August 24, 2013

NSA also has arrangements with foreign internet providers

(Updated: January 25, 2014)

Last Tuesday, August 20, the Wall Street Journal came with a big story with new details about the NSA surveillance programs. The article claims that NSA has the capacity to reach roughly 75% of all US internet traffic that flows through domestic fiber-optic cables. However, this was strongly denied by the NSA

The 75% claim got a lot of attention, but most media apparently oversaw a section later on in the article, which reveals a far more sensitive NSA collection method:

"The NSA started setting up Internet intercepts well before 2001, former intelligence officials say. Run by NSA's secretive Special Services Office, these types of programs were at first designed to intercept communications overseas through arrangements with foreign Internet providers, the former officials say. NSA still has such arrangements in many countries, particularly in the Middle East and Europe, the former officials say."

Documents which were recently leaked by Edward Snowden already confirmed that the NSA collects internet data from telecommunication cables going through the United States. But now we learn that also foreign internet providers are cooperating with NSA in order to intercept foreign communications.

For Americans it may be embarrassing that NSA is tapping into domestic internet cables, but for people elsewhere in the world it must be even more embarrassing that their telecommunications provider might have some secret agreement with a foreign intelligence agency.

Here we will combine this with a number of other recent stories and this shows us that NSA and its British counterpart, the Government Communications Headquarters (GCHQ), have arrangements with a number of big American and British telecommunications companies, and also with an unknown number of foreign internet providers. These are cooperating because they are required by law and both NSA and GCHQ are paying them for the expenses. The result is a global internet surveillance network.



The doughnut-shaped building of GCHQ in Cheltenham, Gloucestershire.


Cooperating with GCHQ

The names of the companies cooperating with GCHQ were published on August 2 by the German newspaper Süddeutsche Zeitung and the NDR television channel. As these are smaller regional media, it seems that The Guardian didn't dare to publish these names themselves. Both media were given access to some top secret GCHQ documents from 2009, partly from an internal system called GC-Wiki, which mention the following telecommunications providers (meanwhile some have merged) and their codenames:
- Verizon Business (DACRON)
- British Telecom (REMEDY)
- Vodafone Cable (GERONTIC)
- Global Crossing (PINNAGE)
- Level 3 (LITTLE)
- Viatel (VITREOUS)
- Interoute (STREETCAR)

GCHQ has clandestine agreements with these seven companies, described in one document as "intercept partners", in order to give the agency access to their network of undersea cables. The companies are paid for logistical and technical assistance and British Telecom even developed software and hardware to intercept internet data. At GCHQ this collection effort is conducted under the "Mastering the Internet" component of the TEMPORA program.

The identity of the participating companies was regarded as extremely sensitive, in official documents referred to as "Exceptionally Controlled Information" (ECI), with the company names replaced with the codewords. Disclosure of the names would not only cause "high-level political fallout", but would also be very damaging for the trustworthiness of the companies.



One of the doors of room 641A in the building of AT&T in San Francisco,
where the NSA had a secret internet tapping device installed,
which was revealed by an AT&T technician in 2006.


In reaction to these disclosures, Vodafone and Verizon said that they comply with the laws of all the countries in which they operate cables and that they won't disclose any customer data in any jurisdiction unless legally required to do so. This is the same kind of reply some of the US internet companies gave regarding to their alleged involvement in the PRISM program.


Tapping the internet backbone

Together, the seven companies operate a huge share of the high-capacity undersea fibre-optic cables that make up the backbone of the internet's architecture. The German media also noted that these companies also run some important internet nodes in Germany, and for example Interoute owns and operates Europe's largest cloud services platform.

We do not know how many of the internet cables and nodes of these providers have collection and filtering devices attached. Former NSA official and whistleblower William Binney gives quite a large number of major points in the global fiber optic networks where there would likely be Narus, Verint or similar intercepting devices. In this article there's a list of the most likely surveillance nodes on the networks of AT&T, Verizon, BT Group and Deutsche Telekom - situated all over the world.

The Guardian confirms that in 2012 GCHQ had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time. The collected metadata is stored for up to 30 days, while the content of communications is typically stored for three days.

On August 28, new reports by the Italian paper L'Espresso and the international website of the German paper Süddeutsche Zeitung revealed the names of at least 14 undersea fiber-optic internet cables which GCHQ is tapping:

- TAT-14, connecting the United States with the United Kingdom, France, the Netherlands, Germany, and Denmark
- Atlantic Crossing 1, linking the USA and the United Kingdom, the Netherlands and Germany
- SeaMeWe3, which connects Europe, Asia and the Middle East
- SeaMeWe4, linking Europe, North Africa and Asia
- FLAG Europe Asia (FEA), linking Europe to Japan through the Middle East and India
- FLAG Atlantic-1, linking New York with France and England
- Circe North, connecting the United Kingdom with Belgium, France, Germany and the Netherlands
- Circe South, idem
- Solas, between the United Kingdom and Ireland across the Irish Sea
- UK-France 3
- UK-Netherlands 14
- Ulysses 1 and 2, running between Dover and Calais, resp. IJmuiden and Lowestoft
- Yellow/AC-2, connecting New York with Bude in the United Kingdom
- Pan European Crossing (PEC), linking the United Kingdom, Belgium, and France



Overview of the undersea fiber-optic cables
Click for an interactive map!


The existance of internet tapping points outside the US and the UK was confirmed in a report by The Independent from August 23. It says GCHQ runs a secret internet-monitoring station at an undisclosed location in the Middle East to intercept and process vast quantities of emails, telephone calls and web traffic on behalf of Western intelligence agencies.

The station is able to tap into and extract data from the underwater fibre-optic cables passing through the region. All of the messages and data passed back and forth on the cables is copied into giant computer storage buffers and then sifted for data of special interest. These data are then processed and passed to GCHQ in Cheltenham and shared with the NSA.


Network Security Agreements

On July 7, The Washington Post published about a "Network Security Agreement" between the US government and the fiber-optic network operator Global Crossing, which in 2003 was being sold to a foreign company. Global Crossing was later sold to Colorado-based Level 3 Communications, which owns many international fiber-optic cables, and the 2003 agreement was replaced by a new one (pdf) in 2011.

According to the Post, this agreement became a model for similar arrangements with other companies. These ensure that when US government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely. The 2011 agreement with Level 3 clearly says that all domestic communication cables shall pas through a facility from which lawful electronic surveillance can be conducted:



The bottom line here is in the word "lawful". As long as information requests by NSA or GCHQ are lawful, the internet providers will assist in gathering the required data. They even have to.


Corporate Partner Access program

Just like GCHQ, NSA is also paying telecommunication companies. This came out when on August 30, The Washington Post published parts of the highly classified US Intelligence Budget. This revealed that NSA’s Special Source Operations (SSO) division runs a project called Corporate Partner Access, which involves major US telecommunications providers to tap into "high volume circuit and packet-switched networks".

For the fiscal year 2013 this program was expected to cost $ 278 million, down nearly one-third from its peak of $ 394 million in 2011. Among the possible costs covered by this amount are "network and circuit leases, equipment hardware and software maintenance, secure network connectivity, and covert site leases". The total of 278 million breaks down as follows for specific programs:
- BLARNEY: $ 65.96 million
- FAIRVIEW: $ 94.74 million
- STORMBREW: $ 46.04 million
- OAKSTAR: $ 9.41 million

A final $ 56.6 million is for "Foreign Partner Access", but according to The Washington Post it's not clear whether these are for foreign companies, foreign governments or other foreign entities.

The article says that telecommunications companies generally charge to comply with surveillance requests from state, local and federal law enforcement and intelligence agencies. This simplifies the government’s access to surveillance and the payments cover for the costs of buying and installing new equipment, along with a reasonable profit, which makes it also profitable for the companies to cooperate with NSA and other agencies.

Some more details about collecting data with the help of foreign facilities came from NSA slides shown in the background of a Brazilian television report on September 8, 2013. These slides mention at least three sub-programs of OAKSTAR for collecting phone and internet communications "through a foreign access point":
- MONKEYROCKET
- SHIFTINGSHADOW
- ORANGECRUSH
The latter program is specified as a "Foreign access point through PRIMECANE, and 3rd party partner" (see below).

 



2nd and 3rd party countries

Similar arrangements with telecommunication providers can be expected in Canada, Australia and New Zealand, as the signals intelligence agencies of these countries have a very close information sharing relationship with GCHQ and NSA under the UKUSA-Agreement from 1946. Regarding signals intelligence these countries count as 2nd party allies of the NSA.

One step below, there's a group of around 30 countries that are considered to be 3rd party partners. According to the Snowden-leaks Germany, France, Austria, Denmark, Belgium and Poland are among them.* Probably Norway, Malaysia, Singapore, Japan, South Korea, Israel, Taiwan and South Africa are 3rd party partners too.*

Update #1:
New documents show that Sweden is a 3rd Party partner of NSA since 1954.

Update #2:
Another disclosed NSA document has confirmed that France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden are 3rd Party partners of NSA and that they are part of a group called SIGINT Seniors Europe (SSEUR) or 14-Eyes.

As the Wall Street Journal article says that the foreign internet providers are "particularly in the Middle East and Europe", this reminds of a special relationship the United States has with a number of countries in particularly these regions. We know them by the fact that they have a so-called Defense Telephone Link with the US:

- In Europe: Albania, Austria, Bulgaria, Czech Republic, Estonia, Latvia, Lithuania, Macedonia, Poland, Romania, Slovenia and Slovakia.
- In the Middle East: Bahrein, Israel, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates.

Most of these countries are small, dependent on US military support and therefore often willing to cooperate with US intelligence agencies. Of course this doesn't necessarily mean that in all of these countries the NSA has agreements with local internet providers, but the list may give an indication of where we can expect cooperating companies. Having secret arrangements with a foreign intelligence agency is a highly sensitive and tricky business, so internet providers have to be covered by their government.

> See for the latest: NSA's foreign partnerships


The new way of intercepting

For the NSA these arrangements with foreign internet providers make good sense. Before the Internet-age, NSA could intercept many communications on its own, for example by placing taps at underwater telephony cables and intercepting satellite transmissions and microwave links. These were the long-distance connections for the public switched telephone network, which also carried most of the early internet traffic.


The 20 feet/6 meter and 6 tons tapping device for a Soviet cable in
the Sea of Okhotsk, which was placed in the 1970's under operation Ivy Bells
and was discovered and removed by the Soviets in 1981.


With the rapid expansion of the internet after the year 2000, the copper cables and satellite and microwave links have been replaced by fiber-optic cables, which are far more difficult to intercept. NSA is reportedly capable of placing taps at underwater fiber cables, but these are of course very cumbersome and costly operations.

Therefore, the way to go was to place taps at locations where the fiber-optic communications are switched. For the internet, much of the switching occurs at relatively few sites, but here intercepting has to be done with the help, or at least the knowledge, of the companies who are operating these sites.

Before 2001, NSA was only authorized to intercept communications with both ends being foreign. So the first internet providers to cooperate with had to be outside the US. But due to the very nature of the internet, NSA soon found out that it was increasingly difficult to keep foreign and domestic communications separated.

For that reason president George W. Bush secretly authorized NSA to also wiretap international communications where just one party is believed to be affiliated with terrorism. Under this new authority NSA could now also involve American telecommunication providers, first those providing hardware transmissions (AT&T, Verizon, etc) and later companies offering the software for today's communications (Microsoft, Google, Apple, etc).


Nothing really new

Now, NSA and its UKUSA partners are cooperating with a range of national and foreign internet providers, which gives them access to the main internet cables and switching points all around the world. This is just like they operated the ECHELON network with listening stations worldwide, intercepting the former satellite communications.

For some people all this may sound like Snowden's claim about the NSA being able to eavesdrop on every conversation of everyone in the world, but there's no evidence for that. NSA does want access to as many communication channels as possible, but only for gathering information about enemies of the United States, not about ordinary people. Given the enormous amount of data traffic, NSA will just do everything to gather that info as focussed and efficiently as possible - more about that next time.

(This article was updated with info about the Level 3 agreement, the British base in the Middle East, the names of the fiber-optic cables and the budget for cooperation of telecom providers)


Links and Sources

- NY Times: N.S.A. May Have Penetrated Internet Cable Links
- Wall Street Journal: New Details Show Broader NSA Surveillance Reach - still availabe here
- Süddeutsche Zeitung: Snowden enthüllt Namen der spähenden Telekomfirmen
- The Guardian: BT and Vodafone among telecoms companies passing details to GCHQ
- The Washington Post: Agreements with private companies protect U.S. access to cables’ data for surveillance
- Süddeutsche Zeitung: British Officials Have Far-Reaching Access To Internet And Telephone Communications
- Wikipedia listing: List of international submarine communications cables

6 comments:

  1. It does not matter if the NSA/GCHQ only intends to use part of it. The concerning aspect for most people is the initial collection, the bulk collection in the first instance. It is unlawful and presents extraordinary risks to privacy. No computer system, not even NSA, is 100 percent invulnerable from attack. It would be only a matter of time before those systems are breeched, either internally or from the outside.

    ReplyDelete
  2. NSA and Prism is keenly spying over all data and most companies do not have any knowledge about this data transfer at all.

    ReplyDelete
  3. Hi, Thanks for your article. You have written very well about NSA also has arrangements with foreign Internet service Providers, I have found it very valuable.

    ReplyDelete
  4. An IP Address is a unique identifier address assigned specifically to a particular device. With this address, computers or devices that do the same work are identified on the network router help and can communicate with other devices over the internet.

    ReplyDelete
  5. NSA and Prism is keenly spying over all data and most companies do not have any knowledge about this data transfer at all.

    ReplyDelete