September 22, 2019

From 9-Eyes to 14-Eyes: the Afghanistan SIGINT Coalition (AFSC)

(Updated: January 30, 2024)

It was a mystery for over five years: the 9-Eyes intelligence cooperation, which was first revealed by The Guardian in November 2013. It was only an extensive new piece on the website The Intercept from last May that made clear that the 9-Eyes is actually the Afghanistan SIGINT Coalition (AFSC).

The main purpose of the AFSC was to collect GSM metadata using DRT interception devices and feed it into the NSA's huge data analysis platform for Afghanistan operations, called the Real Time Regional Gateway (RT-RG).

The AFSC started in 2009 with nine members but eventually grew to the same 14 countries that already cooperated in another intelligence exchange group called SIGINT Seniors Europe (SSEUR). The AFSC existed at least until the end of 2014.

Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019

Intelligence sharing coalitions

The existence of the 9-Eyes group was first revealed by the British newspaper The Guardian on November 2, 2013:
"The NSA operates in close co-operation with four other English-speaking countries - the UK, Canada, Australia and New Zealand - sharing raw intelligence, funding, technical systems and personnel. Their top level collective is known as the '5-Eyes'.

Beyond that, the NSA has other coalitions, although intelligence-sharing is more restricted for the additional partners: the 9-Eyes, which adds Denmark, France, the Netherlands and Norway; the 14-Eyes, including Germany, Belgium, Italy, Spain and Sweden; and 41-Eyes, adding in others in the allied coalition in Afghanistan."

This revelation caused some embarrassment, as especially France and The Netherlands had clearly expressed their anger about the NSA's alleged eavesdropping operations against their citizens (see below), but now it turned out they were also engaged in some close alliances with the Americans.

Other 9-Eyes: CFBLNet

The Guardian's revelation started speculation about the differences between these groups and their specific purposes. From open sources, a range of similar "Eyes" for sharing military and intelligence information were identified on this weblog in November 2013 in a posting titled Five Eyes, 9-Eyes and many more.

It turned out that the term 9-Eyes had already been in use since 2008 for exchanging classified information among the Five Eyes and nine NATO members of the Combined Federated Battle Laboratories Network (CFBLNet). This is a multilateral network for research, development and testing on C4ISR systems.

However, the members of the CFBLNet 9-Eyes were not fully identical with those in the Guardian article, so it seemed unlikely that this was the mysterious 9-Eyes group mentioned in the Snowden documents.

The 9-Eyes of the CFBLNet listed in a NATO standardization document from 2010

14-Eyes: SSEUR

In December 2013, Swedish television published a range of NSA documents from the Snowden files which revealed that the 14-Eyes were also known as the SIGINT Seniors Europe (SSEUR) and consisted of the Five Eyes plus nine European partners: Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden.

From various other sources it became clear that the SIGINT Seniors Europe is a group in which the heads of the participating military or signals intelligence agencies coordinate the exchange of military intelligence according to the needs of each member.

The SSEUR group was established in 1982 to monitor the Soviet Union more efficiently, and a database system called SIGDASYS was set up so the participating agencies could exchange as much military SIGINT and other information as possible. In the early 2000s, a sub-group for counter-terrorism was formed under the name SIGINT Seniors Europe Counter Terrorism coalition (SISECT).


Meanwhile, the function of the 9-Eyes remained unclear: the Dutch interior minister Ronald Plasterk refused to say anything about it, but there were rumours that it was for exchanging military signals intelligence related to operations in Afghanistan.

That could explain why no other documents about the 9-Eyes had been published, because apparently Glenn Greenwald had an agreement with Snowden not to disclose information that could endanger American troops in Afghanistan.

Nonetheless, information about NSA's involvement in Afghanistan did come out: in June 2014, for example, the German magazine Der Spiegel released an NSA paper from January 2013, which lists all the members of the Afghanistan SIGINT Coalition (AFSC). Its membership appeared identical with the SIGINT Seniors Europe or 14-Eyes.

NSA presentation slide showing the 2nd and 3rd Party partners
and some coalition and multilateral exchange groups.
Published in No Place To Hide, May 2014.

From 9-Eyes to 14-Eyes

But as was revealed in The Intercept's article from last May, the Afghanistan SIGINT Coalition did not always have 14 members: the group started in 2009 with just nine members and was therefore called 9-Eyes. Besides the Five Eyes it included Denmark, France, the Netherlands and Norway.

In 2010, Sweden and Germany joined the Afghanistan SIGINT Coalition and by January 2013, Belgium, Italy, and Spain had also become members of the group. By then, the AFSC had exactly the same membership as the SIGINT Seniors Europe or 14-Eyes.

It is not known whether the number of "Eyes" increased with each new AFSC member, but it's clear that an "Eyes" designation is not always a unique designator and there can be multiple groups with the same number of Eyes at the same time. To avoid confusion, such multilateral partnerships can best be called by their actual names.


The Real Time Regional Gateway

The Afghanistan SIGINT Coalition was created because the NSA needed additional linguistic capabilities as well as data from regions in Afghanistan where they had little or no coverage themselves.

Therefore they turned to trusted coalition partners and provided them with wireless interception equipment known as DRT-boxes, which were first identified as such on this weblog in November 2013.

After Dutch, Danish, Norwegian, German and Spanish troops each got one, two or three DRT devices, they started feeding intercepted GSM metadata into a huge distribution and analysis system called Real Time Regional Gateway (RT-RG) as of Summer 2008.

This RT-RG system was first publicly mentioned in a Defense News article from October 2010 and in the book Top Secret America from 2011 it was described as follows:
"RTRG allows users to see all signal intelligence that collectors are working on in real time. This includes ground collectors, Air Force RC-135 Rivet Joint and Liberty planes, SIGINT-equipped drones, and SIGINT satellites operated by the NRO. RTRG has provided a tenfold increase in the speed with which intercepts are provided to operators on the ground."

This is already a pretty accurate description, except that it doesn't mention the participation of coalition partners, which governments always handle as something extremely sensitive.

Slide from an NSA presentation showing all the collection systems that fed the RT-RG platform

RT-RG started as a project called RT-10, which was first deployed in Baghdad in 2007. An internal NSA newsletter says that in order to provide a comprehensive real-time view of the telephone and internet communications in Baghdad (with roughly 4 to 5 million residents), the RT-10 system had to be able to ingest each day:
- 100 million telephone metadata records
- 1 million pieces of telephone content
- 100 million internet metadata records

The success of the RT-RG system lay in the fact that these massive amounts of data were stored locally: in 2009, a large RT-RG data center was built at Area 82 of Bagram Airport north of Kabul. It was right next to the Afghanistan Regional Operations Cryptologic Center (A-ROCC), where analysts from the 9-Eyes countries worked side-by-side.

Previously, war-fighters in the field had to retrieve their intelligence from central databases at NSA headquarters. This cost time and bandwidth, but it also meant that only data related to known targets was sent back and stored. By storing the full-take collection in a regional repository, however, all data could be subjected to analytic algorithms in order to find new targets for the so-called Find, Fix, Finish operations.

In 2011, the Afghanistan RT-RG had a database of 27 terabytes, which could only store approximately one month of regional data (90% of the user queries were within a one-week timeframe though). A planned move to NSA's new cloud architecture would increase the storage space to up to 125 TB and would allow larger-scale analytics to be conducted.

Architecture of the Real Time Regional Gateway (RT-RG) in 2012
(source: NSA presentation)


How much GSM metadata the countries of the Afghanistan SIGINT Coalition collected can be seen in charts from the NSA's data visualization tool BOUNDLESSINFORMANT. The available charts show that the following numbers were acquired through the DRTBOX system during a one-month period between December 10, 2012 and January 8, 2013:
- France: 62 million metadata records
- Spain: 60 million metadata records
- Italy: 45 million metadata records
- Sweden: 33 million metadata records
- Norway: 33 million metadata records
- Denmark: 22 million metadata records

(The chart for the Netherlands shows the CERF CALL method through which cellphone metadata from Somalia were collected. DRTBOX is not mentioned, maybe because Dutch troops had already left Afghanistan by August 2010.)

These numbers are very small compared to what NSA and American military units collected. They also, once again, show that "mass surveillance" of entire populations would require the collection of billions of metadata records rather than the millions that showed up in these particular charts (60 million would roughly be the number of metadata records generated by 20,000 handsets).

In the second half of 2013, these charts were published in various major European newspapers saying that they proved that NSA monitored millions of phone calls in those countries. Soon it turned out this interpretation was completely wrong, something which co-author Glenn Greenwald only admitted in The Intercept's article from last May.

BOUNDLESSINFORMANT chart showing metadata collected by French intelligence,
including 62 million records through the DRTBOX system

3rd Party partners

Interestingly, Polish troops in Afghanistan also got one DRT interception device, and there's also a BOUNDLESSINFORMANT chart showing that in one month's time they collected some 71 million cellphone metadata records. But despite this effort, Poland did not become a member of the Afghanistan SIGINT Coalition.

Poland was also not a member of the SIGINT Seniors Europe, so it seems the AFSC was only meant for countries that were already part of the SSEUR. The slide at the top of this blog post shows that, together with several other NATO countries, Poland is listed in red as a "National SIGINT Partner".

Except for Slovenia, these National SIGINT Partners appear to be identical with the so-called 3rd Party partners, which are the (signals) intelligence agencies of over 30 countries with which NSA has a formal relationship. They are one level below the 2nd Party partners, or Five Eyes, who have a fully integrated signals intelligence cooperation.

Quid pro quo

The operations in Afghanistan show how many different levels of cooperation there can be: there were 3rd Party partners who did nothing more or less than ordinary NATO members. Among them, information is only shared up to the classification level SECRET.

Then there was Poland which collected and shared telephone metadata, but did not participate in the CENTER ICE platform through which the countries of the SIGINT Seniors Europe communicated and exchanged threat information at the level TOP SECRET/SI.

The closest cooperation for 3rd Party partners was in the AFSC, where they fed telephone metadata directly into the NSA's RT-RG system. Because cooperation between intelligence agencies is always based upon the principle of quid pro quo, these partners also got things in return, equal to their input.

For the members of the AFSC these returns included real-time data access, unique linguistic resources and joint counter insurgency operations - things that could have been crucial for the success of their operations or the safety of their troops, but which the Five Eyes did not make available to the (initially broader group of the) SIGINT Seniors Europe.


The latest document in which the Afghanistan SIGINT Coalition was mentioned is an NSA paper from April 2013. One month later there was an AFSC conference in Denmark, at which it would be discussed what to do after the ISAF mission was disbanded in December 2014. It's not known whether there was any kind of continuation.

The Real-Time Regional Gateway proved to be so successful that already in 2012, NSA deployed the system at 11 locations around the world, including at its regional center in Texas to combat Mexican drug trafficking, as well as on board the nuclear submarine USS Georgia, which collected mobile phone metadata around the Horn of Africa.


Since 2022, the NSA admits the existence of the AFSC/14-Eyes on its website, which says:

"One of the most successful sets of international partnerships for signals intelligence is the coalition that NSA developed to support U.S. and allied troops in Iraq and Afghanistan. The combined efforts of as many as 14 nations provided signals intelligence support that saved U.S. and allied lives by helping to identify and neutralize extremist threats across the breadth of both battlefields. The senior U.S. commander in Iraq credited signals intelligence with being a prime reason for the significant progress made by U.S. troops in the 2008 surge, directly enabling the removal of almost 4,000 insurgents from the battlefield."

- Bug Brother: La NSA n’avait (donc) pas espionné la France (June 2019)
- The Intercept: Mission creep: How the NSA’s game-changing targeting system built for Iraq and Afghanistan ended up on the Mexican border (May 2019)
- Die Nachrichtendienste und ihre geheimen Klubs: Ein Einblick in die unbekannte Seite der Antiterrorkooperation in Europa (Oct. 2018)
- The Intercept: The powerful global spy alliance you never knew existed (March 2018)
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations (Oct. 2015)

September 12, 2019

A document about the UKUSA partnership with unknown classification compartments

(Updated: September 13, 2019)

A highly sensitive document about the intelligence sharing relationship between the United States and the United Kingdom reveals the existence of three classification compartments that were previously unknown.

The assessment was declassified in September 2018 after a FOIA request by Privacy International and Yale Law School's Media Freedom & Information Access Clinic (MFIA). The document has no date, but must date from sometime before the NSA's internal reorganization in the year 2000.

First page of the assessment of the UKUSA relationship

Classification markings

The classification marking at the top of the document reads:


This rather long and complex marking consists of three separate parts. First there's the actual classification level:

This is the highest level of classified information, which would cause "exceptionally grave damage" to US national security if it were disclosed unauthorized.

Then there are several Sensitive Compartmented Information (SCI) control systems and compartments which further restrict the access to particularly sensitive information:

- VRK11
VRK stands for Very Restricted Knowledge and was a sub-control system to limit access to uniquely sensitive COMINT activities and programs. It contained compartments or categories which had an identifier of one to three alpha numeric characters, so in this case the document contains information from VRK compartment 11.
Shortly before 2004, VRK was succeeded by a new system called Exceptionally Controlled Information (ECI).

- TK
TK stands for TALENT KEYHOLE, which is a combined control system for products of overhead collection systems, such as spy satellites and reconnaissance aircraft.

- AG

- DC

- MC
Unknown. (Update: On Twitter, Bill Robinson said that MC is the abbreviation for MERCURY, a series of satellites for COMINT, SIGINT and ELINT collection, which were operated from Menwith Hill in the UK)

Finally, there's a dissemination marking which adds additional restrictions:

This stands for No Foreign Nationals and is applied to any information that may not be released to any non-US citizen.

The classification of the document is remarkable and interesting in various ways. Not only because it contains VRK11 and TK information - this applies to some other declassified documents - but because it has three additional markings (AG, MC and DC), which seem to show up here for the first time.

These markings clearly look like abbreviations of code words, but that's also a bit strange because in an overall classification line, code words should be written in full. And if we assume that these markings stand for additional control systems or compartments, it's remarkable to see three that were not known before.

Benefits for the US

Although the term UKUSA is often used for the 5-Eyes partnership between the US, the UK, Canada, Australia and New Zealand, this document uses the term in its original sense, being the relationship between the signals intelligence agencies of the United States (NSA) and the United Kingdom (GCHQ).

As this is a highly sensitive issue, the document is almost entirely redacted: 11 out of 14 pages are withheld in full, while large portions of the remaining 3 pages have also been redacted. The remaining portions are still interesting, however, also because they confirm things we learned from the Snowden revelations.

The text starts with saying that the UKUSA relationship is of "inestimable value to NSA and cannot be abandoned". But there are some weaknesses and understanding them would make NSA better able to "make some hard decisions about the future of the relationship." These weaknesses are of course redacted, but the main benefits for NSA are still readable:

- A "unique collection from GCHQ conventional sites, freeing US resources". This seems to be about data collection from undersea fiber-optic cables, which NSA also uses and which therefore means it doesn't have to invest in its own accesses to these kinds of data streams.

- NSA can also use something from the UK "where the US has none", but what exactly this is, is redacted. However, another declassified document says: "The UK has sites at strategic locations for collection that otherwise would be unavailable to the US." Some GCHQ accesses even exist "solely to satisfy NSA tasking".

- The "compatibility and interoperability of US & UK SIGINT systems" which makes it faster and easier to exchange content data, metadata and end products.

- A "strong analytic workforce, with a capability for independent interpretation of events" which saves US resources by division of efforts.

- An "especially competent cryptanalytic workforce". Another declassified document adds: "GCHQ is NSA's only peer in the field of cryptomathematics and virtually all major advances within the field of cryptography have occurred as a result of our mutual sharing."

- The "pooling of resources on key technical projects during austere fiscal periods" - again financial reasons, showing how much NSA is apparently bothered with money issues despite its annual budget of over 10 billion US dollars in 2013.

- And finally, as perhaps the most important benefit, the document says that the UK has "a record of supporting the US as an ally in confronting world problems".

According to another unredacted part of the document, NSA worried about the large numbers of integrees that NSA and GCHQ exchanged, who took on more and more tasks and responsibilities. GCHQ for example wished to place an integree in G2/SA (a unit in the former NSA division responsible for non-communist countries), but this was rejected "as it would give GCHQ insight into certain sensitive operations we do not share."

Another unredacted part makes clear that the Americans were also concerned about the increasing number of electronic communications interfaces between NSA and GCHQ, which had been established "based on a myriad of decisions at various levels within NSA". The question was asked: "Should there be a common NSA position on the number and kind of electronic interfaces between NSA and GCHQ? Should the number be driven by NSA design or by GCHQ needs?"

The UKUSA partnership

The same FOIA request by Privacy International and MFIA also resulted in the declassification of a larger batch of documents related to the US-UK relationship, including ones that date back to the early 1950s and recall the origins of this unique intelligence partnership.

It began with the UKUSA Agreement, which was signed on March 5, 1946 by Col. Patrick Marr-Johnson, British Army General Staff, for and in behalf of the London Signal Intelligence Board (LSIB), and by Lt. Gen. Hoyt S. Vandenberg, GSC, Senior Member, for and in behalf of the State-Army-Navy Communications Board (STANCIB).

Canada had hoped to be a third signatory of the UKUSA Agreement but that didn't happen. Eventually a separate CANUSA agreement between Canada and the United States was "presumably signed in 1949" after the British LSIB saw no objection.

After a first tripartite conference was held with the Australian Defence Signals Branch (DSB) in September 1953, Appendix J (about the "collaboration with commonwealth countries other than the U.K.") and Annexure J1 of the UKUSA Agreement were revised and these were signed by New Zealand in January 1956 and by Australia in May 1956.

The relationship between these five partner agencies continued to be governed by the original UKUSA agreement from 1946, supplemented by a range of appendices and an array of Memoranda of Understanding (MoU) and Divisions of Effort (DoE). However, NSA was apparently not able to locate, let alone produce, most of these additional documents.

The various kinds of data and intelligence that NSA and GCHQ exchange under the UKUSA partnership are listed in yet another declassified document:

Exchange of intelligence between NSA and GCHQ

In November 1993, the NSA's Deputy Director of Operations (DDO) initiated a review of the UKUSA Exchange Agreement "to include a list of what is not currently exchanged with the British, what we should not exchange in the future, and new things that should be exchanged in the future".

Finally, a document from the Snowden trove says that in the same year, the original bilateral relationships between the US and the individual Second Party countries were turned into a "group (5-EYES) partnership" which in 1998 got a coordinating body called the Joint Executive for SIGINT Operability (JESI).

- Lawfare: Newly Disclosed NSA Documents Shed Further Light on Five Eyes Alliance (March 2019)
- Privacy International: Privacy International v. NSA et al. (US 5EY FOIA)
