactly and for sure which countries were 3rd Party partners, so it was hard to get things clarified.

Now that we know that all nine European countries, including Sweden, Denmark and The Netherlands, have 3rd Party status, it's clear that our option "A" came closest: 14-Eyes stands for a number of 3rd Party countries who have something in common - likely having a 'SIGINT Senior' officer as single point of contact for NSA and the Five Eyes.

As explained in our earlier article, an 'Eyes' designation is most often used as a handling instruction for restricting dissemination of sensitive information among a certain group of countries. In this case, 14-Eyes apparently serves as dissemination marking for information authorized for release to the 14 members of the SIGINT Seniors Europe group.


An article from 2001 about the history of Dutch signals intelligence clarifies that SIGINT Senior Meetings (SSMs) are attended by the heads of agencies responsible for signals intelligence, like NSA, GCHQ, the German BND, the French DGSE, the Italian SISMI, and the military intelligence services of Norway, Denmark, Belgium and other countries.

The SIGINT Senior Meetings coordinate the military intelligence needs for the participating countries, resulting in the actual exchange of data and information through the Signals Intelligence Data System (SIGDASYS). Originally this was some kind of computer system that acted as a back-up in case one of the countries lost its own SIGINT capacity.

Later, SIGDASYS became a database in which all participating nations poured military SIGINT and other information, and, on a quid pro quo basis, could get out the intelligence they needed themselves. In this way, SIGDASYS decreased the overlap in data collection and played an important role during the 1990-1991 Gulf War. The system is managed by the multinational SIGDASYS Committee which reports to the SIGINT Seniors meeting.

Update: an internal NSA SIDtoday newsletter from June 14, 2005, says that work was started for standardizing formats to facilitate the exchange of call chaining diagrams via SIGDASYS too.

The article says that for the Netherlands, it was the head of the former military intelligence agency MID (1988-2002) who participated in the SIGINT Seniors meetings, often accompanied by the director of TIVC, a unit which processed Dutch signals intelligence.

On Twitter, a Dutch journalist working on the Snowden-papers added that initially it was the head of the former Dutch navy intelligence agency MARID who attended the SIGINT Seniors meetings and nowadays it's a senior official of the Military Intelligence and Security Agency MIVD. He also said that membership of this 14-Eyes group is not fixed and can change over time.

According to the book 'The NSA Complex', which was published by Der Spiegel in March 2014, the Sigint Seniors Europe (SSEUR) group was established in 1982 for more efficiently monitoring the Soviet Union.*


All this makes clear that 14-Eyes is the designator for information that is restricted to the 14 nations participating in a group called SIGINT Seniors Europe (SSEUR), which apparently exists for some 30 years. SSEUR meetings are attended by the heads or senior officials of the signals intelligence agencies of the 14 countries, who coordinate the sharing of military intelligence. The actual data and information exchange takes place through a regional database of the Signals Intelligence Data System (SIGDASYS).

Links and Sources
- Cees Wiebes, "Dutch Sigint during the Cold War, 1945-94", in: Matthew M. Aid & Cees Wiebes, "Secrets of Signals Intelligence during the Cold War and Beyond", London, 2001, p. 276-277.
- Over Five Eyes en Third Parties - Met wie werkt de NSA samen (2013)
- Läs dokumenten om Sverige från Edward Snowden (2013)
- Paper 1: Echelon and its role in COMINT (2001)

December 8, 2013


(Updated: January 3, 2014)

A previous article on this website showed that the charts in the NSA's BOUNDLESSINFORMANT tool are not so easy to interpret as it may seem. Screenshots from this tool were published by a number of European newspapers saying that they are proving that NSA is intercepting phonecalls from these countries. This article will show and examine a new image which literally provides context to these screenshots.

In a less known follow-up article from November 4 on the website of the spanish paper El Mundo there are four slides from a powerpoint presentation about BOUNDLESSINFORMANT. Three of the slides were published earlier, but the fourth one was never shown before. This new slide shows a screenshot of an Internet Explorer browser window with the BOUNDLESSINFORMANT tool in it:

For the first time, this screenshot reveals what the actual BOUNDLESSINFORMANT interface looks like. It shows that the bar charts and the details below it, as published by the newspapers, appear in a pop-up window above the world map of the global overview.

The global overview window

The presentation slide shows that the main screen of this tool is the global overview, which was initially published by The Guardian in June and later by some other media too. Here's a high resolution version of this screen (click for a bigger version):

On the left side we see the overall numbers for DNI (internet), DNR (telephony), SIGADs, Case Notations and Processing Systems for the last 30 days. This time period can be changed, probably by using the slide button underneath this list, next to the dark grey box. It seems that 30 days is its maximum. In the slide screenshot this time period is 7 days, which can be seen in the pop-up window and explains the smaller numbers in the list at the left side of the map.

The lower part of the screen shows a Top 5 of countries and their total numbers of DNI and DNR records. These total amounts of data can be sorted in three different ways: Aggregate, DNI and DNR, which can be selected with the radio buttons above the map. Each option results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map. These three versions were published by the Indian paper The Hindu last September.

Next to these radio buttons is a search box with a button named "Country View", which is maybe for entering a country name. Finally, there are two buttons in the upper right corner to switch between the two main viewing modes of this tool:

- The Map View, which "allows users to select a country on a map and view the metadata volume and select details about the collection against that country".

- The Org View, which "allows users to view high level metrics by organization [NSA divisions] and then drill down to a more actionable level - down to the program and cover term".

According to a Frequently Asked Questions (FAQ) paper for BOUNDLESSINFORMANT from June 2012, this tool can graphically display information about collected metadata in a map view, bar chart and simple table. The map view can be seen in the main window with the global overview, the bar charts appear in a pop-up window. How the simple table view looks like is not known.

The Map View pop-up window

In the Map View, users can click on a country from the world map and then a pop-up window appears. According to the BOUNDLESSINFORMANT FAQ paper this window shows "the collection posture (record counts, type of collection, and contributing SIGADS or sites) against that particular country in addition to providing a graphical display of record count trends". These elements are in the screenshot of this window:

Unfortunately the resolution of the slide is too low to make everything readably, but still we can see that in this screen there's a lot more than in the images which were published by the various newspapers. For comparison, here's the screenshot that was shown in Norwegian media (click for a bigger version):

Comparing these two screenshots reveal that the images shown in the papers are just a part of the actual pop-up window. We recognize the four sections with the different charts, but there are also some minor differences. The slightly different layout may have been caused by the different time period: 30 days gives in a much wider bar chart than 7 days.

Apart from that, we see that in the screenshots from the newspapers the whole frame is missing. The example from the presentation has "SIGAD" with a symbol next to it in the upper left corner, but we don't know if that's standard, or that it indicates a specific view mode.

Below this are a search box and a scroll box with a relatively long list of options - unfortunately impossible to read, but it's not a list of SIGADs. The display section has two tabs, the active one white, the other one black, indicating that there are apparently two main options for presenting the information.

Left of the bar chart there's a section that could be titled "Active Summary" and seems to contain symbols and headers very similar to those below the bar chart. Probably one can select different kinds of details about the data collection to be shown. The images from the papers have "Top 5 Techs" in the lower section at the right side, but in the pop-up example something different is shown, ineligble again.

Another small difference is in the "Signal Profile" section: the pop-up screen shows four different types of communication systems (maybe DNI, DNR and two others), but the screenshots from the papers have seven. As the presentation is from July 2012 and the images in the papers are from early 2013, maybe during that period more options were added to the tool.

Screenshot from a Brazilian television report, showing some files opened in a TrueCrypt window on the laptop of Glenn Greenwald. In the upper left corner we see an unpublished screenshot from BOUNDLESSINFORMANT with three bar chart sections, apparently about Computer
Network Exploitation (CNE), which is computer hacking by the TAO division
(click to enlarge)

Multiple options

All this shows that in the Map View alone there are more options to select than just clicking a country and getting one standard overview of NSA's collection against that country - that's how Glenn Greenwald and the newspapers brought it.

The fact that there are more ways to select and present the information already became clear by analysing the screenshots published by the papers. For at least five countries (France, Spain, Norway, Afghanistan and Italy) the charts only show one technique, DRTBOX.

If NSA really spies on these countries, it's unlikely they use only one system and collect only telephone (meta)data. Therefore, it seems more as if in this case DRTBOX was used as the primary selector, resulting in charts showing how many data this system processed from different SIGADs and different countries.

A more complete overview of data collection against a country is given by the screenshot for Germany, which shows multiple systems collecting both internet and telephone data. Also interesting to see is that there are not only such charts about countries, but also about collection programs like WINDSTOP (which could be from the 'Org View' mode).


Now that we have a picture of the complete BOUNDLESSINFORMANT interface, we've seen that this tool has many options to present information about NSA's (meta)data collection.

The screenshots published in various European newspapers were cut out from their original pop-up windows, which makes that we are missing their context. We can't see what options there were and which selections were made to present the information as we see it.

We don't know who cut out the charts: was it Edward Snowden, or someone else at NSA (for preparing a presentation), or was it Glenn Greenwald? These questions are of some importance, because these screenshots are used as evidence for rather grave accusations.

Until now, neither Glenn Greenwald, nor editors of some of the involved newspapers were willing to answer any questions about the origins of these screenshots. Instead, Greenwald still sticks to his own initial interpretation and lets papers publish that over and over.

Links and Sources
- The Guardian: BOUNDLESSINFORMANT - Frequently Asked Questions
- Wikipedia: Boundless Informant

December 3, 2013

NSA's global interception network

(Updated: August 29, 2017)

On November 23, the Dutch newspaper NRC Handelsblad published a new slide from the Snowden documents. The slide is from a Top Secret NSA management presentation from 2012 and shows the agency's worldwide information collection capabilities.

As the slide is titled "Driver 1: Worldwide SIGINT/Defense Cryptologic Platform" there must be more slides with "Drivers", but unfortunately these were not published.

This article will take a close look at the map and tries to provide an explanation of the various interception locations of what is NSA's new ECHELON network for the internet age:

Click the map for a bigger version - it opens in a new tab or window,
so you can keep the map stand-by while reading this article

The slide shows five types of data collection, called "Classes of Accesses". These correspond to the organizational channels through which NSA gathers it's intelligence:
- 3rd PARTY/LIAISON - Intelligence sharing with foreign agencies
- REGIONAL - SCS units, a joint venture between NSA and CIA
- CNE - NSA's Tailored Access Operations (TAO) division
- LARGE CABLE - NSA's Special Source Operations (SSO) division
- FORNSAT - NSA's Global Access Operations (GAO) division

Besides the collection capabilities shown in this map, NSA also collects data through a range of tactical collection systems that support military operations, as well as through drones, planes and satellites (called Overhead Collection). Ground stations for spy satellites are at Menwith Hill in the UK and in Pine Gap in Australia.

3rd PARTY/LIAISON (Intelligence sharing)

As the first class of access, the slide lists the so-called 3rd Party liaisons with partner agencies in other countries with which NSA has formal agreements for the exchange of raw data and end product reports.

The legend designates 3rd Party Liaisons with a green dot, but there are no green dots on the map, which seems strange. One possible explanation could be that the different colored dots appear one by one after clicking the original powerpoint presentation, but according to a tweet of one of the NRC journalists, there were no green dots on the original map.

Another possible explanation is that 3rd Party stands for countries, whereas all other dots represent specific facilities. This however could have been solved by simply listing the nations just like the Regional and Fornsat lists at the top of the map.

With that not being the case, the most likely reason seems to be that NSA considers the names of these 3rd Party nations to be too sensitive to be mentioned in a TOP SECRET//COMINT document. Probably they may only be in documents classified within the Exceptionally Controlled Information (ECI) control system, just like the names of the telecommunication companies cooperating with NSA (the exact locations and even the codenames of the cable tapping facilities are also not mentioned in the map's legend).

This makes that it's still a big secret which 30 countries are NSA's 3rd party partners. Based upon the Snowden-documents, the German magazine Der Spiegel only published the names of these six European countries:
- Germany
- France
- Austria
- Denmark
- Belgium
- Poland
Some other sources also named the following countries as 3rd party partners:
- Norway
- Italy
- Greece
- Turkey
- Israel
- South-Africa
  - Thailand
- Malaysia
- Singapore
- Japan
- South-Korea
- Taiwan
NRC Handelsblad reported that The Netherlands is a 3rd party partner too, but presented no evidence for that. According to an article (pdf) by Dutch scolars it's not very likely that Dutch agencies are a formal 3rd party partner of NSA, as they have different political and cultural views. Nonetheless, the Netherlands has always been a loyal partner in military operations and so there is regular information sharing on that level.

An NSA slide published in May 2014 in Glenn Greenwald's book No Place To Hide revealed the names of all 33 Third Party countries for the very first time:

Slide from an NSA presentation titled 'Foreign Partner Review'
from 2013, showing the 2nd and 3rd Party partners

On October 30, 2013 the Spanish paper El Mundo published an undated document showing cooperation with various countries on four different levels. The first group is called "Tier A" which is "Comprehensive Cooperation" with the UK, Australia, Canada and New Zealand (the Five Eyes). The second group is "Tier B" and is about "Focused Cooperation" with some 20 countries. The third group of "Limited cooperation" consists of countries such as France, Israel, India and Pakistan. Finally, the fourth group is about "Exceptional Cooperation" with countries that the US considers to be hostile to its interests.

The general interpretation of this document is that is shows countries with which NSA is cooperating for Computer Network Operations (CNO), with the Tier B countries probably being a subset of the Third Party nations.

The list has no date, but it does have a declassification date (20291123), which minus 25 years (the standard classification period) would mean the document is from 2004. That opens up the possibility that Tier B might actually show that in 2004 there were just 20 Third Party countries, a number which then might have raised to 30 by 2012.
A strange thing about the list is that it's only classified as CONFIDENTIAL, where the text document itself is SECRET//COMINT.

REGIONAL (Special Collection Service)

Under "Regional" the map shows over 80 locations of the joint NSA-CIA Special Collection Service (SCS) units. These units are covertly based in US embassies and consulates all around the world and are charged with eavesdropping on high-level targets in difficult-to-reach places, such a foreign embassies, communications centers, and foreign government installations.

The names of 88 locations are listed at the top of the map, but 46 of them are blacked out. According to NRC Handelsblad, Glenn Greenwald asked them to do so, because of "protection of the source and the agreement we have with him: it's not really newsworthy". But Snowden apparently also insisted on this in order to protect his legal interests and therefore he provided Greenwald a "clear list" about categories of information that should not be published.

Earlier, a map showing SCS locations worldwide was published by the German magazine Der Spiegel. Initially an unredacted map was put online by accident, but before it was replaced, it was already copied onto several websites. This map showed 74 staffed SCS locations, 14 unmanned remote controlled locations and 8 other locations as of August 2010. Except for the SCS locations in Europe, the names of all other cities were blurred by Der Spiegel:

If we compare the European cities in this map from 2010 with those in the NRC map from 2012, we see that the latter doesn't show the following places: Baiku, Croughton, Kiev, Madrid, Moscow, and Tbilisi.

This could mean these SCS activities were terminated in the meantime, but also that their names were simply blacked out, which is definitely the case for Moscow and Madrid (having a dot on the map but not being mentioned in the legend) and seems likely for the technical SCS support facility at the US Air Force base in Croughton (or might this be "RESC" if it stands for something like Regional Exploitation Support Center?).
The latter option was confirmed in a slide showing a map of all SCS locations as of January 1, 2002, which was published by the Italian paper L'Espresso on December 6:

Also interesting is that the legend of the 2012 map reveals SCS locations in the US:
- Langley, Virginia, where the CIA headquarters is
- Reston, Virginia, where there's a small CIA facility too
These two locations are most likely not for eavesdropping, but rather serve as technical, training or support facilities. The headquarters of the Special Collection Service (SCS) itself is in Beltsville, Maryland.

CNE (Computer Network Exploitation)

The yellow dots on the map give some indication of where NSA has placed over 50.000 implants in computer networks as part of it's Computer Network Exploitation (CNE) operations. These operations are conducted by NSA's highly specialized and secretive Tailored Access Operations (TAO) division.

In 2004 NSA was managing a small network of only 100 to 150 implants. But over the next six to eight years, (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands. Based on the secret budget of the American intelligence agencies, the Washington Post reported that NSA installed an estimated 20,000 computer implants as early as 2008.

Other reports indicate that meanwhile the agency has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

Compared to these numbers of implants, there's only a very small number of yellow dots on the map, so they probably provide only an indication of the regions where NSA placed most of them. As such we see India, China, Mexico, the northern part of South-America, north-east Africa, eastern Europe, the European part of Russia and the Middle-East.

It was probably TAO, maybe in collaboration with Israeli intelligence services, that developed the Stuxnet computer worm, which was discovered in 2010 and was supposedly created to attack Iranian nuclear facilities.

From the Snowden-leaks we know that Tailored Access Operations uses a wide variety of sophisticated hacking tools to gain access to foreign computer networks. For example, they operate a network of secret internet servers, codenamed FOXACID, which is used to attract the traffic of targets, in order to install spying software on their computers.

Under codenames like ERRONEOUSINGENUITY and EGOTISTICALGIRAFFE, TAO is also trying to get access to the TOR network, which enables full anonymity while using the internet.

Slide from a TAO presentation about exploiting the TOR network

LARGE CABLE (Access to the Internet Backbone)

The big blue dots represent 20 major "covert, clandestine, or cooperative large accesses" to "high speed optical cable" links which form the internet backbone. It's this way that the Special Source Operations (SSO) division collects the largest share of NSA's intelligence. Maybe therefore the blue dots are the biggest ones.

The map itself shows just 16 blue dots, but as the legend says "20 Access Programs" it's possible that there are 20 programs and only 16 actual intercept locations, or that not all locations are marked on the map (which is also the case for the FORNSAT locations).

The 16 Cable Access locations marked on the map seem to be in:
- Indonesia
- South Korea
- Guam
- Caroline Islands?
- Hawaii
- 4 locations at the US West coast
- 2 locations at the US East coast
- Cornwall, UK
- France (Marseille?)
- Djibouti
- Oman
- Afghanistan?

In most of these countries there's an American military base, which probably makes it easier to get covert and clandestine access to internet backbone cables. But as we know from earlier reports, NSA and GCHQ also have secret cooperation arrangements with major American, British and foreign telecommunication and internet providers, in order to get access to internet traffic.

One supposed cable tapping location that's missing on the map is the Ayios Nikolaos station, which is part of the British Sovereign Base Area of Dhekelia on Cyprus. This station was identified by the Italian paper L'Espresso as a major cable intercept facility run by GCHQ.

The main NSA programs for intercepting internet cables are:
- Through corporate partners inside the US:
- BLARNEY (collection under FISA authority, since 1978)
- FAIRVIEW (cooperation with AT&T, since 1985)
- STORMBREW (cooperation with Verizon, since 2001)
- Through corporate partners outside the US:
- OAKSTAR (cooperation with 7 telecoms, since 2004):
- ORANGECRUSH (through PRIMECANE partner)
- YACHTSHOP (through BLUEANCHOR partner)
Most of these OAKSTAR sub-programs are "foreign access points", so maybe they, or some of them are represented by the blue dots on the map.

Besides cable access through corporate partners, the SSO division also taps internet traffic in two other ways, which are shown in the presentation slide below:
- Through unilateral operations:
- RAMPART-M (undersea cables, since 1986)
- RAMPART-T (land-based cables, with CIA, since 1991)
- RAMPART-I/X (Iraq/Afghanistan, since 2001)
- DANCINGOASIS (since 2011)
- MYSTIC (since 2009), including:
- DUSKPALLET (GSM metadata from Kenya)
- EVENINGEASEL (GSM metadata from Mexico)
- VENATOR (GSM metadata from the Phillippines)
- SOMALGET (audio content buffer), including:
- BASECOAT (Bahamas)
- SCALAWAG (Afghanistan)
- OILYRAG (Afghanistan)
- LOLLYGAG (Afghanistan)
- ACIDWASH (Afghanistan)
- Through foreign partners:
- WINDSTOP (2nd Party), including:
- Two undisclosed programs
- RAMPART-A (3rd Party), with at least 5 sites:

If we add up all these Corporate, Unilateral and Foreign cable access programs, we get a total of around 20 programs, which equals the number of 20 Major Accesses mentioned in the legend of the map.

A slide from a 2010 presentation of the Special Source Operations (SSO)
division about access to "high-capacity telecommunication systems"

Slides from more recent years reveal the names of the programs that were redacted in the slide above, as well as additional programs that subsequently became operational:

Slide about NSA's cable tapping programs from 2011 and 2013
(click to enlarge)

FORNSAT (Foreign Satellite interception)

Finally, the orange dots on the map represent locations where there are stations for intercepting the signals of foreign communication satellites. The orange dots are the second biggest ones, so maybe this indicates that FORNSAT collection provides the second largest share of intelligence.

The legend in the bottom right corner says there are "12 + 40 Regional" FORNSAT stations, but on the map there are only 6 dots and the list in the upper right corner lists only 10 codenames. The six locations on the map can be identified as:
- INDRA - Khon Kuen (Thailand)
- ? - (Philippines)
- LADYLOVE - Misawa (Japan)
- TIMBERLINE - Sugar Grove (US)
- CARBOY - Bude, on the map combined with:
- MOONPENNY - Menwith Hill (Great Britain)
- ? - Skibsbylejren (Denmark)

Five FORNSAT stations have their codename listed, but are, for reasons unknown, not marked on the map:
- STELLAR - Geraldton (Australia)
- IRONSAND - Waihopai (New Zealand)
- JACKKNIFE - Yakima (US)
- SOUNDER - Ayios Nikolaos (Cyprus)
- SNICK - near Seeb (Oman)

The locations in the map published by NRC Handelsblad can be compared to those on a map shown by Brazilian media, which is about Primary FORNSAT Collection:

In this map, which is said to be from 2002, we see the following satellite intercept stations:
US Sites:
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)
  2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, New Zealand

If we compare both maps, we see some notable differences. First of all, four stations from 2002 are not on the 2012 map, nor in its legend:
- CORALINE - Sabena Seca (Puerto Rico)
- GARLICK - Bad Aibling (Germany)
- SCAPEL - Nairobi (Kenya)
- SHOAL BAY - Darwin (Australia)

The station in Sabena Seca was closed down and the same has probably happened to the one in Nairobi.

NSA's large satellite intercept station Bad Aibling was closed in 2004, but most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to the German foreign intelligence agency BND. In return, BND had to share the results from the satellite collection with the NSA. For this cooperation, the Joint SIGINT Activity (JSA, 2004-2012) was set up, located in the nearby Mangfall Barracks.

The Australian intercept facility near Darwin, Shoal Bay Receiving Station, is not in the 2012 map, but as we can see in this picture, it seems to be still operational. The same applies to the big satellite station Pine Gap. Therefore we should be careful in treating information in presentation slides and maps like this as perfectly accurate.

Regional FORNSAT stations

The map from 2002 also shows two SCS locations: one in Brasilia and one in New Delhi. Apparently those Special Collection Service units also had a satellite intercept capability. This is most likely also the explanation for the number of "40 regional" FORNSAT stations mentioned in the legend of the 2012 map - which means that meanwhile half of all SCS units worldwide also conduct some kind of foreign satellite interception.

This could also explain the device shown in a slide published earlier by Der Spiegel: an SCS antenna system codenamed EINSTEIN and its corresponding control device codenamed CASTANET. Der Spiegel said this device may be used to intercept cell phone signals, but as a dish antenna, it actually looks more like a receiver for satellite signals (see the comments down below):

Unidentified stations

The map from 2012 as published by NRC Handelsblad also has orange dots for a FORNSAT station at the Philippines and in Scandinavia. These locations were not in the map of 10 years earlier, so it seems that these are new intercept stations build somewhere between 2002 and 2012. The Scandinavian station is probably the SIGINT facility in Skibsbylejren in Denmark, which was build in 2002 (there's also a smaller and older Danish satellite station in Aflandshage).

Unfortunately we don't have their codenames, because in the list in the upper right corner, there's no codename which was not already in the 2002 map. But as this list has only 10 names, and some don't fit on one line, it's possible that two names (coincidentally those of the new stations?!) dissappeared because of bad rendering.

The INDRA station

A final difference between the FORNSAT stations shown in the maps of 2002 and 2012 is the station in Thailand, which was codenamed LEMONWOOD in 2002. The location near the city of Khon Kaen was identified as being an intercept facility since 1979, but with a different codename: INDRA.

This facility fell into disrepair in the 1990s and seems to have been closed somewhere before 2002. In the years following 9/11, the old station apparantly has been reactivated and expanded to an important satellite intercept mission, and appeared again under its old codename INDRA in the 2012 map. Why this place (or another one?) was called LEMONWOOD in 2002 remains a mystery.

A recent Google Earth image of the INDRA
facility near Khon Kaen, Thailand

World map reconstruction

Analysing the NSA world map published by NRC Handelsblad has shown that some interception facilites and channels are missing in the map and/or the legend: most notable the 3rd party countries and some satellite stations. In order to see all additions and corrections at a glance, we modified the NSA original map, which results in this reconstruction:

Reconstruction of the NSA global interception network map
(click for a bigger version)

Links and Sources
- Hoe onderschept de NSA ons dataverkeer?
- NSA infected 50,000 computer networks with malicious software
- The embassy spy centre network (updated)
- ECHELON Satellite stations
- N.S.A. Report Outlined Goals for More Power

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties