November 28, 2018

A new secure phone for outside the White House

Last Thursday, Americans celebrated Thanksgiving and traditionally the president addressed members of the military services that are deployed abroad. For Donald Trump this was the second time during his presidency.

The video footage and photos of that address also showed something that is one of the topics of this weblog: a new telephone used for top level telecommunications of the president of the United States:

President Trump speaks to members of the military over the phone
from his Mar-a-Lago resort in Palm Beach. November 22, 2018.
(photo: Mandel Ngan/AFP/Getty Images - click to enlarge)

The telephone set that president Trump used for his conference call can be recognized as a Cisco IP Phone 8841, but with some distinctive modifications.

Top Secret

The first one is that is has a bright yellow bezel around the high-resolution color display, while standard phones have a black or a silver one. As yellow is the color code for information classified Top Secret/Sensitive Comparmented Information (TS/SCI), the bezel shows that this phone can be used for calls at the highest level.

This phone is part of the Executive Voice over Secure IP-network, which connects the US president with all major decision makers, like the secretaries of State, Defense and Homeland Security as well as the Director of National Intelligence. The phones themselves have no encryption capability - they are connected to a central network encryptor, probably from General Dynamics' TACLANE familiy.

Fiber network

The second modification is that the device can be directly connected to a local fiber optic network, instead of the usual connection to a copper cable telephone system through an RJ-14 plug. Because signals traveling over copper cables cause electromagnetic emanations ("TEMPEST"), they are easier to intercept than when there's a fiber optic network.

The new phone was modified by CIS Secure Computing, Inc., which is a small company that provides additional security functions for commercial-of-the-shelf communications equipment. On its website it advertises the Cisco 8841 Fiber Enabled VoIP Phone and in the photo below the company's logo can be recognized on the back side of the device:

President Trump with the new Cisco IP phone seen from the back side. November 22, 2018.
(photo: AP/Susan Walsh - click to enlarge)

It's not known when exactly this new telephone was installed, but it must have been somewhere after Trump's first Thanksgiving address last year. Then we still saw the old phone for highly secure calls. This was a common Cisco 7975 Unified IP phone, which was also modified by CIS Secure Computing, providing it with TEMPEST protection and two 1 Gigabit SC Fiber ports.

Left: the old Cisco 7975 IP Phones in 2017; right: the new Cisco IP Phone 8841 in 2018
(click to enlarge)

White House

In the Oval Office, the old Cisco 7975 for the classified network had already been replaced by a Cisco IP Phone from the new 8800-series by September 2017. However, this phone has no additional security functions (like a fiber optic connection or on-hook disconnection of the handset) nor the yellow bezel.

The Cisco 7975 IP phones for secure calls were introduced in 2007 as part of a general upgrade of the White House communications systems under president George W. Bush. Meanwhile this type of Cisco telephones is about 15 years old, so the replacement may not come as a surprise.

It seems that with the modified Cisco IP Phone 8841 all the old phone sets for secure and non-secure calls, used both inside and outside the White House, have now been replaced by new devices from Cisco's 8800-series.

October 9, 2018

The GRU close access operation against the OPCW in perspective

(Updated: December 2, 2018)

Last Thursday, October 4, the Dutch Ministry of Defence held a press conference about how its Military Intelligence and Security Service MIVD had disrupted a spying operation by the Russian military intelligence agency GRU last April.

Four Russian operatives were caught red-handed when they tried to hack into the Wi-Fi network of the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Meanwhile, the US Department of Justice (DoJ) published a formal indictment against seven GRU officers, including the four from the Netherlands.

Here, the failed GRU operation will be compared to close access operations of the NSA, which learns us more about the methods for hacking wireless networks. There are also some answers to frequent questions about the disruption by the MIVD.

Press conference with from left to right: MIVD director Onno Eichelsheim, Defence
minister Ank Bijleveld, British ambassador Peter Wilson
(photo: Bart Maat/ANP - click to enlarge)

MIVD presentation

During the press conference, the director of MIVD, major general Onno Eichelsheim, explained the case using a 35-page powerpoint presentation with an unprecedented amount of photos and details of what had been discovered about the Russian operation.

This makes the presentation very similar to the ones from the Snowden-revelations, although they were highly classified and for internal use only, while the MIVD presentation is unclassified (in Dutch: ongerubriceerd) and, although marked as For Official Use Only, made for the general public.

Front slide of the MIVD presentation about the disrupted GRU close access operation
(click to download the full presentation)

Close Access operations

MIVD director Eichelsheim revealed that the GRU officers planned a "close access" operation. Such an operation can range from simply setting up a microphone to listen into what is said in a nearby building, to the highly sophisticated collection of unintentional emanations from computer equipment by exploiting so-called TEMPEST vulnarabilities.

In this case it was an effort to gain access to the internal Wi-Fi network of the OPCW headquarters building by using an interception system hidden in a car at a nearby parking lot. It was described as high-end equipment capable of hacking Wi-Fi connections from a distance, identifying the users and intercepting their login credentials.

This sounds very similar to an IMSI-catcher (also known as a Stingray), a very expensive device that functions like a fake cell tower. It's used by law enforcement and intelligence agencies either to identify the nearby active phone numbers, or to actually intercept the calls of a particular cell phone.

The equipment found in the car of the GRU officers, clarified by a diagram
(source: MIVD - click to enlarge)

WiFi Pineapple

Besides the equipment in the car, the backpack of GRU officer Serebriakov also contained some antennas, a WLAN Booster, a WiFi Signal Booster and a WiFi Pineapple model NANO. These Pineapples, with a cost of just around 100,- US Dollar, can mimic the functions of a Wi-Fi server. They are not only used by law enforcement and penetration testers, but are also popular among criminals who use them to spoof Wi-Fi networks so that victims connect to them rather than the intended legitimate server.

As explained in the DoJ indictment, it's likely that the GRU already tried to get access to the OPCW computer network through remote hacking methods, like spear fishing e-mails. Only after that failed to result in the desired access, the agency apparently decided to sent a team to break in through close access methods. Had they succeeded, then the hacking team back in Moscow would have taken over again to exploit the access through remote means.

NSA equivalent

The GRU officers clearly planned to hack the OPCW network and infect it, a technique that wasn't yet known to the MIVD, according to director Eichelsheim. The latter sounds intruiging, but wasn't explained any further.

For an indication of what that mysterious Russian method might be, we can look at the techniques used by the NSA to hack into WiFi networks, which are also referenced to as 802.11 networks. The Snowden-trove provided several documents about this, some of which were published in August 2016 by the website The Intercept.

The NSA equivalent of the set-up found in the car of the GRU officers seems to be a mobile antenna system running software codenamed BLINDDATE. This software can also be attached to a drone to be positioned within the range ofa wireless network of interest:

The NSA's BLINDDATE Wi-Fi hacking system, depicted in the field in Afghanistan
(click to enlarge)

One of the components of BLINDDATE is a "man-in-the-middle" attack method codenamed BADDECISION, which redirects the target's wireless web traffic to a FOXACID server of the NSA. Such a server is then able to infect the target's computer with various kinds of spying malware. This method even seems to work when the wireless connection is WPA or WPA2 encrypted.

Slide from an 2010 NSA presentation of the BADDECISION Wi-Fi hacking method
(click for the full presentation)

SCS units

Such close access operations for American intelligence are usually conducted by units of the Special Collection Service (SCS). They operate covertly from inside US diplomatic facilites around the world and consist of specialized officers from both CIA (for getting physical or HUMINT access) and NSA (for the SIGINT interception equipment).

Interestingly, the GRU team had a similar composition with Aleksei Morenets and Evgenii Serebriakov as cyber operators and Oleg Sotnikov and Alexey Minin for HUMINT support.

The GRU team arrives at Schiphol Airport on April 10, 2018. From left to right: Serebriakov
(cyber), Minin (HUMINT), Sotnikov (HUMINT), Morenets (cyber), Russian embassy official.
(source: MIVD presentation - click to enlarge)

Traveling team

According to the DoJ indictment, Serebriakov and Morenets are both members of Unit 26165, also known as the GRU 85 Main Special Service Center, traveling to foreign countries to conduct on-site hacking operations. Evidence for that was provided by Serebriakov's laptop, from which the MIVD recovered the earlier Wi-Fi connections.

It appeared that they had also been in Rio de Janeiro, Brazil in August 2016 and in Lausanne, Switzerland in September 2016, where they targeted the anti-doping agencies WADA and USADA. In December 2017 the laptop connected to a Wi-Fi network in Kuala Lumpur, Malaysia, which related to the Flight MH17 investigation. After the OPCW in The Hague, their next assignment should have been the Spiez chemical laboratory in Switzerland.

Note that Serebriakov and Morenets traveled to targets related to some of the most controversial issues of Russian politics, which indicates their importance for GRU operations.

Embassy facilities

The fact that the four men were flown in, indicates that the GRU doesn't have such a team permanently stationed inside the Russian embassy in The Hague - just like there's also no SCS unit within the American embassy, according to a 2010 slide from the NSA.

The SCS units became notorious after it was revealed that one of them had been assigned to eavesdrop on German chancellor Angela Merkel and subsequently SCS "spying sheds" were discovered on the rooftops of a number of US embassy buildings.

The Russian embassy in The Hague, which is not very far from both the prime minister's residence as well as from the OPCW building, doesn't have visible spying structures on its roof.

The Russian embassy in The Hague. About 1/3 of the diplomatic personnel can
be considered working for Russian intelligence agencies.
(photo: - click to enlarge)


On November 30, 2018, the Dutch newspaper NRC came with a long piece about espionage by military officials from the Russian embassy in The Hague, a facility which includes six historic villas, a school, a tennis court and a range of satellite dishes, on a fenced area of ​​almost one hectare.

NRC journalists were able to identify several GRU employees working under diplomatic cover who were involved in various kinds of espionage activities. Most notable was Anton Naoemkin, who's official job at the embassy was Head of Protocol. He appeared to be the man who accompanied the GRU team at Schiphol airport as can be seen in one of the photos released in the MIVD presentation.

Naoemkin brought them to the embassy, where they were awaited by Konstantin Bachtin, who was also involved in the hacking attack, but who may also compromised the operation by constantly calling with Moscow - which may have been intercepted. NRC also mentioned that one month after the failed close access operation, the GRU conducted fishing mail attacks against the OPCW.


Referencing the "alibi" for the two Russians accused of poisoning Sergei Skripal, MIVD director Eichelsheim noted that the four GRU officers were clearly not on a holiday: they carried spying equipment, multiple cell and smartphones as well as 20.000,- US Dollar and the same amount of Euros in cash.

Also things like how Morenets tried to destroy a smartphone, several traces leading back to the GRU headquarters and the list of earlier Wi-Fi connections still stored on the laptop make the operation look sloppy and unprofessional. Actually it shows that the GRU didn't consider these kind of close access operations to be very risky, and the risk of being caught in the Netherlands not very high.

Plausible deniability

The presumed sloppiness is therefore no reason to lay back, but rather to be more alert. In hostile countries or high risk places, intelligence officers would make sure not to use and carry things that could to identify them or their mission so they can plausibly deny any accusations.

The cover story that the Russian foreign ministry came up with in this case is that there was nothing secret about trip of the four technical experts, as it was allegedly their job to test the cyber security of Russian diplomatic missions.

Prevention instead of monitoring

There were also some questions about how the Dutch services operated. Someone wondered for example why the MIVD didn't monitor the Russian hacking attempt for a short period of time in order to learn what kind of targets they were looking for - a common practice in cyber security.

During the press conference, MIVD director Eichelsheim said that the Russian equipment did not provide information about why the OPCW was targeted. We can assume that field operatives have no "need to know" for the actual purpose of the operation, which may also be classified differently. Maybe it was also already known that this particular GRU method is just used to get a general access to a network, instead of to particular users or files.

Another reason could be that the MIVD simply wanted to prevent any kind of attack on the network of an international organization like the OPCW - Dutch secret services can be quite strict when it comes to their legal tasks. This might have been different when the target had been a Dutch government agency, in which case it may be allowed to monitor a network intrusion for intelligence and prevention purposes.

Expelled instead of arrested

Another frequent question is why the Dutch authorities didn't arrest the GRU officers given the fact that they were caught red-handed. Instead, the four men had been immediately "escorted to a plane to Moscow" - not even formally expelled as some press reports suggest.

Here the most likely reason is that it's the usual practice in espionage to expel spies, especially when they operate under diplomatic cover. This not only prevents that a court case would attract public attention to intelligence failures and successes, but also that we can expect our own intelligence officials to be sent home instead of thrown in jail.

New strategy

A final question is why the MIVD came with such a unusually detailed presentation about a recent operation, given how extremely secretive the Dutch intelligence services are. But internationally there were precedents:

Last July, the US Department of Justice issued an indictment in which 12 Russian intelligence officials (mostly from the GRU) were identified and accused of hacking the Democratic National Committee (DNC) and the Clinton presidential campaign and subsequently releasing the stolen files using platforms like DC Leaks, Wikileaks and Guccifer 2.0.

In September, the British government also identified two GRU officers ("Alexander Petrov" and "Ruslan Boshirov") as the suspects in the case of the poisoning of former GRU officer and double agent Sergei Skripal in Salisbury in March 2018.

And just before the press conference in the Netherlands, the UK National Cyber Security Centre (NCSC) came with a statement in which the GRU was accused of "indiscriminate and reckless cyber attacks" including disrupting the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets, hacking a small UK-based TV station and cyber attacks on Ukrainian financial, energy and government sectors.

This makes clear that "naming and shaming" Russian intelligence officials is a new deterrance strategy of the Western allies in the hybrid cyber and information war that Russia inflamed a few years ago.

Links and sources
- Hoe de Russen (waarschijnlijk) probeerden de OPCW te hacken
- Heads rolling at the GRU? Blundering Russian intelligence
- The Rise of Russia's GRU Military Intelligence Service
- How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims
- A Tale of Two GRU Indictments
- Waarom de MIVD de Russische spionnen niet liet vastzetten

September 17, 2018

Trump's telephones in the Treaty Room

Under the presidency of Donald Trump, the White House became much less transparant than under previous administrations: most information has been stripped off the White House website and hardly any photos from behind the scenes are published. Therefore we see very little of how the White House rooms and West Wing offices are currently used.

But a new photo, released by the president's social media director a few days ago, now shows a glimpse of the so-called Treaty Room, in which president Trump and vice-president Pence received an update call on the emergency preparedness concerning the impact of Hurricane Florence:

Vice-president Pence and president Trump in the Treaty Room, September 15, 2018
(White House photo - click to enlarge)

The Treaty Room

The Treaty Room is on the second floor of the main building of the White House, the residential mansion, which includes both the ceremonial rooms and the private quarters of the president. The room is named after the peace treaty between the United States and Spain, which was signed here on August 12, 1898, ending the Spanish-American War. The signing is depicted in the large painting by Theobald Chartran.

Previous presidents used the Treaty Room as their private study where they could work during evening hours, as it is on the same floor as their private rooms. The picture below shows president Obama working behind a large table, which president Trump turned into the position it had under George W. Bush, along the wall on the west side. Given how empty the table and the credenza are, it seems that Trump doesn't use the room frequently.

President Obama in his private study in the Treaty Room of the White House. We see two black
Avaya/Lucent 8410 phones, a computer screen and an HP laser printer. March 2009.
(Callie Shell/Aurora Photos - click to enlarge)

The telephone equipment

In the recent photo with vice-president Pence en president Trump we see that on the large table in the Treaty Room there are the following three telephone sets:
- A Cisco 8851 IP phone (with a box on the back) for non-secure calls
- A Cisco 8851 IP phone for secure calls
- An IST-2 red phone

The two Cisco phones are the same ones as on the president's desk in the Oval Office, where they gradually replaced the older Cisco telephones.

Behind the two Ciscos there's a large gray telephone that can be recognized as an Integrated Services Telephone version 2 or IST-2, a device that was designed by Raytheon and subsequently manufactured by Telecore, Inc.

This IST is a so called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

A special feature of the IST-2 is that one can make both secure and non-secure calls through this one single device. The phone itself has no encryption capability: any secure calls are encrypted in bulk before leaving the secure building, enclave or compound.

As part of a military telephone network, the IST-2 also has the distinctive 4 red buttons which are used to select the four levels of a system called Multilevel Precedence and Preemption (MLPP). This allows to make phone calls that get precedence over ones with a lower priority.

It's not really clear why there's an IST-2 in the Treaty Room and (at least visibly) not in the Oval Office. The two Cisco IP phones should be sufficient for any secure or non-secure phone calls, but it is possible that for connecting to military commanders it is still easier to use the IST-2 with its many direct line buttons.

> More about the president's IST: The telephone contacts of president George W. Bush

July 14, 2018

Collection of domestic phone records under the USA FREEDOM Act

(Updated: March 2, 2020)

One of the most controversial NSA programs revealed by Edward Snowden was the bulk collection of domestic telephone records under the authority of Section 215 of the USA PATRIOT Act. A detailed analysis of the workings of this program was published on this weblog earlier.

In 2015, Section 215 was replaced by the USA FREEDOM Act, which prohibited the collection in bulk and provided more safeguards. The NSA became much more transparant about this program, which gives the opportunity for the following explanation of how the domestic phone records program currently works.

NSA is also more transparant about things going wrong: last month it revealed that it had to delete all the telephone records collected since 2015 due to technical irregularities.

Screenshot from 60 Minutes from December 15, 2013, showing an NSA contact chaining tool
used for the telephone records collected under Section 215.

Collection under Section 215 USA PATRIOT Act

The NSA started its bulk collection of domestic telephone metadata as part of the President's Surveillance Program (PSP), which president George W. Bush authorized in secret right after the 9/11 attacks. Its purpose was not to spy on random Americans, but to find connections between foreign terrorists and conspirators inside the US.

In May 2006, this bulk collection was brought from the president's authority under that of the FISA Court, based upon a very extensive interpretation of Section 215 of the USA PATRIOT Act. Internally, NSA refers to this kind of collection as BR FISA, with BR for Business Records.

Under Section 215, NSA collected domestic phone records from the three biggest American telecommunication companies: AT&T, Verizon and Sprint. According to government officials, the data provided by these companies consisted mostly of landline phone records, which meant that NSA actually got less than 30% of the total amount of US telephone metadata.

However, as of August 29, 2011, AT&T started to provide cell phone metadata too: ca. 1,1 billion records a day, which would make over 30 billion records each month. Before these records were handed over to NSA, AT&T stripped off the location data, to comply with the FISA Court orders that don't allow the collection of location data. Verizon was apparently not able or not willing to strip the location metadata, so their cell phone records could not be acquired by NSA.

To put these numbers in perspective: with a wireless communications market share of 32% for AT&T, the total number of cell phone metadata for the US would equal roughly 94 billion a month. During the first half of 2012, the NSA's total collection of foreign telephone metadata was 135 billion records a month. In January 2013, mobile phone calls in the Netherlands generated some 7.65 billion records a month.

At NSA, the domestic phone records were forwarded to MAINWAY, which is a centralized system for "contact chaining to identify targets of interest." MAINWAY not only contains domestic telephone metadata, but also foreign telephone and internet metadata, collected both inside and outside the US. Putting both foreign and domestic metadata in one system, allows finding as many connections as possible.

See for more:
- How NSA contact chaining combines domestic and foreign phone records
- Section 215 bulk telephone records and the MAINWAY database

Collection under the USA FREEDOM Act

Because the bulk collection under Section 215 was often regarded unconstitutional, the program was terminated as of November 2015 and replaced by the USA FREEDOM Act (USAFA or UFA), which was incorporated in Title V of the Foreign Intelligence Surveillance Act (FISA). Under this new authority, bulk collection of domestic phone records is not allowed anymore.

Instead, NSA can request only those records that contain phone numbers that have been in contact with an approved "seed" number. This means that all the American telecoms now have to hand over the matching results from both landline and cellphone calls, so it's a much larger pool compared to the situation under Section 215.

How this current domestic phone records program works is explained in remarkable detail in the transparancy report of the NSA Civil Liberties and Privacy Office (CLPO) from January 2016, as well as in the Annual Statistical Transparancy Report from the Office of the Director of National Intelligence (ODNI).

The statistical report for 2017 was published last April and also contains a lot of information about traditional FISA and Section 702 FAA (PRISM and Upstream) collection.

Overview of NSA's collection of domestic phone records under the USA FREEDOM Act
(source: NSA Transparancy Report - click to enlarge)

Seed numbers

The process starts with selecting specific targets and the phone numbers ("selectors") they use. Through the FBI and the Department of Justice, these selectors are submitted to the FISA Court (FISC), which determines whether there's a Reasonable, Articulable Suspicion (RAS) that these numbers are associated with foreign intelligence agents or people engaged in international terrorism. Under Section 215, the RAS was determined by one of 22 designated NSA officials.

After the FISC has approved these numbers, it issues individual orders approving the submission of these specific selectors to the telecommunications providers, and directing those providers to hand over the associated metadata to the proper government agency. According to the ODNI statistical report for 2017, the FISC issued orders for 42 targets in 2016 and for 40 targets last year.

The report doesn't mention the total number of selectors used by these targets. It's these selectors, phone numbers and maybe similar identifiers, that NSA uses as a "seed" to start creating a so-called contact chain. For earlier years, the total numbers of seed selectors were as follows (it's not known how many of these belonged to Americans):

2012 2013 2014 2015
288 423 161 56

Business records

At NSA, the RAS-approved selectors are entered into what is publicly called the "Enterprise Architecture", but which actually must be the MAINWAY contact chaining system. This returns any selectors from NSA's existing metadata collection that have been in direct contact with the RAS-approved seed selector.

Both the RAS-approved seed selectors and the connected ones from NSA's existing collection are then submitted to the telecommunications providers. They will query their databases of business records for those that contain any of the submitted phone numbers. The results are returned to the NSA, which lets them pass various validation steps, applies data tags and forwards them to the MAINWAY system.

Because a FISC order is valid for up to 180 days, the selectors can be submitted multiple times during that period in order to caputure any new matching records. These business records, or Call Detail Records (CDRs) are defined as "session identifying information" and include:
- Originating telephone number
- Terminating telephone number
- International Mobile Subscriber Identity (IMSI) number
- International Mobile Station Equipment Identity (IMEI) number
- Telephone calling card number
- Time and duration of a call
NSA is not allowed to receive the content of any communication, the name, address, or financial information of a subscriber or customer, or the cell site location or Global Positioning System (GPS) coordinates.

Contact chaining

The ODNI statistical transparancy report from April has a nice graphic that shows how to count the number of business records that the telecoms provide to the NSA:

Example of contact chaining of telephone metadata under the USA FREEDOM Act
(source: ODNI Transparancy Report - click to enlarge)

We see that the RAS-approved seed phone (number) can be in direct contact with a certain number of other phones, which is called the "first hop". Additionally, the providers also have to look for the phones that have been in contact with those first hop phones. This step is called the "second hop". A third hop is prohibited by law, but NSA analysts also determined that a third step is not analytically useful.

This way of contact chaining by linking phone numbers that have been in contact with each other may already be familiar from the reportings about the Section 215 program.

But the graphic also shows something that was rarely made clear: the business records collected by NSA are not just the phone numbers. Two phone numbers that have been in contact with eachother will usually have done so more than once (except for so-called "burner phones" that are intentionally used for one call only).

So for each pair of phone numbers, there can be a lot of records, at least one record generated per phone call or text message, both for the person calling and the person called. The example in the graphic shows 7 phones that produce 6000 call detail records (CDRs) during a certain period of time. This is something to keep in mind when it comes to the huge numbers of metadata collected by NSA.

Number of records

The ODNI transparancy report also provides the real numbers of telephone records collected by NSA under the authority of the USA FREEDOM Act. Although NSA is required by law to provide the annual number of "unique identifiers", the agency doesn't has the technical ability to isolate these unique identifiers within records received from the providers. This means that every single record is counted, even if the same record is received multiple times from one or multiple providers.

The report also explicitly says that the results of contact chaining will likely include both foreign and domestic phone numbers: "while the records are received from domestic communications service providers, the records received are for domestic and foreign numbers." Also, the targeted seed number could be a foreign number, which in the first hop could have called a foreign number, that in its turn could have called another foreign number in the second hop.

With that in mind, the report says that in 2016, the telecommunications providers handed over 151.230.968 phone records to NSA. In 2017 they did so for 534.396.285 records, which is not only a dramatic increase compared to the previous year, but also a probably unexpectedly high number for the just 40 targets approved by the FISA Court.

However, if each of these 40 targets called 50 numbers, and those numbers were also in contact with 50 numbers, we get some 100.000 phone numbers. Let's assume each pair of numbers was involved in 500 calls (or text messages), we already have 50.000.000 records. And this is still without duplicate records, like from multiple providers or recurring requests.

The large increase compared to 2016 may have been caused by a variety of factors, according to Alex Joel, ODNI's chief civil liberties officer: changes in the amount of historical data companies are choosing to keep; the number of phone accounts used by each target and changes to how the telecommunications industry creates records based on constantly shifting technology and practices.


These domestic call detail records may not be stored for more than 5 years after they were initially delivered to NSA. In addition, the minimization procedures require NSA to destroy promptly any records that are determined not to contain foreign intelligence information. Phone records that have been "the basis of a properly approved dissemination of foreign intelligence information" may be retained by NSA indefinitely.

After these records have been received and stored, they may also be queried, including using search terms associated with US persons. In 2016, NSA used ca. 22.360 search terms for such queries, while in 2017 that number had risen to 31.196.


Recently, it turned out that the practical implementation of the collection of domestic phone records under the USA FREEDOM Act is apparently not that easy: in a remarkable public statement from June 28, 2018, NSA revealed that several months earlier, "analysts noted technical irregularities in some data received from telecommunications service providers."

These irregularities occurred in a number of Call Detail Records (CDRs), which meant that NSA was not legally authorized to receive them in that form. It appeared infeasible to identify and isolate the properly produced data, so NSA concluded that it should not use any of these records.

Subsequently, the agency began deleting all the phone records they had acquired since 2015. According to the statement, NSA meanwhile addressed the root cause of the problem for future CDR acquisitions. Civil liberties blogger emptywheel suggests that the records may have contained content or location data, but NSA spokesman Chris Augustine said that the problem did not result in any collection of location records from cellphone towers.

According to the NSA's general counsel, Glenn S. Gerstell, the irregularities were caused by one or more providers who sent NSA data sets that also included some numbers of people the targets had not been in contact with. When the agency then fed those phone numbers back to the telecoms to get the "second hop" records, NSA acquired metadata of people with no connection to the approved targets.

Senator Ron Wyden, a longtime NSA critic who for years tried to get the Section 215 program disclosed, now blamed the providers instead of NSA for the technical problems: "Telecom companies hold vast amounts of private data on Americans," Wyden said. "This incident shows these companies acted with unacceptable carelessness, and failed to comply with the law when they shared customers’ sensitive data with the government."

Former assistant attorney general for national security David Kris said that these "errors illustrated how new problems can sometimes crop up when the government makes systems more complex in an effort to better balance security and privacy."


In the public statement it is said that the massive metadata deletion follows from the NSA's "core values of respect for the law, accountability, integrity, and transparency" but outsiders speculated about other motives: were these records destroyed before the Trump administration could misuse them? President Trump also tweeted about this issue and saw it as part of the "Witch Hunt" against him:

David Kris, former assistant attorney general for national security, replied to Trump that "This NSA program is only for international terrorism, not spying or clandestine intelligence activity, so unless your collusion included terrorism, it should be no problem for you personally!"


In early 2019, NSA suspended its collection of domestic phone records under the USA Freedom Act "after balancing the program’s relative intelligence value, associated costs, and compliance and data-integrity concerns caused by the unique complexities of using these provider-generated business records for intelligence purposes."

In February 2020, the Privacy and Civil Liberties Oversight Board (PCLOB) issued a report about the NSA's metadata collection under the USA Freedom Act. The Board considered the program "constitutional under settled Supreme Court precedent" and found "no abuse of the program; nor did it find any instance in which government officials intentionally sought records that they knew were statutorily prohibited." During its four years of operation, the program had cost 100 million USD (part of which was paid to the telecom providers). Metadata from the program were used in 15 intelligence reports, only two of which provided the FBI with unique information.

Links and sources
- Privacy and Civil Liberties Oversight Board: Report on the Government's Use of the Call Detail Records Program Under the USA Freedom Act (2020)
- A Strange & Unsettling Day (2018)
- N.S.A. Purges Hundreds of Millions of Call and Text Records (2018)
- AT&T Pulled Cell Location for its "Mobility Cell Data" (2015)
- The NSA’s Telephone Metadata Program Is Unconstitutional (2014)

February 14, 2018

The hotlines between North and South Korea

(Updated: July 31, 2021)

The current 2018 Winter Olympics, held in PyeongChang, South Korea, led to a charm offensive by neighbouring North Korea, which included the reopening of a border hotline with the South, that had been closed for almost two years.

The reopening came with new photos of the fancy-looking communications equipment, which will be described here, as well as the fact that there's not just one phone line, but over 40. Unlike other hotlines, the ones between North and South Korea are mostly used for low-level practical issues.

A South Korean liaison officer speaks with his North Korean counterpart over the
inter-Korean communications channel at Panmunjom, January 3, 2018
(photo: Unification Ministry - click to enlarge)

The Red Cross hotline

The first hotline between North and South Korea became operational on September 22, 1971. The link was the result of the first inter-Korean Red Cross meeting held on September 20, which resulted in an agreement to establish two lines for direct telephone calls between the two countries.

It was also agreed to construct a liaison office inside the Joint Security Area (JSA) of Panmunjom, which is in the heavily-fortified Demilitarized Zone (DMZ). The direct telephone link between the liaison offices is therefore often called the Red Cross or border hotline.

Equipment of the hotline

On the South Korean side, the hotline equipment is located in the communication office on the second floor of the Freedom House, which was built in 1998. On the North side, the line ends at a desk in the Panmungak building, which is less than 100 meters (328 feet) away. In the Panmunjom area, the hotlines connect the inter-Liaison Office, the inter-Korean Red Cross Talks Liaison Office and the Front Office of the inter-Korean Talks Headquarters.

The current equipment, which is seen in the most recent photos, was installed in 2009 and consists of a large, wood-panelled console on a desk. On top is a sign that says "South-North Direct Telephone". The system features two disk drives, two sets of USB ports and one computer screen, which shows the Windows XP user interface. It's not clear what the function of the screen is, as there's no keyboard visible.

Equipment of the Red Cross or border hotline on the South Korean side
(photo: YTN News - click to enlarge)

Update: As noted on Twitter, the computer screen appears to show the user interface of a VoIP softphone client, maybe an ancient version of X-Lite, but that hasn't been confirmed yet. Probably this setup made it easier to have the calls recorded, for example by using the CD-stations.

Most important parts are however two telephone handsets, one red and one green. The red one is for incoming calls from North Korea, while the South uses the green handset to make outgoing calls to the North. However, both phone sets are capable of sending and receiving, but there have been installed two of them just in case one fails.

Since 2015, the console has two digital clocks on top, as in that year North Korea shifted to UTC+08:30 or Pyongyang Time (PYT), while South Korea stayed in the UTC+09:00 or Korea Standard Time (KST) zone. In the photo below, the green clock shows 3:34 for South Korea and the orange/red one 3:04 for North-Korea.

At the left of the hotline console there's a Samsung SF 530 fax machine through which North Korea sometimes sends messages about topics that range from logistics to threats.

Operation of the hotline

The hotline phones at the Inter-Korean Red Cross Liaison Office and the Inter-Korean Liaison Office on the South side are operated by officials from the Unification Ministry. They are experts in diplomatic protocol and have in the past played roles in face-to-face talks as well.

To resolve the problem of who calls first, it was decided that the South calls the North on odd dates, while on even dates it's the other way around. The daily routine for weekdays is that communication officials make a phone call everyday at 9:00 AM and again at 4:00 PM. No routine calls are made on Monday morning, Saturdays and Sundays and on bilateral holidays, except for when there are special requests.

The government can instruct to use the hotline for the exchange of official messages, which come in the form of a 'telephone notice' which means that a liaison officer calls the other side and reads a document carrying a proposal or official position on a proposal of the other side. All this is very similar to how the hotline between Washington and Moscow is operated, although that one is just for written communications.

Finally, when a document with official seals has to be delivered to either North or South Korea, a call is made to arrange a face-to-face meeting at a certain time on the demarcation line.

Earlier hotline equipment

The earlier equipment that was used on the hotline of inter-Korean Liaison Office can be seen in a series of photos published on the occasion of its reopening on August 14, 2000, after having been closed since November 1996:

South Korean minister of Unification, Park Jae-kyu using the hotline, August 14, 2000
(photo: The Korea Times - click to enlarge)

The South Korean minister of Unification using the hotline, August 14, 2000
(photo: eHistory - click to enlarge)

This earlier hotline device, with the size of a small refrigerator, has two telephone handsets, one in yellow and one in some kind of light green. In the upper section there's a tape recorder for each of the phone lines. It seems that after the new equipment was installed in 2009, the old device was kept as a remembrance, covered by a blue cloth with a golden fringe:

The old (left) and the new (right) hotline equipment
(photo: Unification News - click to enlarge)

More hotlines between the Koreas

After the Red Cross border hotline at Panmunjom was established, more lines would follow. On April 29, 1972, a direct line between Seoul and Pyongyang was secretly set up to prepare the visit of high-ranking officials to Pyongyang. Following this visit, the director of the CIA contacted North Korean president Kim Il-sung and they agreed upon a direct telephone line for the Inter-Korean Control Committee.

There are no reports about a phone line that connects the presidents of North and South Korea, like for example the famous Washington-Moscow Hotline, or the hotlines between the American president and several other heads of government. (See Update!)

The Joint Security Area (JSA) between North en South Korea, with the
North Korean Panmungak building, seen from the South
(photo: iStock - click to enlarge)

33 hotlines through Panmunjom

More lines were established throughout the 1990s and 2000s and since December 2010 there are 33 direct phone lines which connect North and South Korea through Panmunjom. Five of them are intended for daily communications, 21 for negotiations between the two countries, two for handling air traffic, two for sea transport and three for economic co-operation:

- 2 lines in Panmunjom for the Red Cross, since September 22, 1971.

- 1 line between Seoul and Pyongyang to prepare a high-level visit, since April 29, 1972.

- 20 lines between Seoul and Pyongyang for inter-Korean Red Cross talks, including 2 lines for the Central Red Cross Organisation, since August 18, 1972.

- 1 line between Seoul and Pyongyang for economic talks, since December 20, 1984.

- 2 lines between the newly established inter-Korean Liaison Office in the Panmunjom Freedom House and the Panmokgak building for inter-agency business talks, since May 18, 1992.

- 2 lines between Daegu (since September 18, 2001: Incheon) and Pyongyang for air traffic control, since November 19, 1997.

- 2 lines between Seoul and Pyongyang for the inter-Korean Maritime Authority, since August 12, 2005.

- 3 lines between Seoul and the Kaesong Industrial Complex for the inter-Korean Economic Cooperation Consultation Office, since November 1, 2005.

Several of these direct phone lines through Panmunjom have lost their original function, such as the one for economic talks, but these lines are now for example used as a fax line for communications between the North and South Korean Red Cross Liaison Office, which was opened on April 11, 2004.

The Joint Security Area (JSA) between North en South Korea, with
the new South Korean Freedom House, seen from the North
(photo: - click to enlarge)

15 hotlines outside Panmunjom

There are also 15 inter-Korean direct telephone lines which, due to geographical reasons, are not connected to Panmunjom:

- 3 lines between military authorities for the Donghae Bukbu Line, since December 5, 2003 (ultimately terminated in October 2010)

- 6 lines between military authorities for the Gyeongui Line, since August 15, 2005.

- 6 lines between Dorasan Station in the South and Panmun Station in the North for the inter-Korean railroad, since May 14, 2007.

Military hotlines

Besides the aforementioned telephone ines, there are also several military hotlines. In accordance with bilateral agreements, a West Sea communications link was established in September 2002 and an East Sea link in December 2003, each consisting of a phone line, a reserve phone line and a fax line (these lines may well be identical with those for the Gyeongui and the Donghae Bukbu railroads respectively).

Another military hotline was agreed upon in June 2004, in a step towards easing tensions and avoid accidental clashes. On the internet there are at least two photos that apparently show military hotlines between North and South Korea. We see ordinary military field telephones, which don't seem to have encryption capability, but it's possible that they are connected to separate encryption units:

South Korean Lieutenant Choi Don-Rim (left) communicates with a North Korean officer
at a military office near the Demilitarized Zone (DMZ) in 2005.
(photo: AFP - click to enlarge)

A South Korean military official communicates with his North Korean
counterpart through a military hotline, September 6, 2013.
(photo: Yonhap - click to enlarge)

Interruptions of the hotlines

Since the establisment of the first hotline in 1971, the direct communication links between North and South Korea were interrupted seven times, each time by North Korea:

On August 30, shortly after the Panmunjom ax attack, the hotline was shut down by the North. It was resumed on February 7, 1980 following a first working-level agreement to discuss the inter-Korean prime ministerial talks.

North Korea unilaterally declared to cease contact on September 24. The hotline was reopened again on September 29, following an agreement with the North Korean Red Cross for consultation on North Korean flood assistance.

The direct phone lines were aborted immediately after a North Korean submarine ran aground near Gangneung in the South in an attempted infiltration mission. Communications resumed on August 14, 2000 following the first agreement on inter-Korean ministerial talks.

North Korea declared the hotline "disconnected" after Seoul proposed a resolution about human rights in North Korea during the General Assembly of the United Nations in November. Communications resumed on August 25, 2009 with the visit of President Kim Dae-jung's special envoy to Seoul and inter-Korean Red Cross talks.

After the Cheonan incident, North Korea shut down all communications channels with the South on May 26. The air control phone line was re-established on October 18, 2010, while the lines at the inter-Korean Red Cross liaison office were reconnected on January 12, 2011.

On March 11, North Korea had stopped responding to calls on the Red Cross hotlines and also shut down the communication line with the American military command in South Korea, as well as the military telephone and fax lines used to coordinate cross-border travel to the joint industrial park in Kaesong. The North connected the Red Cross hotline again on June 7. A hotline used by military officials regarding travels to Kaesong was restored on September 6, 2013.

In February, Pyongyang stopped responding to South Korea's calls in the Panmunjom office after Seoul suspended a joint economic project at the Kaesong Industrial Complex over Pyongyang's nuclear tests. The military West Sea hotline was also closed, just like all other hotlines through Panmunjom, except for the two air traffic controle lines.

Reopening in 2018

On January 3, 2018, North Korean leader Kim Jong Un gave the order to reopen the Panmunjom border hotline at 3:00 PM local time. According to South Korea's Unification Ministry, the North Koreans made first contact at exactly the time ordered.

Both sides were on the phone from 3:30 PM to 3:50 PM local time and during this initial 20-minute conversation, the two nations "checked technical issues of the communication line," according to a statement from South Korea's Unification Ministry.

The Ministry said North Korea phoned for a second time several hours later, suggesting the two sides wrap up business for the day. Other than checking that the link was operational, it is unclear what was discussed. According to a ministry spokeswoman there was no mention of future talks or the Olympics.


A top-level telephone hotline between the presidents of North and South Korea was established on April 20, 2018, in preparation of a summit between both leaders later that month in the border town of Panmunjum. Before this meeting, both presidents are expected to have a talk over the phone, but no date has been set for the call.

According to the Yonhap news agency, the new hotline connects the desk of South Korean president Moon Jae-in at the presidential Blue House with North Korea's State Affairs Commission, which is headed by Kim Jong-un. South Korean officials were the first to pick up the phone, then took a return call from their North Korean counterparts to make sure the line was working in both directions.

A South Korean official talks on a phone for testing the new hotline
at the presidential Blue House in Seoul, April 20, 2018
(photo: Yonhap - click to enlarge)

A telephone set that is used for the hotline between
the presidents of North and South Korea
(photo: AFP - click to enlarge)

In June 2020, North Korea cut the hotline as relations soured after a failed summit between the two countries and shortly afterwards, North Korea blew up an inter-Korean border office that had been built to improve communications.

After an exchange of letters between the leaders of North and South Korea, North Korea's news agency KCNA announced that "According to the agreement made between the top leaders, the north and the south took a measure to re-operate all inter-Korean communication liaison lines from 10:00 on July 27." According to South Korea's Ministry of Unification, representatives from both sides spoke on the phone for three minutes. Another call would be conducted on Tuesday afternoon, and henceforth everyday.

Links and sources
- Reuters: Unique 'hotline' sets stage for new North and South Korea talks (2018)
- Korea Exposé: Call Me Maybe: How N. and S. Korea Actually Communicate (2017)
- Huffington Post Korea: 남북 직통전화 개설과 중단의 간략한 역사 (2014)
- Ministry of Unification: 남북관계 지식사전

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties