SSO NEWS Relevant Entries

Jun. 25 2018 — 11:55a.m.


(TS//NF) Full One End Foreign (1EF) Interim Status Update
By REDACTED on 2012-10-15 1030

(TS//NF) Special Source Operations (SSO) commenced deploying full One End Foreign (1EF) Internet Protocol (IP) address filtering for Foreign Intelligence Surveillance (FISA) Amendments Act (FAA) 702 collection at Unilateral Legal collection sites on 5 September, 2012. To date, this change has been effected at 6 FAA accesses. The metrics available cannot account for collection which may have been subsequently sequestered due to potential over-collection concerns (capabilities integrated into the collection distribution components), but the net count of additional collection events resulting from the expansion to 1EF filtering as of 11 October 2012 is 1,595. This gain may increase more dramatically as the capability is rolled out to additional high producing accesses.

(TS//NF) Given the sensitivity of the FAA collection authorities, SSO is proceeding at a measured pace according to the plan. In order to address evolving intelligence priorities in a timely manner SSO collection managers have directed the inclusion of IP addresses associated with a small set of focused regions of interest (Iran, Afghanistan, Israel, Nigeria, Pakistan, Yemen, Sudan, Tunisia, Libya, and Egypt) to several accesses which have not yet migrated to this open aperture approach. From the two most lucrative sites within one program that are not yet 1EF capable, this inclusion has netted an additional 182 intercepts.

(TS//NF) Where feasible, the migration to full 1EF IP filtering will continue through approximately mid-November. Efforts are continuing to establish the necessary tools to manage the IP filter list at sites which cannot accommodate the full 1EF, where some focus on the collection gain versus resource trade space is required to maximize each site/Program’s contributions to the FAA 702 mission. The timeline for establishing these tools has yet to be determined, but efforts are being focused on this component to fully maximize SSO’s potential under FAA 702 collection authorities.

POC: REDACTED

(TS//SI//NF) Initial Application of One-End Foreign (1EF) Filter at a FAA Upstream DNI Collection Site
By REDACTED on 2012-09-10 1319

(TS//SI//NF) On 5 Sep 2012 at ~1500Z, the FAIRVIEW site known as OVERHILL, became the first Foreign Intelligence Surveillance Act (FISA) Amendment Act (FAA) Upstream Digital Network Intelligence (DNI) site to use the 1EF filter (sourced from EVILOLIVE, Internet Protocol (IP) geo-location reference source, foreign IP list) for FAA compliance purposes. The 1EF filter replaces the use of the more limited FAA IP Subnet filter as a method to ensure compliance with FAA collection authorities, while opening the collection aperture to maximize collection opportunities. A further advantage of this approach is that the IP filter will be current with EVILOLIVE updates, whereas the process to develop the FAA IP list was a lengthy and complicated effort requiring input from the range of Target Offices of Primary Interest (TOPIs) involved for managing and prioritizing IP addresses for inclusion into the FAA IP subnet list. FAA IP Subnet generation process results in some inherent latency and may be somewhat less precise for compliance purposes due to this artifact. Use of the 1EF filter approach vice the more restrictive FAA IP Subnet filter will provide a significant increase in the amount of traffic presented for processing/selection. Early indications from the OVERHILL site are that the volume of traffic being delivered for processing using the 1EF filter approach is on the order of two times as much as compared to when the FAA IP Subnet filter was in use. This does not necessarily translate into a corresponding increase in FAA DNI selected hits, but the expectation is that an increase in selection will typically occur when using the 1EF filter approach due to the significant increase in traffic being forwarded for processing and potential selection.

(TS//SI//NF) The current strategy for rolling-out the 1EF filter to additional Special Source Operations (SSO) FAA Upstream DNI sites is to add the 1EF filter to one FAA DNI site per week in place of the current FAA IP Subnet filter. This will occur at sites that can support the entire 1EF filter (i.e. the entire foreign IP list as listed in EVILOLIVE). The FAA Upstream DNI sites that currently cannot support the entire 1EF filter list will continue to use the FAA IP Subnet filter until such time that collection management tools are established to develop an expanded EVILOLIVE sourced IP list on a site by site basis, maximizing the FAA potential of each access.

(S//SI) This first step is the result of an 18+ month effort, collaborating across SSO, SIGINT Development Strategies and Governance (SSG), Office of General Counsel (OGC), Department of Justice (DoJ), FAA Mission leads, and the Authorities integration group, factoring in all participants concerns.

(C//REL FVEY) POC: REDACTED, FAIRVIEW Collection Manager, REDACTED, REDACTED; REDACTED, FAIRVIEW Technical Director, S3531, REDACTED

(U//FOUO) Last Remaining FAIRVIEW ETMLs are Operational
By REDACTED on 2012-07-24 1444

(TS//SI//NF) On 19 June 2012, FAIRVIEW turned up 7 Extended TURMOILs (ETML) at FREEWAY, a major west coast Internet Protocol (IP) backbone access. This was the last remaining access scheduled to go operational in FY12, and delivered 3,221 Digital Network Intelligence (DNI) FISA Amendment Act (FAA) intercepts to National Security Agency Washington (NSAW) within the first 15 hours of operation. Additionally FREEWAY, based on initial intercepts, has the potential to be the highest contributing FAIRVIEW access for LEGION JADE activity.

POC: REDACTED, S3531, REDACTED

(TS//SI//REL FVEY) FAIRVIEW Tour for new FBI Agent and Attorney
By REDACTED on 2012-05-11 1519

(TS//SI//REL FVEY) On 3 May, FAIRVIEW provided the new FBI Agent, REDACTED, and their new Attorney, REDACTED, a tour of one of the program’s east coast cable stations (NASSAU SHORE) and the program’s centralized processing SCIF (PINECONE). A FAIRVIEW overview was provided expanding upon the program’s vast access and collection infrastructure, budget constraints, and program authorities with a focus on the fundamental partnership with the FBI. Other topics included the varying data flows (i.e., DNI, DNR, CDRs, etc.), FY12 and FY13 strategies, budget constraints, sensor deployments (ETML, VANGUARD and NETFLOW), and endpoint-midpoint shaping activities with TAO and NCSC. The day was extremely successful and broadened their understanding of the breadth and depth of the program which requires their partnership for success.

POC: REDACTED, FAIRVIEW D/Program Director, REDACTED, REDACTED

(TS//SI//REL FVEY) FAIRVIEW Tour
By REDACTED on 2012-03-28 1333

(TS//SI//REL FVEY) On 23 March, S3 and GAO Technical Directors: S3 - REDACTED, REDACTED, REDACTED; GAO - REDACTED and REDACTED, and SV SIGINT Compliance and Architecture Lead REDACTED, attended the FAIRVIEW partner provided tour of one of the program’s east coast cable stations (NASSAU SHORE) and the program’s centralized processing SCIF (PINECONE). A short FAIRVIEW overview was provided which led into an in-depth technical discussion regarding the program’s vast access & collection infrastructure, the varying data flows (i.e., DNI, DNR, CDRs, etc.) to include program authorities, budget constraints, sensor deployments (ETML, VANGUARD and NETFLOW), and endpoint-midpoint shaping activities and future opportunities in partnership with organizations such as TAO, NCSC and other IC elements such as the FBI, DEA and the CIA. The partner also provided a briefing on company/USG activities outside of FAIRVIEW (i.e., NEST, DIB Pilot) and expounded on current and future program Cyber plans. The day was extremely successful and broadened their understanding of this unique Government/Partner relationship, highlighted the Partner’s ability and willingness to help with NSA’s SIGINT and Cyber missions, provided insight into the breadth and depth of the program’s access and showcased the highly collaborative nature of the FAIRVIEW partner and the value of their intellectual capital.

POC: REDACTED, FAIRVIEW Program Director, REDACTEDs

(TS//SI//REL FVEY) FAIRVIEW Tour for HPSI/SSCI Staffers
By REDACTED on 2011-11-16 0844

(TS//SI//REL FVEY) On 21 October, the FAIRVIEW partner provided HPSI staffers REDACTED (CCP Majority Monitor), REDACTED (Congressional Fellow) J REDACTED (Senior Majority Counsel) and SSCI staffers REDACTED (CCP Majority Monitor) and REDACTED (CCP Minority Monitor) with a tour of one of the FAIRVIEW program’s east coast cable stations (FRIAR) and FAIRVIEW’s centralized processing SCIF (PINECONE). A high level overview of the FAIRVIEW program was provided. Discussion topics revolved around data collection to include FAA, BR FISA, Court Order and Transit, the program’s authorities, and budget constraints. The day was extremely successful and broadened the Staffers’ understanding of the Government/Partner relationship, Partner provided services, the FAIRVIEW program overall and identified areas where the Staffers may be able to provide overarching support with their broader understanding of SSO Corporate programs.

POC: REDACTED, FAIRVIEW Program Director, S3531

(TS//SI//REL FVEY) FAIRVIEW Tour for Director, Research Directorate
By REDACTED on 2012-01-13 0814

(TS//SI//REL FVEY) On 6 January 2012, Dr. Michael Wertheimer, Director of NSA’s Research Directorate, was provided a tour of FAIRVIEW’s East Coast cable station (FRIAR) and FAIRVIEW’s centralized processing SCIF (PINECONE). In addition to the site tours, Dr. Wertheimer also received a high level program overview, to include discussion of the various authorities the program operates under, current and future program Cyber plans and some discussion regarding FAIRVIEW’s Business Record FISA (BR-FISA) collection. The discussion also included mention of the program’s FY12 Strategic Initiatives, a snapshot of the FAIRVIEW’s access & collection footprint, clearly depicting the breadth of the access. The day was extremely successful and broadened his understanding of this unique Government/Partner relationship, highlighted the Partner’s extreme willingness to help with NSA’s SIGINT and Cyber missions and the breadth and depth of not only the program’s access, but also the amazing knowledge of the FAIRVIEW partner’s workforce.

POC: REDACTED, FAIRVIEW Tech Director, S3531

(TS//SI//NF) Mobility Business Records Flow Significantly Increases Volume of Records Delivered Under BR FISA
By REDACTED on 2011-08-30 1440

(TS//SI//NF) On 29 August, FAIRVIEW started delivering Mobility Business Records traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The intent of the Business Records FISA program is to detect previously unknown terrorist threats in the United States through the cell chaining of metadata. This new metadata flow is associated with a cell phone provider and will generate an estimated 1.1 billion cellular records a day in addition to the 700M records delivered currently under the BR FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a push to get this flow operational prior to the tenth anniversary of 9/11, and extensive coordination with external entities via our OGC (to include: FBI, DOJ, ODNI, and FISC) NSA received approval to initiate this dataflow on August 29, 2011. Analysts have already reported seeing BR Cellular records in the Counter Terrorism call-chaining database queries.

POCs: REDACTED, S3531, REDACTEDs; REDACTED, ST, REDACTEDs; & REDACTED, S35324, REDACTEDs

(TS//SI//NF) FAIRVIEW: CLIFFSIDE Site - Collection Resumes After ~5 Months
By REDACTED on 2011-08-23 0805

(TS//SI//NF) On 5 Aug 2011, collection of DNR and DNI traffic at the FAIRVIEW CLIFFSIDE trans-pacific cable site resumed, after being down for approximately five months. Collection operations at CLIFFSIDE had been down since 11 March 2011, due to the cable damage as a result of the earthquake off of the coast of Japan. The initial damage assessment showed the loss of collection of 275 E1 DNR circuits and 55 DNI circuits. Since the cable was repaired and returned to service (5 Aug), FAIRVIEW operations has tasked 205 E1 DNR circuits and 37 DNI circuits for collection. Environmental survey continues to compare the old environment footprint to the new environment footprint and FAIRVIEW operations will continue to task collection for all new and restored circuits.

POC: REDACTED, S35333, REDACTED (FAIRVIEW Collection Manager)

(TS//SI//REL FVEY) FAIRVIEW High Level Structural Survey (HLSS) Data Populating TWISTEDPATH Data Repository
By REDACTED on 2011-01-28 1431

(TS//SI//REL FVEY) On 12 January 2011, FAIRVIEW (US-990) began delivering High Level Structure Survey (HLSS) SCAN1 data from the program’s 6 cable accesses to TWISTEDPATH. HLSS is signal level characterization, providing the mux structure of the signal and various overhead data values. HLSS is a characterization of the signal environment, and as it is established provides a first indication of high level changes in the environment where a deeper analysis is required. The HLSS includes, among other things, a J1 overhead byte which carries identifying information about the user/operator of that link, such as a specific network provider, corporation, etc., which is a high value data item to analysts. This effort is a first step towards the eventual utilization of more advanced Automated Characterization & Survey (ACS) capabilities (i.e., Scan 2) within the program.

(TS//SI//REL FVEY) This delivery marks another major milestone in the program’s efforts to automate survey at the cable sites. In FY10, FAIRVIEW’s production and survey case notations became compliant with SSO case notation specifications. Now, in FY11 the program can finally deliver that data to NSA for analytical use. The new auto survey system is comprised of both partner and agency developed components.
FAIRVIEW is currently surveying all circuits not in production at its 6 cable sites every 3-5 days depending on the size of the sites, covering some 1,836 circuits in all. Over the next several months all circuits in production will be added to auto survey, bringing the total number of circuits surveyed to 2,076, finishing another important phase of this large and complex effort.

POC: REDACTED, S3322, REDACTED / REDACTED, S3321, REDACTED

(TS//SI//REL FVEY) FAIRVIEW Carrier Grade VoIP (SIP Protocol) Transit Collection Activated
By REDACTED on 2011-01-28 1401

(TS//SI//REL FVEY) On 19 January 2011, FAIRVIEW (US-990) began delivery of Carrier Grade Corporate VoIP (SIP Protocol) under Transit Authority. This involves the diversification of the program’s Voice collection posture to include VoIP as the communications networks converge and move beyond PSTN. This capability follows our PSTN authorization model and takes advantage of least cost routing services offered by the FAIRVIEW Partner. However, this algorithm incorporates automated feedback loops for improving authorization effectiveness as part of the process.

(TS//SI//REL FVEY) This new capability rests on a large and complex system which collects, processes, authorizes, and selects calls using both SIP and H.323 VOIP protocol technology from 26 separate IP backbone router nodes. Traffic generated by this VoIP algorithm is unique due to additional authorization attributes and changes in routing across authorization domains (i.e., Transit, FAA and Court Ordered). A large component of this eligible traffic is to/from high interest areas such as Pakistan.

POC: REDACTED, S3321, REDACTED 3

(TS//SI) Activation of NSA’s First Ever Extended TURMOIL (E-TML) Capability
By REDACTED on 2011-01-28 1359

(TS//SI) As of 1715Z on January 10, 2011, SSO’s FAIRVIEW Program turned up the Agency’s first E-TML operational flow. This achievement is the result of several years of coordinated effort between SSO and T1 and will be the first of many within FAIRVIEW and ultimately across all relevant SSO Programs. Over the next couple of years, E-TML will migrate towards becoming a viable, widely available, NCC product.

(TS//SI) E-TML extends TURMOIL filtering and selection into commercial accesses in a way that meets Partner OPSEC requirements while protecting sensitive Agency information. This type of access is common to many Corporate Partners – distributed, unclassified, commercial accesses with moderate, but limited transport bandwidth to SCIFed processing sites. E-TML Filtering and selection at the access point greatly reduces the amount of data needing to be sent back to processing SCIFs over the limited bandwidth available for that purpose. As a result, it is possible to move from the current heavily IP filtered, bulk forwarded collection of a tiny portion of the typical Terabyte or more SSO access toward full coverage.

(TS//SI) The E-TML concept is one where the hardware at the unclassified, commercial accesses is commercially available, unclassified, and compatible with Partner OPSEC cover missions. Intrinsic to the design, however, are a range of security countermeasures meant to deal with both Partner OPSEC concerns and to allow the hosting of sensitive software or selector information. In FAIRVIEW, with the guidance of IAD and NSA Security, this set of countermeasures along with layers of additional physical security, OPSEC processes and procedures, and commercial encryption were implemented to mitigate any risk. A risk assessment was conducted regarding hosting unclassified software based on TURMOIL’s first stage packet filter and DFCE, patterns derived from classified selectors, and the possible future hosting of classified software in the E-TML front-end. After review by both SID and NSA Security, the residual risk was deemed acceptable.

POCs: REDACTED, S3321, 769-4104 / REDACTED, S3321, REDACTED

(TS//SI//REL) ANTI-MYTH Effort
By REDACTED on 2009-12-07 1642

(TS//SI//REL) The FAIRVIEW program is entering the final test phases of what is believed to be the first deployment of anti-myth COURIERSKILL dictionaries for a non-FAA collection site, in this case FAIRVIEW's SMTP (port 25) transit collection source. This initiative began in May of 2009 and has involved countless hours of collaboration between SSO FAIRVIEW, UTT and CADENCE personnel. Combined with the introduction of realm-based restrictions in UTT for this site group, limiting the site group to selector realms relevant to a SMTP flow, the anti-myth permutations in our new dictionaries are hoped to greatly decrease if not eliminate instances of message over sampling off of this flow which, although by itself not an authorization violation, was politically problematic for our partner relationship and negatively impacted the quality and excessive quantity of our collection delivery to PINWALE.

(TS//SI//REL) This initiative was levied against the UTT strong selector dictionaries, but the FAIRVIEW program intends to proceed with a rebuild of the weak selection CADENCE-only dictionary also levied against this flow, complete with new operational policy guidelines that will be communicated to analysts in the first quarter of CY2010.

(TS//SI//REL) Where applicable, the Corporate Portfolio Mission Management team intends to apply the "lessons learned" from this FAIRVIEW initiative across other SSO Corporate Programs to improve the accuracy and quality of intercept across multiple programs.

(U//FOUO) POC: REDACTED, ODD Corporate Portfolio Manager, REDACTED, REDACTED(s)
