Sharing Communications Metadata Across the U.S. Intelligence Community

Aug. 25 2014 — 5:00p.m.


Sharing Communications Metadata Across the US. . I . Ia- I a'r'l'Ii- . ii. I - Intelligence Community? ICREACH 15 May 2007 a . a This Brie?ng is Classified TOP DE RIVED FROM: Manual 1-52, Dated: 20070108, Daelassify On: 20320108

w: :13 The Need for Greate_r IC Sharlng of Information 1. (U) Recommendations of 9/11 and WMD Commissions 2. (U) Congressional Interest IFITPA 3. (U) DNI A part of 100-Day Plan 4. (U) Information Sharing Strategy DFHCIAL USE ONLY

Information Sharing Policy DCID 8/1, June 2004 ?All IC agencies will provide intelligence information at the earliest point at which customers can understand and effectively use it to support their mission NSA Policy 1?9, May 2005 implements DCID 8/1 and Transformation 2.0: information originated by NSAICSS shall be shared with U.S. Government customers and partners and with Foreign to the maximum extent possible, consistent with applicable statutes, executive orders and regulations, and consistent with the ineed-to-knowi principle and with applicable authorities governing the protection of intelligence sources and methods.? DFHCIAL USE

SIG NT 171'." J-cn . (1313' (1313' l'J_4' Matrix SIGINT Data Minimized Assessed Shareable for Fl SIGINT Products Yes Yes Yes Services SIGINT Yes No, but Yes Communications provided for Metadata* Fl purposes Flaw SIGINT No No No *[CttFiELt lSommunications metadata refers to structured ?data aboutdata?: it includes all information associated with, but not including content, and includes ant?r data used by a network, service, or application to facilitate routing or handling of a communication or to render content in the intended format; it includes, but is not limited to; dialing, routing, addressing, or signaling information and data in support of various network management activities billing, authentication or tracking of communicants}. REL TD USA, FVETH EDBEDIDB

.. . IfSharing Matrix - ICREACH Minimized Assessed Shareable for Fl COMINT Yes No, but Yes Communications provided for Metadata Flfpurpeses {DFHCIAL USE

Wri? it 131 Cir?ti . Information Sharing Ensure efficient, effective sharing of ever expanding volumes of IC communications metadata. The IC requires access to a much greater volume of data, for a larger number of 1. Make more data accessible 2. Wider set of IC 3. For more comprehensive in-depth analysis of Communications Metadata for - Situational Awareness - Collection Management - Target Development TU FVETHZDEIZDIDB

3 Proposal PROPOSAL: 1. Make IC communications metadata accessible to the greater IC. a. Data will be updated and accessible instantly by IC Intelligence b. Data will be provided for foreign intelligence and counter- intelligence purposes. 0. Data sources and methods can be protected. d. Data will be minimized* according to each agency' 5 standards 5 data will be minimized to NBA minimization standards. 3 data to CIA minimization standards. etc.). if Minimize: specific procedures to minimize the acquisition and retention, and prohibit the dissemination, of non- publiclyr available information concerning unconsenting U.S. persons consistent with the need of the US. to obtain, produce and disseminate foreign intelligence information. DFHCIAL USE

3 Proposal 2. (S) Handles the ever increasing volumes of communications metadata (est. 2-5 billion records/day) 3. (S) Incorporates all communication types - telephony and all forms of digital, e.g. e-mail 4. (U) Allows for the eXpansion of communications metadata fields and sources U) Accommodates multimedia (voice/data/video) convergence U) Allows for greater access by US. military elements 5. 6. 7. (U) Requires only JWICS account plus PKI 8. Does not necessarily replace CrissCross/Proton 9. C) Allows for incorporation of foreign partner data* As negotiated

- .1l? .1l?I .1l? .1l? .1l? .1l? .1. .1l? 1 II- .. t-?r t-?r t-?r t-?r t-?r t-?r t-?r 'rr t-?t t-?r I r? I 1-. 'i'Juli. i- i Er 1. . ~53 (SHREL) ICREACH is a one-st0p shopping tool for consolidated communications metadata analytic needs. Through can access most tools and all appropriate data sets related to both telephony and DNI data with a single login. i REL TD USA,

NSA Propos lm lementation: Use of Current Status: ICREACH is an evolving NSA toolkit (middleware) focused on analyzing the target in a converged telephony-DNI environment. The federated query searches across all data sets for information relating to a target identifier. For example, through ICREACH an analyst could find all metadata comms related to a target: phone number, Global Mobile Satellite and cellular events and selectors, email address, etc. and any associated locational information. TD USA, FVETHEDBEDIDB

1. (U) Certify Users 2. (U) Train Users 3. (U) Grant Access to Users UNCLASSIHEDHFUR USE

?El'1 ?i?nii?? micertified? Any individual who: a. requires access in support of Agency mission (as validated by Agency POC) a part of the US. IC 0. holds d.has PKI e. is an lC-intelligence analyst (of any sort) 2. PKI-enabled accounts will be accessible via JWICS. DFHCIAL USE

in" ?1u'l'1"rt: ICREACH Training NSA will train a cadre of individuals from each agency who will then go back and train their own users. Training consists of: a. Intro to communications metadata to familiarize users with cell phones, email, etc. b. Course to familiarize users with ICREACH tool. 0. Intelligence Oversight training, including minimization. d. Limitations on use of communications metadata for operational purposes. PSTN Public Switched Telephone Network IMSI International Mobile Subscriber Identity TD USA, FVETH ED333103

1. (UIIFOUO) Agency POCs to approve accounts for individuals. 2. (U) Accounts expire after three (3) months of inactivity. 3. (U) Users re-apply and are re-certitied annually. DFHCIAL USE

Intelligence Oversight 1. Approval authorities and auditors at each agency will conduct the requisite oversight training and then conduct independent oversight. 2. Auditing of agency personnel will be conducted by each agency. audit records will be pushed by NSA to each agency in order to perform that task. 3. Access will be terminated immediately upon identification of any violation and will be reinstated only upon re-certification by the agency approval authority. 4. NSA will perform random auditing of IC-wide users to ensure compliance across the IC and notify Agency of any non- compliance. DFHCIAL USE

. amam- am- am- arram- are me. -Total Call Events in NSA est. 149 Billion Of those: -Total Call Events est. 101 Billion -Total Call Events est. 92,000 El Eve MDT Sha reable with 5 Eyes i I Nun MBA Eve Sha rea ble with 5 99% Fer date range 2000-2006, as of early July 2006; some data has been aged off system

lCFieaoh will share over 850 billion NSA event records at IOC with an additional 1-2 billion records added daily Telephonyr (1999-Apr 07) (2004-Apr ?07) Total Call Events est. 711 Billion TOta' Events 95t- 143 Billion Total Call Events from est. 126 Billion "0 Wt Parties 2"?El Parties Billions can Events DN I Events 350 30 1:133? 250? 30' ii 150- 40_ 1999 E??l E??l 2W4 Jan? Feb? Mar? Apr? zoos Jan-?? Feb-t}? Mar-t}? Apr-?? {17" Yearly T?t?l? Yearly Totals SECRETHCUMINTHREL TU FVETHED3EDIDB

Increases NSA communications metadata sharing from 50 billion records to 850+ billion records (grows by 1-2 billion records per day) Boo: 50?? Yearly Growth to; Projected DNI I DNI Projected PSTN PSTN lncluo?es Call rents from Party Partners (est. 126 Billion records) TD USA, FVETHEDBZDIDB

- IfI'll I I . 1. .. :11 "mil -- ICREACH WWI NSA populates these fields in PROTON: Called a: calling numbers, date, time 3: duration of call ICREACH users will see telephony metadata" in the following fields: DATE a TIME IMEI International Mobile Equipment DURATION Length of Call Identifier CALLED NUMBEFI MSISDN Mobile Subscriber Integrated CALLING NUMBER Services Digital Network CALLED FAX (CSI) Called Subscriber MDN Mobile Dialed Number ID CLI Call Line Identifier (Caller ID) TRANSMITTING FAX (TSI) - DSME Destination Short Message Transmitting Subscriber ID Entity IMSI International Mobile Subscriber OSME Originating Short Message Identifier Entity TMSI Temporary Mobile Subscriber Visitor Location Register Identifier

. will - -I I 1 ?1 'i'u ?n'r-1I Il?u-1I I~p-1- I~p-1- II -1I II II -1I I~p--1I I?r -1I I~p-.I.-. oil-J Mr]. II I. a 5 n1 In?- ICFIEACH telephony metadata fields (con' MCC Mobile Country Code CALLING Reverse Terminal MNC Mobile Network Code Identification Number LAC Local Area Code DIALED NUMBER CELL ID Serving Cell Identification FWD SIM - Forward Subscriber TIMING on Timing Advance Value ?entity Module (distance from base transceiver) REV SIM - Reverse Latitude/Longitude in Identity Module degrees and minutes MES TYPE - Message TYPE CALLING FTIN Forward Terminal Identification Number ICFIEACH users will also see this DNI metadata: Email addresses Chat handles Date 3: Time Protocols

Increases Number of SIGINT Metadata Modes and Fields Shared Metadata Field PSTN PCS DNI Date Time Currently Duran Sh Called Number Calling Number H. Called Fax number Transmitting Fax number TMSI MSISDN MDN DSME CSME VLH lCReach LAC Expansmn Timing Advance La?Leng Calling Calling Dialed Number Ferward SIM Reverse SIM Email Address Chat Handle Pretesels TD USA, FVETHEDEEDIDB

IC_Reach 1 .D Netscape Elle gel-l: ?ew go ?mkmarks lools ?mdow Help ,1 _900 0 Ham-cw . a. a Mall 15 Home 5? Radio Netscape Ck Search Baoohnarks Q11 NBA News Yeeha ESE-arch Tools SEARCHLIGHT Web Help ?x?x ?ewice I IC_R-each 1.0 I H'l PUSHIHIJ- ICREACH Version 1.0 Released March 2006 (S) is a one?stop shopping tool for consolidated metadata analytic needs. Through can access several data sets related to both telefzil'nsnj?ar and D141 data with a single login and a federated query that returns any available data from multiple sources For more infonnation. please review the FAQs. ICREACH Liz-gin Click only ifme SID :1 rted . - a-I . "l Passw_rd i Request a ILEEALH User Account gm Inv Password ng 1' Update my ICREACH Act cunt lz'if-r-nnanon Login I Reset Click here for instructions on how to obtain your personal certi?cate to use PKI. - Sum Dual-plus!? It Last Modi?ed: 06 Jammy- 2&36 (m Last Rudmi: 23 December 2005 Denved From 1-52 Version: 1_o Dated. 23 Nov 2004 mm:? DECLASSIFYON 2029l123 TAC 1' I i (.1 Page Publisher Related Links: 4' Target Development Services 0 Target Analysis Center eat] Trans?rringd?l Fr_ ?a a SECRETHREL TO USA,

ITICREACH Query - Eilrll?RlIln-lr k-w. II II IlaHip-5:! -- I M. Starch a fl. Mn-lil HI .-II HI I IE HHI II-: ?l?h?lrl II ll Ikl km ch?. NHWH I.-I Stu-1.1? I I TI ll fife TGHT cafe I EQF- :u-ar '53} th-LH 1. .u "71} Cum?emu) Ierqet Develeement eerwcee r. .. 5 EIBLE EIEICA.TICIN IE Fe- deer-twe cl Eme- Accauni Inf-e Ln gn?' QUERY Clue-W Results Feedback: Help What-'5 New FILII. Seerehee are limited In er fewer eeleetere Date Range: tn I331 Select-er: I {Hemme- deIJ'mJ'f-eci} File of Eelectere: I I (?ne per mg} Name: Submit - 5'1" 1' UHHLIJLE 1:3 lg i; I Fro?H 11:3 I

l? 11,. 11". ?,Irr! "Hf! "n ?3rr: ?grr?,Irr! ?zm "p ?pr! "Hf! "n ?grr! ?jr ?zm "Hf! "n ?3r ?3r "Hf! "n ?grr: ?,Irr! "n TOP ICREACH Query Summary @331 IE - Halsuupn [i In Erlil' ?it-:w Gr: ?ed-uka In?l?: U?lr- I a (a (a hm:me hearth If IE Mall {ii Heme 5-H Had?: Netscape EL hearth I EIHeel-arnerle El}- News Elia- ?reel-Ia Elbe-arch Ieels El} Ierqet Uevelepment her-wees 1 qt} DEWJIJL-IIC HIGHEST PD ESELE 15' Federated ?uew Ace-aunt lnfe Lege? {11" HERE Uhi??l??l? Query Results Feedback Help What's New EDDEDQELI te EDI-3131 024 1'3 sun: ITEM Ll El ?r?uur reuurde in [he Click: en the eelectel' te mew Ite era-maimed result-5. LEE-END r'l: PSTN rP PCS EH UNDEI LS INMAHSHT I: Ir?n'u'eliri Helentnr FIE FP GM L5 ?eleetnr r-r. I 1? 1 Sela-mun Fl: FP GM LS Felecter L5 IE IEI-zucurn-ant: secs) EDBEDIDB

"TOP ICREACH Data Results Lu:- tE-z-c-Icrn-Jrl-zs ?lm-jaw Help . ?fh G: (E I?ll. hearth I dig If hj, Mail 53 Ilnmn Ea Harlin El an'?rnri? "man?h I Tc,- New: Tc.- in. '11:an TGI IT w?h I '34; Gnu-wire "151 I (-0ta} thlu HULIL 4:433 HtLi I1 13th 1'1 PETE: Tr E5- DI I NEE SUBS-CHEER DISH fi?Tt?-T. - - - m1 4'3. PC.) $13.11. ULL ?ag-1E "-91.11 rum; 111m at: LUNG DA 1.11. J.) mam mum h-iHlH?? l_ 1 CIEDCICIE '3 nl II nl II lI

NSA Display SA Data Broker Middleware Data TD FVETHED3EDIDB

NSA '5 ?.135 Second Parties GEHQ Emker User User User Interface Interface Interfaee NSA Date Breker Bunker DB Brnker S9 Brokers in yellow are in development @999 ESE Brnker RETHREL TD USA, FVETHED3EDIDB

1, am we we are are- arr: am- am are- are am an". we we am- am- arr: am- am are- we am anare- am we we are an". are- are- 1- am am- are-"z! Intelli enee NSA Second Parties End Proton (ED User User User GEHQ Interface Interface Interface Emma.- BSD Data Bunker Brnker NSA Data Brnker 6? e? as: aa? 959 GCSE Brnker *As ICREACH sac-lass, IC partners may wish in dsvsIc-p their c-wn as 2'?d parties are rising

Future Brnker SDHTINGLEAD Ln; IL I. in; i m: Pattern atLtte El Target Alerting SGDHEBAHD ICHeach El Results 5.5993 - Shamable I GCHQ CSE Guntent Future Preparatinn 1 Enuirunment 53 - Future miter DSD GCSB

seca'emcawmmt To us, wounding Recap ICFIEACH is a large scale expansion of communications metadata shared with IC partners (CHFIEL) Enables federation of community metadata across IC agencies (CHFIEL) Makes greater use of communications metadata which is information about content (but not the content itself) Definition: Information used by networks, services, or applications to route communications or make the content usable including: Dialing, routing, addressing, location, or signaling data used for network management Formats and protocols used to render the information for people and systems (SHSIHFIEL) Expands NSA sharing in three dimensions: Includes more modes of communications (PSTN, INMARSAT, PCS, DNI) increase in types of metadata shared (from 5 fields to 33 fields) 121: increase in volume shared (from 50 billion to 800+ billion records) REL TD USA, FVETHZDEZDIDB

Next Steps - (U) Pilot development underway IOC June - (U) CCP Funded for first year - (UHFOUO) Agreements on 2? Party sharing (bi- directional) - (U) Expansion to open source? - Limitations and responsibilities related to Operational use - (U) Software licensing OFFICIAL USE

From date of sponsorship: Train the trainers Account Set-up Scrub PROTON NOFORN data for release to ICREACH 3: Second Parties Establish ICFIEACH Configuration Control Board (COB) across IC 2008: Reach out to other databases ICREACH Enhancements

I. I r0 . -. I ?uffICHEACH Timeline (UHFOUO) 2005 .. . all. Initiative conceptualiz - Dec' info [3 oposed 0 SUQQES 3 a 3 I . rmall CAD if It and consider I I other options before 3 Int n1itting to DNI (UHFOUO) 2006 I Architecture - Oct: 1? . Late [jgmally proposed to DNI v: interim es ponse from DNI recom mending continue working init' Ia tlve With ODNIICIO 8: ollection (U) 2007 - May' Pilo . develo June: Pilot IOC pment begins UNCLAS DFHCIAL USE ONLY

.I..- - - .- - .- - .- - .- - .- - - - .- - - - .- - .- - - - - - - - -..I .I-..I .I.. -..-..I .-..I .-.- - - .- - .- - .- - .- - . - - .- - .- - .. Additional slides UNCLASSIFIED

. .l fgi ?he. 11 i - - I I'll I'll I'll I'll i'l i'll I'll I'll I'll I'll I'll I'll i'l i'll I'll I'll I'll i'll ?1 I'll I'll i'll I'll I I'll i'll I'ICFleach Deployment 1 Schedule (SHREL) ICREACH requires between and in FY07 to implement the initial phase, depending on the pace of the development effort. FY2007 Eolloa'iog?peoaorship ??dagrs Ell dog?s Ell days l?ll days Phase 1 - Establish IT and training aeross the - Add nut and other use data sourees ie.g., PCS, to Federated Query - PHI Validation and Aeet Establishment Phase 4 and out vears Phase 3 - Transition and Integrate NSF: to ?perational Hardware - Develop interfaee with If: data sourees and brokers Proeess . . . . - Enhanoements to improve - Initiate User trainin sessions Final - - - Essie" User and Metadata Use Training sehedule staffingg requirement: TED) '?tegrat'un ourse Phase 2 - Code and Test User Interfaoe and we Phase _3-1 - Test Authentieation and ?Pt'm'ze hardware performance Seourity for User Interfaee - Conduot ?Train the Trainer" for UI and Management proeess SECRETHREL TD FVETHED3ZDIDB

- - - - ICReach Post Deployment 1 Schedule Daplaymant 1 Lita Cycle Support - Estimated Life Cycle [par year: 1- a} $2.5 - 4.5M Paat Denlavmant 1 Activity - interface If: data and hrakara - Party Brakara [a made available} - Data Braker - ?thar IC Agency Data Brakara - Enhanaamanta ta impraiia analytic taal intagratian Liz?'11 1.1: FTE GUI .5 FTE Wat) Samba 3 and T65 - --

Fetching more

Filters SVG