
December 31, 2017

Section 702 FAA expires: what are the problems with PRISM and Upstream?

(UPDATED: January 27, 2025)

Two important NSA programs, PRISM and Upstream, are based upon section 702 of the FISA Amendments Act (FAA), a law that was originally scheduled to expire today. Now the US Congress has to decide whether to continue or to reform this crucial legal authority.

Although PRISM became almost synonymous with NSA's alleged mass surveillance, it is actually, just like the Upstream program, targeted collection aimed at specific foreign targets. Still, many people think that these programs pull in far too much data (incidental collection) that is subsequently queried in an illegal way (backdoor searches).

Here we'll show some of the complexities of these two collection programs and that there are various internal procedures and methods in order to keep collection and analysis as focussed as possible.



Slide from the PRISM presentation that for the first time revealed PRISM
and Upstream as part of section 702 FAA collection.


Until recently, US lawmakers were too involved with president Trump's tax reform to devote enough attention to section 702 FAA. Therefore, on December 21, Congress extended the authority of this law through January 19, 2018. Lawyers from the Trump administration even concluded that the intelligence agencies can lawfully continue to operate under the FAA through late April (because the current FISA Court certification for the program actually expires late April 2018).

This leaves Congress some extra months to either reform or strengthen this important authority. There are several proposals, spanning from making the existing law permanent without changes, to imposing significant new limits to safeguard the privacy rights of Americans.

Meanwhile, the Office of the Director of National Intelligence (ODNI) released additional information about data collection under section 702 FAA, and published for example a Section 702 Overview, which includes some nice infographics:



Diagram from ODNI about section 702 FAA collection.


702 FAA collection

The Snowden revelations have shown that under the legal authority of section 702 FAA, NSA conducts two types of data collection:

- Upstream collection, for both internet and telephone communications, which are filtered out based upon specific selectors at major telephone and internet backbone switches. This takes place under the collection programs FAIRVIEW and STORMBREW.

- Downstream collection, only for internet (including internet telephony) communications, in which the data matching specific selectors are acquired from at least 9 major American internet companies. This takes place under the collection program PRISM.

The Upstream and Downstream programs differ from each other in many ways, but what they have in common is that collection takes place inside the United States while being aimed at foreign targets, although only one end of their communications has to be foreign. This means these programs also pull in communications between targeted foreigners and Americans - which is one of the main purposes of these programs: finding connections between terrorists inside and outside the US.



Slide showing the main differences between PRISM and Upstream
Published on October 22, 2013.


Upstream filtering

Although Upstream collection is based upon specific selectors, the American Civil Liberties Union (ACLU) presents it as "bulk surveillance", because in their opinion the automated filtering actually means that NSA is "searching the contents of essentially everyone's communications." Therefore they call these searches extraordinarily far-reaching, unprecedented and unlawful.

The Electronic Frontier Foundation (EFF) has a similar position and says that splitting internet cables is "unconstitutional seizure", while the subsequent search for selectors is an "unconstitutional search."

These judgements seem to be based upon comparing digital filtering with intercepting letters or telegrams (as happened under project SHAMROCK from 1945-1975), but this ignores the differences with computer technology: NSA does copy entire data streams, but at virtually the same moment the filter system picks out the communications associated with the selectors, the other data are gone.

Searching through data packets of innocent people means at the same time destroying them - except when they contain one of the selectors which NSA is interested in.



Diagram from the EFF about Upstream collection.


Storage and classification

Under section 702 FAA, only data that are associated with a specific selector are stored. For Upstream collection, this means only the communications that remain after the filtering process. These are processed (decoded, formatted, etc.) and stored in NSA databases for a maximum of only 2 years.

Downstream collection under the PRISM program results in all the data associated with specific selectors that the big internet companies hand over to the FBI, which then forwards them to NSA. These are also processed and then stored for a maximum of 5 years.
 
Data from FAA collection are usually stored in separate database partitions and are protected by the Exceptionally Controlled Information (ECI) compartment RAGTIME (RGT). Only analysts who are cleared for RAGTIME, have the specific need-to-know and are authorized by the data owner have access to these data.

Already a few months before the start of the Snowden revelations, a book revealed that RAGTIME has 4 components:
- RAGTIME-A: foreign-to-foreign counterterrorism (CT) data
- RAGTIME-B: data from foreign governments (FG) transiting the US
- RAGTIME-C: data related to counterproliferation (CP) activities
- RAGTIME-P: domestic bulk collection of internet metadata*
Note that the first three components correspond to the first three FISA Court certifications that authorize section 702 FAA collection.

Last November, ZDNet reported on a leaked NSA document that lists a total of 11 components of RAGTIME. Besides the 4 known ones, the document also mentions RAGTIME-BQ, F, N, PQ, S, T and USP, but so far we don't know what kind of data they protect.



On August 26, 2013, Der Spiegel published the so far only document from the RAGTIME (RGT)
compartment: the floorplan of the EU mission to the United Nations in New York.
Note the PINWALE ID (PWID): PWZA20120551215230001427125
 


Incidental collection

As almost every NSA target will communicate with at least some individuals who are not involved in terrorism or other threats to national security, it's inevitable that even targeted interception will result in storing communications of innocent (American) people too - NSA calls this "incidental collection".

The share of this incidental collection as part of the overall collection is not known: in early 2017, NSA agreed to provide some information about how many American citizens may be impacted, but later, Director of National Intelligence (DNI) Dan Coats said that it "remains infeasible" for the government to cite a meaningful number.


Actual intercepts

Edward Snowden was also eager to draw public attention to this issue, and he took his last job for Booz Allen at NSA Hawaii specifically to get access to raw data collected under section 702 FAA. In his view, the PRISM and Upstream programs "crossed the line of proportionality."

He succeeded in his effort and was able to exfiltrate a cache of ca. 22.000 collection reports, containing 160.000 individual conversations (75% of which instant messages), which were intercepted by NSA between 2009 and 2012 - a much more substantive leak than the usual internal powerpoint and sharepoint stuff.

Snowden handed them over to The Washington Post, which reported on this cache on July 5, 2014. After a cumbersome investigation, it found that the intercepted communications contained valuable foreign intelligence information, but also that over 9 out of 10 account holders were not the intended surveillance targets and that nearly half of the files contained US person identifiers.



Breakdown of the intercepted messages collected under 702 FAA authority
that were reviewed by The Washington Post.


Targeted interception

The numbers from The Post do sound like massive overcollection, but we should keep in mind that this still is targeted collection, something that privacy advocates always prefer over bulk collection.

NSA's Upstream program will likely result in just as many communications of innocent people as a police tap on phone numbers and IP addresses under a warrant, although NSA targets may be more careful in conducting private telecommunications than ordinary criminals.

From the dataset examined by The Washington Post, it becomes clear that innocent people can be affected in two ways: first, when they communicate directly with (or about) a foreign target, and second, by "joining a chat room, regardless of subject, or using an online service hosted on a server that a target used for something else entirely."

This shows that even with targeted interception, the technical configuration of certain internet platforms apparently makes it quite difficult, or even impossible, to isolate the conversations in which a target is personally involved.

As the dataset that Snowden exfiltrated was derived from both Upstream and PRISM collection, it's hard to say which of these programs is more intrusive. Upstream became a less useful source once the most common communication services were encrypted, while PRISM may also not be as productive as before, after it was exposed by the press.




Dataflow diagram for Upstream collection under the FAIRVIEW program.
Published on November 16, 2016.
(More FAIRVIEW dataflow diagrams)
 

Backdoor searches

On August 9, 2013, The Guardian disclosed the so-called "backdoor searches". This is a method used by NSA analysts that was approved by the FISA Court in October 2011, so these searches are not illegal, as the term "backdoor" suggests.

Apparently these backdoor searches were introduced as a replacement for the bulk collection of domestic internet metadata under the PR/TT program, which NSA terminated by the end of 2011.

These backdoor searches are not about collecting new data by tapping telephone and internet cables or acquiring data from internet companies, but about conducting searches in data that have already been collected.

While in general, NSA is only allowed to collect new data when they are related to foreign targets, these backdoor searches may also involve identifiers (like names, e-mail addresses and phone numbers) of US citizens, hence they are now officially called "U.S. person queries".

Initially, these searches were only allowed for data from PRISM, because Upstream not only collected communications "to" and "from", but also "about" targets, which made it more sensitive than PRISM collection (Upstream appeared to pull in tens of thousands of purely domestic e-mails each year).

In April 2017, NSA halted this "about" collection, after which the FISA Court allowed NSA to also conduct US person queries on data collected through the Upstream program - something that had already happened since at least mid-2013.


Risks and safeguards

NSA analysts retrieving communications of Americans is of course reminiscent of the notorious project MINARET (1967-1973), under which NSA targeted 1.650 US citizens, including civil rights leaders, journalists and even two senators.

After Glenn Greenwald tried but failed to prove that NSA is still monitoring American citizens in that way, it's now these backdoor searches which are considered the biggest privacy violations under section 702 FAA - the ACLU says that they allow "spying on U.S. residents without a warrant."

Even former NSA director Michael Hayden was aware of the privacy risks of these queries, but the PCLOB report about section 702 explains that NSA has procedures and requirements to limit these US person queries, although they are different for content and for metadata:

- Queries of content are only permitted for US person identifiers that have been pre-approved (i.e. added to a white list) through one of several processes, including other FISA processes. Such approvals are for example granted for US persons for whom there are already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA's Office of General Counsel after showing that using a certain US person identifier would "reasonably likely return foreign intelligence information."

- Queries of metadata may only be conducted in a system that requires analysts to document the basis for their metadata query (a Foreign Intelligence (FI) justification) prior to conducting the query. An oversight report adds that "analysts are not required to check any specific database or seek any internal approvals prior to executing a query against [702 FAA] metadata."

Relevant queries

In general, NSA analysts are required to create queries that are as focussed as possible so they return information that is most useful and relevant for their foreign intelligence mission. According to the PCLOB report, analysts receive "training regarding how to use multiple query terms or other query discriminators (like a date range) to limit the information that is returned in response to their queries of the unminimized data."

In the Section 702 Overview that was published by ODNI on December 20, it is explained that US person queries on metadata are useful as they are often the fastest and most efficient way to check whether and how a certain US person (either suspect or victim) is connected to foreign actors. The overview also provides some remarkably concrete examples:
- Using the name of a US person hostage to cull through communications of the terrorist network that kidnapped her to pinpoint her location and condition;
- Using the e-mail address of a US victim of a cyber-attack to quickly identify the scope of malicious cyber activities and to warn the U.S. person of the actual or pending intrusion;
- Using the name of a government employee that has been approached by foreign spies to detect foreign espionage networks and identify other potential victims;
- Using the name of a government official who will be traveling to identify any threats to the official by terrorists or other foreign adversaries.



Dataflow diagram for Downstream collection under the PRISM program.
Published on June 29, 2013.


Numbers of queries

While NSA and the Office of the Director of National Intelligence (ODNI) were apparently not able to provide numbers about the "incidental collection" under section 702 FAA, they do better when it comes to numbers about the backdoor searches.

In a letter to senator Wyden, then DNI Clapper wrote that in 2013, NSA approved 198 US person identifiers for querying the content, and that there had been ca. 9.500 queries on metadata from data collected under the PRISM program, but of the latter ca. 36% were duplicative or recurring queries.

ODNI's annual transparency report also provides numbers of US person queries. In 2016, there were 5.288 content queries, but this also includes CIA queries and NSA searches of content from Upstream collection, something that was actually unauthorized until April 2017 (see above), but which the agency is now trying to make visible.

The number of US person queries on metadata rose even more steeply, from 9.500 in 2013 to 30.355 in 2016. The total presented in the ODNI report is supposed to apply to NSA, CIA and FBI, but actually it only shows the number for NSA, as the CIA isn't yet able to count such queries and the FBI isn't required to do so (see below).

It should be noted that for content, it's the particular identifier that is counted, not the number of times such an identifier is actually used to query the databases. For metadata this is different, as the agencies count each time a certain identifier is queried, which of course results in far higher numbers.
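To make the two query rules from the PCLOB report and the counting convention above concrete, here is a small added model (not code from the post, NSA, ODNI or PCLOB): a query gate that enforces the pre-approval list for content queries and a mandatory FI justification for metadata queries, records every attempt in an audit log, and then counts the way the transparency report does, distinct identifiers for content versus query events for metadata. All analyst names, identifiers and justifications are constructed for illustration.

```python
"""Toy model of US person query rules and the ODNI counting convention.
Added illustration; not NSA, ODNI or PCLOB code. All names and identifiers
below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CONTENT = "content"
METADATA = "metadata"


@dataclass
class QueryGate:
    # Identifiers pre-approved for content queries (the "white list" in the post).
    approved_usp_identifiers: Set[str] = field(default_factory=set)
    # Every attempt, allowed or not, is recorded so oversight can review it.
    audit_log: List[Dict] = field(default_factory=list)

    def submit(self, analyst: str, query_type: str, identifier: str,
               is_us_person: bool, justification: str = "") -> bool:
        """Decide one query under the rule for its type and record the decision."""
        if query_type not in (CONTENT, METADATA):
            raise ValueError(f"unknown query type {query_type!r}")
        if not is_us_person:
            allowed, reason = True, "not a US person identifier"
        elif query_type == CONTENT:
            # Content: the identifier itself must already be on the approved list.
            allowed = identifier in self.approved_usp_identifiers
            reason = "pre-approved identifier" if allowed else "identifier not pre-approved"
        else:
            # Metadata: no prior approval, but a written FI justification is mandatory.
            allowed = bool(justification.strip())
            reason = "FI justification recorded" if allowed else "missing FI justification"
        self.audit_log.append({
            "analyst": analyst, "type": query_type, "identifier": identifier,
            "is_us_person": is_us_person, "justification": justification,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def transparency_counts(self) -> Dict[str, int]:
        """Count executed US person queries as the post describes ODNI doing it:
        distinct identifiers for content, individual query events for metadata."""
        run = [e for e in self.audit_log if e["allowed"] and e["is_us_person"]]
        content_ids = {e["identifier"] for e in run if e["type"] == CONTENT}
        metadata_events = [e for e in run if e["type"] == METADATA]
        return {"content_identifiers": len(content_ids),
                "metadata_queries": len(metadata_events)}


def demo() -> QueryGate:
    """Constructed scenario: one approved identifier, a mix of allowed and denied queries."""
    gate = QueryGate(approved_usp_identifiers={"usp-0001@example.invalid"})
    # Same approved identifier queried three times: counts once for content.
    for _ in range(3):
        gate.submit("analyst-a", CONTENT, "usp-0001@example.invalid", True)
    # Not on the list: denied and therefore not counted.
    gate.submit("analyst-a", CONTENT, "usp-0002@example.invalid", True)
    # Metadata with a justification, run twice: counts twice.
    for _ in range(2):
        gate.submit("analyst-b", METADATA, "+1-555-0100", True,
                    justification="FI: possible contact of a tasked foreign selector")
    # Metadata without a justification: denied.
    gate.submit("analyst-b", METADATA, "+1-555-0101", True)
    # Foreign identifier: outside the US person rules entirely.
    gate.submit("analyst-c", CONTENT, "foreign-selector-42", False)
    return gate


if __name__ == "__main__":
    g = demo()
    for entry in g.audit_log:
        print(entry["analyst"], entry["type"], entry["identifier"],
              entry["allowed"], entry["reason"])
    print(g.transparency_counts())  # {'content_identifiers': 1, 'metadata_queries': 2}
```

The point of the scenario is the last line: three content queries on one approved identifier show up as a single counted identifier, while two metadata queries show up as two, which is why the metadata figures in the charts above are so much larger than the content figures.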



Numbers of US person queries on metadata, 2013-2016.


FBI searches

Besides NSA and CIA, the FBI is also allowed to conduct backdoor or US person searches on data that NSA collected under the PRISM program - something that is considered even more problematic, given the risk of parallel construction. The FBI doesn't need individual warrants for these searches either, but its agents should "design their queries in such a way that they will return evidence of a crime."

The FBI stores data from 702 FAA collection in the same repositories as data from its own traditional FISA monitoring and physical searches. This means that these data are searched and queried many times for other than national security purposes too, but the section 702 data can only be viewed by agents or analysts with the proper training and access rights.

Given the fact that the initial collection under section 702 FAA is aimed at foreign targets, it is "extremely unlikely" that this collection contains data that are of interest to FBI agents who are investigating criminal cases. Even though, inevitably, a relatively large amount of unrelated American communications is pulled in, the chance that they are useful for a particular criminal case is very small.

Besides that, by far most FBI searches on section 702 data are for national security investigations, which means foreign espionage, terrorism and Weapons of Mass Destruction (WMD). It's not clear whether FBI has similar restrictions for content queries as NSA.


UPDATES:

On January 11, 2018, the House of Representatives voted to extend section 702 FAA for another six years, which is until the end of 2023.
This means that the US Person or backdoor searches can continue without individualized warrants, except for a "narrow warrant requirement that applies only for searches in some later-stage criminal investigations, a circumstance which the FBI itself has said almost never happens."
The renewal of section 702 also allows the restart of the "about" collection under the Upstream program, which was ended by NSA in April 2017, after being criticized by the FISA Court.

The bill went to the Senate, which voted to invoke so-called cloture on January 16. This means there will be no further debate or amendments - a disappointing end for liberal Democrats and libertarian Republicans who tried to limit the scope of intelligence collection under section 702.
By a vote of 65-34, the Senate passed the bill to renew section 702 FAA on January 18, 2018. The next day, president Trump signed the bill into law.


On December 18, 2019, the Second Circuit Court of Appeals in New York ruled that "incidental collection" of the communications of Americans is reasonable and therefore doesn't require a warrant.


On April 12, 2024 the House of Representatives passed a bill to renew section 702 FAA, but only for two instead of the usual five years. The bill sharply reduces the number of FBI personnel who can conduct US person queries, creates criminal penalties for abuse, bars the FBI from querying the database solely for evidence of a crime rather than a national-security purpose, mandates more auditing of the program and codifies other changes already adopted by the FBI. Also passed was an amendment to codify a prohibition of "about collection", which the NSA had already halted in 2017. An amendment that would have required a warrant before querying US person communications failed in a dramatic tie vote.

On April 20, the renewal of section 702 FAA was approved in the Senate by a 60-34 vote, which was just 15 minutes before the existing law expired. Later that day president Biden signed the bill into law.


On January 21, 2025, a federal district court held that a warrant is required for queries using American identifiers on data that have already been collected under section 702 FAA authority, the so-called backdoor searches. This ruling came in a criminal case, United States v. Hasbajrami, after more than a decade of litigation, and over four years after the Second Circuit Court of Appeals found that database queries constitute "separate Fourth Amendment events" and directed the district court to determine whether a warrant was required.



Links and sources
- Bruce Schneier: After Section 702 Reauthorization (2018)
- Politico: Five years after Snowden, security hawks notch landmark win (2018)
- Lawfare: FISA Section 702 Reauthorization Resource Page
- Wired.com: Congress is Debating Warrantless Surveillance in the Dark
- New York Times: Warrantless Surveillance Can Continue Even if Law Expires, Officials Say (2017)
- New America: A History of FISA Section 702 Compliance Violations (2017)
- Emptywheel.net: The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion (2017)
- The Washington Post: In NSA-intercepted data, those not targeted far outnumber the foreigners who are + The Debrief - An occasional series offering a reporter’s insights
- B. Hanssen: Why the NSA’s Incidental Collection under Its Section 702 Upstream Internet Program May Well Be Bulk Collection, Even If The Program Engages In Targeted Surveillance
- NSA Director of Civil Liberties and Privacy Office Report: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702
- Privacy and Civil Liberties Oversight Board: Surveillance Program Operated Pursuant to Section 702 FISA

December 8, 2016

Wikileaks publishes classified documents from inside German NSA inquiry commission

(UPDATED: May 15, 2017)

On December 1, Wikileaks published 90 gigabytes of classified documents from the German parliamentary commission that investigates NSA spying and the cooperation between NSA and the German foreign intelligence service BND. The documents include 125 files from BND, 33 from the security service BfV and 72 from the information security agency BSI.

It should be noted though that all documents are from the lowest classification level and lots of them are just formal letters, copies of press reports and duplications within e-mail threads. Nonetheless, the files also provide interesting new details, for example about the German classification system, BND's internal structure, the way they handled the Snowden revelations and the use of XKEYSCORE.



These topics will be updated or topics will be added when new information is found in the documents published by Wikileaks



The German parliamentary investigation commission just before a hearing
(photo: DPA)
 

About

Some background information was provided in an article from the newspaper Die Zeit, which says that only documents with the lowest classification level (VS NfD or RESTRICTED) are scanned and made available to the investigation commission on a government server. They are also available at the federal Chancellery.

Documents with a higher classification level are not digitized and have to be read in a secure room (German: Geheimschutzstelle) in the parliament building. Most of the documents classified Top Secret can only be viewed at the Chancellery or the new Berlin headquarters of BND.



Classified documents provided to the investigation commission
(still from the ARD documentary Schattenwelt BND)


Regarding the source of this leak, IT experts of the German parliament said that they found no indications of a hack. Der Spiegel suggests that the source might be a member of the parliamentary commission for foreign affairs or for the affairs of the European Union, because one document published by Wikileaks (meanwhile removed) was only available to members of those two commissions.

Update:

On December 11, 2016, German press reported that according to a high-level security officer, there's a high plausibility that the commission documents published by Wikileaks were stolen during a large hacking attack on the German parliament's internal network late 2014/early 2015.
This attack was discovered in May 2015 and showed patterns similar to APT28 a.k.a. Operation Pawn Storm, the Sofacy Group, or Fancy Bear - a hacker collective which is probably sponsored by the Russian government. The timeframe of this hacking attack could explain why Wikileaks has no commission documents dated after January 2015.

It seems also possible that the secret documents about the joint NSA-BND operation Eikonal, which were published last year by the Austrian member of parliament Peter Pilz, came from this cyber attack on the German parliament servers.

Wikileaks hasn't redacted anything. Almost everything that is redacted is in blue, which is apparently the way BND redacts its documents. Therefore, the files still contain all the internal organizational designators as well as the e-mail aliases or addresses of many German government units and employees.



Internal BND e-mail from the EAD branch for the relationships with western countries &
cooperation partners, and the EADD unit for relationships with North America & Oceania

 

BND classifications

Documents from BND are classified according to the official German classification system, which has four levels, corresponding to those used in many other countries:

- VS NUR FÜR DEN DIENSTGEBRAUCH (VS NfD)
color code: blue or black; equivalent: RESTRICTED

- VS VERTRAULICH (VS Vertr. / VSV)
color code: blue or black; equivalent: CONFIDENTIAL

- GEHEIM (Geh. / Stufe I)
color code: red; equivalent: SECRET

- STRENG GEHEIM (Str. Geh. / Stufe II)
color code: red; equivalent: TOP SECRET

Besides these common classification levels, it was suspected that there would be at least one higher or more restrictive category to protect highly sensitive information. This has now been confirmed by various letters from the Wikileaks trove, which mention the following two classification markings:

- STRENG GEHEIM-ANRECHT (?)

- STRENG GEHEIM-SCHUTZWORT (Str. Geh. SW)
color code: ?; equivalent: TOP SECRET/SCI

The use of these markings is apparently a secret in itself, because even members of the parliamentary commission were puzzled about their exact meaning and usage. It seems though that these categories are rather similar to the US classification system, which was explained here earlier.


Examples of the German coversheets for classified information


The German marking ANRECHT apparently means that certain information is classified Secret or Top Secret, but that within that particular level, it's only meant for those people who have a need-to-know (German: Anrecht), apparently especially when it comes to signals intelligence. In the United States this is realized through a range of different dissemination markings.

The marking SCHUTZWORT is also meant to restrict access, but in this case, the originator of a particular document determines a codeword (German: Schutzwort) which he provides only to those people who are allowed access to that document. This is similar to the system of Sensitive Compartmented Information (SCI) used in the US, where meanwhile several formerly secret codewords have been declassified.

A security manual from the German armed forces from 1988 also mentions special classification categories, like for example SCHUTZWORT and KRYPTO, the latter apparently for classified cryptographic information.
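To show how the two restrictive markings narrow access within a level, here is a small added model (not BND, BSI or Bundeswehr code): a parser for marking strings such as STRENG GEHEIM-SCHUTZWORT, plus an access check in which ANRECHT requires need-to-know for the document's subject and SCHUTZWORT requires the originator's codeword. The level order and the two restrictions come from the post; the marking syntax, the "topic" used to express need-to-know, the subject model and the codeword values are this example's own assumptions.

```python
"""Model of the German classification markings discussed above.
Added illustration, not code from BND, BSI or the post. The marking syntax,
the need-to-know 'topic' and the access rule are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Lowest to highest, as listed in the post.
LEVELS = ["VS NUR FÜR DEN DIENSTGEBRAUCH", "VS VERTRAULICH", "GEHEIM", "STRENG GEHEIM"]
RESTRICTIONS = ("ANRECHT", "SCHUTZWORT")


@dataclass(frozen=True)
class Marking:
    level: str
    restriction: Optional[str] = None  # None, "ANRECHT" or "SCHUTZWORT"


def parse_marking(text: str) -> Marking:
    """Parse e.g. 'STRENG GEHEIM-SCHUTZWORT' into its level and restriction."""
    text = " ".join(text.upper().split())  # normalise case and whitespace
    for level in sorted(LEVELS, key=len, reverse=True):
        if text == level:
            return Marking(level)
        if text.startswith(level + "-"):
            restriction = text[len(level) + 1:]
            if restriction not in RESTRICTIONS:
                raise ValueError(f"unknown restriction {restriction!r}")
            return Marking(level, restriction)
    raise ValueError(f"unknown marking {text!r}")


@dataclass
class Document:
    marking: Marking
    topic: str                          # assumed: what need-to-know is measured against
    schutzwort: Optional[str] = None    # codeword chosen by the originator (constructed)


@dataclass
class Subject:
    clearance: str                      # highest level the person may see
    need_to_know: Set[str] = field(default_factory=set)
    schutzworte: Set[str] = field(default_factory=set)  # codewords shared with this person


def may_read(subject: Subject, doc: Document) -> bool:
    """Level check first; a restriction then narrows access within that level."""
    if LEVELS.index(subject.clearance) < LEVELS.index(doc.marking.level):
        return False
    if doc.marking.restriction == "ANRECHT":
        # Same level is not enough: the reader must have need-to-know for the subject.
        return doc.topic in subject.need_to_know
    if doc.marking.restriction == "SCHUTZWORT":
        # Only those to whom the originator gave the codeword may read it.
        return doc.schutzwort is not None and doc.schutzwort in subject.schutzworte
    return True


if __name__ == "__main__":
    doc = Document(parse_marking("STRENG GEHEIM-SCHUTZWORT"), "sigint", schutzwort="EXAMPLEWORD")
    cleared_only = Subject("STRENG GEHEIM", need_to_know={"sigint"})
    with_codeword = Subject("STRENG GEHEIM", need_to_know={"sigint"}, schutzworte={"EXAMPLEWORD"})
    print(may_read(cleared_only, doc), may_read(with_codeword, doc))  # False True
```

Note that in this model a Top Secret clearance alone never opens a SCHUTZWORT document; the codeword is a separate secret that travels from the originator to each authorized reader, which is exactly what makes it comparable to a US SCI compartment.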




Letter from the Chancellery which was classified STRENG GEHEIM-ANRECHT,
which was marked as cancelled (UNGÜLTIG) after the attached
documents at that classification level were removed

Internal markings

From the commission files we also learn that BND uses the following internal markings. When disseminated outside BND, such information was meant to be classified GEHEIM.

- Meldedienstliche Verschlusssache - amtlich geheimgehalten

- Ausgewertete Verschlusssache - amtlich geheimgehalten

- Operative Verschlusssache - amtlich geheimgehalten

- FmA Auswertesache - amtlich geheimgehalten

 

BND organization

The files published by Wikileaks also contain a set of charts showing the organizational structure of BND between the year 2000 and 2014. There are some changes in the agency's divisions, with a reorganization in 2009, as can be seen in the following charts:


BND organization chart, situation until 2009



BND organization chart, situation since 2009


A more detailed BND organization chart was among the Snowden documents and was published earlier by Der Spiegel.

Internal designators

The BND's divisions, branches and units are designated by codes that consist of letters, written in capitals. In the current situation the main divisions have a two-letter designator which is more or less an abbreviation of their full name. The SIGINT division is for example TA, which stands for Technische Aufklärung.

From the e-mails published by Wikileaks we learn that lower units are designated by adding additional letters or words to the division designator. It seems that these additional letters can be the first letter of a full name, a more or less random letter, or A for the first unit, B for the second unit, etc.

For example, "PLSA-HH-Recht-SI" is the first branch (A) of PLS, which is the BND president's staff. The term "Recht" indicates that this is apparently a unit for legal issues. A simpler designator is "GLAAY", which is a unit of the division GL (Gesamtlage).

By combining several documents related to XKEYSCORE, the following list of designators for BND's field stations could be reconstructed:
- 3D10: Schöningen or Rheinhausen (satellite interception)
- 3D20: Schöningen or Rheinhausen (satellite interception)
- 3D30: Bad Aibling (satellite interception)
- 3D40: Gablingen (HF radio interception)*
Similar designators are used for BND liaison offices:
- 2D01: London (with contacts to 7 British partner agencies, denoted as GBR01, GBR02, GBRMD, GBRND, GBRSD, GBRPS, and GBRTF)
- 2D02: Paris
- 2D03: Brussels/NATO
- 2D30: Washington
- 2D33: Canberra

Some divisions

The organization chart for BND's structure since 2009 shows that there are four divisions for analysis and production, which is where analysts prepare intelligence reports:
- Two divisions are for topical missions: TE for international terrorism and organized crime, and TW for proliferation of weapon systems and ABC weapons.
- The other two divisions, LA and LB, are responsible for a geographical area. From their logos in the signature block in internal e-mails we learn that LB is responsible for Africa, the Middle East and Afghanistan, while LA has the rest of the world:


Secure communications

A letter from BND from July 2013 says that BND's wide-area networks (WANs) which are classified Secret (Geheim) are secured by SINA encryption devices certified by the BSI. Communications between foreign and domestic BND facilities are transmitted through MPLS (Multiprotocol Label Switching) networks.

The letter also says that the BND unit SICD, which is responsible for countering eavesdropping techniques, only checks domestically whether BND facilities may have been bugged, and found nothing over the past several years. Outside Germany, the embassies and consulates of the German foreign ministry were checked at regular intervals.

 

XKEYSCORE

According to Wikileaks, one of the more interesting documents from their release is one that allegedly proves that "a BND employee will be tasked to use and write software for XKeyscore." However, the German tech website Golem says that this seems to be based on a text section that only refers to BND employee A.S., who helped install XKEYSCORE at the Berlin headquarters of the domestic security service BfV, which uses this system only for analysing terrorism-related data sets.

More interesting are several other documents about XKEYSCORE. For example, in a list of answers prepared for the meeting of the parliamentary oversight commission on November 6, 2013, it is said that XKEYSCORE has been used since 2007 in Bad Aibling and that this system has been tested since February 2013 at the satellite intercept stations Schöningen and Rheinhausen. It was planned to use XKEYSCORE on a regular basis at the latter two locations too.

According to another document, BND uses XKEYSCORE for the following purposes:
- Check whether satellite links with internet traffic (only foreign-to-foreign and especially crisis regions, so no links to or from Germany or cables inside Germany) could contain data relevant for BND's mission
- Search for new relevant targets
- Make communications traffic from already known and selected targets readable in order to transfer it to analysts for preparing reports
XKEYSCORE processes data streams in real time, but for analysis purposes it can also buffer both metadata and content for a certain time, which depends on the available storage space of the buffer. Because XKEYSCORE is used for regular processing purposes, BND deemed it not necessary to inform the federal chancellery or the parliamentary oversight commission (PKGr) about this system specifically.

An internal BND e-mail from November 5, 2013, explains that at Schöningen and Rheinhausen, XKEYSCORE is used for intercepting foreign satellite communications. The specific purpose for the system is determining which satellite links are most useful and subsequently checking whether the traffic contains the communications of people the BND is looking for (so-called survey):


Internal BND e-mail about the use of XKEYSCORE at BND's satellite stations
(source: Wikileaks, pdf-page 248 - click to enlarge)


This is a rather unexpected use of XKEYSCORE, because for NSA and GCHQ the strength of the system lies in its capability to reassemble internet packets, filter them and allow analysts to search buffered content. It is still not fully clear whether BND uses XKEYSCORE also in this way.

In November 2014, W.K. from BND's SIGINT division testified that XKEYSCORE was used for decoding and demodulating IP traffic. Decoding for making things readable happens both online and on stored data, while (demodulating for) selecting the proper satellite links only happens on online data streams.

At Schöningen and Rheinhausen XKEYSCORE was only used for the latter purposes, in the pre-analysis stage. This also emerged from some testimonies before the investigation commission. For example E.B., head of the Schöningen station, said that XKEYSCORE was only used for looking at a few days of satellite traffic to determine which communication links were in it.

An earlier presentation about satellite interception at Menwith Hill Station in the UK shows that NSA and GCHQ have other systems, like DARKQUEST, for surveying satellite links, after which XKEYSCORE is used for processing and analysing the data.


Another file that was sent to the parliamentary commission contains two diagrams about how BND uses the XKEYSCORE system:

In the first diagram we see that what comes in through the satellite antenna first goes to an actual collection system (Erfassungssystem) which has some kind of database attached that says which satellite links have to be selected (Streckenauswahl). The result then goes to XKEYSCORE, which is fed by a database with rules (Regeln), which apparently determine which data to select and forward for further analysis (Weiterverarbeitung):




Another diagram shows the difference between XKEYSCORE and traditional collection processing systems: in the traditional set-up, it seems that first, IP packets from a data stream were reassembled (sessionized) and then went through a filter to select only those of interest (the green one), which were forwarded for further analysis. XKEYSCORE could do all that at once:
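To make the two stages of this diagram concrete, here is an added Python example; it is not BND or NSA code and does not describe XKEYSCORE internals. Constructed TCP segments are first reassembled into sessions, and only then are selection rules run over the session content, which is why a selector that straddles two packets is invisible to a per-packet filter but found after reassembly (the same reason defensive network monitors reassemble before matching signatures).

```python
"""Toy sessionizer plus rule filter (added example, not BND/NSA code).

Stage 1 groups TCP segments into per-flow sessions and reassembles their
payload in sequence-number order; stage 2 runs selection rules over the
reassembled bytes. All segments and selectors below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import re

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    """One TCP segment as handed over by a collection system (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Session:
    """Per-flow buffer: payload chunks keyed by their sequence number."""
    key: FlowKey
    chunks: Dict[int, bytes] = field(default_factory=dict)

    def add(self, seq: int, payload: bytes) -> None:
        # A retransmission of an already buffered segment is ignored.
        self.chunks.setdefault(seq, payload)

    def reassembled(self) -> bytes:
        """Contiguous payload from the lowest sequence number; stops at a gap."""
        if not self.chunks:
            return b""
        out = bytearray()
        expect = min(self.chunks)
        while expect in self.chunks:
            chunk = self.chunks[expect]
            out += chunk
            expect += len(chunk)
        return bytes(out)


class Sessionizer:
    """Stage 1: group segments into sessions, whatever order they arrive in."""

    def __init__(self) -> None:
        self.sessions: Dict[FlowKey, Session] = {}

    def feed(self, seg: Segment) -> Session:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        session = self.sessions.setdefault(key, Session(key))
        session.add(seg.seq, seg.payload)
        return session


class RuleFilter:
    """Stage 2: rules are exact selectors (here e-mail addresses) matched as
    whole tokens in the reassembled content, not free-text keywords."""

    def __init__(self, selectors: List[str]) -> None:
        self.rules = {
            s: re.compile(rb"(?<![\w.@-])" + re.escape(s.encode()) + rb"(?![\w.@-])")
            for s in selectors
        }

    def matches(self, data: bytes) -> List[str]:
        return [s for s, rx in self.rules.items() if rx.search(data)]


def per_packet_matches(segments: List[Segment], flt: RuleFilter) -> List[str]:
    """Naive filter applied to each segment on its own (no reassembly)."""
    hits: List[str] = []
    for seg in segments:
        for s in flt.matches(seg.payload):
            if s not in hits:
                hits.append(s)
    return hits


def sessionized_matches(segments: List[Segment], flt: RuleFilter) -> Dict[FlowKey, List[str]]:
    """Sessionize first, then filter; returns only sessions that hit a rule."""
    sz = Sessionizer()
    for seg in segments:
        sz.feed(seg)
    result: Dict[FlowKey, List[str]] = {}
    for key, session in sz.sessions.items():
        hits = flt.matches(session.reassembled())
        if hits:
            result[key] = hits
    return result


# Constructed sample: an SMTP envelope whose sender address is split across two
# segments that also arrive out of order, plus an unrelated second flow.
SAMPLE_SELECTORS = ["alice@example.net", "dave@example.org"]
SAMPLE_SEGMENTS = [
    Segment("198.51.100.7", 40001, "203.0.113.9", 25, 1017, b"example.net>\r\n"),
    Segment("198.51.100.7", 40001, "203.0.113.9", 25, 1000, b"MAIL FROM:<alice@"),
    Segment("198.51.100.7", 40001, "203.0.113.9", 25, 1031, b"RCPT TO:<bob@example.org>\r\n"),
    Segment("198.51.100.8", 40002, "203.0.113.9", 25, 500, b"MAIL FROM:<carol@example.com>\r\n"),
]

if __name__ == "__main__":
    flt = RuleFilter(SAMPLE_SELECTORS)
    print("per-packet:", per_packet_matches(SAMPLE_SEGMENTS, flt))      # []
    print("sessionized:", sessionized_matches(SAMPLE_SEGMENTS, flt))    # one flow, alice@example.net
```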




IBM servers

The Wikileaks files also contain an internal BND order form from February 25, 2014, used for ordering six servers for field station 3D20: two IBM X3650 M4 and four IBM X3550 M4 servers, with a total cost of 58.000,- euros. A separate text explains that these servers were needed for both PDBD and XKEYSCORE:

- PDBD was the new centralized BND tasking database, which would replace the proprietary tasking databases used at the various field stations.

- XKEYSCORE is described as a system that decodes packet-switched telecommunications traffic like e-mail, messenger, chat, geolocation information, etc. and is used for analysing telecommunications traffic. At BND the system was needed because it became increasingly difficult to extract relevant information from the ever growing amount of data. The servers were needed to move XKEYSCORE from test to operational status.


Internal BND order form for several IBM servers to be used for XKEYSCORE and PBDB
(source: Wikileaks, pdf-page 72 - click to enlarge)

 

PRISM

A large file from the commission documents is about the reaction to the revelation of PRISM. In August 2013, members of the Bundestag asked so many questions about this NSA program that one BND employee complained that it was unreasonable to expect his agency to provide all the answers.

At that time, many details about PRISM weren't clear yet and statements from the US government and from internet companies seemed to contradict each other. Among the documents that BND forwarded to the parliamentary commission was also one report from July 2013, which summarizes what was known about PRISM at that time.

This report was made by civil servants from unit ÖS I 3 of the Public Safety division of the German Interior Ministry (BMI). After summarizing what was known from the press reports, the report also describes a second tool that is named PRISM - based upon an earlier article on this weblog:



Summary of a second PRISM program as described on this weblog
(source: Wikileaks, pdf-page 104 - click to enlarge)


Shortly after the existence of PRISM was revealed in early June 2013, much was unclear, so I did some open source research and found that the US military uses a program named PRISM, which in this case is an acronym for "Planning tool for Resource Integration, Synchronization and Management".

Shortly afterwards, in July 2013, German press published an NSA letter saying that there are actually three different programs with the name PRISM: one that collects data from the big internet companies, one that is used as a military tasking and planning tool, and finally one that is used for internal data sharing in NSA's Information Assurance Directorate (IAD).

 

BOUNDLESSINFORMANT

On July 29, 2013, the German magazine Der Spiegel published a chart from the NSA tool BOUNDLESSINFORMANT. The chart was related to Germany and it was thought that it showed that NSA had intercepted over 550 million pieces of communications traffic.

But within just a few days, BND contacted Der Spiegel, saying that they collected those data, and shared them with NSA. The SIGADs US-987LA and US-987LB designated collection at the BND satellite station in Bad Aibling and interception of phone calls in Afghanistan, respectively. This was confirmed by NSA and published by Der Spiegel on August 5, 2013.

A document published by Wikileaks explains that in Afghanistan, BND had a satellite interception facility (for downlinks to complement the uplinks intercepted at Bad Aibling) and also intercepted point-to-point microwave links (generally used for (mobile) telephony backbones).


BOUNDLESSINFORMANT screenshot showing metadata related to Germany
as being published by Der Spiegel on July 29, 2013
(click to enlarge)


An e-mail published by Wikileaks shows that meanwhile, M.J. from unit 3D3D of the Bad Aibling station was comparing the numbers from the BOUNDLESSINFORMANT chart with those from his logfiles and Nagios checks. In the e-mail, from August 12, 2013, to his boss R.U., he concluded that at the beginning of the month there was a relatively clear similarity with the chart from Der Spiegel:


The chart that seems to be prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)
(click to enlarge)


It should be noted that BND didn't count the metadata they provided to NSA, only the content, so the numbers from M.J.'s chart may not be fully accurate. Even more puzzling is a table that was also attached to the e-mail from M.J. and contains the daily numbers for the metadata during this period:


The table that seems to have been prepared by BND employee M.J. with the daily
metadata numbers, broken down by processing system
(click to enlarge)


The strange thing here is that on the right side, the table has daily numbers broken down for several processing systems - strange because the chart from Der Spiegel only provided aggregated numbers, and because three codenames weren't seen in the published BOUNDLESSINFORMANT charts: POPTOP, CRON and SNOWHAZE. Did NSA provide these more detailed numbers so that BND could compare them?

In a letter from August 13, 2013, BND president Schindler asks NSA director Alexander to confirm that the metadata collected through US-987LA and US-987LB came solely from BND. This would help to make the public debate more rational.

Update:
During a hearing of the German parliamentary investigation commission on January 19, 2017, former BND president Schindler said that the BOUNDLESSINFORMANT charts that Snowden took were from training course material. This was said here for the first time, and given the problems these charts caused for BND, it's possible that they asked NSA for more details, after which this explanation came up.

 

Cooperation in Afghanistan

In answers to questions from parliament, BND wrote that in Afghanistan, NSA operates a collection network, in which 14 countries participate (the Afghanistan SIGINT Coalition, or AFSC). Partner agencies enter the data they collect into a database (similar or identical to SIGDASYS) managed by NSA and they can request from the database those data that are relevant for their mission task.

Between 2011 and 2013, BND requested and received 216.423 data sets from this system. For the Afghanistan "burden sharing", BND was working on some 5000 targets, which resulted in ca. 1 million data sets each day. These were shared with the AFSC group and therefore also with NSA and GCHQ. Most of this is about localisation.

Furthermore, NSA provided BND with several thousand selectors of targets to collect the related data from satellite links from or to Afghanistan and other crisis regions. BND does this through its satellite intercept station in Bad Aibling, which results in ca. 3 million data sets each month. After passing the G-10 filter (to block communications related to Germans), these data are provided to NSA.

 

Intelligence sharing

In 2012, BND's SIGINT division TA shared 580 intelligence reports (Meldungen) with US agencies, 184 with British services and 553 with multinational groups. A total of 879 reports contained personal data from intercepted communications. In the first half of 2013 there were 200 reports shared with the US, 55 with the UK and 220 with multinational groups. A total of 408 contained personal data.

In return, BND received 7976 reports and information packages about terrorism and the proliferation of weapons of mass destruction in 2012. This total number is made up of ca. 750 reports from NSA, 4538 from CIA, 519 from DIA and 2169 from the US Central Command (CENTCOM).

 

Cyber security

Some insights into the cooperation between BND and NSA in the field of cyber defense can be read in a report about the visit of NSA director Keith Alexander to Berlin, on June 6 and 7, 2013 (which were the second and third days of the Snowden revelations!).

When it came to cyber issues, Alexander compared the internet to a "fibre ring" operated by internet service providers (ISPs), with "pipes" leading to the networks of industry, finance and government. Any malware, whether for destroying things or stealing data, should be stopped in the "fibre ring" before it reaches the "pipes" - "you need to see it first".

A German government official said that Germany has good cyber specialists, but they work only in a defensive way. When it comes to offensive cyber attacks, Germany is inactive. Also, contacts with industry should be revived. The general opinion was that German industry should protect itself, but small and medium businesses are very naive, and without obligations, companies will not spend money on cyber defense.

The report says that for cyber issues, a small group of "trusted states" could be created, because international regulations like the Budapest Convention seem hardly effective. According to general Alexander, the US is building partnerships, but sharing information depends on trust, which is not always given.

General Alexander also told BND that NSA had 27 teams of 56 persons each, which support the US Combatant Commands, and that an additional 6000 new cyber specialists will follow. NSA also supports the US Cyber Command with a detachment of 407 cyber experts. According to Alexander, NSA identified about 50 Chinese "intrusion sets" and gained access to Chinese networks to find out who the victims of these massive and global cyber attacks were.

In an answer to questions by member of parliament Oppermann from July 23, 2013, BND says that they support domestic security service BfV and information security agency BSI in recognizing foreign cyber attacks, which is called "SIGINT Support to Cyber Defence" (SSCD). Only BND is able to build technical systems to detect cyber attacks in(!) foreign countries.

The answer also says that "within the SSCD-working group of an international SIGINT coalition, BND exchanges information about the international detection of cyber attacks" - this international SIGINT coalition is most likely the SIGINT Seniors Europe (SSEUR or 14-Eyes) group. And apparently it's this working group that BND director Schindler referred to when he talked about international cybersecurity cooperation in May 2014.

 

Index

Finally, a list of some of the most interesting files found so far (it would have been useful if Wikileaks had provided this kind of index):

- MAT_A_BND-1-3a_2 (employees of US military and intelligence contractors in Germany)

- MAT_A_BND-1-5 (NSA's bulk metadata collection, PRISM and XKEYSCORE)

- MAT_A_BND-1-11a (BOUNDLESS INFORMANT, ECHELON)

- MAT_A_BND-1-11c (pdf-page 315: options how NSA could have intercepted Merkel's cell phone)

- MAT_A_BND-1-11j (pdf-page 145 ff.: cyber security cooperation between NSA and BND; page 155: short history of Bad Aibling Station; page 280: NSA letter about 3 different PRISMs)

- MAT_A_BND-1-11k (letter of BND president Schindler to NSA director Alexander)

- MAT_A_BND-1-13a (pdf-page 61 and 88: initially, BND assumed that PRISM was about collecting metadata; page 99: since 2012, NSA sent BND ca. 450 reports about terrorist threats)

- MAT_A_BND-1-13b (pdf-page 84 and 85: XKEYSCORE diagrams; page 227: targeted interception requires a "sessionizer" similar to XKS; page 277: SSCD working group of the SSEUR)

- MAT_A_BND-1-13c (pdf-page 127: data sharing in Afghanistan)

- MAT_A_BND-1-13h (pdf-page 108 ff.: report about the VERAS metadata system)

- MAT_A_BND-1-2a (pdf-page 19 ff.: Various presentations from the Black Hat 2013 conference)

- MAT_A_BND-3a (very extensive index of topics used by BND)

- MAT_A_BND-3-1a (BND organization charts from 2000-2014)

- MAT_A_BND-8a (contacts with GCHQ, cooperation between BND and NSA, reports about the refugee interview unit, internal G10 manual)

More to follow...


April 23, 2014

What is known about NSA's PRISM program

(Updated: July 4, 2025)

In June last year the Snowden leaks started with the disclosure of the PRISM program. For many people it stands for NSA surveillance in general, because they often still have no idea what PRISM is actually about.

Therefore, this article presents almost everything we know about the PRISM program, combining information from my earlier postings and from other media and government sources.

It shows that PRISM is not about bulk or mass surveillance, but for collecting communications of specifically identified foreign targets. NSA also has no "direct access" to the servers of companies like Microsoft, Facebook and Google - it's actually a unit of the FBI that picks up data related to specific identifiers.

In total, ca. 227 million internet communications are collected under the PRISM program each year, contributing to reports about counter-intelligence, terrorism and weapons proliferation. Annually, NSA analysts write more than 20.000 PRISM-based reports, which is ca. 15% of all intelligence reports the agency produces.




The PRISM presentation

Most of what we know about PRISM comes from an internal NSA presentation of 41 slides. Edward Snowden initially asked The Washington Post to publish the full slide deck, but the paper refused and so only 4 were subsequently published by The Guardian. Other slides were revealed later on.

Until now, a total of 19 slides have been published and another 4 were incidentally or partially shown on television. This means that a remaining 18 slides are still being withheld.

All known slides are shown here, in an order that probably comes closest to the original presentation. The slides (click to enlarge) have a number which is only for reference. If new slides of this PRISM presentation become available, they will be added here.


1. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows the title of the presentation.

All slides are marked TOP SECRET//SI//ORCON/NOFORN, which means they are classified as Top Secret and protected by the control system for Special Intelligence (SI). The dissemination is strictly controlled by the originator, while it's generally prohibited to release them to foreign nationals.

The SIGINT Activity Designator (SIGAD) of the PRISM program is US-984XN, which indicates that PRISM is part of the BLARNEY-family and used for collecting data under the authority of the FISA Amendments Act.


The media have redacted the name of the person who is the PRISM collection manager, a title which is followed by S35333, which is NSA's internal organization designator for a unit of the Special Source Operations (SSO). The logo of this division is in the top left corner of each slide, with in the opposite corner a logo for the PRISM program itself.

Immediately after the first slides of the presentation were published, some people thought it could be fake or photoshopped because of the not very professional-looking design and the copy-paste elements. After more, and especially far more complex, slides became available, we can now assume the presentation to be genuine.


This presentation about PRISM was given in April 2013, which is just a month before Edward Snowden left his job at NSA and therefore this seems to be one of the most recent documents he was able to download from the internal NSA network.



General aspects of PRISM

The following slides are about the workings of the PRISM program in general:


2. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows a short introduction of the world's telecommunications backbone.

The diagram shows that the majority of international communications from Latin America, Europe and even from Asia flow through the United States, which makes it easy for NSA to intercept them on American soil.

Note that most of the communications from Africa (the continent where many jihadist groups from the Middle East went to in recent years) are going through Europe, which explains why NSA sometimes needs European partner agencies (like from the Netherlands) to access them.



3. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows which internet companies are involved and what kind of communications can be received by the NSA.

We see that under PRISM the NSA is able to collect e-mail, chat, video and voice messages, photos, stored data and things like that. But there are also "Notifications of target activity - logins, etc". This was interpreted by The Washington Post as a function that gives NSA analysts live notifications "when a target logs on or sends an e-mail".

But as these notifications are clearly listed as collected data (see also slide 8 down below), it's more likely they refer to the notification messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client.

It is possible though that NSA analysts can get a notification when new communications from a target they are watching becomes available in NSA systems. Whether (near) real-time monitoring of a target's communications is possible, depends on the way these data are made available to NSA (see slide 5 below).



4. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows the dates when PRISM collection began for each provider:
- Microsoft: September 11, 2007
- Yahoo: March 12, 2008
- Google: January 14, 2009
- Facebook: June 3, 2009
- PalTalk: December 7, 2009
- YouTube: September 24, 2010
- Skype: February 2, 2011
- AOL: March 31, 2011
- Apple: October 2012

According to the book 'Der NSA Komplex', which was published by Der Spiegel in March 2014, PRISM also gained access to Microsoft's cloud service SkyDrive (now called OneDrive) as of March 2013. This was realized after months of cooperation between FBI and Microsoft.*

The Washington Post reported that in the speaker's notes accompanying the presentation, it's said that "98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources". The Post also says that "PalTalk, although much smaller, has hosted traffic of substantial intelligence interest during the Arab Spring and in the ongoing Syrian civil war".

The program cost of 20 million dollars per year was initially interpreted as being the cost of the program itself, but later The Guardian revealed that NSA pays for expenses made by cooperating corporations, so it seems more likely that the 20 million is the total amount paid by NSA to the companies involved in the PRISM program.

Update:
In September 2014, the US Justice Department and the Director of National Intelligence declassified a range of documents showing that when Yahoo was asked to join the PRISM program in October 2007, the company refused, but was forced to comply by the Foreign Intelligence Surveillance Court of Review in May, 2008.


5. This slide was one of four disclosed by The Washington Post on June 29, 2013 and shows the PRISM tasking process, which means how the actual collection facilities are instructed about what data should be gathered.

The process starts with an NSA analyst entering selectors into the Unified Targeting Tool (UTT). In this case, selectors can be e-mail or IP addresses, but not keywords. According to an article in the French paper Le Monde, there are some 45.000 selectors involved in the PRISM collection.

Analysts can order data from two different sources:
- Surveillance, which means communications that will happen from the moment the target was selected (although the media interpreted this as the ability to real-time "monitor a voice, text or voice chat as it happens")
- Stored Comms, which are communications stored by the various providers dating from before the moment the target was selected

Edward Snowden vehemently accuses NSA of a lack of control and oversight mechanisms, which according to him means that analysts have unrestricted access to the communications of virtually everyone in the world. But the diagram in the slide clearly shows that there are multiple steps for approving every collection request:

1. For Surveillance a first review is done by an FAA Adjudicator in the analyst's Product Line (S2), and for Stored Comms there's a review by the Special FISA Oversight and Processing unit (SV4).

2. A second and final review is done in both cases by the Targeting and Mission Management (S343) unit. Only after passing both stages, the request is released through the UTT and the PRINTAURA distribution managing system.

3. For Stored Comms the Electronic Communications Surveillance Unit (ECSU) of the FBI even does a third check against its own database to filter out known Americans.

Then it's the Data Intercept Technology Unit (DITU) of the FBI that goes to the various internet companies to pick up the requested data and then sends them back to NSA.

As indicated by companies like Google, they deliver the information to the FBI in different ways, like through a secure FTP transfer, an encrypted dropbox or even in person. According to a report by the journalist Declan McCullagh, the companies prefer installing their own monitoring capabilities to their networks and servers, instead of allowing the FBI to plug in government-controlled equipment.




6. This slide was published in Glenn Greenwald's book No Place To Hide and on his website on May 13, 2014. It shows a chart representing the number of unique selectors (like e-mail addresses) used for PRISM collection during the Fiscal Year (FY) 2012.

By September 2012, the communications of some 45.000 selectors were being monitored. The strongest growth was Skype (up 248%), Facebook (up 131%) and Google (up 61%).



7. This slide was one of three that were made available on the website of the German magazine Der Spiegel on June 18, 2014. It shows a table with numbers about requesting (tasking) the collection of internet communications (DNI) through the Unified Targeting Tool (UTT).

The table lists NSA units which are called Product Lines (click here for an explanation of the internal designations). For each unit it is shown how many DNI selectors, like e-mail and IP addresses, they are tasking in total and how many of those are directed to the PRISM program. We also see the percentages and the change compared to the previous year.

In absolute numbers, the top-5 units tasking most DNI requests for PRISM are:
- S2I: Counter-Terrorism Product Line (11.461 selectors)
- S2E: Middle East and Africa Product Line (6935 selectors)
- F6: NSA/CIA Special Collection Service (4007 selectors)
- S2D: Counter Foreign Intelligence Product Line (3796 selectors)
- F22: European Cryptologic Center (3523 selectors)

In total, all these NSA-units requested the communications of 175.126 internet addresses, of which 49.653 (or 28% of the total) were tasked to PRISM. It's not clear whether these numbers include double selectors, like ones tasked by multiple units.



8. This slide was shown on Brazilian television and also seems to be about PRISM Tasking, more specifically about a procedure for emergency tasking when lives are in danger. The slide was uploaded to Wikipedia, where there's also a transcript of the text:
[...] your targets meet FAA criteria, you should consider tasking to FAA.
Emergency tasking processes exist for [imminent/immediate] threat to life situations and targets can be placed on [...] within hours (surveillance and stored comms).
Get to know your Product line FAA adjudicators and FAA leads.

According to an NSA report (pdf) published in April 2014, analysts "may seek to query a U.S. person identifier when there is an imminent threat to life, such as a hostage situation".

Just like a number of other slides and fragments thereof shown on television, there seems to be no good reason why a slide like this is still not published in a clear and proper way. They contain nothing that endangers the national security of the US, but instead would help to much better understand how the PRISM program is actually used.



9. This slide was one of four disclosed by The Washington Post on June 29, 2013.

It shows the flow of data which are collected under the PRISM program. Again we see that it's the FBI's DITU that picks up the data at the various providers and sends them to the PRINTAURA system at NSA.

From PRINTAURA some of the data are directed to TRAFFICTHIEF, which is a database for metadata about specifically selected e-mail addresses and is part of the TURBULENCE umbrella program to detect threats in cyberspace.

The main stream of data is sent through SCISSORS, which seems to be used for separating different types of data and protocols. Metadata and voice content then pass the ingest processing systems FALLOUT and CONVEYANCE respectively. Finally, the data are stored in the following NSA databases:
- MARINA: for internet metadata
- MAINWAY: for telephone and internet metadata contact chaining
- NUCLEON: for voice content
- PINWALE: for internet content, video content, and "FAA partitions"




10. This slide was one of four disclosed by The Washington Post on June 29, 2013.

It shows the composition of the Case Notation (CASN) that is assigned to all communications intercepted under the PRISM program.

We see that there are positions for identifying the providers, the type of content, the year and a serial number. Also there's a fixed trigraph which denotes the source. For NSA's PRISM collection this trigraph is SQC. From another document (pdf) we learn that the trigraph for FISA data used by the FBI is SQF.

The abbreviations stand for: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?); RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking.

> See for more about this slide: PRISM case notations



11. This slide was one of four disclosed by The Washington Post on June 29, 2013.

The content of the slide shows a screenshot of a web-based application called REPRISMFISA, which is probably accessible through the web address that is blacked out by the Post. Unfortunately there's no further explanation of what application we see here, but it seems to be for querying data collected under FISA and FAA authority.

In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This shows that NSA, the FBI and the Department of Justice (DOJ) all use data collected under the authority of the Foreign Intelligence Surveillance Act (FISA), and that the NSA's part is codenamed PRISM.

Below these icons there is a search field, to query one or more databases resulting in a partial list of records. At the left there's a column presenting a number of options for showing totals of PRISM entries. The screenshot shows that on April 5, 2013, there were 117.675 "current entries" for PRISM.

> See for more about this slide: Searching the collected data

The tool shown in this slide is not used for analysing the data. For that, analysts can use other software programs like DNI Presenter or Analyst's Notebook.

Update:
According to Barton Gellman's book Dark Mirror from May 2020, this is actually slide 40 of the original presentation, which also includes speaker's notes that haven't been published.*



Section 702 FAA Operations

The following slides are about how PRISM can be used to collect various types of data. This collection is governed by section 702 of the FISA Amendments Act (FAA), which in NSA-speak is called FAA702 or just merely 702.

Section 702 FAA was enacted in 2008 in order to legalize the interception that had been going on since 2001 and that became known as "warrantless wiretapping" because it was only authorized by a secret order of president George W. Bush. The FAA was re-authorized by Congress in December 2012 and extended for five years.

Under section 702 FAA, NSA is authorized to acquire foreign intelligence information by intercepting the content of communications of non-US persons who are reasonably believed to be located outside the US. This interception takes place inside the United States with the cooperation of American telecommunication and internet companies.

Operations under the original Foreign Intelligence Surveillance Act (FISA) from 1978 require an individual determination (the target might well be a whole organization though) by the FISA Court, but under FAA the Attorney General and the Director of National Intelligence (DNI) annually certify the procedures and safeguards for collecting data about certain groups of foreign intelligence targets.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like the minimization rules for hiding names and addresses of US citizens that may unintentionally come in with the communications of the foreign targets.



12. This slide was additionally published by The Guardian on June 8, 2013, to clarify that PRISM, which involves data collection from servers, is distinct from the programs FAIRVIEW, STORMBREW, BLARNEY and OAKSTAR. These involve data collection from "fiber cables and infrastructure as data flows past", which is called Upstream collection.

NSA can collect data that flow through the internet backbone cables, as well as data that are stored on the servers of companies like Google, Facebook, Apple, etc. The latter are collected "directly from the servers" as opposed to the communications that are still on their way to those servers when passing through the main internet cables and switches.

Directly from servers?

The words "directly from the servers" were misinterpreted by The Guardian and The Washington Post, leading to the claim that NSA had "direct access" to the servers of the internet service providers. As the next slide will show, there's no such direct access.

(The claim of NSA having "direct access" was not only based on this slide, but also on misreading a section from the draft of a 2009 NSA Inspector General report about the STELLARWIND program, which on page 17 says: "collection managers sent content tasking instructions directly to equipment installed at company-controlled locations". The Washington Post thought this referred to the companies involved in the PRISM program, but it actually was about Upstream Collection, which has filters installed at major internet switches. This follows from two facts: first, that the STELLARWIND program was terminated in January 2007 while PRISM only started later that year; second, that STELLARWIND only involved companies that operate the internet and telephony backbone cables, like AT&T and Verizon, not internet service providers like Facebook and Google)

Despite this clear evidence that speaks against a "direct access" to company servers, Glenn Greenwald still sticks to that claim in his book No Place To Hide, which was published on May 13, 2014. Asked about this by a Dutch news website, Greenwald said that the "direct access" doesn't mean that NSA "has full, unlimited access. But they can tell the companies what they want to have and then they can get it".

The Section 702 Program Report (pdf) by the Privacy and Civil Liberties Oversight Board (PCLOB) from July 2, 2014 describes that for PRISM collection, the FBI on behalf of the NSA sends selectors (such as an e-mail address or a chat handle) to a US-based internet service provider that has been served a Section 702 Directive. Under such a directive, the provider is compelled to hand over the communications sent to or from such selectors. Such acquisition continues until the government detasks a particular selector.

According to a document (pdf) declassified in September 2014, the government provided Yahoo with multiple lists of user accounts for which surveillance was wanted, and as of May 12, 2008, Yahoo started the surveillance of these accounts.


Upstream collection

An important thing that wasn't well explained by the media, is that not only PRISM, but also the domestic part of Upstream collection is legally based upon section 702 FAA. Note that NSA also conducts Upstream collection under three other legal authorities: FISA and Transit inside the US and Executive Order 12333 when the collection takes place abroad.


From a 2011 FISA Court ruling (pdf) that was declassified upon request of the Electronic Frontier Foundation we learn that under section 702 FAA, NSA acquires more than 250 million "internet communications" each year. This number breaks down as follows:
- Upstream: ca. 9% or more than 22 million communications *
- PRISM: ca. 91% or more than 227 million communications
The ruling doesn't explain what exactly an "internet communication" is. A problem that troubled both NSA and the FISA Court was that under Upstream it's technically very difficult to distinguish between single communications to, from or about targeted persons and transactions containing multiple communications, not all of which may be to, from or about approved targeted addresses. The latter may contain up to 10,000 domestic communications each year.*
 

Statistical transparency

On June 27, 2014, the Director of National Intelligence (DNI) for the first time published an Annual Statistical Transparency Report (ASTR), which says that in 2013, the collection under Section 702 FAA affected some 89.138 targets. Such a target "could be an individual person, a group, an organization or a foreign power".

Specifically for 702 FAA collection, the number of 89.138 targets includes an "estimated number of known users of particular facilities (sometimes referred to as selectors)" - which means users of e-mail and IP addresses and such.

The report gives the following example: "foreign intelligence targets often communicate using several different email accounts. Unless the Intelligence Community has information that multiple email accounts are used by the same target, each of those accounts would be counted separately in these figures. On the other hand, if the Intelligence Community is aware that the accounts are all used by the same target, as defined above, they would be counted as one target".

In the various Statistical Transparency Reports published by the Director of National Intelligence we find the numbers of foreign targets under Section 702 FAA:
2013: 89.138 targets
2014: 92.707 targets
2015: 94.368 targets
2016: 106.468 targets
2017: 129.080 targets
2018: 164.770 targets
2019: 204.968 targets
2020: 202.723 targets
2021: 232.432 targets
2022: 246.073 targets
2023: 268.590 targets
2024: 291.824 targets

 
13. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013. It compares the main features of the PRISM program and the Upstream collection.

Direct Access?

The last line says that for PRISM there is no "Direct Relationship with Comms Providers". Data are collected through the FBI. This clearly contradicts the initial story by The Guardian and The Washington Post, which claimed that NSA had "direct access" to the servers of the internet companies. This led to spectacular headlines, but also a lot of confusion, as it allowed the companies involved to strongly deny any direct relationship with the NSA - because it's actually the FBI that is picking up their data.

Had this slide been published at the very beginning, more pertinent questions could have been asked and the answers would probably have made more sense.

A direct relationship does exist however with the companies which are involved in the Upstream collection, like AT&T and Verizon, which most likely have high volume filtering devices like the Narus STA 6400 installed at their switching stations. Unlike intercept facilities outside the US, where the XKeyscore system can store and search 3 days of content, the sites inside the US only seem to filter data as they flow past, and hence there's no access to Stored Communications.

About Collection

The slide also shows that the so-called "Abouts" collection is only conducted under the Upstream method. As we learned from a hearing of the Privacy and Civil Liberties Oversight Board (PCLOB), this About Collection is not for gathering communications to or from a certain target, but about a specific selector, like for example an e-mail message in which an e-mail address or a phone number of a known suspect is mentioned. This About Collection is not looking for names or keywords, is only used for internet communications and was authorized by the FISA Court.

Because under Upstream NSA is allowed to do About Collection which pulls in a broader range of communications, the retention period (the time the data are stored) is only two years. Data collected under PRISM, which are restricted to communications to and from specific addresses, are stored for the standard period of five years. Both under PRISM and Upstream there's no collection based upon keywords.



14. The slide was seen in a television report and shows a world map with the undersea fiber optic cables according to the volumes of data they transmit. This map is used as background of a number of other slides about FAA 702 Operations. It seems that additional information, like in the next slide, appears by mouse clicking in the original PowerPoint presentation.



15. The slide shows the same world map with fiber-optic cables and is hardly readable, but according to Wikipedia, the subheader reads "Collection only possible under FAA702 Authority" and in the central cyan colored box the codenames FAIRVIEW and STORMBREW are shown one after the other. Maybe other codenames are in the yellow box at the right side. It's not clear what the irregular blue shapes in the Indian Ocean are. The figure to the right of New Zealand is a stereotype depiction of a terrorist with a turban.



16. This partial slide was seen on the laptop of Glenn Greenwald in a report by Brazilian television and shows two scenarios for collecting data under FAA 702 authority. It has two boxes with text, the one on the right reads:
UPSTREAM
Scenario #2
OPI tasks badguy@yahoo.com under FAA702 and 12333 authority in UTT
Badguy sends e-mail from [outside?] U.S. and comms flow inside U.S.
FAIRVIEW sees selector but can't tell if destination end is U.S. or foreign
RESULT
Collection allowed
Only the target end needs to be foreign
OPI stands for Office of Primary Interest and UTT for Unified Targeting Tool, the NSA application used for instructing the actual collection facilities.



17. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013.

It shows a list of 35 IP addresses and domain names which are the "Higher Volume Domains Collected from FAA Passive". Data from these domains are collected from fiber optic cables and other internet infrastructures - the Upstream or Passive Collection, complementary to the PRISM collection which involves some major US domains like hotmail.com and yahoo.com.

All IP addresses and domain names are blacked out, except for two French domains: wanadoo.fr (a major French internet service provider) and alcatel-lucent.com (a major French-American telecommunications company). The rest of the list will most likely contain many similar domain names, which shows that redactions of the Snowden-documents are not only made to protect legitimate security interests, but also when the papers, in this case Le Monde, want to keep these revelations strictly focussed to their own audience.
Update:
On May 8, 2014, the French paper Le Monde listed some more targets from NSA's Upstream Collection, although it is not clear whether these are derived from this slide or from a different NSA document.



Reporting based on PRISM

The following slides show some of the results from the PRISM program:


18. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013.

It shows a highlight of reporting under the section 702 FAA authority, which in this case includes both PRISM and the STORMBREW program of the Upstream collection capability. Information derived from both sources enabled the NSA/CSS Threat Operations Center (NTOC) to find out that someone had gained access to the network of a cleared defense contractor (CDC) and was either preparing to, or at least had the ability to, get 150 gigabytes of important data out. NTOC then alerted the FBI, which alerted the contractor and they plugged the hole the same day, apparently December 14, 2012.

Another cyber attack that was detected by PRISM occurred in 2011 and was directed against the Pentagon and major defense contractors. According to the book 'Der NSA Komplex' this attack was codenamed LEGION YANKEE, which indicates that it was most likely conducted by Chinese hackers.*



This slide is not part of the original PRISM presentation, but from another slide deck from NSA's Special Source Operations division. The slide was published at Glenn Greenwald's website The Intercept on April 30, 2014.

It shows that during the 2012 Olympic Games in London, 100 specially trained and/or approved GCHQ employees were granted access to data collected under the PRISM program. 256 selectors (like e-mail addresses) were under surveillance, leading to 11.431 communication fragments ("cuts of traffic") being produced during one week in May. This is an average of 45 communication parts, like e-mail and chat messages and such, per address.

According to another document published by The Intercept, GCHQ wanted "unsupervised access" to data collected by NSA under the section 702 FAA authority (PRISM and Upstream) in "a manner similar to the Olympic Option" program from 2012. GCHQ seemed to be less enthusiastic about the current procedure to get such kind of access under supervised conditions, called Triage, which involves long steps to get the necessary approvals.



19. From this slide there are two different versions: a small and heavily redacted one appeared on the website of O Globo, and a large one, also with most of the topics censored, was published in Glenn Greenwald's book No Place To Hide on May 13, 2014. The slide is titled "A Week in the Life of PRISM Reporting" and shows some samples of reporting topics from early February 2013.

One of the things that were apparently blacked (or actually whited) out was published in the Indian paper The Hindu, which said that this slide also mentions "politics, space, nuclear" as topics under "India" and also information from Asian and African countries, contributing to a total of "589 End product Reports".



20. This slide was one of three that were made available on the website of the German magazine Der Spiegel on June 18, 2014. It shows a table with numbers about the intelligence reports based upon data collected through the PRISM program.

The table lists NSA units which function as Office of Primary Interest (OPI - click here for an explanation of the internal designations). In this case, the numbers are sorted in the order of reports produced. The top-5 most productive units are:
- F6: NSA/CIA Special Collection Service (3723 reports)
- S2I: Counter-Terrorism Product Line (3493 reports)
- S2E: Middle East and Africa Product Line (2574 reports)
- S2G: Counter Proliferation Product Line (2092 reports)
- NSAT: NSA Texas (1690 reports)

The total number of intelligence reports produced by all these OPI's is 144.779, and 22.500 of them are based upon information from the PRISM program, which is an average of 15%. According to a document published in Greenwald's book, there were 18.973 PRISM-based end-product reports in the fiscal year 2011 and 24.096 in 2012.



21. This slide was one of three that were made available on the website of the German magazine Der Spiegel on June 18, 2014. Just like the previous slide, it shows a table with numbers about the intelligence reports based upon data collected through the PRISM program.

The table again lists NSA units which function as Office of Primary Interest (OPI - click here for an explanation of the internal designations). In this case, the numbers are sorted by how many of the total number of reports issued by the various OPI's are PRISM-based, which can be seen in the fourth column. The top-5 units are:
- ECC: European Cryptologic Center (52%)
- S2I: Counter-Terrorism Product Line (42%)
- S2J: Weapons and Space Product Line (33%)
- S2G: Counter Proliferation Product Line (30%)
- NSAT: NSA Texas (30%)


These lists clearly show that collection under the PRISM program is not restricted to counter-terrorism, but is also not about monitoring ordinary people all over the world, as many people still think. PRISM is used for gathering information about a range of targets derived from the topics in the NSA's Strategic Mission List (pdf). The 2007 edition of this list was also among the Snowden-documents and subsequently published, but got hardly any attention.

Already on June 27, 2013, then NSA director Alexander stated in a Congress hearing that data collected under section 702 FAA and section 215 Patriot Act (the domestic metadata collection) enabled US agencies to disrupt 54 threat events, 42 of which "involved disrupted plots". Of those 54:
- 12 involved cases of material support to terrorists;
- 50 led to arrests or detentions;
- 25 occurred in Europe;
- 11 were in Asia;
- 5 were in Africa;
- 13 had a homeland nexus.
Alexander said that in 53 of the 54 cases, data collected under section 702 provided the initial tip to "unravel the threat stream" and that almost half of terrorist reporting comes from Section 702.
Update:
Later that year, senator Patrick Leahy from the Senate Judiciary Committee said that "These [54 events] weren't all plots and they weren't all thwarted. The American people are getting left with the inaccurate impression of the effectiveness of NSA program".
In October 2013, general Alexander talked about 54 cases "in which these programs [sections 702 FAA and 215 Patriot Act] contributed to our understanding, and in many cases, helped enable the disruption of terrorist plots in the U.S. and in over 20 countries throughout the world".

According to former NSA deputy director Chris Inglis some 41 terrorist plots were foiled by information collected under section 702 FAA, most of them by PRISM. This is not a very large number, but as we've seen, PRISM is also used for creating intelligence reports about other topics.

In 2012, PRISM-derived data were cited as a source in 1477 items of the President's Daily Brief, making PRISM one of the main contributors to this Top Secret intelligence briefing which is provided to the president each morning.

According to its annual report (pdf), the Dutch parliamentary intelligence oversight committee CIVD was informed on July 3, 2013 that information from PRISM prevented 26 terrorist attacks in Europe, including one in the Netherlands.



Conclusions

The following slides are the ones that contain some conclusions of the presentation about the PRISM program:


22. This slide was one of two published by The New York Times on June 4, 2015. Both seem to make up the last ones of the presentation about PRISM. In this slide we see some plans for the near future, like expanding the collection and a practical change to the UTT tasking tool.

More interesting is the aim to extend the PRISM collection to Dropbox, but although it is not clear whether this has been realised, Snowden warned people against using Dropbox (such a service provider doesn't participate voluntarily in the PRISM program, but is served with a Section 702 Directive).

NSA also wanted to obtain a separate certification for cyber threats from the FISA Court, so it could also collect data related to certain strings of malicious code through the PRISM and Upstream programs.



23. This slide was one of two published by The New York Times on June 4, 2015. Both seem to make up the last ones of the presentation about PRISM. It encourages analysts to use the possibilities of the PRISM and Upstream programs as much as possible, as they provide "unique collection on their targets".

Under the last bullet point it is said that PRISM and Upstream collection can also be used for searching "cyber signatures and I.P. addresses", which probably refers to the fact that in July 2012, the Department of Justice allowed NSA to target certain cybersecurity-related IP addresses under these programs, so long as there's a nexus with the Counter-Terrorism (CT), the Foreign Government (FG) or the Counter-Proliferation (CP) certifications.

The fact that IP addresses were explicitly linked to the cybersecurity authorization seems to indicate that (at least under section 702 FAA) IP addresses may not have been used as selectors before - which would contradict the general assumption that NSA commonly used IP addresses as selectors too.

Remarkably, the whole use of section 702 FAA programs for cyber security purposes was not investigated or even mentioned in the extensive report (pdf) on these programs by the Privacy and Civil Liberties Oversight Board (PCLOB) from July 2014.

Update:
On August 15, 2016, the website The Intercept published a few documents from the Snowden trove showing that the NSA used PRISM to get information about a New Zealand citizen who GCSB believed was involved in a plot against the regime on the island of Fiji, which turned out not to be the case.



- See also: Excerpts from NSA documents about PRISM



Links and Sources
- Statement before the House Committee on the Judiciary on the FISA Amendments Act (pdf) (2016)
- WebPolicy.org: The NSA’s Domestic Cybersecurity Surveillance (June 2015)
- EmptyWheel.net: Section 702 Used for Cybersecurity: You Read It Here First (June 2015)
- PCLOB.gov: Section 702 Program Report (pdf) (July 2014)
- MatthewAid.com: New NSA Report on Its Electronic Eavesdropping Programs
- EmptyWheel.net: Back Door Searches: One of Two Replacements for the Internet Dragnet?
- DNI.gov: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702 (pdf)
- TED.com: Edward Snowden: Here's how we take back the Internet
- C-Span.org: Privacy and Civil Liberties Oversight Board Hearing, Government Officials Panel
- TechDirt.com: Why Does The NSA Focus So Much On 'TERROR!' When PRISM's Success Story Is About Cybersecurity?
- SealedAbstract.com: The part of the FISC NSA decision you missed
- GlobalResearch.com: New Documents Shed Light on NSA’s Dragnet Surveillance
- TheGuardian.com: Microsoft handed the NSA access to encrypted messages

Some older articles on this weblog that are of current interest:
In Dutch: Follow the current developments around the Intelligence and Security Services Act (Wet op de inlichtingen- en veiligheidsdiensten) via the Dossier herziening Wiv 2017