February 8, 2014

BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

(Updated: August 9, 2017)

Today, the Dutch newspaper NRC Handelsblad finally published the complete BOUNDLESSINFORMANT screenshot that shows data related to the Netherlands.

This came after a surprising revelation by the Dutch government that the 1,8 million metadata shown in that screenshot were not from Dutch citizens and intercepted by NSA, but actually from a legitimate collection against foreign targets by the Dutch military intelligence agency MIVD which was passed on to the Americans.

Here, I will analyse the chart and compare it with similar charts about various other countries that were published earlier. More about the background, which caused some severe political problems for the Dutch interior minister, can be read here!

The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)

The first thing that catches the eye is that the screenshot is shown here on paper, together with another sheet with an orange bar bearing a classification marking and a cardboard folder. The sheets look like as if they became wet and also show some white paint brush-like stains (all previous screenshots were published as digital files).

Probably these effects were photoshopped by the paper to make it look extra special. For example, the classification marking on the second sheet seems fake, as it reads: TOPSECRET//S//NOFORN, where in reality Top Secret are two separate words and the compartment for this kind of information is not S, but SI for Special Intelligence.

That said, we now take a look at the information in the screenshot itself. In the upper part there's the bar chart which was already published back in August 2013 by Der Spiegel. The green bars show that only DNR (Dialed Number Recognition, which is telephony) metadata were collected. In the lower part, which was published for the first time today, there are three sections with some details about this collection:

Signal Profile

This section has a pie chart which can show various types of communication. In this case, all metadata were collected from PSTN, which stands for Public Switched Telephone Network. This is the traditional telephone infrastructure, consisting of telephone lines, (undersea) fiber optic cables, microwave transmission links, cellular networks, and communications satellites, all interconnected by switching centers.

In this case, MIVD collected the metadata from PSTN traffic using their satellite station near Burum, which is operated by the signals intelligence unit NSO. This station is conveniently situated next to a big commercial ground station operated by Stratos Global, which provides access to Inmarsat, and Castor, providing access to Intelsat, Eutelsat, Gazprom, RSCC, SES (Astra), Telesat, and Arabsat satellites.

Whereas nowadays almost all intercontinental communications pass undersea fiber optic cables, some less-developed countries like Afghanistan, Sudan, Somalia, Cuba and North-Korea, and remote regions in Russia, China and Africa apparently still use Intelsat satellite links for their international telecommunications. A number of these countries are also linked to Intersputnik satellites.

An example given by the NRC newspaper is that of calls made by Somali people from call shops in a Dutch city like Rotterdam to the Somali capital Mogadishu. If these calls travel through satellite links, the MIVD is able to collect their metadata. The agency only gathers communications that are related to terrorism and those that are necessary to support international military operations.

The Burum teleport, with the NSO intercept station (left) and the
ground station operated by Stratos Global and Castor (right)
(photo: Castor - click to enlarge)

According to a reply from the Dutch government, the 1,8 million metadata were collected by the MIVD from phonecalls, including some sms and fax messages, that "originated and/or terminated" in foreign countries. After all communication data with a Dutch phone number were filtered out, the remaining data were "shared with partner agencies".

This means, these data weren't just shared with NSA on a bilateral basis, but also in multinational military intelligence sharing groups like the 9-Eyes and the 14-Eyes, which is actually called SIGINT Seniors Europe. Both groups consist of the Five Eyes plus a number of 3rd Party nations.

In response to parliamentary questions, the Dutch government seemed to suggest that the 1,8 million metadata equals 1,8 million "unique moments/types of communication". This contrary to earlier and widespread assumptions that 1 phone call creates multiple metadata records.

Most Volume

In the screenshot we can see that the metadata records were collected through a facility designated by the SIGAD US-985Y.

According to NRC, Dutch government sources say that this SIGAD does not designate a single facility, but rather "metadata collected by MIVD that are shared with NSA".

This means that these data could be derived from multiple collection platforms and not just from the satellite intercept station near Burum, although the Dutch government said that in this case the 1,8 million metadata were collected through satellite interception. Besides Burum, the Dutch SIGINT unit NSO also has a high-frequency radio intercept station near Eibergen and some mobile signals intelligence units which can be deployed during foreign operations.

US-985Y is from the same range as US-985D, which is the SIGAD in the screenshot about the collection of metadata related to France, and also near the range of US-987 SIGADs which are used for collection by Spanish, Norwegian, German and Italian agencies. Interestingly, it was Der Spiegel noticing already in August 2013, that SIGADs like the US-987 series were among those assigned by NSA to the SIGINT activities of 3rd Party partner agencies.

If the Dutch interpretation is correct, we have to assume that also the SIGADs for other countries do not designate a particular physical interception facility, but rather a foreign agency as the single source of shared data, with divisions not according to collection facilities, but according to data types like metadata, content, phone and internet. This makes some sense, as it's not up to NSA to assign designations to individual foreign collection platforms.

The headquarters of the Dutch military intelligence agency MIVD,
which is located in the Frederikkazerne in The Hague
(photo: GPD)

Top 5 Techs

This section of the screenshot mentions the technical systems or programs used to collect or process the data. Here, only a single system was used, called CERF CALL.

Sources contacted by NRC say this stands for "Contact Event Record Call", which refers in a more technical way to (telephony) metadata. "Contact" and "event" are terms which are also seen in other NSA documents related to metadata, so that seems to make sense.

It was strange that there was no word for the letter F, but some research revealed that the F most likely stands for Format. In several job vacancies CERF can be seen as listed among a number of other NSA data formats like CSDF and ASDF. We can assume now that CERF = Contact Event Record Format.

The same tech was also in the BOUNDLESSINFORMANT screenshot about Germany, where CERF CALL MOSES1 was the fourth biggest one. Maybe CERF is used for collected metadata in general and CALL specifies that for telephony metadata (although in NSA-speak, telephony is always designated as DNR). An additional codeword like MOSES1 could then be used to further specify these data sets.

Seeing CERF in the Dutch chart came somewhat as a surprise, because in almost all screenshots that followed the German one (France, Spain, Italy, Norway and a chart about Afghanistan) we saw DRTBOX, which is a technique used for handling metadata derived from mobile communication systems (PCS).

DRTBOX refers to surveillance devices made by DRT, which are used to locally intercept radio and cell phone communications, and are widely used in war zones like Afghanistan. This also provides a very strong indication that the metadata for those other countries were collected during or in support of military operations abroad.

The satellite intercept station of MIVD near Burum
(photo: ANP)

We should also be aware of the possibility that the BOUNDLESSINFORMANT screenshot doesn't show everything that the Dutch agency MIVD shares with NSA, as in this one there are only telephony metadata. This is the lesson that was learned from the screenshot about Afghanistan, which was published by Glenn Greenwald in a Norwegian paper last November.
That chart also shows just telephony metadata from one single source, but communications from Afghanistan are of course intercepted by numerous collection facilities. This means that such a document bearing the name of a particular country doesn't necessarily contains everything what's collected from or by that nation.
This problem arises from the fact that these screenshots are published without their original context, so we don't know which selections in the BOUNDLESSINFORMANT interface were made prior to resulting in the output we see in these charts. Unfortunately, Glenn Greenwald isn't able or willing to answer these kind of questions.

> More background of this story: Dutch government tried to hide the truth about metadata collection

In July 2017, a Dutch journalist involved with the Snowden revelations said on Twitter that the 1,8 million records represent some 12 million pieces of metadata (which means one record consists of at least 6 fields) and that the Dutch Ministry of Defence had confirmed that they were collected from Somalia.


On March 5, 2014, the Dutch paper NRC Handelsblad came with a follow-up story, which provided more context to the Dutch collection of metadata.

It says the Netherlands has been sharing intercepted telecommunications with the US since 2006. This partnership accelerated after the Dutch started their ISAF mission in the Afghan province of Uruzgan in 2006 and it continued after this mission ended in 2011. According to NRC there is still a steady flow of millions of telephony metadata from MIVD to NSA.

The paper presents the following example: When in August 2012 the Dutch navy ship HMS Rotterdam was the flagship for the NATO anti-piracy operation OCEAN SHIELD, this vessel was also intercepting the communications of Somali pirates. This was made possible because NSA had provided the covert Dutch SIGINT team on the ship with a special interception system.

NSA's access to the pirates’ communication had collapsed after the latter switched to land-based communications, which couldn't be intercepted by the Americans. Therefore the metadata provided by the Dutch were very welcome. A combination of the interception of Somali pirate communications from aboard the Dutch ship and through the Dutch satellite intercept station in Burum lead to successful mapping of pirate networks:

Note that the grey text in the bottom right corner says that this slide originally was classified as TOP SECRET//SI//NOFORN, but apperently later this was lowered to SECRET//SI//REL TO USA, NLD, probably to share it with the Dutch.

The diagram from the slide is also shown in a larger version. Some connections and icons have Dutch labels, so this seems to be generated by a software tool used by the Dutch MIVD. Probably it's Sentinel Visualizer or Analyst's Notebook or a similar software program, but it also resembles the SYNAPSE data model used by NSA.

Links and Sources
- DeCorrespondent.nl: Op dit grasveldje in de Achterhoek luistert Nederland de Taliban af
- NRC.nl: The secret role of the Dutch in the American war on terror
- NetKwesties.nl: Onjuiste geheimhouding regering over AIVD/MIVD
- Cyberwar.nl: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- DutchNews.nl: The Netherlands, not USA, gathered info from 1.8 million phone calls
- NRC.nl: NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- Defensie.nl: MIVD: Interceptie van telecommunicatie


clegra said...

Concerning a missing interpretation of the letter F in CERF CALL: could it stand for a "Contact Event Record for a Foreign Call"?

Anonymous said...

CERF - as in Vint Cerf - satellite intercept

Why assume a filter related to Dutch citizens? That would be pointless.

P/K said...

Yes, the F could be for Foreign, or also for Facility. But the given explanation still seems not very convincing.

It was NRC Handelsblad saying that MIVD filters out all communications of Dutch citizens, this because it's not legal for them to pass these on to NSA.

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties