January 5, 2023

About the legality of the NSA's testing and SIGINT Development projects

(Updated: January 11, 2023)

On November 1, 2022, Bloomberg published a remarkable story about an NSA analyst who in 2013 developed and tested a new collection method that resulted in the unauthorized collection of American telephone data.

Here I will provide some additional details about what that method could have been about and will also look at whether these so-called SIGINT Development (SIGDEV) projects are actually legal under American law.





A controversial project

The Bloomberg report is based upon internal NSA documents requested by FOIA-expert Jason Leopold, who had to wait six years before their release. The set of documents contains the report by the NSA's Inspector General from 2016 and more than 330 pages of appendices, which include a lot of internal e-mails about the case. However, most parts of the documents have been redacted.

From what is readable it becomes clear that in March 2013 two whistleblowers, one of them a (female) global network analyst, discovered that another analyst in the NSA's Signals Intelligence Directorate (SID) was working on an unnamed project that apparently violated internal regulations and possibly the law.

The whistleblowers informed internal compliance officials, but during a meeting of senior officials it was concluded that the project of the other analyst was acceptable because as "technical development or protocol development" it was covered by the internal regulation about Signals Intelligence Development (USSID SD4000, see below).

The global network analyst, however, wasn't satisfied and contacted the NSA's Inspector General (IG) on May 7, 2013, which was exactly one month before the first story based upon the Snowden documents came out. The female analyst, in the IG report referred to as "the Source", accused her colleague of running a project which targeted a large volume of US persons' phone numbers without proper authorization and without the necessary foreign intelligence purpose.


NSA headquarters with the OPS-1 building, where large parts
of the Signals Intelligence Directorate (SID) are located


A more senior NSA official told the IG that the accused analyst claimed that "the foreign intelligence purpose behind his project is to make the collection system healthier, the analytic process richer and the system more efficient". According to a subject matter expert, the analyst probably "saw his project as an easy way to accomplish his targeting and collection" and he decided to "work on his project until someone told him he should stop".

His division chief, however, claimed that he told the analyst to stop his activities because he intentionally targeted US persons. Another chief told the IG that personnel in that particular branch "do not receive guidance from upper management on how to perform their mission because no one understands it" and in one of the e-mails it's said that this case is "extremely complex and would take an encyclopedia to explain fully".


Inspector General George Ellard eventually spent 3 years investigating the case and completed his report on February 12, 2016. It substantiated all of the allegations that the source had brought forward: the project had "resulted in, or were at least reasonably likely to result in, the unauthorized collection of communications to or from USPs or persons in the United States, or both."

The IG also found that even if the analyst had been truly unaware that he had tasked and collected US person's data, he "acted with reckless disregard of the regulations, policies, and procedures that govern the use of the SIGINT system". Finally, the IG addressed a lack of oversight, as senior officials didn't fully understand what was happening under their responsibility.


According to the Bloomberg report it's unknown if the analyst was ever held accountable. However, according to a list of his annual training courses in the IG report, the analyst took his first course in November 2010 and his last one in May 2014, which may indicate that he started his job at the NSA somewhere in 2010 and left in 2014.



Filtering telephone communications

Besides the case as described above, the Inspector General's report and the appendices released by the NSA contain some additional details that are worth mentioning.

Appendix A.3 contains a list of definitions, almost all of which have been redacted. There's one entry, however, that could provide a clue to the analyst's controversial project: under the letter L there's the name of a particular NSA collection software.

Checking my extensive list of NSA Nicknames and Codewords shows that there's only one known collection program starting with L that fits the redacted space in the definitions list: LOPERS.


(text in red added by the author)


LOPERS is NSA's main system to process telephone data that are collected from the core networks of telephone companies. This fits with the fact that the analyst's project resulted in collecting (American) telephone numbers. More information about LOPERS is found in an earlier internal dictionary from the Snowden trove:




According to this description, "LOPERS decodes the telephone numbers present in the call signaling and forwards the numbers to KEYCARD for normalization and validation. Calls including targeted selectors are captured and saved to an output directory". This means LOPERS filters out phone numbers and subsequently the content of phone calls to and from the phone numbers which are on the NSA's target list.

Given that LOPERS was apparently involved in the case of the unauthorized collection, we can imagine that the analyst could have been trying to improve the algorithms of its filter system. Another indication for this is that the table of abbreviations of the IG report contains the following entry: "% is a wildcard for an undefined character length".

So if the analyst developed a highly complex way of filtering telephone data, that carries the risk of pulling in the wrong data, in this case phone numbers of US persons.
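As an added illustration (not code from the IG report or from any NSA system), the following Python example shows how a selector containing the `%` wildcard can match numbers under country code 1 alongside the intended foreign ones, and how a pre-tasking check could hold such selectors for review. The SQL LIKE-style reading of `%`, the function names and the sample numbers are assumptions made for this example; country code 1 is treated conservatively as "possibly US", although it also covers Canada and several Caribbean countries.

```python
from functools import lru_cache

NANP_LEN = 11  # country code "1" + 10 national digits (E.164 without "+")

def normalize(raw):
    """Keep digits and '%' only: '+1 (202) 555-0100' -> '12025550100'."""
    return "".join(ch for ch in raw if ch.isdigit() or ch == "%")

def matches(selector, number):
    """Assumed LIKE-style match: '%' is any run of zero or more digits."""
    pat, num = normalize(selector), normalize(number)

    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(pat):
            return j == len(num)
        if pat[i] == "%":
            return go(i + 1, j) or (j < len(num) and go(i, j + 1))
        return j < len(num) and pat[i] == num[j] and go(i + 1, j + 1)

    return go(0, 0)

def can_reach_nanp(selector):
    """True if SOME 11-digit number starting with '1' would match."""
    pat = normalize(selector)

    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(pat):
            return j == NANP_LEN
        if pat[i] == "%":
            return go(i + 1, j) or (j < NANP_LEN and go(i, j + 1))
        # A literal digit: position 0 of a +1 number can only be '1'.
        ok = j < NANP_LEN and (j > 0 or pat[i] == "1")
        return ok and go(i + 1, j + 1)

    return go(0, 0)

def review(selectors):
    """Split selectors into (cleared, held for legal review)."""
    held = [s for s in selectors if can_reach_nanp(s)]
    return [s for s in selectors if s not in held], held

# Constructed sample selectors (555-01xx is a fictional number range).
SELECTORS = ["+92 51 %", "%5550100", "92%0100", "+1 202 555 01%", "44%"]

if __name__ == "__main__":
    cleared, held = review(SELECTORS)
    print("cleared:", cleared)
    print("held:   ", held)
```

The selector `%5550100` is the instructive case: it matches the constructed Pakistani number `+92 51 5550100` as intended, but equally `+1 (202) 555-0100`, because a leading wildcard places no constraint on the country code.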


The second word that has been redacted in the dictionary entry for LOPERS is more difficult to unmask as the system has multiple functions and purposes. The most likely options, like 'telephone', 'DNR phone' or 'main PSTN', don't fit the redacted space. What fits best is 'IP telephony', but that would only refer to one part of LOPERS' functionality:


(text in red added by the author)


The term 'IP telephony' could make sense though when the analyst's project was actually about finding or improving ways to intercept IP telephony, which requires different methods than those used for traditional Public Switched Telephone Networks (PSTN). As early as 2004, the NSA was afraid of the complications caused by Voice-over-IP (VoIP) providers offering Pick-Your-Own-Number services.

With the increase of VoIP telephony, the telecommunication networks moved beyond PSTN and so did the NSA's collection efforts: in January 2011, AT&T began to provide "Carrier Grade Corporate VoIP" under the FAIRVIEW program, which encompasses AT&T's cooperation in collecting foreign intelligence inside the US.


This "new capability rests on a large and complex system which collects, processes, authorizes, and selects calls using both SIP and H.323 VOIP protocol technology from 26 separate IP backbone router nodes [...] A large component of this eligible traffic is to/from high interest areas such as Pakistan".

In dataflow diagrams like the one below from 2012, we see that LOPERS was one of the components of this new VoIP collection under the FAIRVIEW program:


Dataflow diagram for VoIP collection under FISA authority in cooperation with AT&T


These details about FAIRVIEW show that the NSA began to use LOPERS for collecting VoIP telephony as well. The analyst's controversial project, however, was conducted under the authority of Executive Order 12333, which means it took place outside the United States, instead of inside as under FAIRVIEW.



Other examples of SIGINT Development

The project the NSA's Inspector General investigated from 2013 to 2016 fell under so-called Signals Intelligence (SIGINT) Development (SIGDEV), which is the term for activities to develop, improve and refine new collection methods.

The Snowden revelations included a range of documents about SIGDEV projects, which was sometimes confusing because it wasn't always clear whether such projects actually moved beyond their experimental status or not. We also learned that the signals intelligence agencies of the Five Eyes organize a large annual SIGDEV Conference (SDC) to share their most promising discovery efforts.

An early example of a controversial SIGDEV project from the Snowden trove is a presentation from the NSA's Canadian counterpart CSEC which describes a "Tradecraft Development" project aimed at identifying IP networks. The presentation was published by the Canadian television channel CBC in January 2014.

Some people assessed that this was a proof-of-concept using an existing database of user IDs found on wifi networks, but the reporter who revealed this presentation insisted that the project used real-world data collected from the wifi system of a Canadian airport. In that case, the experiment would have been illegal, as CSEC isn't allowed to operate domestically.

Probably the biggest known testing program from the NSA is BASECOAT, which provided access to the core network of a cell phone provider in the Bahamas, an island country with some 350,000 inhabitants. BASECOAT was part of the SOMALGET program which collected and processed the content of all the phone calls from a particular network.

In the Bahamas, this capability was used as a "test bed for system deployments, capabilities, and improvements", most likely to improve its operation in Afghanistan, where SOMALGET was also deployed. Together with programs that collected telephone metadata from three other countries, SOMALGET was part of the umbrella program MYSTIC.


The various components of the MYSTIC program;
"country X" later turned out to be Afghanistan
(image: The Intercept)



The legal framework for SIGINT Development

One of the most striking and controversial aspects of these SIGINT Development projects is that they are conducted on real-world data from actual collection systems, instead of on dummy data sets or data that have already been lawfully collected earlier on. So is this legal under American law?

In Executive Order 12333 from December 4, 1981, which is the basic legal authority for American foreign intelligence collection, the NSA is given the responsibility to "Conduct of research and development to meet the needs of the United States for signals intelligence and communications security".

This was further detailed in United States Signals Intelligence Directive (USSID) SD4000, Signals Intelligence Development, from April 6, 2011, which was superseded by SID Implementing Directive, Annex F Governance of the Signals Intelligence Mission, from February 25, 2013.

These internal policy documents haven't been published, but from the Inspector General's report from 2016 we learn that USSID SD4000 said that SIGDEV activities:
- are governed by the NSA's SIGDEV Strategy and Governance (SSG) division
- have to comply with other regulations, like EO 12333 and USSID SP0018
- must allow auditing of queries

USSID SP0018 is about legal compliance and has an Annex D about the testing of "electronic equipment that has the capability to intercept communications". Such testing includes "development, calibration, and evaluation of such equipment".

The wording of this regulation seems to date from the time when signals intelligence was about intercepting wireless communications, but it can easily be applied to SIGDEV activities for cable tapping purposes.

According to USSID SP0018 Annex D, such testing (and development etc.) is allowed under the condition that to the maximum extent practical, the following signals should be used:
1. Laboratory-generated signals;
2. Communications transmitted between terminals located outside the US, not used by any known US person;
3. Official government communications with the consent of that agency;
4. Public broadcast signals;
5. Other communications in which there is no reasonable expectation of privacy.

Where it is not practical to test equipment according to the aforementioned provisions, testing is also allowed using signals that may contain US person communications, but only under the following conditions:
1. The proposed test is coordinated with the NSA's General Counsel;
2. The test is limited in scope and duration;
3. No particular person is targeted without consent;
4. The test does not exceed 90 days.

When the testing results in the collection of communications of US persons, these communications shall be:
a. Retained and used only for the purpose of determining the capability of the electronic equipment;
b. Disclosed only to persons conducting or evaluating the test, and
c. Destroyed before or immediately upon completion of the testing.

Annex D of USSID SP0018 concludes by saying that "The technical parameters of a communications, such as frequency, modulation, and time of activity of acquired electronic signals, may be retained and used for test reporting or collection-avoidance purposes. Such parameters may be disseminated to other DoD intelligence components and other entities authorized to conduct electronic surveillance."



Conclusion

Given the rules laid out in Annex D of USSID SP0018 it can be perfectly legal for the NSA to conduct SIGINT Development activities on real-world data if, under the aforementioned conditions, there are no alternatives that allow an equally adequate testing of new systems and methods.

If the controversial SIGDEV project which the NSA's Inspector General investigated from 2013 to 2016 was indeed about improving filtering and selection methods, that would explain why the analyst used it on a live collection system: only then could it become clear whether the new method was able to sort foreign data from those related to US persons.

The Inspector General, however, concluded that the analyst failed to comply with the regulations for SIGDEV projects, especially because USSID SD4000 requires that such projects comply with EO 12333 and USSID SP0018, which prohibit the intentional targeting of US persons, except when it's approved by the FISA Court, the Attorney General or the Director of NSA.

As the analyst hadn't obtained such approval and it appeared that his method resulted in the intentional targeting and subsequent collection of US person telephone communications, he had violated all applicable regulations.




Links and Sources
- Schneier on Security: NSA Over-surveillance (Nov. 11, 2022)
- Bloomberg: NSA Watchdog Concluded One Analyst’s Surveillance Project Went Too Far (Nov. 1, 2022 - without paywall)
