The problem had been brewing for nearly a decade, intelligence sources had warned, as the National Security Agency vacuumed up more and more surveillance information into computer systems at its Fort Meade, Maryland, headquarters: There just wasn’t enough power coming through the local electric grid to support the rate at which the agency was hoarding other people’s communications.

“If there’s a major power failure out there, any backup systems would be inadequate to power the whole facility,” a former NSA manager told the Baltimore Sun in August 2006.

“It’s obviously worrisome, particularly on days like today.”

It turns out that manager, and other sources quoted in the Sun piece, were even more correct than was publicly known at the time: The NSA had, just the prior month, already experienced a major power outage and been forced for the first time to switch over its most critical monitoring — its nerve center, the National Security Operations Center — to a backup facility in Augusta, Georgia, according to an internal report classified “secret.” The culprit: hot weather and electric company problems generating sufficient power, according to an article posted on the internal agency news site known as SIDtoday.

For the NSA, the relatively smooth handoff was a triumph. But the incident marked an important turning point, underlining how the NSA was collecting too much information for its facilities to handle. The agency would go on to build a massive data center in a barren stretch of Utah desert, estimated to be capable of holding billions of gigabytes of information.

Indeed, the story of the 2006 Fort Meade brownout is one of several stories of overwhelming mass surveillance to emerge from a review of 287 SIDtoday articles, provided by NSA whistleblower Edward Snowden. Other tales, collected below, include how an NSA intern working in the English countryside marked for killing or capture nine people in Iraq; how a secret team of NSA commandos deployed to foreign countries to break codes; and how the NSA spied on satellite internet systems in the Middle East.

The Intercept is publishing three other articles taken from this cache of documents, including an investigation by Henrik Moltke into how revolutionary intelligence pooling technology first used by the U.S., Norway, and other allies in Afghanistan spread to the U.S.-Mexico border — raising questions about over-sharing at home and abroad. In another article, Miriam Pensack reveals how the sinking of the Russian submarine Kursk in 2000 was closely monitored by Norwegian (and eventually U.S.) intelligence, which knew more about the tragedy than was initially revealed. And Murtaza Hussain shows how the NSA drew up new rules in response to a request from its Israeli counterpart, which had sought to use U.S. intelligence to target killings, apparently at Hezbollah.

NSA Commando Unit Promised “Any Target, Anywhere, Any Time”

In 1966, a new NSA project was hatched to figure out why an electronic signal under surveillance was “exhibiting parameters outside normal operating conditions,” as an NSA history later put it. Members of “WEREWOLF,” as the project was to be called, concluded that the equipment used to monitor the signal was causing the abnormalities.

The team behind WEREWOLF would go on to conduct other “special deployment” missions, but not before a change of cover name. The unit chief decided that WEREWOLF, atop a list of automatically generated possibilities, wasn’t quite right and, reading further down, settled on the more heroic-sounding “MUSKETEEER.” At some point, the unit took on the credo “Any Target, Anywhere, Any Time.”

While technology, as well as the NSA’s mission, would change dramatically over the next 40 years, MUSKETEER teams would steadily “deploy on special collection and survey missions,” according to the NSA history, which ran in SIDtoday. They fixed signal monitoring problems, ran boutique surveillance operations from inside U.S. embassies, and surveyed transmissions in far-off places, often invited by other U.S. government entities.

In more colorful moments, they foiled an assassination attempt against a U.S. special operations commander in the Philippines and discovered vulnerabilities in a Russian-made anti-aircraft missile system, known as SA-6, as used by Bosnia during the Balkans conflict. The latter work resulted in the “neutralization of multiple batteries” of the missiles by U.S. fighter aircraft, according to the history. (The article does not mention whether MUSKETEER’s involvement was linked to the 1995 downing of U.S. fighter pilot Scott O’Grady by a Serbian SA-6 missile. The NSA was harshly criticized for failing to relay intelligence that could have prevented the shoot-down. )

One SIDtoday article recounts how a MUSKETEER team, having deployed to the U.S. embassy in Beijing, struck gold during a survey of Wi-Fi signals from “the embassies of India, Singapore, Pakistan, Colombia, and Mongolia.” At the Indian Embassy, the team discovered that someone, possibly sponsored by the Chinese government, had hacked computers inside and was transmitting “approximately 10 sensitive diplomatic documents” every day (“often Microsoft Office-compatible files or Adobe PDF documents”) to drop boxes on the “public internet.” The NSA began regularly collecting the information from these drop boxes for itself and “analyzing the Indian Embassy’s diplomatic communications,” according to SIDtoday.

Later, by analyzing “how the Chinese conduct computer-to-computer (C2C) operations against foreign targets,” the team was able to find hacking by China “in several other locations.”

This type of operation, in which a spy agency piggybacks off the work of a different spy agency against a shared target, is referred to as “fourth-party collection.”

Snooping on diplomatic communications is a violation of Article 27 of the 1961 Vienna Convention on Diplomatic Relations, which states that the “the official correspondence of the mission shall be inviolable.”

The Secret History of the NSA’s Joint Venture with the CIA

A two–part interview in SIDtoday provides new details about the Special Collection Service, the covert NSA joint effort with the CIA to collect signals intelligence from U.S. embassies abroad. The revelations include information on SCS’s history and examples of its missions.

Der Spiegel disclosed important details about SCS in 2013 using Snowden documents, including that SCS tapped the mobile phone of German Chancellor Angela Merkel.

Before SCS was created in 1979, the NSA and CIA ran independent, covert signals intelligence programs — sometimes “at opposite ends” of the same building — serving different missions, the director and deputy director of SCS told SIDtoday in the interview. Congress intervened, directing the CIA and NSA to run the SCS program together, presumably to save money and avoid duplicated efforts.

At the Indian Embassy in Beijing, the NSA discovered that someone, possibly the Chinese government, had hacked computers inside. The NSA began regularly collecting the information for itself.

Since then, the number of SCS sites has ebbed and flowed depending on budgets and operational needs. In 1988, before the Berlin Wall came down, SCS reached a peak of 88 sites worldwide, the director said. In the following years, the number decreased, only to drastically increase in the aftermath of 9/11, when no fewer than 12 new sites were added. At one point, the SCS Caracas site was shut down when it was no longer needed, only to be reopened when “anti-American Venezuelan President” Hugo Chávez was elected in 1998.

A separate SIDtoday article, written by two NSA managers, described an SCS operation conducted against Venezuelan communications. For years, an NSA facility in Yakima, Washington, had been spying on Venezuelan satellite signals, but the “large regional satellite beams” visible from there provided “only moderately successful results.” So agents from SCS, along with an NSA analyst from Yakima, traveled to an undisclosed location, presumably close to or in Venezuela, for a clandestine three-week survey of narrow “spot beam” satellite signals sent to the country. As they collected data from over 400 newly discovered signals, team members sent this information back to analysts in Yakima, as well as San Antonio, Texas, where “dozens of links carrying traffic for Venezuelan targets of interest” were discovered.

The most important SCS site is probably its headquarters, located in an “attractive (…) rural location outside Laurel, MD,” according to the interview. While the address of the “tree-lined corporate campus” was included in James Bamford’s 2008 book “The Shadow Factory,” and is identified as “Special Collection Service” on Google Maps, the SIDtoday article is the first public document confirming the existence of the joint NSA-CIA facility.

“You can’t tell NSAers and the CIA people here apart” as all SCS staff wear “purple badges, a sign of our status as a joint organization,” Ron Moultrie, the deputy SCS director, told SIDtoday.

The CIA uses SCS sites as places from which to monitor foreign intelligence services as they attempt to track CIA assets, a practice known as counterintelligence, according to the SCS directors. The NSA, meanwhile, uses SCS sites as a “platform” for a number of operations, including computer hacking, carried out in 2006 by a unit known as Tailored Access Operations (and today called Computer Network Operations).

Throughout the nine years of the SIDtoday archive, SCS is promoted as an assignment for those with “a sense of adventure” and a taste for “attractive” locations. Sometimes, as was the case at SCS Damascus on September 12, 2006, things get “a little hectic.”

According to a firsthand account by an SCS staffer of an attack on the U.S. Embassy in Damascus, published in SIDtoday, the sound of an explosion sent the SCS staff into lockdown mode and triggered “full emergency destruction” preparations. The attack was eventually subdued by Syrian security forces and the attackers killed. One casualty was SCS’s microwave search system: Bullets penetrated “maintenance sheds” on the embassy roof, which were actually concealing SCS antennas. One slug “severed a control cable” for the microwave searcher, “rendering the antenna inoperable,” according to SIDtoday.

The SCS staffer’s account stated that “two explosive-laden cars” were involved in the attack.

Publicly available media reports describing the incident painted a dark picture of what would have happened if a truck “loaded with pipe bombs strapped to large propane gas canisters outside the embassy” had not failed to detonate.

NSA Pioneers Use of “Stingray” Cellphone Spy Towers

In May 2006, the NSA made an early — and largely fruitless — attempt to use so-called Stingray devices to monitor local mobile phone conversations in Lithuania’s capital city of Vilnius, where Vice President Dick Cheney had traveled to attend a conference with regional leaders, according to an account in SIDtoday.

Stingrays mimic cellphone towers, tricking mobile phones into connecting to them instead of to legitimate towers. This allows the Stingrays to intercept calls and texts. Two NSA linguists, as part of an SCS team, used this Stingray-type device to try and eavesdrop on local cellular networks. They did not have much luck; SIDtoday noted that the device “did not provide a capability against the primary cellular systems found,” although agents were able to identify “relevant airport communications and police networks.”

It is not clear if the effort violated laws against wiretapping in Lithuania, a U.S. ally and member of NATO.

Unlike similar operations in which “teams need to work from unsecured hotel rooms or out-of-the-way locations such as unimproved attics,” SIDtoday said, this team worked from the comfort of a shielded enclosure within the U.S. Embassy, from which they could survey the “local wireless and [radio frequency] environment.”

Beginning a few days before Cheney landed in Vilnius, the SCS team monitored police communication 24 hours a day looking for “any indications of threats or problems on which the Secret Service might need to act.”

It didn’t find any.

Weather Takes Down NSA Headquarters

In summer 2006, a heat wave rendered the intelligence nerve center within the NSA’s headquarters inoperable. As the record-setting wave toasted the East Coast and brought triple-digit temperatures to the spy agency’s home in Fort Meade, Maryland, conditions “in the Baltimore area and problems with Baltimore Gas and Electric power generation caused server and communications failures around the NSA Washington complex,” SIDtoday reported. For the first time, the agency’s time-sensitive watch center functions were taken over by a backup installation of the National Security Operations Center at Fort Gordon in Augusta, Georgia.

The story of the NSA’s overall struggle to supply power to Fort Meade was reported by the Baltimore Sun around the time of the outage. Author James Bamford further discussed the issue in his book “Body of Secrets,” noting that energy problems at the NSA dated to the late 1990s and seemed to be coming to a head by 2006. Bamford wrote that abundant power and a “less vulnerable” electric grid in Texas led the NSA to decide in 2007 to place a new data center there.

“Problems with Baltimore Gas and Electric power generation caused server and communications failures around the NSA Washington complex.”

But the 2006 outage and the switchover to Fort Gordon are revelations.

The National Security Operations Center, or NSOC, operates 24 hours a day, seven days a week, managing critical functions concerning possible foreign threats to national security.

What could have been a calamity was avoided by the emergency switch over to NSA Georgia, located at the Fort Gordon Army base near Augusta. On August 1, 2006, a backup high-priority operations center there, codenamed DECKPIN, was activated at 4:00 Zulu (Greenwich Mean Time), according to the SIDtoday story, written by the DECKPIN coordinator at Fort Gordon. Four hours later, Baltimore-area power was stabilized, and operations switched back to the NSOC at Fort Meade. The Georgia staff was put on standby again on August 3, “to ensure availability while the [electric company] work was completed.” The NSA around this time was Baltimore Gas and Electric’s biggest customer, using the same amount of power as half the city of Annapolis, according to Bamford.

Since 2006, new NSA facilities in Texas, Hawaii, Georgia, and Utah are sharing the load of the agency’s enormous power requirements.

U.K. Base, and NSA Intern, Facilitated Death or Capture of “Chicken Man” and Other Iraq Militants

In mid-2006, the NSA was closely watching a “most wanted” militant organization with a presence in Iraq, known as the Moroccan Islamic Fighting Group. The agency was struggling to eavesdrop on the group’s communications, which it said had led to a “critical gap” in intelligence.

However, the NSA got lucky when an intern working at the agency’s Menwith Hill surveillance base in England uncovered a network associated with the group. By tracking the communications of an Algerian bombmaker associated with the Moroccan organization, the NSA was able to identify other Islamist fighters working to manufacture explosives in Iraq, according to a July 2006 SIDtoday article. The NSA discovered chatter between militants, who were apparently fighting with the Moroccan jihadis against the U.S. and its allies in Iraq. One of the militants on an intercepted phone call referred to “chickens” falling from the sky, an apparent coded reference to the downing of U.S. helicopters that previous May. The man on the phone call became known to the NSA as “Chicken Man,” and his communications proved invaluable to the U.S. spies who were listening in.

The NSA passed the intelligence it gathered from the phone calls to U.S. forces in Iraq. The analysts at Menwith Hill — working with NSA employees at the agency’s base in Augusta, Georgia — continued to keep tabs on the jihadis. Then, between May 23 and May 25, 2006, the U.S. military launched operations that resulted in the killing and capture of nine mostly foreign fighters, including Chicken Man, according to the SIDtoday article.

Menwith Hill is the NSA’s largest overseas surveillance base and continues to play a key role in U.S. military operations around the world. As The Intercept has previously reported, the spy hub has been used to aid “a significant number of capture-kill operations” across the Middle East and North Africa, according to NSA documents, and is equipped with eavesdropping technology that can vacuum up more than 300 million emails and phone calls a day. Human rights groups and some British politicians have demanded more information about the role of Menwith Hill in controversial U.S. drone strikes and other lethal operations, arguing that the base is unaccountable to British citizens and is shrouded in too much secrecy.

Breakthroughs in Locating Internet Cafes in Iraq

During the Iraq War, suspected insurgents often accessed the internet from public computers at internet cafes, as previous SIDtoday reporting described. Even when the NSA could intercept internet traffic from a cafe, the agency couldn’t always determine where the cafe was located. But in 2006, the NSA had two separate breakthroughs in how it conducted surveillance against internet service providers in Iraq, allowing them to pinpoint the exact location of many more cafes.

“We’ve had success in targeting cafes over the past year,” a July 2006 article stated, “but until recently there was a major gap in our capabilities.” The network run by a popular provider of internet service to cafes across Iraq was so complicated that, even when analysts knew the IP addresses of the cafes, they couldn’t narrow down their locations beyond what city they were in.

By surveilling satellite signals, and with the help of hackers at a division known as Tailored Access Operations, the NSA managed to intercept the internet service provider’s customer database. The agency also installed its system for searching signals intelligence, XKEYSCORE, at a new field site in Mosul, allowing it to conduct bulk surveillance of internet traffic traveling through the region. With the knowledge of who the ISP’s customers were, combined with internet surveillance, “previously un-locatable cafes have been found and at least four ‘wanted’ [alleged] terrorists have been captured.”

Another SIDtoday article, from December 2006, credited analysts working in the NSA’s British base at Menwith Hill with locating internet cafes in the Iraqi city of Ramadi that were allegedly used by associates of Al Qaeda leader Abu Ayyub Al-Masri. It did this through an intiative known as GHOSTHUNTER, which mapped locations of small, “VSAT” satellite dishes throughout the region.

“Terminals from the current top three VSAT technologies in the Middle East — DirecWay, Linkstar, and iDirect — have
all been successfully located as part of the GHOSTHUNTER initiative,” the article said, including 150 terminals “on networks of interest… in Baghdad, Ramadi, and neighboring cities.”

Intellipedia: the Intelligence Community’s Classified Wiki

A November 2006 article in SIDtoday described Intellipedia, a wiki for analysts throughout the intelligence community, with information limited based on clearance level. At the time, the tool had “only about 20 registered users” from the NSA, compared with over 200 at the CIA, which had been leading the charge to promote the wiki, even offering staff a six-day sabbatical to study it and other collaboration tools.

After hearing “rave reviews” about a CIA’s Intellipedia sabbatical, plans to adopt the training for NSA employees were in the works, according to an early 2007 article, and one of the CIA’s Intellipedia “pioneers” gave presentations to NSA analysts about the platform.

On January 28, 2014, the top-secret version of Intellipedia had 255,402 users and 113,379 pages; the secret version had 214,801 users and 107,349 pages; and the unclassified version had 127,294 users and 48,274 pages, according to the NSA’s response to a Freedom of Information Act request.

As part of an investigation into cyberattacks that target hardware supply chains, The Intercept published multiple top-secret Intellipedia wiki pages. These include the “Air-Gapped Network Threats” page, the “BIOS Threats” page, and “Supply Chain Cyber Threats” page.

According to SIDtoday, Intellipedia was introduced alongside two other tools to bring classified information into the internet age: a classified instant messaging system linking the NSA, CIA, and other intelligence agencies, as well as blog platform “for sharing your knowledge and your point of view with others.”

The post Meltdown Showed Extent of NSA Surveillance — and Other Tales From Hundreds of Intelligence Documents appeared first on The Intercept.

The NSA was to set up one of the two initial systems at Bagram for its own use, and the other for its counterpart from Norway, the Norwegian Intelligence Service, or NIS. The Norwegians were perfect guinea pigs. A “gregarious, friendly bunch” who threw good barbecue parties, they had “almost no collection capability” to eavesdrop independently and were thus “heavily dependent on the U.S.,” an NSA staffer at Bagram later wrote on an internal agency news site, SIDtoday. (The article and the other intelligence documents in this story were provided by NSA whistleblower Edward Snowden.) One of the new terminals failed when the NSA attempted to turn it on, but after the provision of some “necessary spares,” both were operational.

Spies from the two nations were about to get a dramatic example of how powerful the digitization of intelligence-sharing could be. One morning a few weeks after CENTER ICE went live, the Norwegians sent an urgent email using the new system: “Our guys think they are being shadowed… Are you seeing anything?”

Norwegian marines were indeed being followed and “were ambushed later in the day,” the NSA staffer wrote. But thanks to CENTER ICE, the “ambush ended with bombs dropped on some ACMs [anti-coalition militants] and all Norwegian personnel unharmed.” In another incident, Norwegian forces suddenly found themselves surrounded and under heavy gunfire in Helmand Province, an insurgent hotbed in Afghanistan’s south. More enemies were approaching. NIS staff “weren’t hearing anything,” so they messaged the Americans on CENTER ICE and once again were able to “extricate themselves with no injuries” thanks to the NSA’s ability to track the militants.

“This initial success was exactly what we hoped would happen as a CENTER ICE proof of concept,” wrote the NSA staffer.

CENTER ICE was just the beginning, a step toward a much more aggressive experiment in the same vein. Norway would soon be among the first coalition partners to share, in real time, a wide range of data on Afghanistan, including essentially raw information scooped up from cellphones and fed into a revolutionary new local processing system called the Real Time Regional Gateway, or RT-RG. In 2011, according to documents published with this story, intelligence drawn from RT-RG was involved in more than 70 percent of all combat operations in Afghanistan, including 6,534 “enemies killed in action.”

There has been some public scrutiny of how the United States relied heavily on signals intelligence for those killings, which often resulted in civilian casualties.

But the fact that Norway and some of the U.S.’s closest allies helped feed this system with their own spy work has not been reported before. This is partly because documents linked to Norway’s participation in RT-RG, when examined in 2013, were misunderstood by various journalists, including two co-founders of The Intercept, as indicating that the NSA was engaged in mass spying on the citizens of allied countries, including Germany, France, Spain, Norway, and Italy.

A set of documents from the Snowden archive about RT-RG, reviewed by The Intercept in partnership with the Norwegian Broadcasting Corporation, or NRK, sheds new light on how Norway came to depend on real-time intelligence-sharing to save Norwegian lives, while at the same time contributing to targeted killings and captures with no oversight or control over how data it had collected was used.

The revelations raise questions about the complicity of the U.S.’s other European partners in such controversial targeting practices and underline how RT-RG blurred the lines between sources of intelligence, corroding the ability of partners to impose special rules on how their data was handled — a particularly salient issue now that the system is in use by U.S. law enforcement entities.

Norwegian Defense Minister Frank Bakke-Jensen told NRK that Norway is not responsible if intelligence it shared was used by other nations — such as the U.S. — to kill innocent civilians. “We have no control over how another nation uses this information, but we require that they operate within International Law,” the defense minister said. He added that Norway does not review how data shared by the Norwegian intelligence service is used.

“There is no doubt that Norway was a full-fledged participant in this cooperation,” Kristian Berg Harpviken, a leading Afghanistan expert from the Peace Research Institute Oslo, told NRK. “We bought the whole package, so we must take responsibility for the totality of the war.”

“We bought the whole package, so we must take responsibility for the totality of the war.”

The documents also show how RT-RG, within less than five years, migrated from the battlefields of Iraq and Afghanistan to the U.S.-Mexico border, where it was used to combat drug trafficking and people smuggling — a vastly different type of mission.

“The news that the NSA transported a mass spying program designed for war zones in Iraq and Afghanistan to the U.S.-Mexico border is both alarming and totally unsurprising,” said Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. “Mass surveillance is always initially justified as a necessary defense against foreign enemies. Then comes the inevitable mission creep, as surveillance methods originally conceived as tools of war or foreign espionage are brought home and turned inward.”

The Whole Haystack

The first Real Time Regional Gateway was deployed to Baghdad in early 2007. The timing was no coincidence. Four years in, Operation Iraqi Freedom, the U.S.-led military invasion of Iraq, had descended into sectarian violence and anti-coalition attacks, resulting in an all-time high number of casualties.

In spite of a massive surge of U.S. troops, the security situation was deteriorating, with roadside bombs and other improvised explosive devices increasingly common. In the Green Zone, Baghdad’s fortress-like international area, mortars and rockets rained down, requiring U.S. Embassy staffers to wear flak jackets and bulletproof helmets when walking between buildings, “worn out and tired of sitting in hallways,” as one SIDToday update put it.

This dire situation provided an opportunity for then-NSA Director Keith Alexander, who firmly believed that his agency could make the difference needed to win the war. His opening gambit was a system called RT10 — a “very high-priority initiative at NSA” at the time, according to Alexander’s science adviser, engineer James E. Heath. “The goal of RT10 is to get essential NSA cryptologic capabilities to the military front lines in a matter of seconds and minutes (‘real time’), not hours and days,” Heath wrote in SIDtoday.

The new system, Heath explained, would do away with the “latencies associated with transmitting and ingesting collection,” i.e. sending data acquired in Iraq back to NSA facilities in the U.S. By storing and processing the data locally, there would be less need to filter it, allowing for a wider net to be cast so that the NSA would have much more data available for retrospective analysis.

“Collection that would otherwise have been discarded because it could not be directly linked to a known target is now subjected to analytic algorithms that can reveal new targets of interest,” Heath wrote. In order to cover Baghdad, the RT10 system would need to be able to ingest 100 million “call events” or metadata records, 1 million “voice cuts” or recordings of phone calls, and another 100 million internet metadata records — per day.

At these volumes, RT10, the first iteration of what would become Real Time Regional Gateway, signaled a radical shift from traditional signals intelligence doctrine: from collecting and storing only what’s needed to find the “needle in the haystack” to Alexander’s “collect-it-all” philosophy, first described in a Washington Post article by a former intelligence official as “Let’s collect the whole haystack.”

According to a PowerPoint presentation authored by Heath, RT10 would result in “better decisions in less time.” Not only would it be able to geolocate targets almost immediately based on their cellphones, if offered “pattern-of-life” analysis, detecting when targets used multiple phones or otherwise “deviate in behavior.”

In one instance, RT-RG was put to task against a “particularly elusive” Iraqi target who was ”known to take his cell phone completely apart when he went home to prevent our tracking,” according to SIDtoday.

Unable to properly distill the target’s pattern of life, NSA analysts instead turned the powerful surveillance tool against his wife. She would travel to south Baghdad on weekends to be with her husband, thus revealing a likely future location at which he would be vulnerable. So the combat team “locked onto the wife’s cell phone selector for confirmation” and “raided the location identified by the RT-RG tools.”

The Rockets Stopped Falling

RT-RG soon attracted interest from outside the military and for military operations well outside Iraq. An NSA employee deployed to Baghdad in 2009 described, in SIDtoday, how he was asked to demonstrate the system to enthusiastic representatives from the FBI and other government agencies. The employee showed off a screen mapping live insurgent movements, with “Arabic text messages scrolling across the bottom as the insurgents sent messages” to one another.

I could see it was starting to sink in with many of the ops guys… An analyst from the FBI raised his hand and, pointing at the screen, asked, “Is this why the rockets stopped falling on the Green Zone?” — shaking his head in awe, he watched [as] one of his own targets moved across the screen, tracked in near real-time — to which I nodded and smiled.

By the time the Real Time Regional Gateway was churning away at the haystacks of data emerging from the Baghdad area, plans for a new RT-RG installation in Afghanistan were already in full swing.

Back at Bagram, where CENTER ICE had made its debut, a new state-of-the-art data center was to be erected for RT-RG in a mine-strewn, far-off corner of the airfield called Area 82. Several documents in the Snowden archive reflect an unmistakable pride in bringing advanced cloud computing infrastructure to this desert plot in Afghanistan, a country where internet access was banned by the Taliban in 2001.

Right/Top: Area 82 in early 2009. The RT-RG data center is seen in the middle. Left/Bottom: Area 82 in June 2010. Photos: NSA

In August 2007, around the time when construction started on Area 82, Dutch military intelligence in Oruzgan Province in central Afghanistan, followed in early 2008 by Germans in the northern cities of Mazar-e-Sharif and Kunduz, and Danes in Helmand in the southwest, began using a new technology they had acquired through an NSA technology transfer program, an agency slide indicates.

The new technology simulated the radio receivers operated by mobile phone companies, tricking cellphones into connecting and then intercepting their communications. It was employed by devices commonly referred to as Stingrays, after one early brand, and dirtboxes, after the manufacturer Digital Receiver Technology Inc., which Boeing bought in 2008.

Ahead of European allies’ deployment to Afghanistan, they would have purchased and received training from the NSA in “specific Digital Receiver Technology (DRT) capabilities” in order to “exploit the communications they are expected to encounter,” as arranged for Spanish forces in 2005 and described by SIDtoday.

The DRT collection units were part of a bigger plan: to feed the newly constructed data center in Bagram with intercepted mobile phone communications from areas in Afghanistan where the NSA previously had little or no coverage.

The “gregarious” Norwegians started collecting cellphone communications using two DRT systems from two locations outside Kabul in February 2008. Sometime between April and June the same year, Norway, Denmark, the Netherlands, Germany, and Spain were scheduled to start feeding metadata intercepted from mobile phones by DRTs into RT-RG, according a document tracking the “dataflow status” of the project.

Voice-monitoring capabilities were provided by a system called ONEROOF, which held audio intercepts. Together, ONEROOF and RT-RG enhanced “the warfighter’s ability to ‘find, fix, and finish’ the adversary,” that is, to locate, kill, or capture a human target, an NSA liaison to the military’s Central Command told SIDtoday.

So-called target development procedures that would normally require an analyst on the other side of the globe to query different databases and use a number of tools to manually enrich the intelligence were automatically available in RT-RG, provided it had enough data.

For example, instead of an analyst manually querying phone metadata for specific events that would help determine the likely “bed down” location where a target would sleep, RT-RG would automatically pre-calculate such locations for all entered targets. It would automatically look for people traveling with a target. And it would visualize the results of these traditionally time-consuming tasks with color-coded overlays on satellite images, so that military commanders could make quicker, and supposedly better, decisions in the theater.

In One Year, 6,534 “Enemies Killed in Action”

RT-RG did not just make U.S. forces more lethal; it changed how they fought. A longtime NSA analyst put it this way in SIDtoday: Unlike in Vietnam, where the enemy mainly used Morse code over the radio, today’s enemy “is mainly using the mobile phone to communicate.” New technology “has allowed us to exploit a mobile communication for its content (‘find’) (..) and pinpoint its location (‘fix’) within a very small radius,” requiring “only a platoon-sized force (if that) … to action (‘finish’) the target.” A platoon normally includes roughly one dozen to four dozen soldiers.

In the words of the then commander of U.S. and allied Afghanistan forces, Gen. David Petraeus, quoted in a presentation prepared for a conference of technical minds from the NSA and its closest allies, “RTRG is the most significant [signals intelligence] support to the war fighter in the last decade.” But while RT-RG would reduce the number of troops needed on the ground, it coincided with an increased number of NSA staffers and soldier-spies deployed to war zones. As former NSA Deputy Director Rick Ledgett stated publicly, the NSA “deployed 5,000 NSA people to Iraq, and 8,000 to Afghanistan – and in total 18,000 to hostile areas around the world.”

At the same time, reliance on signals intelligence, or “SIGINT,” increased dramatically in the battlefield.

“Over 80% of combat operations in Afghanistan are driven by SIGINT or have SIGINT contribution,” former NSA Afghanistan representative Brian Goodman told SIDtoday in 2009. ”That is an indisputable fact. … Not a single combat operation goes on without SIGINT coverage.”

Two years later, in 2011, RT-RG “played a key role in 90 percent of all SIGINT developed operations,” according to the conference presentation. This translated to 2,270 capture/kill operations, 6,534 “enemies killed in action,” and 1,117 detainees. In comparison, the U.S. recorded 415 casualties in Afghanistan in 2011, while the U.K. and other nations recorded a total 148, according to iCasualties.org. (The presentation did not qualify the terms “enemy” or “killed in action,” or mention whether operations based on intelligence from RT-RG lead to the death or capture of the wrong people.)

Quid Pro Quo Intelligence-Sharing

As RT-RG became increasingly central to waging war in Afghanistan, the U.S. encouraged allies to put more data into it, upping their complicity in what would later be exposed as a deeply flawed infrastructure for killing and capturing those flagged as enemies.

The U.S. side of this system for killing people, often on the basis of phone monitoring, has been documented. One Intercept report described how U.S. drone strikes would hit the wrong people because targets had begun swapping identifying SIM cards out of their phones, aware of their adversary’s ability to track handsets. Another report, part of the Drone Papers, detailed how, during a five-month campaign in northeastern Afghanistan, “nearly nine out of 10 people who died in airstrikes were not the Americans’ direct targets.” The Drone Papers also revealed how “military-aged males” killed in drone strikes would be labeled as enemies killed in action unless there was information indicating otherwise.

The participation of Norway, and other U.S. intelligence partners, in feeding this lethal system has not received the same level of popular attention.

Indeed, the main difference between the Iraq and Afghanistan implementations of the Real Time Regional Gateway was the introduction of extensive intelligence-sharing between coalition partners.

To manage this complex, multinational environment, the U.S. came up with what was essentially a tiered model, in which the closest partners enjoyed the best access to lifesaving intelligence in return for filling collection gaps and sharing scarce resources, such as linguists. This new approach, according to a SIDtoday announcement, was put in motion on the NSA’s initiative “to include greater reliance on our” signals intelligence partners in response to a “potential troop buildup in Afghanistan” and “expected new information needs.”

A June 2009 NSA briefing laid out the structure of the Afghanistan spying coalition.

At the top level was the U.S. plus its so-called second-party partners: the U.K., Canada, Australia, and New Zealand, also known as the Five Eyes, with full access to signals intelligence and “complete integration of SIGINT operations.”

At the second-highest tier was the newly formed group called the Afghanistan SIGINT Coalition or Nine Eyes, which added Norway, Denmark, France, and the Netherlands to the five.

Access to Nine Eyes required sharing the mobile phone surveillance collected using the newly acquired dirtboxes in real time or near real time. In return, members got access to data from RT-RG, “real-time threat warning,” “find-fix-focus collaboration and analysis,” and superior targeting and geolocation data, according to the June 2009 briefing.

The Nine Eyes nations, except for France, were ingesting data from their dirtboxes into RT-RG by mid-2009, according to an NSA presentation. (The reason for France’s absence could be that its military intelligence didn’t receive the necessary training before October 2008, when an NSA team traveled to Haguenau in Alsace, France, to give its counterpart from the 54e Regiment de Transmissions — the electronic warfare branch of the French army — a “crash course in exploiting metadata from GSM, CENTER ICE and RT-RG,” according to SIDtoday.)

At the next membership level — 14-Eyes — were Belgium, Germany, Italy, Spain, and Sweden, with access to the CENTER ICE communications and sharing platform, and some of the same benefits but with delays and limitations.

At the bottom, dubbed 41 Eyes, were the remaining countries participating in the International Security Assistance Force coalition in Afghanistan, or ISAF, getting the standard NATO intelligence fare.

In this quid pro quo structure, the most aggressive participants in the U.S.-designed surveillance regime would be rewarded with a constant flow of lifesaving intelligence on enemy movement and accurate targeting data. This is spelled out in a memo on the “NSA intelligence relationship with Norway,” which shows that the Norwegians provided signals intelligence “analysis as well as geolocational and communications metadata specific to Afghan targets of mutual interest” in return for “daily force protection support in Afghanistan and technical expertise to support target development of Afghan insurgent targets”.

The NSA “Could Be at Area 82 for 50 Years”

By late 2009, international Afghan surveillance-sharing through RT-RG was becoming entrenched and institutionalized. As it grew, problems surfaced.

In October, a new and “’Super Sized’ SIGINT Facility” opened at Area 82 in Bagram. The Afghanistan Regional Operations Cryptologic Center, or A-ROCC, was constructed in less than a year, offering facilities, housing, and even a fitness center for more than 250 people. All materials and equipment had to be transported from the U.S. via ship and “overland via the Khyber Pass” or flown “directly to Bagram Airfield on six Boeing 747s,” a member of the NSA Afghanistan-Pakistan management team wrote in SIDtoday.

French, British, and American spies were already “working side-by-side,” the manager wrote, with personnel from “Canada, Australia, New Zealand, Norway, Denmark, and possibly the Netherlands” soon to follow. The new facility, the article noted, was the result of “major policy decisions” and would allow “nine SIGINT coalition nations to work together as one.” It would also double the number of linguists available to process intercepted texts, phone calls, and other material: “Who could have imagined even a year ago that a French linguist, using U.S. collection sources, would be providing tactical support for operations being carried out by Polish forces on behalf of ISAF?”

The new facility allowed the inner circle Afghanistan SIGINT Coalition partners to plug into RT-RG “via several ‘peering points,’” an NSA liaison to Central Command told SIDtoday. Peering is a networking term for the exchange of traffic between networks, essentially the act of plugging one into another.

Connecting the partners to RT-RG posed a growing challenge in terms of different national, legal, and political environments. “With the increase in partnering,” the liaison, Col. Parker Schenecker, wrote, “sanitization and dissemination presents a growing challenge” — a reference to the need for intelligence to be filtered and “cleaned” before it can be shared, and for restrictions on its distribution to be observed. But, according to Schenecker, the NSA stepped up and showed a “willingness to take manageable risks to maximize effectiveness.”

In 2010, Sweden and Germany joined what had been the Nine Eyes coalition and by January 2013, according to a document previously published by Der Spiegel, Belgium, Italy, and Spain had joined the group, bringing the total number of nations participating in the Afghanistan SIGINT Coalition to 14. According to the same document, the Germans had become the “third largest contributor” to RT-RG.

Images: NSA

At Area 82, it seems safe to say, the sort of extensive intelligence-sharing exemplified by RT-RG became a cornerstone of U.S. intelligence strategy. In his SIDtoday interview, Goodman, the former NSA Afghanistan representative, called Area 82 the “NSA’s foundation for the long term — we could be at Area 82 for 50 years if we needed to!”

Showdown in Oslo

The U.S. military was so gung-ho about RT-RG that it produced, judging from the Snowden archive, many documents about the system’s results. Some of this material, created using an NSA data management and visualization tool called BOUNDLESSINFORMANT, was misunderstood by journalists, including Intercept co-founders Glenn Greenwald and Laura Poitras, working with European news outlets during the early days of reporting on Snowden material. This led to a dramatic showdown.

NSA material was misunderstood by journalists, including Intercept co-founders. This led to a dramatic showdown.

On November 19, 2013 in Oslo, Norway, in the Ministry of Defense press room, chaos reigned, with reporters and photographers frantically trying to get ready. E-tjenesten, as the Norwegian Intelligence Service is known locally, rarely spoke to the press. This — a briefing with less than half an hour notice in response to a news story — was unprecedented.

Earlier that November morning, Norway’s second-largest paper, Dagbladet, had detonated the potentially biggest spy bombshell in decades. “Secret documents about Norway,” the front page of the tabloid said, next to the iconic image of Snowden: “The US spied on 33 MILLION Norwegian calls.”

The report was based on a graphic from BOUNDLESSINFORMANT. It showed a graph labeled “NORWAY Last 30 Days,” suggesting that the NSA hoovered up information about ordinary Norwegian citizens’ phone calls. “Even a child’s phone could have been tapped,” the paper stated.

The story completely dominated the morning news cycle. “Friends should not spy on each other,” Prime Minister Erna Solberg told reporters shortly before 10 a.m.

In the Ministry of Defense press room, at 11:15 a.m., head of E-tjenesten Kjell Grandhagen entered the room, making a rare public appearance in full uniform. The day before, he had tried to convince Dagbladet not to publish the story.

“Today, Dagbladet printed several articles alleging that the U.S. intelligence organization NSA collected traffic data on 33 million telephone calls in Norway,” he read, looking up from behind his reading glasses. “This is not correct.”

The document, Grandhagen said, was not about NSA spying in Norway. Instead it reflected data that his service had collected abroad in support of Norwegian military operations and “related to international terrorism, also abroad.” The data had been shared with multiple foreign partners, including the NSA. This was perfectly legal and had been reported to the Norwegian Parliamentary Intelligence Oversight Committee as per standard procedure.

“We know the content of this and perfectly recognize the traffic pattern presented by Dagbladet. We are the ones who collected it,” Grandhagen told a reporter from Dagbladet during the ensuing Q&A. “We are 100 percent sure that our explanation is correct.”

The counterattack worked. In a follow-up statement, Solberg, retreating from her earlier proclamation that that “friends should not spy on each other,” now dismissed Dagbladet’s allegations as “wrong.” The 33 million call events, she said, adding a new piece to the puzzle, had been recorded in Afghanistan, not in Norway. By the end of the day, Dagbladet’s news editor said his colleagues might have “misunderstood parts of the document.”

Norway was not the only country where military officials complained about reporting that stemmed from RT-RG. On October 29, 2013, after diplomatic tensions in both Spain and France following publications in El Mundo and Le Monde, Alexander, the NSA director, told the U.S. Congress that allegations in those newspapers were “completely false.”

“This is not information that we collected on European citizens,” Alexander said. “It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations.”

It is now clear that the call events reported by Dagbladet were indeed collected by the Norwegian Intelligence Service and shared with the NSA during a 30-day period between December 2012 to January 2013. Greenwald and the other journalists interpreted them incorrectly in part because contextual information available elsewhere in the Snowden archive was not understood at the time or even available to the European publications.

Such information would have explained why documents used as evidence that the NSA conduced mass surveillance on cellphones in Spain, France, Norway, and Italy all indicated that “DRTBOX” was the primary collection method: The countries partnered with the NSA to buy dirtboxes for use in Afghanistan (and, in some cases, elsewhere), and shared the cellphone data they then collected. Denmark, France, Italy, Spain, Sweden, and Norway, all members of the Afghanistan SIGINT Coalition, shared a total of 258,703,534 metadata records collected using dirtboxes with the NSA between December 10, 2012 and January 8, 2013, according to the documents.

The Intercept has conducted a thorough examination of all the BOUNDLESSINFORMANT documents used in the disputed 2013 articles by European outlets. At the heart of the misunderstanding was how journalists interpreted two documents published with the first article about BOUNDLESSINFORMANT, co-authored by Greenwald and Ewen MacAskill for The Guardian newspaper and published on June 8, 2013. The first document was an NSA presentation on how BOUNDLESSINFORMANT worked, the second an NSA set of Frequently Asked Questions about the tool. The first document said the tool could be used to determine “what assets collect against a specific country” — as well as “how many records are collected for an organizational unit … or country” (emphases added). The second document similarly stated that BOUNDLESSINFORMANT could show “how many records (and what type) are collected against a particular country” or “how many records are collected for an organizational unit (e.g. FORNSAT).” Journalists focused on the statements about collection against countries while disregarding the statement about collection for countries.

“I am totally in favor of correcting the record if the reporting was inaccurate.”

On July 1 2013, journalists from German newsweekly Der Spiegel, in collaboration with filmmaker Laura Poitras, published a cover story that drew on new BOUNDLESSINFORMANT documents purporting to represent collection against Germany, France, Italy, the Netherlands, and Spain. In reality, the documents reflected records shared with the NSA by foreign partners, including the BND in Germany.

A week later, Spiegel and Poitras, who stepped down from The Intercept in 2016, reported corrective information from the BND, which told the magazine that it was responsible for intelligence collection in Germany that had been attributed to the NSA; BND sources even identified for Spiegel a specific listening station in south Germany where some of the data originated — and said the rest came from German “telecommunications surveillance in Afghanistan.”

Journalists from Le Monde and El Mundo in Spain, working with Greenwald, went on to report on BOUNDLESSINFORMANT documents on France and Spain as evidence of mass surveillance by the NSA against these countries. Responding to denials from Grandhagen and others, Greenwald reiterated this interpretation in a piece in Dagbladet.

Greenwald, referring to this period in 2013, said, “At the time, Der Spiegel had already reported this interpretation, the NSA wouldn’t answer our questions, and they wouldn’t give us any additional information. I am totally in favor of correcting the record if the reporting was inaccurate.”

“The NSA documents themselves, in repeated places, stated that they purported to show how much data the NSA was collecting against each country,” he added. Further, when he and other journalists asked intelligence agencies to disprove their coverage, “those agencies repeatedly refused to provide any documentary proof that the NSA had erroneously characterized its own spreadsheets.”

“As a result, we noted the agencies’ objections to our stories, while also noting they were in conflict with the NSA’s own documents, but their refusal to provide any documentation made it impossible to conclude that the NSA’s own descriptions were false,” he continued. “It now appears that subsequent reporting has revealed that the NSA’s description was erroneous, and that these slides showed how much communication data was being collected by those countries in Afghanistan, rather than collected about those countries by the NSA.”

Spiegel issued a statement that read, “DER SPIEGEL has set the record straight six years ago. As soon as German Foreign Intelligence (BND) answered our reporters’ questions on the ‘Boundless Informant’ slides and their context back in the summer of 2013, we reported their version. BND’s detailed explanations and Keith Alexanders remarks before Congress have subsequently also been covered in the SPIEGEL-Book ‘Der NSA-Komplex.'”

Dagbladet News Editor Frode Hansen said the newspaper assumes that what Kjell Grandhagen said at the press conference in 2013 was correct. “His information corrects what we brought to the fore, that it is about monitoring telephone calls made in Norway,” Hansen said. “It appears that there’s massive surveillance abroad, but that this monitoring stops at the Norwegian borders. We published several articles associated with the documents, the same day we published the first article, and in the following weeks, we had several stories related to the documents.”

Faster Intelligence, at a Great Price

At the November 19, 2013, press conference, Grandhagen told a reporter from Aftenposten, the country’s largest newspaper, that Norway had been carrying out this type of collection for years, and would continue to do so. Asked whether “we are talking hundreds of millions of phone calls,” he said, “That may well be.”

It was not just Norway that collected and shared metadata with the NSA. The BOUNDLESSINFORMANT documents show that Denmark, France, Italy, Poland, Spain, and Sweden shared data collected using dirtboxes with the NSA by 2013. Germany and the Netherlands, both Afghanistan SIGINT coalition members, also shared cellphone metadata by 2013 and used DRTs in Afghanistan in 2009, the documents show.

There is no evidence to suggest that the data shared into RT-RG and used by coalition partners was subjected to any special limits or were exempt from find-find-finish and capture/kill operations.

Harpviken, from the the Peace Research Institute Oslo, was unaware until now of Norway’s role in the Afghanistan intelligence-sharing coalition and the RT-RG program. But he saw what happened in practice.

“Many called it an industrialization of warfare. We used special forces operations — especially night raids — on a huge scale, to either kill or capture Taliban commanders,” he told NRK. “We got the intelligence much faster. But it had great consequences for the civilian population. … Many civilian lives were lost due to imprecise intelligence. The rapid turnaround made it harder to insure the quality of the intelligence, and the large number of operations meant that civilian injuries increased accordingly.”

“Many called it an industrialization of warfare. It had great consequences for the civilian population.”

In 2010, U.S. Special Forces killed a number of people in a convoy that belonged to a candidate in the Afghan parliamentary election. It later turned out that the U.S. military had targeted the SIM card of a person believed to be a senior Taliban leader, when in fact the card belonged to a completely innocent person who contributed to the election campaign of a relative.

The incident was “illustrative of what can go wrong when your intelligence is bad,” said Kate Clark, a former BBC Afghanistan correspondent. She investigated the attack as a researcher for the independent think tank Afghanistan Analysts Network, interviewing survivors, witnesses, and Afghan officials, and speaking to senior officers in the special forces unit that executed the attack.

According to Clark, the investigation revealed “parallel worlds” between signals intelligence and the Afghan reality on the ground. “They were blind to human intelligence. Had they had any understanding of HUMINT, they would have discovered that [the relative of the parliamentary candidate] was well-known,” and not Taliban, she said.

There is at least one official acknowledgment that Norway was potentially complicit in such abuses. The Godal Committee, tasked with investigating Norway’s engagement in Afghanistan, said in its final report that Norwegian forces frequently acted based on statistics and technical analysis and had no control over how intelligence it shared was used by allies.

But the Norwegian military remains defensive.

“Good intelligence and good intelligence cooperation with allied countries result in lower risk of loss of military lives. We also reduce the risk of loss of civilian lives in this type of operation,” Norwegian Defense Minister Frank Bakke-Jensen told NRK.

According to a general statement by the director of the Norwegian Intelligence Service, Morten Haga Lunde, provided to NRK and The Intercept, sharing data “within an established intelligence partnership” is “neither in violation of international law nor Norwegian law,” and it is “legally unproblematic for such operations to include the use of drones or other legal weapons platforms, as long as the operations are conducted within the framework of the law of war and international law.”

RT-RG on the Mexican Border

In the spring of 2017, the NSA took RT-RG public and began hinting at other deployments of the system.

On May 7, the National Cryptologic Museum, a small, public-facing corner of the NSA campus in Fort Meade, Maryland, added a new display to its collection. Carefully avoiding any mention of cellphones or metadata, it explained how RT-RG represented a completely new way to combat the threats from improvised explosive devices and “Al Qaeda’s bomb making capabilities,” and how the program had been “extended from Iraq to Afghanistan and other conflict zones around the world” (emphasis added).

Days later, in a Fox News exclusive, Richard Ledgett, the NSA deputy director, spoke about the program in a rare public interview. In the segment, Ledgett explained how RT-RG “might connect something like a phone number to a location … and then display that to an analyst,” who would in turn warn a troop convoy about an impending ambush.

The two-minute segment, “Inside the government’s secret NSA program to target terrorists,” mentioned in passing that since it was fielded in Iraq and Afghanistan, the system had been used in “other conflict zones which the NSA will not publicly identify.” The Fox segment also didn’t mention whether these “other conflict zones” were linked to terrorism or interventions involving the U.S. military.

The Intercept can now reveal that one of the “conflict zones” in which the powerful Real Time Regional Gateway was deployed was the U.S.-Mexico border, where the system became operational in 2010.

Indeed, after Iraq and Afghanistan, the RT-RG program spread around the world. By 2012, there were 11 RT-RG sites tailored to “the telecommunications technologies prevalent in the region,” as a GCHQ document put it, with Iraq in “draw down” and two submarines able to serve as mobile regional gateways, according to an NSA PowerPoint presentation from 2012.

In one week, the NSA document boasted, RT-RG was used “afloat on [a] subsurface platform[,] USS Georgia,” where it was able to receive “31 million GSM [mobile phone] events, leading to 10 high-value target voice ID and 90 tactical tip-offs.”

But perhaps the most controversial application of Alexander’s new tool dates back to February 2008, when a meeting was convened at the El Paso Intelligence Center, or EPIC, a Drug Enforcement Administration-led facility established in Texas to help secure the southern border and encourage information-sharing between federal agencies. An NSA memo summarizing the meeting shows that, the same month that Norway started using dirtboxes near Kabul, and several months before RT-RG in Afghanistan was declared operational, discussions were held about using RT-RG on the U.S.-Mexico border.

At the meeting were officials from the DEA, the anti-drug trafficking Joint Interagency Task Force South, the NSA, and EPIC, including a representative from U.S. Customs and Border Protection. Discussions with the Department of Homeland Security about sponsoring NSA network connectivity at EPIC are also referenced in the memo. At the meeting, the NSA was represented by Col. Barb Trent, deputy to Heath, the science adviser to the NSA’s director and an early RT-RG proponent.

According to the memo, the DEA was “very enthusiastic about and anxious to move ahead smartly on the acquisition of an RT-RG capability located at EPIC” and had requested “up to $10 Million for RT-RG” in El Paso. Another official present at the meeting was of “the opinion that the ‘funding will shake loose,’ because intelligence leadership was “in accord about the ‘value of sharing interagency data.’”

The DEA was “very enthusiastic about and anxious to move ahead smartly on RT-RG.”

EPIC has “a particular emphasis on … illegal drugs, weapons trafficking, terrorism, human trafficking, human smuggling, illegal migration, money laundering and bulk cash smuggling,” according to the center’s website. No fewer than 21 federal agencies have staffers at the center, including the NSA.

Bringing RT-RG to EPIC was tricky because many law enforcement “customers” did not hold sufficient security clearances, the memo said. The solution, Trent said, was for the RT-RG tool to present the underlying data according to the clearance level of the user and that “these same issues were being worked in the RT-RG deployments in Iraq and Afghanistan.”

Another challenge was to ensure that the role of the NSA system was obscured if necessary when investigations arising from its use ever ended up in court. The NSA memo addressed this issue cryptically, saying that the “RT-RG capability in whatever form it exists at EPIC would have to respect and incorporate Special Operations Division’s (SOD’s) role.” The SOD is a controversial DEA division that uses NSA intelligence to create leads for federal and local police, but since the source can’t be known, the division trains agents to use so-called parallel construction to cover up where the information originated, as reported by The Intercept.

The ultimate goal, the memo stated, was “linkage between the law enforcement and SIGINT worlds” — that is, between the NSA and law enforcement entities like the DEA. But there were “multiple policy issues to be addressed before that can be realized.”

One thing that was unclear in 2008 was whether EPIC would get its own RT-RG or use the one at NSA Texas.

It is, however, clear that the latter facility, located in San Antonio and focused on intelligence needs to the south of the U.S., used RT-RG starting in June 2010 to help stanch the flow of migrants and drugs into the U.S. Six staffers from NSA Texas People Smuggling Organization branch had received RT-RG training, according to an NSA document dated August 12, 2010. The cellphone of one alleged such person, “SIA [Special Interest Alien] smuggler Chuy in Reynosa,” was targeted “for geolocational purposes,” the document said.

The document stated that getting “formal RT-RG training” was a challenge and that only 13 of 28 NSA Texas Southern Arc Target Development staffers had received it.

The main targets tracked by RT-RG at NSA Texas, the document made clear, would belong to Mexican drug cartels, and RT-RG was expected to bring ”substantial operational benefit for Mexican Cartel HVT [high-value targets] and Border Security missions.”

RT-RG brought to the border region a tactic used in Iraq: pattern-of-life analysis, in which a target’s future movements are anticipated by mapping their past activities and those of their associates. In Iraq, the NSA had hunted down an elusive insurgent, who frequently disassembled his phone, by targeting his wife’s phone, thus homing in on the couple’s jaunts to south Baghdad. In or around Mexico, it used similar types of analysis against three “hit squad” members of the Vicente Carrillo Fuentes Organization, a cartel based in Ciudad Juárez across the border from El Paso. This pattern-of-life work led to the capture of two of the cartel members, with “an imminent operation pending to capture the third,” according to the August 2010 document.

RT-RG also brought close to home another tactic from Iraq: Alexander’s “collect it all” approach. In 2012, RT-RG at NSA Texas began receiving metadata gleaned from the U.S. internet backbone, as well as from internet trunks outside the U.S., according to a June 2012 NSA report. The data was laundered by “obfuscating the source information and filtering out metadata from countries of no interest to that area of responsibility” and would “provide RT-RG Texas with 85% of their input volume, which contains 60% of the hits on their targets,” another report said.

Beyond the backbone data, RT-RG at NSA Texas in 2012 also added data obtained from AT&T’s network under a program known as FAIRVIEW. It is not clear how data was processed for use at NSA Texas, but one document mentions a filter system called SHELLTRUMPET that handled the mass surveillance data flowing into San Antonio.

To the NSA, the deployment was a success story, according to a geospatial analyst at NSA Texas, writing in SIDtoday. To take surveillance strategies developed to minimize U.S. casualties in battle and use them for law enforcement was, the analyst wrote, the “perfect example of taking techniques developed in one environment and applying them in other targeting situations.”

To the rest of us, such transplantation of spycraft, whether among federal agencies at the U.S. border or among various countries in Afghanistan, might serve instead as an example of the dangerous path that technological innovations can take as they slowly — but surely — “creep” from one context to another.

“Foreigners also have privacy rights under international law, including treaties the U.S. has signed. The Snowden documents make clear that these rights were systematically violated,” said  Goitein, the national security specialist from Brennan Center.

“Although government officials have claimed that the RT-RG program was highly effective, such claims are always based on classified evidence and must be taken with a grain of salt. The last time such a claim was rigorously investigated — when officials claimed in 2013 that “bulk collection” of Americans’ phone records was a valuable counterterrorism tool — it quickly fell apart.”

The NSA declined comment for this story.

Documents published with this story:

• SIDtoday: Putting a New Tactical Comms System to Good Use in Afghanistan (NSA, July 2006)
• SIDtoday: New Tool Put Into Play in Afghanistan (NSA, March 2006)
• SIDtoday: RT10: Getting Information to the Front Lines in Time to Make a Difference
• SIDtoday: Follow the “Honey” (NSA, June 2008)
• SIDtoday: Hollywood Special Effects? No, It’s Modern-Day SIGINT (NSA, July 2009)
• SIDtoday: Innovative Super Sized SIGINT Facility Opens in Afghanistan (NSA, November 2009)
• GCHQ Bagram Presentation 2010
• NSA Area 82 Update April 2009
• NSA Afghanistan Coalition Dissemination Brief to Senior Leadership Forum 2009
• Excerpt of May 2008 NSA Afghanistan Dataflow Analysis
• SIDtoday: What Are the Latest SIGINT Developments in Iraq and Afghanistan? An Interview with Colonel Parker Schenecker (NSA, October 2009)
• NSA Presentation on RTRG Analytics for Forward Users
• SIDtoday: SIGINT Then and Now: Vietnam vs Iraq (NSA, March 2009)
• SIDtoday: SID/FAD Presentation: Enabling Coalition Partners in Afghanistan (NSA, October 2009)
• SIDtoday: Puis-je vous aider? Highlights from a Third-Party-Training TDY (NSA, December 2008)
• SIDtoday: New Policy for the Coalition in Afghanistan Is Signed (NSA, April 2011)
• GCHQ Summary of RTRG
• NSA El Paso Intelligence Center Trip Report 2008
• SSO News on MYSTIC SHELLTRUMPET for June 20, 2012
• NSA June 2012 SSO Weekly Brief Excerpt
• SIDtoday: From the Sandbox to Mexico: Applying Wartime Tactical Techniques to Strategic Missions (October, 2009)
• NSA BOUNDLESSINFORMANT Chart on Sweden
• NSA BOUNDLESSINFORMANT Chart on Denmark

The post Mission Creep: How the NSA’s Game-Changing Targeting System Built for Iraq and Afghanistan Ended Up on the Mexico Border appeared first on The Intercept.

The documents, published on an NSA internal news site called SIDtoday and provided by agency whistleblower Edward Snowden, provide a glimpse into the intelligence relationship between two countries during the 2006 conflict.

They form a two-part SIDtoday article titled “The Israel-Hizballah Crisis — Perspectives from an Acting SLO Tel Aviv,” the personal account of a Tel Aviv-based NSA official — a signals intelligence liaison officer, who is tasked with managing relations with foreign partners — and their experience with their Israeli counterparts during the war. By their account, the NSA relationship with Israel during the 2006 war was strained. The NSA liaison officer recounted disputes that occurred with the Israelis over intelligence requests made by the Israeli SIGINT National Unit, or ISNU, the elite Israeli counterpart to the NSA.

“ISNU’s reliance on NSA was equally demanding and centered on requests for time sensitive tasking, threat warning, including tactical ELINT” — electronic intelligence — “and receipt of geolocational information on Hizballah elements,” the NSA official wrote. “The latter request was particularly problematic and I had several late-night, sometimes tense, discussions with ISNU detailing NSA’s legal prohibition on providing information that could be used in targeted killings.”

“Even with his full understanding of the US statutes, [ISNU Commander] BG Harari sought assistance from NSA for an exemption to this legal policy. To ISNU, this prohibition was contrary not only to supporting Israel in its fight against Hizballah but overall, to support the US Global War on Terrorism.”

“I had several late-night, sometimes tense, discussions with ISNU.”

The account goes on to suggest that the NSA ultimately reached a compromise with its Israeli counterpart by working with the Office of the Director of National Intelligence, or ODNI, the cabinet-level office that oversees U.S. intelligence efforts. “In the end,” the article states, “a framework was decided upon by ODNI that defined the parameters and methods of what could and could not be shared with the Israelis.” The documents do not give details of this framework.

With tensions between Israel and Hezbollah constantly being ratcheted up — and persistent chatter about a new conflict — the logistical, geopolitical, and legal contours of U.S. intelligence-sharing with the Israelis takes on increasing import. The reluctance of U.S. officials to share intelligence information in 2006 highlights the thorny geopolitical dynamic between these longtime allies, whose intelligence agencies are sometimes at odds with each other; it also raises questions about the legality of sharing intelligence with a partner nation operating outside U.S. legal constraints.

The question of what intelligence the United States can legally share with a foreign government is notoriously murky. An executive order signed under President Ronald Reagan in 1981 established that the United States “may enter into intelligence and counterintelligence arrangements and agreements with foreign governments and international organizations.” Decades later, despite revolutions in information collection and retention, as well as numerous campaigns for greater transparency on foreign intelligence-sharing, legal experts say that the legal rules about what can and cannot be shared remain opaque.

“There is very little we know about the U.S. government regulations pertaining to the sharing of intelligence with foreign governments,” said Asaf Lubin, a legal expert on cybersecurity and privacy at the Fletcher School of Law and Diplomacy at Tufts University. “It is fair to assume that the Office of the Director of National Intelligence together with the attorney general have developed certain policies on the formulation and application of these intelligence-sharing regimes, but they are not publicly available.”

The NSA and Israeli intelligence drew up a memorandum of understanding in 2009, authorizing the sharing of certain raw intelligence data, according to a Snowden document published by the Guardian. The memo was controversial for apparently giving the Israelis access to data about American citizens, including private messages and metadata. But the civil liberties implications of the agreement were even more troubling when it came to data vacuumed up by the NSA about non-U.S. persons — people who are not residents or citizens of the United States — and then shared with Israeli intelligence.

As a 2016 Brennan Center for Justice report on the memo noted, “None of the publicly available directives explains how intelligence agencies take into account the impact of intelligence sharing on the human rights of non-U.S. persons.” The report added, “The lack of transparency raises concern that shared information could be used to repress, censor, or persecute, or commit other human rights abuses.”

Handwritten Note Refers to Israeli Request as “Problem Area”

The memorandum of understanding between Israel and the NSA suggests a deal was reached nearly three years after the 2006 Israel-Lebanon War. It’s unclear how much cooperation the NSA provided to Israel during that conflict.

An internal NSA presentation, which was also classified, recapped some of the key issues that arose between the NSA and ISNU during the fighting between Israel and Hezbollah. Dated April 2007, the slide deck also described the NSA’s relationship with ISNU more generally. The document noted that ISNU had roughly 5,500 enlisted conscripts and 1,200 career officers, and that the Israeli agency was headquartered in Tel Aviv with “production centers” in Syria, the Palestinian territories, Egypt, and Lebanon.

“There is very little we know about the U.S. government regulations pertaining to the sharing of intelligence.”

According to the slides, Israeli officials experienced “high anxiety” and were heavily reliant on the NSA for support during the 2006 war with Hezbollah. A slide titled “What Did ISNU Want?” indicated that the Israelis sought information on kidnapped soldiers in Lebanon, Iran’s role in those kidnappings, electronic signals intelligence, and geolocational data. A handwritten note on the margins of the slide — affixed by an unknown person — described this last point as a “problem area.”

The presentation also appraised the war effort, noting that Hezbollah was well-prepared for the conflict and enjoyed logistical support from Iran and Syria. The group operated in civilian neighborhoods, and the Israelis were receiving “bad world press” — presumably a reference to critical news stories about the destruction wrought on Lebanon during the war. As the SIDToday documents noted, life in Tel Aviv carried on more or less normally during the fighting, with hotels and restaurants packed with customers. The presentation also observed that there was “little sympathy for civilian non-Israeli casualties from man-on-the-street.”

The widespread civilian harm caused by the fighting also makes the details of U.S. intelligence cooperation with Israel controversial. Human Rights Watch estimated that over 1,100 Lebanese were killed over the course of the war, largely as a result of Israeli airstrikes and shelling in southern Lebanon. Several dozen Israeli civilians were also killed by Hezbollah rocket and mortar attacks that targeted Israeli border towns. Human Rights Watch later criticized the Israel Defense Forces for using indiscriminate force, claiming that the IDF had shown “reckless indifference to the fate of Lebanese civilians.”

“Israel repeatedly, and in some cases egregiously, violated the laws of war,” Nadim Houry, co-author of the Human Rights Watch report, said. “The Israeli military engaged in indiscriminate aerial attacks and massive use of cluster munitions, repeatedly targeting civilian infrastructure that was not tied in any way to the armed conflict.”

Israeli officials’ own statements seemed to back up human rights groups’ allegations that the IDF had deliberately targeted civilian infrastructure as a means of deterrence. Israeli officials later publicly dubbed this strategy the “Dahiyeh Doctrine,” a name taken from a south Beirut neighborhood that suffered catastrophic destruction during the fighting. Despite employing such tactics, the IDF was largely seen to have lost the war — or at least been fought to a draw by Hezbollah. Two points on the NSA slide presentation stated that, in the aftermath of the war, “public confidence in the IDF erodes” and “military morale/confidence low.”

There are ominous signs that Israel and Lebanon are nearing another confrontation, during which the ISNU may again lean on the NSA for support. Although Israeli intelligence-gathering capabilities are believed to have improved since the last war, Hezbollah has also reportedly acquired significant new arms and fortified areas under its control in southern Lebanon. The IDF recently carried out operations near the Lebanese border to uncover tunnels said to have been dug by Hezbollah, and the Israeli Air Force periodically strikes Hezbollah targets in neighboring Syria.

Over the past several years, Hezbollah leaders claimed to have received “game-changing” weapons that would alter the course of any future war with Israel. For their part, Israeli officials have issued a steady drumbeat of statements emphasizing the level of destruction that Lebanon would suffer during another war, specifically highlighting the grievous harm that would be caused not just to Hezbollah, but also to Lebanese civilians and infrastructure.

“If the next war indeed breaks out, it will be rough. But, first and foremost, it will be rough for the other side,” IDF Maj. Gen. Nitzan Alon warned in an interview last year. “I don’t think any Israeli citizen would want to switch places with a Lebanese citizen during the next war.”

The post Israel Hated American Ban on Sharing Intel for Assassinations, So U.S. Made New Rules appeared first on The Intercept.

If one were to draw a map of the locales most pivotal to Vladimir Putin’s political trajectory, the bottom of the Barents Sea might not immediately come to mind. And yet, long before his incursions in Syria, Ukraine, and the U.S. elections, it was in those frigid waters off the navy base at Vidyayevo, in the northwestern corner of his country, that the Russian leader’s career took an indelible turn.

On August 12, 2000, a year after Putin took the helm as President Boris Yeltsin’s premier and less than six months into his own presidency, an explosion rocked the forward torpedo room of the Oscar II class Russian submarine Kursk. The blast was followed by a second, larger explosion that drove the vessel to the bottom of the Barents, inciting a crisis during what was to have been a milestone show of force by the Russian Northern Fleet.

A National Security Agency staffer monitored the dismal events from Oslo, Norway, where he had arrived as a signals liaison officer barely one month prior. The officer later described responses to the disaster from the NSA and its counterpart the Norwegian Intelligence Service in an account he wrote for an NSA internal news site, SIDtoday. The account, provided by whistleblower Edward Snowden and published with this article, indicates that Norwegian intelligence was aware the catastrophe had occurred two days earlier than it has said was the case, and provides new details on the timeline of the Russian naval response to the explosions, underscoring the extent to which the crisis was mismanaged.

“Three and a half hours passed before any [Russian] suspicion of problems on board OSCAR II 850 arose.”

For Putin, that mismanagement stood among the most prominent examples of how Russia’s military and diplomatic capabilities broke down after the fall of the Soviet Union, staining the early years of his presidency and ultimately spurring him to tighten his political grip.

The Barents is a contentious place, not only for its Arctic climate, but because it hugs the Russian and Norwegian coastlines. There, over decades of Cold War tensions, Western powers stood at their Soviet adversary’s doorstep, before geography and geopolitics merged to seal the fate of the 118 sailors who died aboard the Kursk.

Much remains unknown about the Russian navy’s handling of the disaster, and the official Russian narrative was not without its switchbacks. Initially, Moscow claimed that the Kursk collided with another vessel in the Barents, causing it to sink. In fact, a leaking torpedo blew up during a training exercise, Russia’s official investigation later concluded. Russian authorities also initially said that all aboard perished almost immediately; in fact, 23 sailors survived the blasts and sinking, likely for at least several hours, if not days, according to evidence later found by divers. Their resilience made it all the more lamentable that it took the Russian navy more than 15 hours to launch a rescue, which ultimately failed. As SIDtoday recounted, the Kursk’s sinking “occurred without any distress calls or communications of its problems.” By the time the Kursk landed on the seafloor, it was unable to contact the Northern Fleet command, and the aftermath of the explosion demonstrated a communication failure in which the Russian navy effectively lost track of its submarine.

“It seems as if the Northern Fleet was not aware that the explosions had occurred on one of their vessels,” an NIS report quoted in the SIDtoday article stated. “Thus, 3 ½ hours passed before any suspicion of problems on board OSCAR II 850 arose. Another 1 ½ hour passed before the sub call dissemination activity started.” Experts believe this dissemination activity was the fleet’s first attempts to communicate with the Kursk. These delays do not appear to have been reported previously.

SIDtoday also stated that the NIS report was issued on “Saturday 12 August,” the same day as the Kursk explosions. This is significant because the Norwegian military told the press in the wake of the incident that it did not realize an accident had occurred until Monday, the same day Russia announced the sinking — but the NIS report makes clear that Norway knew a Russian sub had been in a severe accident. Quoted at length in SIDtoday, it gives timings for the two explosions that are specific to the minute, adding:

THIS CATASTROPHIC CASUALTY CAUSING ENTRY OF WATER INTO THE NOSE COMPARTMENTS AND PL850 [Kursk] HIT THE BOTTOM PROBABLY A FEW SECONDS LATER [sic]. BASED ON UPDATED DATA, PL850 OSCAR II WAS LOCATED AT BOTTOM OF THE SEA IN POSITION 6936.59N 3734.32E ATA DEPTH OF 108 METERS WITH PERISCOPE AND ANTENNAS ERECTED.

A Norwegian spy ship, FS Marjata, was tracking the Northern Fleet exercise and collected information related to the Kursk, military officials told Norwegian newspapers, including Dagbladet and Bergens Tidende. The spy ship was within 15 nautical miles of the Kursk accident, said the latter publication; a Norwegian Defense Command spokesperson told the paper that the military recorded the sound of the explosions but did not register anything unusual at the time, only noticing the explosions when reviewing the recordings after Russia disclosed the accident on Monday.

Dagbladet reported that the Ministry of Defense said just after the accident, on Monday, that it received indications over the weekend of an accident involving a Russian nuclear submarine. But by Tuesday night, the ministry backtracked, telling Dagbladet that the information it received over the weekend could be interpreted in various different ways and that only on Monday was it certain that an accident had occurred.

The Norwegian report, apparently issued Saturday, gives timings for explosions specific to the minute. But Norway said it did not realize an accident occurred until Monday.

But journalist Robert Moore, in a 2003 book on the accident, “A Time to Die,” reported that Marjata’s “data are sent in real time to Oslo for analysis by naval intelligence specialists,” bolstering the idea that NIS could have been aware of the accident on Saturday, as indicated by SIDtoday.

NIS declined to comment for this article. The Russian government did not respond to a request for comment. NSA did not comment.

According to the SIDtoday document, “It was clear that the [Russian] Northern Fleet command had no information on the condition of the sub or crew” just after the sinking, and that once they managed to locate the Kursk, “the Russians did not have the ability to reach the sub to conduct any type of rescue/extraction operations.”

As European media began reporting on a “missing” Russian submarine in the following days, Britain, the U.S., and Norway offered publicly and, reportedly, through backchannel communications to aid in location and rescue efforts. In a move that would mar the early days of Putin’s leadership, the Northern Fleet waited until Wednesday — four days after the Kursk sank — before accepting any help from foreign powers. Norwegian and British rescuers wouldn’t arrive until that Saturday, a week after the accident.

Fourteen months after the disaster, the Dutch company Mammoet lead the initiative to lift the 17,000-ton submarine from more than 300 feet beneath the surface of the Barents. The recovery operation, which ultimately took 15 hours, proved particularly sensitive due to the twin nuclear reactors and stock of torpedoes and cruise missiles aboard the vessel. Upon surfacing, the Kursk was towed to dry dock at Roslyakovo.

How Kursk Lead to “Clear Subordination” Under Putin

The dysfunctional response to the crisis proved an unflattering revelation of the status of the Russian navy at the turn of the century, according to Michael Kofman, a senior research scientist at CNA, a Virginia nonprofit that operates the Center for Naval Analyses and developed early techniques for U.S. anti-submarine warfare. After a decade of economic and political instability following the collapse of the USSR in 1991, Russia’s defense infrastructure was underfunded and relied heavily on vestiges of Soviet military power. “Russia inherited a large percentage of the Soviet Union’s navy with a tiny fraction of its budget,” Kofman told The Intercept. Thus, Russia’s navy had on its hands equipment “meant to fight World War III with NATO,” Kofman said, without the need for such force and without the finances to maintain it.

Kofman also recalled that the Kursk’s grandeur — “an undersea atomic guided missile cruiser, as well as a capital ship and one of the largest submarines you can find at sea” — compounded the already unflattering optics surrounding the crisis. (A “capital ship” is one of a navy’s most important vessels and typically among its largest.)

“Putin learned you’ve got to get a lid on TV and control how they portray you.”

The crisis struck at a sensitive moment in Russia’s history. As the country was renegotiating its footing on the world stage, the Kursk disaster undermined equivalencies Russia drew between itself and other major Western powers. According to Sean Guillory, a scholar at the University of Pittsburgh’s Center for Russian, East European, and Eurasian Studies, a desire to reassert Russian geopolitical leadership offers one potential explanation for Putin’s unwillingness to accept assistance from Western powers immediately after the disaster. But for Guillory, there is also a security argument to be made, insofar as accepting military aid from NATO members would potentially expose sensitive Russian military information. “You can be sure that if the Americans are going to assist and rescue a submarine, they’re going to be taking notes,” Guillory said.

Whatever factors ultimately informed Putin’s delayed response to the crisis and to Western offers of aid, the historical moment Putin found himself in heightened the implications of the tragedy. Guillory pointed out that the events of August 2000 occurred at a time when, despite the formal demise of the USSR in 1991, “the Soviet system is still continuing to collapse,” the Kursk proving one of its most telling relics.

From a public relations standpoint, both domestically and internationally, the Kursk disaster was what one might euphemistically call a teachable moment. Media coverage of Putin’s handling of the crisis was less than flattering, largely because Putin had yet to yoke Russian media firmly to his bidding, according to Tony Wood, author of the recent book, “Russia Without Putin: Money, Power and the Myths of the New Cold War.” “The lessons Putin learned were, you’ve got to be a bit smoother, and you’ve also got to get a lid on TV and control how they portray you, otherwise they could finish your presidency,” said Wood. While families of missing sailors sought information on the state of their loved ones in the days following the blasts aboard the sub, Putin could be seen on vacation at a Black Sea resort at Sochi. Though he did go on Russian national television to take responsibility for the mismanagement of the disaster in late August, he also gave a remarkable interview to CNN journalist Larry King some weeks later that demonstrated an altogether different sort of statesmanship. In response to King’s inquiry into just what happened to the submarine, Putin responded flatly, through a translator: “It sank.”

Such obfuscations from Russian leadership did not go unchallenged, however. The NSA document recounts another dubious development in the weeks following the disaster that recalled “shades of the KGB in the 50s.” During a meeting between Russian officials and the families of some of the Kursk sailors in late August, Nadezhda Tylik, the mother of Kursk sailor Sergei Tylik, was yelling at First Deputy Prime Minister Ilya Klebanov when a trench coat-clad figure appeared behind her with a syringe in hand. In a video that aired on several major European news outlets, Tylik can be seen receiving an injection before collapsing into the arms of surrounding military officials, her diatribe interrupted. The SIDtoday document, as well as a number of media outlets, described the event as a forced sedation intended to silence Tylik. In a subsequent statement, Tylik countered the sedation narrative, claiming that the syringe captured on video contained medication for her heart. Tylik declined to offer comment for The Intercept. “Sorry,” she wrote via email, “but it is hard for me to remember those tragic days and for that reason I refuse to do interviews of any kind.”

Much as the disaster and its aftermath forever altered the lives of those who lost loved ones aboard the Kursk, so too did it change the tenor of Putin’s distinct flavor of statecraft. According to Wood, what emerged in the aftermath of Kursk was a strict adherence to “the vertical of power,” a catchphrase ascribed to Putin in the 2000s. Wood describes this as the “clear subordination and hierarchical functioning of all parts of the government,” essentially “a strict chain of command.” While this effectively sounds like any well-functioning form of governance, it also became associated with what critics view as Moscow’s emerging authoritarian predilections. The concept of the vertical of power actually predated Putin. “Yeltsin talked about it in the 1990s as well,” said Wood. “The difference is that, at that point in time, it was talked about as something that didn’t exist.” While the Kursk might not have singlehandedly prompted Putin to impose a stronger grasp on Russia’s media and military apparatuses, the scandal and dysfunction surrounding the disaster do delineate a clear before and after in Putin’s political and diplomatic trajectory. Indeed, by the mid- to late 2000s, Russia had experienced significant economic growth and had made notable funding and infrastructural advancements within its military. “If a crisis like the Kursk had happened several years later, Russia probably would have had the money and the wherewithal to handle it themselves,” said Wood.

The post Sinking of Russian Nuclear Submarine Known to West Much Earlier Than Stated, NSA Document Indicates appeared first on The Intercept.

It began not by tapping enemy insurgents’ phones or capturing their emails, but by following the money.

When the National Security Agency discovered that Iran may have been buying computer chips from the United States, routing them through a U.S. ally, and potentially supplying them to detonate bombs against U.S. forces in Iraq and Afghanistan, it credited so-called economic intelligence with the find.

And the solution was not a death blow delivered by the military, but rather a new regulation on the export of certain technologies via the Commerce Department, which the spy agency said would end up “saving American and coalition lives.”

The unusual strategy of tracing monetary flows to stop explosions is one of many significant disclosures contained in a batch of 328 internal NSA documents provided by whistleblower Edward Snowden and released by The Intercept today after research and redaction.

Also included in the material, which originates from SIDtoday, the newsletter of the agency’s core Signals Intelligence Directorate, is the untold story of how intelligence related to Al Qaeda leader Abu Musab al-Zarqawi was finally acquired; an assessment that a “vast … network of Iranian agents”  operated in Iraq and influenced its government; a major push to hone the agency’s voice identification technology; details on how NSA staff deployed abroad viewed, and sometimes stereotyped, their host countries; and grumbling about having to comply with public-records laws.

Those stories and others are detailed in the highlights below; the NSA declined to answer questions about them. Also with this SIDtoday release, drawing on the same set of documents, Peter Maass profiles the NSA’s “SIGINT Curmudgeon,” Rahe Clancy, who wrote a beloved set of articles for SIDtoday, trying to instigate change from within the agency and riling up his fellow spies against its corporatization. Alleen Brown and Miriam Pensack, meanwhile, detail instances in which the NSA has spied on environmental disputes and around issues like climate change, overfishing, and water scarcity. And Micah Lee reveals that the NSA infiltrated virtual private computer networks used by various airlines, the Al Jazeera news network, and the Iraqi government.

U.S. Army Gen. George W. Casey, Jr., commander for Multi-National Force-Iraq, speaks with U.S. Army Maj. Sean Bastian, commanding officer of a military transition team, during a Thanksgiving Day visit Nov. 23, 2006, at Combat Outpost Rawah in Iraq’s Al Anbar province.

In Iraq, a “Vast and Disperse Network of Iranian Agents”

The NSA caught Iran smuggling American microprocessors that may have been used to bomb U.S. troops in Iraq, according to a May 2006 SIDtoday article. To import the chips, Iran set up front companies in the United Arab Emirates, an agency staffer wrote; the front companies then sent the microprocessors to customers in Iran and Syria.

The chips had both civilian and military capabilities and “have been used or are capable of being used” in the improvised explosive devices used extensively against U.S. forces in Iraq, the report concluded. Intelligence on the chip smuggling came not from intercepted military or diplomatic communications, as is typical at the agency, but rather through “economic reporting.”

Earlier the same year, an NSA representative who was embedded with U.S. Special Operations Command stated in a top-secret SIDtoday report that analysts had discovered “a vast and disperse network of Iranian agents in Iraq serving the Iranian Ministry of Intelligence or the Islamic Revolutionary Guards Corps.”

In Kuwait, different NSA units deployed a satellite interception system to hear conversations between Iranian agents, according to SIDtoday. This produced new intelligence reports that “have focused on Iran’s (and specifically Iran’s external paramilitary and intelligence forces’) activities in Iraq and the influence they wield on important figures in the new Iraqi Government.”

SIDtoday’s 2006 reporting on Iran’s involvement in Iraq buttressed comments by Gen. George W. Casey Jr., the top American military commander in Iraq, who told reporters in June that year that the military was “quite confident that the Iranians, through their covert special operations forces, are providing weapons, I.E.D. technology and training to Shia extremist groups in Iraq.” By 2017, the New York Times would say that Iran dominated Iraq: Iran-sponsored militias dominated in Iraq’s south, and cabinet politicians who resisted Iran lost their jobs, while U.S. efforts in Iraq primarily focused on chasing the Islamic State in the country’s north.

U.S. Army soldiers make radio contact after arriving by helicopter at night at an undisclosed location south of Baghdad, where they believed a top leader of the insurgency and close associated of Abu Musab al-Zarqawi was hiding, June 5, 2005.

How Key Al-Zarqawi Intelligence Was Obtained

In Iraq, at a strategic level, the U.S. was concerned about Iran; at the ground level, its top priority in 2006 was finding the Jordanian Ahmad Fadil al-Khalayleh, better known as Abu Musab al-Zarqawi — the most wanted terrorist in the country. Al-Zarqawi was the leader of the insurgent group Al Qaeda in Iraq and a fugitive from a Jordanian death sentence. The reward for information resulting in his capture or death reached $25 million.

Zarqawi was brutal to Iraqis as well as Americans. According to Joby Warrick, author of the Pulitzer Prize-winning book “Black Flags: The Rise of ISIS,” “The Jordanian also would seek to strike fear into Americans and other Westerners in Iraq with a series of kidnappings and videotaped beheadings. The first victim, Pennsylvania businessman Nicholas Berg, was butchered on camera by a hooded Islamist that CIA officers later confirmed was Zarqawi himself.”

NSA specialists were able to figure out the location of the internet cafe in Baghdad where the courier was about to access an email account.  An important message from al-Zawahiri to al-Zarqawi, “outlining al-Qaeda’s strategic vision for Iraq,” was obtained.

A major breakthrough had come in 2005, when NSA analysts intercepted, via a courier in Iraq, emails that were intended for al-Zarqawi from Al Qaeda No. 2 Ayman al-Zawahiri in Pakistan. In partnership with U.S. forces, NSA specialists in geospatial intelligence and counterterrorism were able to figure out the location of the internet cafe in Baghdad where the courier was about to access an email account. The courier and a “traveling partner” were caught, and an important message from al-Zawahiri to al-Zarqawi, “outlining al-Qaeda’s strategic vision for Iraq,” was obtained. The 15-page document was made public by the Office of the Director of National Intelligence in 2005, but the circumstances under which it was obtained appear to have not been previously reported. (Warrick’s book said “the CIA’s acquisition of the letter was a closely-guarded secret” and stated only that “the surveillance net” around al-Zarqawi “had snagged a singular piece of correspondence.”)

By early 2006, SIDtoday continued to report on how signals intelligence successes helped capture lesser-known figures. But the primary target remained at large and continued to issue propaganda videos. An intelligence analyst described the intensity of an assignment to a task force in Mosul, Iraq: “We worked for 14 to 18 hours a day, pouring over traffic and piecing together data to find threats or information that would help us locate and go get bad guys. You would feel every minute of those days, but you’d wake up one morning and it would be August.” 

Back at NSA headquarters, new mathematical analysis tools supplemented old-school language expertise in the process of reviewing audio recordings of al-Zarqawi posted on the open web, confirming his voice.

At last, on June 7, 2006, the “primary PC,” which stands for “precious cargo,” was found and dealt a death blow. In SIDtoday, an analyst from the NSA Cryptologic Services Group described the work of the Special Operations Task Force leading up to the targeted bomb strike that killed al-Zarqawi and others, reportedly in a two-story house near Baqubah, northeast of Baghdad, saying that a combination of signals intelligence, imagery intelligence, human intelligence, and “detainee reporting” uncovered the identity and location of al-Zarqawi’s “personal religious advisor,” Sheikh ‘Abd-al-Rahman, who was followed to al-Zarqawi’s hiding place and perished with him.

In this television image from Arab satellite station Al Jazeera, Osama bin Laden, right, listens as his top deputy Ayman al-Zawahiri speaks at an undisclosed location, in this image made from undated video tape broadcast by the station, April 15, 2002.

Fervor for Voice Matching Technology

By the end of 2006, the NSA had come to believe that audio fingerprinting as performed against al-Zarqawi could be used as a simple fix for a host of complex problems, from freeing hostages to curbing nuclear weapons proliferation, according to a series of SIDtoday articles.

Despite repeated setbacks, the NSA remained enthusiastic about voice matching technology, which identifies people by the sound of their voice. The agency had help: According to SIDtoday, voice matching techniques were developed by the Massachusetts Institute of Technology Lincoln Laboratory on the back of efforts to confirm the authenticity of broadcasts by Al Qaeda leaders Osama bin Laden and Ayman al-Zawahiri.

A February 2006 SIDtoday article described some of the difficulties inherent in voice matching, noting that Al Qaeda second-in-command al-Zawahiri displayed more “tonal diversity” than usual following a botched drone strike against him. (The attack killed at least 18 in the Pakistani village of Damadola but missed al-Zawahiri, reportedly due to faulty intelligence on his location.)

“During the 30 Jan message — lasting about three minutes — the terrorist never quite settled down, probably rattled by the attempt on his life and the vehement content,” the article stated. Despite al-Zawahiri’s shaky voice, “mathematical voice matching produced a perfect score of 99% upon comparison with previous soundfiles on this speaker from the same source.”

Six weeks later, another article described how two of five transmissions by al-Zawahiri in a nine-month span failed to yield a high-confidence voice match with previous transmissions. This was solved with new technology from MIT, which “allows optimal combination of vocal-tract models from contentious intercepts,” according to SIDtoday. The lesson to NSA: “Careful modeling” is “critical” for making voice identification actually work — and particularly important once voice matching is applied on a “large scale” to identify those “bent on terrorist activities against U.S. forces or the local populace.”

The same article goes on to describe a hand-held device, close to going into production, which would provide field access to MIT’s “mathematical engine” and voice matching estimates in “hostile environments.”

A May 2006 article describes another voice recognition stumble, when an October 2003 audio recording of bin Laden could not identify the Al Qaeda chief’s voice because it “proved to be of too low quality.” The file was later “enhanced” using software from a “local vendor … to yield a perfect match.” Still, there were successes, credited to the MIT software, with which “voice matching has become simplicity itself.” For example, an April 2006 recording of bin Laden was successfully matched against a January 2005 recording of bin Laden and against multiple other recordings.

The May SIDtoday article included references to screenshots of the MIT software’s “Speaker Comparison Algorithm” interface. Though those screenshots were not included in the SIDtoday articles as provided by Snowden, two images from an article on Lincoln Laboratory’s webpage — which were removed during the course of reporting this article — refer to a similarly named interface:  

Screenshots of MIT Lincoln Lab’s VOCALinc tool, which was “sponsored by the Department of Defense” and developed “utilizing U.S. government operational data.”

The MIT voice identification software was so important to the NSA that the agency approved a four-hour course on it based on MIT documentation and added the class to the National Cryptologic School syllabus, according to a July 2006 SIDtoday article.

The code, or an MIT-updated version of it, appears to have still been in use nearly eight years later. According to publicly available documentation from 2014, MIT Lincoln Lab’s VOCALinc tool was “already in use by several entities,” including “intelligence missions concerning national security” in areas such as terrorism. The document also references the development of “unseen devices such as body microphones and multirecording systems.” (Lincoln Lab did not provide responses to questions in the weeks leading up to publication of this article, although a spokesperson indicated he would try to get a response from a staffer “if sponsors allow him to discuss these topics.”)

Perhaps the clearest example of the enthusiasm for audio fingerprinting at the NSA in 2006 comes from an article written in March by the agency’s “Technical Director, Operational Technologies,” Adolf Cusmariu.

In the article — titled “Nuclear Sleuthing — Can SIGINT Help?” — Cusmariu took the idea at the base of the NSA’s voice matching technology to a new level of optimism.

What if, Cusmariu asked, the NSA scanned intercepted phone calls for the distinct sound generated by centrifuges used in uranium enrichment facilities? Could this help identify hidden nuclear weapons facilities in “rogue states like Iran and North Korea?”

What if, Cusmariu asked, the NSA scanned intercepted phone calls for the distinct sound generated by centrifuges used in uranium enrichment facilities?

There were several problems with the idea. First, there was the issue of background noise — the sound of the centrifuges inevitably mixing with other audio sources — “making unequivocal fingerprinting problematic.” Then, there was the fact that “the person making the call would have to be located inside, or at least near, the centrifuge compound for the acoustical signature to be audible.”

“Yes, a needle in a haystack!” Cusmariu admitted, but nonetheless, “algorithms have been developed … looking for just such signatures.” Unfortunately, “no convincing evidence has been found so far.”

Public records show that, in the months following these articles, Cusmariu filed for patents on “identifying duplicate voice recording” and “comparing voice signals that reduces false alarms.” Both were granted and describe methods similar to those discussed in SIDtoday, but with different applications.

To be sure, there was reason for some level of optimism about voice recognition technology. A brief — and top secret — SIDtoday article from May 2006 suggested that voice identification helped free the Briton Norman Kember and two Canadian fellow peace activists, who were held hostage in Baghdad. The successful operation was widely reported at the time, but the fact that voice ID helped identify the hostage-takers was not made public.

The CIA and the NSA staff of the Special Collection Service site in Baghdad worked together to find the kidnappers for several nights leading up to March 23, 2006, the article disclosed. On the final night, British and American spies, working side by side “to eliminate incorrect targets through voice identification,” were able to isolate “the specific terrorist believed to be holding the hostages.” The article does not, however, state whether the match was made by a computer, human, or combination of the two.

Eventually, the NSA played a pivotal role in developing voice matching technology, as described in Ava Kofman’s exposé earlier this year in The Intercept.

 “Dragon Team” Helped NSA Thwart Cordless Phones Used by Insurgents

Although it lacked the technical glamour of voice matching, the NSA saw its effort against high-powered cordless phones as critical to protecting U.S. troops on the ground. Early on in the Afghanistan and Iraq wars, the simple, rugged devices, also known as HPCPs, were in common use by insurgents, including as a means of triggering improvised explosive devices, or IEDs. SIDtoday articles from 2003 complained that these handsets, which could communicate with other handsets that were also within a 50-mile range of the radio base station, created an “intelligence gap,” and were such a problem that the NSA hosted a “Worldwide HPCP Conference” to understand, and design attacks against, this technology.

Less than three years later, the NSA had made significant progress. A SIDtoday article from May 2006 said a “dragon team” of NSA researchers developed a tool called “FIRESTORM” that supported a denial-of-service attack capability against cordless phone networks. FIRESTORM could prevent IED attacks and support an ability to “ping” a specific device, “forcing the targeted HPCP to emit an RF signal that can be geolocated by any asset in the area.” The dragon team had been “eagerly working with potential users to move this capability out of the development lab and into the fight.”

Sugar Grove station in West Virginia.

How NSA Staff Viewed the Rest of the World

The NSA needed staff paying attention to issues, like HPCPs, that resonated only once you were outside the bubble of Washington, D.C., and Fort Meade, Maryland — or which could only be addressed effectively from another country. To do so, it needed to convince them of the benefits of relocation. The perennial “SID Around the World” series within SIDtoday described daily life on assignment to global NSA locations, often in glowing terms. With a substantial portion of agency postings in remote locations, where big satellite dishes can dominate empty landscapes, or in offices on military bases, or in the underground bunkers below them, the idea was to make working abroad for the NSA sound fun. But in just its third year, the series seemed to fall back on lazy stereotypes and imperious complaining.

The series seemed to fall back on lazy stereotypes and imperious complaining.

A lucky staffer in Bangkok, an “adventurous woman,” is most enthusiastic about the cost of living there. “You can hire a maid for less than $100 a month or $1200 per year as a single person,” she wrote. “Most domestic services include: cooking, cleaning, washing, ironing, and babysitting children and/or pets. Tell me where you find that kind of help so cheaply? And the Thai domestic help are kind and trustworthy; therefore, no need to worry about your valuables.” You can live like a queen.

In 2006, to one staffer, the Japanese “fascination with technology” was notable; they carried cellphones equipped with two-way video conferencing and web browsing, and drove cars equipped with GPS. 

Yet “[d]espite having one of the oldest cultures in the world, the Japanese seem very innocent and naive.” Really?

It seems there were some ugly Americans on assignment.

Traffic was bad, or the roads are narrow, in England, Japan, and Turkey, too.

In Turkey, the cuisine was “world-class,” although lacking variety: “Probably 90 percent of Turkish restaurants offer no more than 4 or 5 traditional Turkish dishes.”

Indeed, culinary attractions, a staple of the series, seemed sparse. In fact, NSA staffers were introducing America’s Fourth of July fare and Italian dishes to the villagers of rural Yorkshire, where they tasted English boiled beef and potatoes with a “wilted sprig of parsley” on top. No really, “it is actually very good and certainly doesn’t deserve the bad reviews that it has been getting.”

But the shopping! In Ankara, the fruit was so fresh, the price was so cheap, and there were, again, “world-class” handicrafts. In Thailand, there were many “wonders for a single woman to enjoy,” like gorgeous silk fabrics, gems, and jewelry.

Meanwhile, back in the U.S., one of the best parts of a Utah posting was the dusty road trip on I-15 to California. And from the Sugar Grove station in West Virginia, the nearest shopping was 40 miles away, in another state, over snow, black ice, and curvy roads in the winter. Nothing was said about the cuisine. Getting to work at the underground NSA site required driving to the top of a mountain from the U.S. Naval Information Operations Command center at Sugar Grove, a naval base in landlocked West Virginia. There were occasional bear sightings. Since its 2006 appearance in SIDtoday, the naval base has been decommissioned and sold, but the underground NSA facility continues to operate with its secret mission.

Through its sister publication Field of Vision, The Intercept covered Sugar Grove with a film and story last year. As Sam Biddle reported at the time, “antennas at the NSA listening post, codenamed TIMBERLINE, were built to capture Soviet satellite messages as they bounced off the moon, imbuing a pristine stretch of Appalachia with a sort of cosmic gravity.” The former base is scheduled to reopen in October as a substance abuse treatment center.

The most enthusiastic appraisal of daily signals intelligence life was contributed by a GCHQ staffer assigned to the NSA Fort Meade headquarters from the United Kingdom. The temporary Marylander loved the food (“crab cakes!! Maryland crab soup!”), the climate, the roads, the local countryside, and the cheap gas. They and their wife were delighted by football and baseball games, and even by deer nibbling on flower beds. The Britons also enjoyed the friendly neighbors and, in a turnaround, were the hosts for the Fourth of July barbecue, leading “several spirited renderings of the Star-Spangled Banner.” 

Informing the Public at the NSA: “A Dirty Job, But Someone’s Got To Do It”

It wasn’t just people in other countries who seemed foreign to some NSA staff; voluntarily providing information to the American public provoked some strange and not entirely welcome sensations as well. James Risen and Eric Lichtblau of the New York Times reported in December 2005 that the NSA had been secretly authorized to spy on U.S. communications without a warrant. The Pulitzer Prize Board, in awarding the U.S.’s highest journalism honor, credited the pair with inspiring “a national debate on the boundary line between fighting terrorism and protecting civil liberty.”

Fulfilling public information requests is a “disruption to … day-to-day operations.”

This debate, in turn, seems to have inspired a surge in Freedom of Information Act requests directed at the NSA. The requests, in which journalists and other citizens try and pry information from the notoriously secretive agency, spiked to more than 1,600 in the first half of 2006, from 800 in the course of an entire normal year, a member of the Intelligence Security Issues division disclosed in SIDtoday. The staffer did not mention Risen (now at The Intercept) or Lichtblau, but did cite “the agency appearing so frequently in the news” as the cause of the increase.

In SIDtoday, the Intelligence Security Issues staffer portrayed the NSA’s response to handling FOIA requests in terms typically reserved for a trip to the dentist for a root canal, describing his department’s work as “a dirty job, but someone’s got to do it,” and promising to make fulfilling FOIA requests “as painless as possible,” even though fulfilling the requests is a “disruption to … day-to-day operations.” One wonders what adjectives the Intelligence Security Issues division deployed seven years later to explicate the process, when the Snowden revelations prompted an 888 percent rise in FOIA requests to the agency.  

The Skype internet phone program is seen on Sept. 1, 2009, in New York City.

NSA Decided It Was Legal To Spy on Some U.S. Phone Numbers

Sometimes, if a law became inconvenient, the NSA could do more than grumble; it could change its interpretation of the rule. For most people, the arrival of online phone call services like Skype and Vonage was a boon; it allowed them to dodge long-distance calling fees and to take their number with them anywhere around the world. The NSA, however, realized in 2006 that it had a big problem with such convenience: Online calling services might allow targets to acquire phone numbers with U.S. area codes and thus become off-limits to the agency, which is not supposed to conduct domestic spying.

“A target may be physically located in Iraq but have a US or UK phone number,” an NSA staffer grappling with the issue wrote in SIDtoday. NSA had previously interpreted a federal legal document, United States Signals Intelligence Directive 18, as barring the targeting of U.S. numbers, and built safeguards into various online systems, causing U.S. numbers to be “minimized upon presentation … and restricted from contact chaining,” a process in which a network of connected people is mapped, according to SIDtoday. In response to the rise of internet calling, the NSA developed techniques “for identifying the foreign status” of phone numbers, and the agency’s Office of General Counsel ruled that U.S. phone numbers affiliated with online calling services could be classified as foreign and targeted for surveillance if the number was “identified on foreign links” and was associated with an online calling service such as Vonage.

U.S. President George W. Bush holds a copy of a presidential commission’s report on pre-war intelligence on weapons of mass destruction while flanked by Judge Laurence Silberman and former Democratic Sen. Charles Robb of Virginia, co-chairs of the commission, during a press conference on March 31, 2005, in Washington, D.C.

Back to Basics: NSA Staff Instructed on Better Analyzing and Sharing Information

Whatever its success collecting and exploiting signals intelligence, the NSA was concerned its staff might not be communicating or disseminating this intelligence properly. “Write Right,” SIDtoday’s monthly column on authoring effective reports, brought to its 2006 edition a new focus on how to effectively route information to other intelligence agencies and federal entities, a process referred to officially (and dully) within NSA as “information sharing.”

The new attention to broad intelligence dissemination may have been a response to the scathing report of the so-called WMD Commission in March 2005, which stated, among other things:

The Intelligence Community’s performance in assessing Iraq’s pre-war weapons of mass destruction programs was a major intelligence failure. The failure was not merely that the Intelligence Community’s assessments were wrong. There were also serious shortcomings in the way these assessments were made and communicated to policymakers.

A maxim on intelligence from Colin Powell, the former chair of the Joint Chiefs of Staff, is quoted twice in SIDtoday’s 2006 “Write Right” columns, once in May and again in December: “Tell me what you know, tell me what you don’t know, tell me what you think; always distinguish which is which.” Columns previously devoted to spell-checking or capitalization began giving advice on adding context (“collateral”) and analysis (“comment”) — and on how to provide analysis without editorializing. Warnings about the use of web research as “collateral” sources included a prohibition on citing Wikipedia.

With information sharing as the new norm, the “Write Right” author (and guest authors) repeated the need to understand and follow changing policies and to make sure that a report is releasable to the intended recipients. This guidance included what could or could not be discussed on the agency’s collaborative discussion forum, called “Enlighten.” No chit-chat: “The ENLIGHTEN system is an aid to professionals in doing their jobs,” according to the forum’s primer, which is quoted in an October 2006 “Write Right.” “All information posted on ENLIGHTEN must pertain to Agency-related (official) business. UNDER NO CIRCUMSTANCES IS ENLIGHTEN AUTHORIZED FOR DISSEMINATING PERSONAL OR NON-OFFICIAL INFORMATION.”

Customers queue outside the Apple Store in London for the launch of the iPhone 3G on July 11, 2008.

The NSA Goes After Newer (3G!) Phones and “Social Networks”

Rapid change was buffeting not just NSA’s information-sharing practices but some of the core communications systems the agency surveilled as well, and in early 2006 the agency held multiple internal events to explain newly developed techniques to evolve its intelligence collection in parallel with these systems.

One SIDtoday article announced a “brown bag session” about exploiting video from third-generation, or 3G, cellphones, including “basic instructions on how best to search, analyze and use camera cell phone video data.” 3G mobile data networks first became commercially available in Japan in 2001, in South Korea and the United States in 2002, and in the United Kingdom in 2003. By 2008, the United States and Europe alone had over 127 million 3G users.

Another article announced an “open house” hosted by the “Social Network Analysis Workcenter” to show off “ASSIMILATOR,” a new web-based tool for analyzing the social networks of surveillance targets. In this case, “social network” refers to the list of people a target communicates with based on signals intelligence from a variety of sources, not social networking services.

Top photo: A U.S. soldier at a press conference in Baghdad takes down an older photo in order to display the latest image purporting to show the body of Abu Musab al-Zarqawi, an Al Qaeda-linked militant who led a bloody campaign of suicide bombings, kidnappings, and hostage beheadings in Iraq.

The post 328 NSA Documents Reveal “Vast Network” of Iranian Agents, Details of a Key Intelligence Coup, and a Fervor for Voice-Matching Technology appeared first on The Intercept.

You know the type.

Middle-aged, male, tired of his job. He’s been around for ages and moans about how things were done 10 times better back in the day. Every so often, he snaps pointlessly at a co-worker. He’s the office curmudgeon. It’s time for him to go, and he probably realizes it.

Workplace grouches are usually ignored or fired, but the National Security Agency gave a unique platform to one of its own. In the mid-aughts, in an internal newsletter, the NSA published a series of articles by Rahe Clancy, an eavesdropper disillusioned with what the agency had become and what he was doing there. It’s not that Clancy disliked spying on people or governments — he supported the collection of signals intelligence, or SIGINT — but he felt that the NSA had lost its way.

After 30 years on the job, he wrote, “I found myself turning into a SIGINT Curmudgeon.” In 2005, he published his coming-out article for the newsletter, SIDtoday, which was targeted at the agency’s core Signals Intelligence Directorate. Clancy wrote that he was particularly worried about the future of his area of expertise, known as “collection,” through which the NSA intercepts and downloads a variety of transmissions, both earthbound and from satellites. “I was convinced,” he continued, “that collection was a dying career field and that NSA management was hastening its demise through neglect.” Clancy was writing for a distinctive audience — the thousands of eavesdroppers, hackers, and analysts who worked for the NSA. His articles for SIDtoday, posted on a secure computer network, were provided to The Intercept by whistleblower Edward Snowden.

Clancy had a theory about what was going wrong: The NSA was being run like a corporation, not a spy agency. It emphasized managers, clients, products, and customer satisfaction. There were substantial pay-and-perk gaps between leadership and the workforce. And the lingo was maddening, a daily hailstorm of “paradigm,” “synergy,” “enterprise,” and “teaming.” It was all driving him nuts — literally. One day, he broke down and had a loud disagreement with his bosses in the middle of the office. He considered early retirement, but had to stick it out because he needed his full benefits.

“I fail to see how running a Cryptologic Intelligence Agency bears more than a superficial resemblance to running a corporation,” he wrote in his final column. “If we had a product to sell, and competition selling that product, I would gladly embrace the corporate model for NSA. But we don’t have competition.”

A strange thing happened on his grumbling way out the door. Clancy’s final column, published as he retired in 2006, was an unexpected hit. Titled “The SIGINT Curmudgeon’s Last Shot!,” it made bitter fun of what he defined as the “Corp-speak” that had overtaken the agency (“SYNERGISTIC: Isn’t that from ‘Mary Poppins’?”). In a follow-up article, the editors of SIDtoday said they received an “unprecedented amount of feedback” and published a sampling of it. “Spot on!” a staffer wrote. “Too many think it’s more important to ‘get ahead’ than get things done!” Another eavesdropper remarked, “Wonderful and to the point. Too much is spent on hype and pointless nonsense.” A longtime veteran added, “I have often mourned the NSA that I joined in 1982. … If anyone knows where it went, please send me a map.”

With his last shot, the curmudgeon became a hero.

A Bookworm and a Collector

In the style of tabloids, SIDtoday had a rotating cast of columnists drawn from the agency’s workforce. There was the “SIGINT Philosopher” who wrote about ethical issues of surveillance; there was a column called “Ask Zelda!” that was akin to “Dear Abby” for spies; and there was “Signal v. Noise,” which explored the intricacies of data collection. Clancy, as the “SIGINT Curmudgeon,” cast a critical eye on the internal discourse at the world’s largest eavesdropping agency. He was, in his cranky way, an amateur anthropologist of modern surveillance culture.

In retirement, Clancy continues his curmudgeonly ways, in the sense of being a bit grumpy about talking with a reporter. He eventually came around to discussing, in an exchange of emails, his critique of the agency, though he kept to generalities. “The numerous oaths I have taken to protect classified information and the Constitution are still very much real to me,” he told The Intercept. “If that leads to me being ‘overcautious,’ so be it.”

My attempts to contact Clancy began several years ago, when I was able to get an email address and phone number for his wife. The first time I spoke with her, in 2015, she said the NSA told her husband not to talk with me. The next time I spoke with her, in early July as I began writing this article, she gave me his phone number. I left several voicemails over several days and emailed his wife again; there was no response. However, about a week later, Clancy emailed me. “Apologies for ignoring your attempts to communicate for so long,” he wrote. “I was not anxious to discuss any of the leaked documents nor was I eager to have my name made public. I’m still not thrilled about it!”

“I’ve never been very good with authority, especially the military type.”

I had sent a few general questions, and he answered some of them. He said he’s an avid reader — the genres he likes include alternative history, westerns, war novels, historical novels, Egyptology, and sci-fi, specifically space opera. He has 1,000 books in his home library and 500 in his digital collection. He does not consider himself a writer. “I wrote for work and sometimes for fun,” he said. “If I have any talent in that arena it’s because of dedicated teachers and a very small high school. There were never more than 100 students in grades 9-12.”

A few minutes on Google helped fill in the blanks about that high school and other parts of Clancy’s biography. He comes from salt-of-the-earth America. He was born in 1948, and his father was a North Dakota farmer and World War II veteran who served in the Guadalcanal campaign. He was raised in a small town, Buffalo, and after graduating from the local high school, he attended the University of North Dakota in Grand Forks. He left after a year to enlist in the Army and apparently served in military intelligence during the Vietnam War. But he lasted only three years — he acknowledged in one of his articles that “I’ve never been very good with authority, especially the military type.” After returning to North Dakota and getting married in 1974, he took a civilian job in England with the Department of Defense; this was the start of his career at the NSA, which is under the aegis of the DOD. His three children were born in England, and in 1990 they moved back to the U.S., settling in Maryland, not far from the NSA’s headquarters in Fort Meade.

Like pretty much everyone else at the NSA, Clancy’s work was classified. He described a bit of it in one of his articles, however, referencing “20 years of FORNSAT experience and 10 years of HF collection.” His reference to FORNSAT indicates satellite collection, which involves targeting the streams of data coming from satellites down to receivers on earth. His reference to “HF collection” seems to mean the collection of “High Frequency” radio signals, a traditional backbone of the NSA’s eavesdropping. In the last stretch of his career, Clancy served for 17 months as a senior collection officer at the NSA’s National Security Operation’s Center, where he was involved in responding to events as they happened across the globe. It was a job he loved, and it softened his curmudgeonly edges.

“I supported Afghan military operations, Iraqi military operations, numerous CSAR (Combat Search and Rescue) missions, downed aircraft, hostage situations, and a myriad of other tasks,” he wrote in SIDtoday. “I helped track Al Qaeda operatives, Taliban members, members of the former Iraqi regime, and aircraft and ships carrying weapons to/from proscribed nations. Sometimes all at once! I was on duty the night we went into Iraq and I went home that night feeling wrung-out, but with a feeling of accomplishment. When I think back on all of the history to which I had a ringside seat during that tour, it’s almost overwhelming!”

Clancy had a different kind of ringside seat throughout his career: He saw the NSA metastasize.

“Corp-speak” Divides the NSA

When Clancy started in the 1970s, the NSA focused primarily on intercepting the pre-digital murmurings of foreign governments and armies. It was, for sure, a secretive organization and engaged in its share of legally dubious spying, but it wasn’t the hyper-controversial behemoth it later became. The advent of the web in the 1990s changed the scope of the NSA’s work. As the world’s communications broadened to the digital sphere, the NSA widened its eavesdropping beyond satellites, phone lines, and telegraph cables to include the new infrastructure for online communications used by governments, non-state actors, and regular people. After 9/11, the NSA took on new duties and resources in a huge rush, engaging in vast eavesdropping activities that, in many cases, again likely violated the law.

By 2013, the most recent year for which statistics are available, thanks to documents leaked by Snowden, the NSA’s budget was $10.8 billion. It had become a massive bureaucracy and adopted the techniques of large corporations, to the chagrin of Clancy and others. You don’t have to take the curmudgeon’s word for it. The archive of documents leaked by Snowden includes a large number of files that extoll a business school approach to managing the NSA, using a type of language that almost seems to parody corporate communications. For instance, one SIDtoday article was titled “The Customer Scorecard,” and here’s its first paragraph:

One of the key initiatives for the Customer Relationships Directorate for 2004 is to update and improve the customer Support Plans (CSPs) for each customer of the Signals Intelligence Directorate (SID). The main element required in making the CSPs better is feedback from the customer. To obtain this feedback, the CRD began a pilot program called the ‘customer scorecard’. This scorecard will be used to determine how the Signals Intelligence Directorate is meeting its customers’ product and service needs.

Intentionally or not, the NSA was draping its life-and-death activities in corporate jargon, offering its staff a layer of semantic insulation that distanced them from the lethal nature of what they were doing. After all, their “customers” are not customers in the usual sense of the term. They are military services, intelligence agencies, the White House, State Department, and other parts of the U.S. government. The “products” of the NSA are, similarly, unlike the products most companies make. They are intelligence reports that include, for instance, electronic surveillance used to locate people for drone assassination and find targets in foreign countries to bomb.

The NSA was draping its life-and-death activities in corporate jargon.

Another SIDtoday document, titled “Making Customer Feedback Work for Everyone,” is a mind-bending exercise in funneling lethal activities through the blender of corporate pablum. “Today,” the document states, “our vision is providing the right information to the right customer at the right time — within their information space — completely focused on our customers’ successful outcomes.” It continues:

Toward that end, we are embracing processes and technology that will make available the intended outcomes of customer Information Needs, customer feedback, observed customer behavior and preferences, outright customer complaints and their resolution across the SIGINT enterprise at the touch of a button. We have been developing the business processes for this technology for the past 18 months and are now ready to prototype the technology that will lead us to trending and analysis of customer feedback and behavior. We expect this to result in improved one-to-one customer relationships that benefit many customers across the board.

Clancy was mystified by language of this sort.

“The lure of the ‘lingo’ is very strong,” he wrote in his last column. “To listen to someone speak ‘Corp-speak’ fluently is like listening to a Bushman speaking a Khoisan ‘click’ language. It’s absolutely fascinating, but, except for some of the hand waving, it’s totally incomprehensible to outsiders! A few months ago I was in a meeting that was attended by a couple of seniors who were not technical people. They were staff or HR types and they spoke ‘Corp-speak.’ One of them did a lot of talking during the hour meeting, but I have no idea what he said. I’m not a stupid person (really!) but I was clueless. I mean, I recognized the words: ‘Leverage,’ ‘paradigm,’ ‘synergy,’ ‘synergistic,’ ‘enterprise,’ ‘extended enterprise,’ ‘teaming,’ ‘corporateness,’ etc., but they didn’t fit together in a way that I understood.”

In response to Clancy’s column, the editors of SIDtoday published nine comments from NSA staffers. The final comment summed up the general reaction. “I laughed and cried,” the comment began. “It became a part of me. But seriously, Clancy hit the nail on the head for me. We spend so much time in this agency talking about unique product, as if it’s the greatest cleanser or whitener to hit the market, that we forget that as a government agency we are not in a ‘for profit’ business. … Our job, first and foremost, is to get intelligence out to the people who need it, period. Words such as ‘actionable’ or slogans like ‘Ahead with SIGINT that counts’ don’t really mean anything.”

The NSA, contacted by The Intercept, declined to comment on the accusations that the agency had become too corporate.

Life After the Agency

Clancy still lives in Maryland and, in his retirement, worked for a while as a dog trainer at PetSmart. He and his wife raise Alaskan klee kais, a smaller version of Siberian huskies. “About two litters each year for the love of our dogs,” he wrote me. “Our dogs are our family.” He has a Facebook page where he posts pictures and videos of their puppies, which are indeed very cute. He occasionally takes them on outings to a local Starbucks.

Some of his Facebook posts are exactly what you’d expect from a self-described curmudgeon. Last year, he posted a graphic that said, “The fact that Jellyfish have survived for 650 million years despite not having brains gives hope to many people.” He also shared a video that began with this notice: “Just because you went to college doesn’t make you smarter than anyone else. … Common sense doesn’t come with a degree.” He even looks a bit like a curmudgeon — bald head, long, gray beard, a few extra pounds at his girth — though in most pictures, he has a broad smile.

His parting with the NSA has the hallmarks of being quietly triumphant. I asked, in one of my emails, whether he was aware that his final SIDtoday article had elicited such a strong and positive response inside the agency. He didn’t reply directly, though he wrote, “I have been approached by current employees who found out who I am and just wanted to shake my hand, so I know that at least some people remember me.”

“I had hoped to encourage the ‘worker bees’ to become more vocal and involved.”

In his grouchy way, was the SIGINT Curmudgeon a whistleblower of some sort? Certainly not in the way of Snowden or Chelsea Manning — they took their critiques to the public by leaking vast amounts of classified documents, hoping that their actions would spur greater awareness of secret government abuses. Clancy was hardly a rebel of that type. Last year, he posted onto his Facebook page a graphic that said, “President Trump is focused on ‘America First’! Democrats are focused on stopping Trump! Think about that.” He also gave a five-star review to a pro-Trump outlet, One America News Network, and shared several posts from the Convention of States, which seeks to hold a constitutional convention that would greatly restrict the powers of the federal government.

These posts raise some interesting questions. In his nostalgia for returning the NSA to its cultural roots, does Clancy think the government should throttle back its post-9/11 spying activity? One of the most controversial aspects of the NSA’s work is that, in its efforts to vacuum up the worldwide communications of foreigners, it also acquires immense quantities of American citizens’ emails, texts, and phone records — what it calls “incidental” collection. Although conservatives tend to support NSA surveillance as an anti-terrorism matter, the scope of the agency’s spying has attracted deep criticism from, among others, libertarian lawmakers like Sen. Rand Paul.

I asked Clancy about this.

“My personal political views had no bearing on my job performance,” he replied. “I am politically conservative and believe governance should be as close to the people as possible. Privacy must be protected but so must our intelligence gathering capability to protect the country.”

His aims were apparently modest: He sought to incite quiet changes from the inside. “I wrote these articles not only to voice my personal concerns (and frustration) about the state of the Agency but to get people talking and thinking,” he told me. “I had hoped to encourage the ‘worker bees’ to become more vocal and involved. Get ideas rolling uphill if possible.”

I asked for a bit of detail about the reforms he wanted to encourage, but he shied away from explaining more. In any event, he doesn’t appear to believe that his curmudgeonly dissent reached the people who matter the most. As he noted in one of his emails to me, “If I influenced Agency seniors in any way, I would be pleasantly surprised.”

Documents

Articles by (and about) Rahe Clancy, the “SIGINT Curmudgeon,” for SIDtoday:

• Opinion Piece: The SIGINT Curmudgeon’s Last Shot! – April 10, 2006
• Letters to the Editor: Views on the ‘Corporatization’ of NSA – April 20, 2006
• The ‘Regruntlement’ of a SIGINT Collector – February 3, 2005
• ‘SIGINT Curmudgeon’ Excited By SCO-FEST – February 1, 2006
• Can You Cut the Mustard as a SCO? — What It Takes – March 27, 2006

Top photo: Rahe Clancy.

The post Before Snowden, an NSA Spy Tried to Incite Change From the Inside. He Called Himself the “Curmudgeon” of Signals Intelligence. appeared first on The Intercept.

In the northernmost place in the United States, Point Barrow, Alaska, a National Security Agency collection site has allowed analysts to observe Russia’s military buildup 24/7, as melting Arctic ice opens a new conflict zone. The NSA has also monitored a dispute between India and Pakistan over access to the Indus River system, which is fed by glaciers high in the Himalayas, now shrinking. And as fisheries are facing increasing pressure from seas whose currents and temperatures have already been altered significantly by climate change, the NSA has listened in on phone conversations and monitored the movement of fishing boats engaged in potentially illegal practices that threaten dwindling stocks.

Previously unreleased documents leaked by former NSA contractor Edward Snowden show how the agency has gathered intelligence meant to support U.S. interests related to environmental disasters, conflicts, and resources. In the coming years, greenhouse gas pollution caused by the burning of fossil fuels will increase the frequency of ecological crises and conflicts over natural resources. The documents provide a window into the role the United States’s most sprawling international surveillance agency will play in an altered world.

The documents show that although the NSA’s interest in environmental issues is limited, it’s wide-reaching and has grown over the years. Unsurprisingly, the agency is driven not by an imperative to avoid climate-induced ecological crises, but by a need to respond to such crises as they threaten U.S. political and economic interests or explode into violent clashes.

According to the documents, the NSA targets its surveillance at disputes over natural resources, from the dwindling fisheries of the South China Sea to the newly opened shipping channels of the Arctic. It also plays a role in monitoring natural disasters, including by gathering intelligence after an earthquake and tsunami struck Japan in 2011. Documents previously reported on show the agency routinely surveils climate talks, giving U.S. negotiators an edge as they avoid committing to the dramatic emissions reductions necessary to avoid the most dire potential effects of climate change. Intelligence is shared not only with diplomats and emergency responders but also with officials from agencies like the Environmental Protection Agency and the Interior Department.

The NSA’s eco-spying coincided with repeated findings within the intelligence community that environmental concerns had national security implications. The military has long recognized climate change as a major threat, and over the years, the Defense Department has framed it as a “threat multiplier,” enflaming conflicts by adding to the mix issues like drought, loss of access to drinking water or irrigation, rising sea levels, migration and die-offs of wild game, wildfires, catastrophic storms, and the human displacement that comes with all such issues. A previously published NSA document, dated May 14, 2007, quoted then-Under Secretary of Defense for Intelligence James Clapper at an internal NSA conference saying, “Increasingly, the environment is becoming an adversary for us. And I believe that the capabilities and assets of the Intelligence Community are going to be brought to bear increasingly in assessing the environment as an adversary.”

The U.S. intelligence community’s Worldwide Threat Assessment, released in February 2018, dedicates a section to the issue of climate change. “The impacts of the long-term trends toward a warming climate, more air pollution, biodiversity loss, and water scarcity are likely to fuel economic and social discontent—and possibly upheaval—through 2018,” the assessment said.

But under President Donald Trump, security officials have sometimes avoided talking about climate change. Neither the Defense Department’s 2018 defense strategy nor the president’s national security strategy highlight the issue as a security threat. Nonetheless, Trump’s military, intelligence, and border agencies are responding to issues whose links to climate change may not be outwardly apparent — from the war in Syria, which has been linked to an earlier drought; to the hurricanes that ravaged Houston and Puerto Rico; to emigration from Central America, where a prolonged period without rain in recent years made agriculture in the region’s Dry Corridor extremely difficult. The documents hint at, but do not fully capture, the potentially vast role of the surveillance state in a climate-changed world.

The NSA declined to comment.

A Chinese Maritime Police Bureau ship uses water canons to harass a Vietnamese Fisheries Surveillance Force vessel near the disputed Paracel Islands on May 27, 2014, while at sea.

Monitoring the Movements of Chinese Fishing Vessels

One particularly vexing environmental challenge for the NSA was the tracking of Chinese commercial fishing boats, which routinely became electronic phantoms, believed to be hundreds or thousands of miles from where they actually were. This was due to a combination of strange errors occurring at hemispheric boundaries in addition to an intricate system of intentional misinformation adopted by the Chinese, according to a 2012 article in SIDtoday, the internal news site of the NSA’s Signals Intelligence Directorate. The boats “are often involved in [Exclusive Economic Zone] incursions and illegal fishing activities,” the document stated.

Indeed, in the South China Sea, a fight over fishing has become a proxy for a broader power struggle among the nations located along its banks. China has laid claim to a wide swath of the sea. Waters it claims as its own overlap with maritime territories claimed by other nations under the U.N.’s system of exclusive economic zones, or EEZs. The territorial conflicts are often framed as being about oil, but perhaps just as important is the sea life that represents a key part of several nations’ economies and diets.

The fisheries of the South China Sea are declining — and are on the brink of collapse, according to scientists. Stocks have shrunk by 70 to 90 percent since the 1950s, largely due to overfishing. This has further incentivized nations that surround the sea to go to battle over the disputed territories. Regulating fishing has become impossible, since accepting another nation’s fishing laws would be accepting its jurisdiction over the territory. Fishermen who can no longer access areas dominated by the Chinese, in nations like the Philippines — a U.S. ally — have increasingly turned to illegal fishing methods. And occasionally, disputes over fishing have exploded into military standoffs.

“Disputes over fishing rights are increasingly becoming flash points for international incidents.”

“As maritime resources are stressed by increased fishing pressures, disputes over fishing rights and violations of EEZ are a growing concern and are increasingly becoming flash points for international incidents,” the SIDtoday article, dated June 27, 2012, said. “Monitoring of the locations and activities of foreign fishing fleets is an important mission of the United States Coast Guard, many of our Second Party partners, as well as being an item of concern for the US State Department.”

Most large maritime vessels use what’s known as the automatic identification system, which lets other ships in the area know where and who they are. “Naturally, it wasn’t surprising to hear our customers’ concerns when a large number of Chinese fishing vessels were observed broadcasting their position 1,000 miles from where they actually were,” the article stated. “Not only did this pose a threat to the safety of navigation for ships operating in proximity to these fishing vessels, it also complicated the monitoring of the EEZ for the United States and our Second Party partners. A combined effort between NSA Colorado and Second Party partners surged on this problem.”

One of the problem’s causes seemed to be accidental — the Chinese boats’ coordinates “would appear to ‘bounce or reflect’ off the equator and the international dateline as the ships continued east or south,” the article said.

So, for example, a boat located on the Pacific coast of South America would appear to be in northern India. Alerted to the problem, China corrected it in 2011, according to the document.

A second problem “was not an error but an intentional ‘misuse’ of the AIS messaging protocol to produce a different (home-grown) coordinate system,” the document said. At least 18 Chinese ships were found to be using an alternative definition of the latitude and longitude system, which threw off their coordinates for everyone else using the standard system. The result: While the Chinese knew where their ships were, neighboring boats did not. “The underlying reason for why the PRC has opted to use this alternate coordinate system for some of their fishing vessels is still unknown,” the article said.

Eavesdropping on Phone Calls to Stop a Stateless Fishing Boat

The NSA has also been involved in policing banned fishing practices used by stateless ships. High seas drift-net fishing involves attaching buoys to the top of a miles-long net that descends into the depths of the ocean. The net is sometimes attached to a ship, but other times is left to float, passively collecting any marine life that comes by, including fish or whales that are not of any commercial interest to the fishermen. The net works by entangling the gills of fish in its fine mesh. The nets are often made of nylon and put in place at night, so that they become invisible to sea life.

Another SIDtoday article, written by a technical director at NSA Hawaii and dated October 16, 2012, indicates the NSA works with the U.S. Coast Guard in chasing down fishing boats that use the destructive fishing method. In September 2011, the Coast Guard caught a large fishing vessel using drift nets 2,600 miles south of Kodiak, Alaska, but the boat’s partner vessel escaped. Seven months later, the NSA picked up a signal from a satellite phone associated with the boat. “It was time to take action,” the document stated.

“An NSA Hawaii linguist listened in on the fishing vessel’s communications for any signs that the crew would resist a boarding operation by the Coast Guard,” the article said. A packet of intel related to the chase was provided by Hawaii analysts to the Coast Guard’s Maritime Intelligence Fusion Center twice a week.

Finally, on July 27, 2012, 700 nautical miles east of Yokosuka, Japan, the Coast Guard boarded the fishing vessel. “The vessel’s crew consisted of 26 Chinese and one Taiwanese, and the vessel claimed to be Indonesian flagged, but after contacting Indonesia the vessel was determined to be stateless,” the document said.

It continued, “While on board the Da Cheng, the boarding team discovered 10 NM of driftnet, 500 kilograms of shark fins, over five tons of shark carcasses, and 30 tons of tuna.” The vessel was turned over to the Chinese Bureau of Fisheries for further investigation.

During a Dam Dispute in India and Pakistan, the NSA Was Watching

It’s not just oceans and seas that the NSA keeps an eye on for aquatic disputes. One of South Asia’s most important sources of water is the Indus River system, which is fed by glacial water high in the Himalayas. One recent study projected that at least a third of Asia’s mountain glaciers will melt away by the end of the century, potentially destabilizing water sources. Changing monsoon patterns will exacerbate the situation.

Access to water has long been a point of tension between India and Pakistan, and disputes are perennial over access to the tributaries, which were divided between the two nations under the Indus Waters Treaty. In the mid-2000s, India’s Baglihar Dam project was a key point of contention. Pakistan claimed it could deprive the nation of water that should be designated for its agricultural sector, which in some areas of the country relies almost exclusively on the Indus system.

The NSA was listening in.

The NSA spied on nongovernmental entities in order to access intel on water conflicts.

A SIDtoday article published March 22, 2006, on World Water Day, noted, “NSA reporting has followed the ongoing tensions surrounding the India-Pakistan Indus Water Treaty and construction of Baglihar Dam, providing our customers with unique information as they monitor this volatile region.”

In fact, the agency had its eye on a number of riparian disputes and predicted a future of increasing water scarcity and conflict. “As competition for water grows among the Nile Basin countries in Africa, analysts continue to report on contentious water extraction projects that could potentially lead to conflict in this area,” wrote the author, an NSA liaison on “economics and global issues.”

The document indicates that the NSA spied on an array of both governmental and nongovernmental entities in order to access intel on water conflicts, stating, “NSA’s broad access to government officials, multilateral organizations, and NGOs has yielded unique perspectives on water availability for internally-displaced persons (IDPs) in Sudan, flooding in Afghanistan, and contaminated water sources in Baghdad.”

And this “broad access” predicted a future where such collection could be increasingly important. “While the world’s population tripled in the 20th century, the use of water resources has grown six-fold. At this rate, more than 2.7 billion people will face severe water shortages by the year 2025 and another 2.5 billion will live in areas where it will be difficult to find sufficient fresh water,” the document said. Signals intelligence “has provided critical insight on issues ranging from inter-state water disputes and food security, to economics and technology sharing, health infrastructure, and natural disasters.”

Barneo expedition drift ice camp in the Arctic, on April 13, 2016.

In the Arctic, a 24/7 Watch on the Russians

In response to climate change, the NSA has increased its northernmost surveillance, an internal document indicates. This past winter, ice cover in the Arctic was the second lowest it’s ever been, after the year before. Sea ice in the summers has shrunk by about 40 percent since the 1980s, and what’s left is much thinner. A 2018 study led by researchers with the federal National Oceanic and Atmospheric Administration shows that it would be nearly impossible for temperatures in the Arctic to rise as high as they have without the impact of greenhouse gases.

The result is that new shipping lanes have opened up at the top of the globe. Areas once impassible have become accessible for the transport of goods, movement of military vessels, and exploration of fossil fuels. A 2009 assessment indicated that the Arctic potentially contains 13 percent of the undiscovered oil left in the world, and 30 percent of the remaining natural gas. In response, Russia has built up its military presence dramatically.

Special bases will “be a vital part of NSA’s efforts against the emerging Arctic Intelligence problem.”

Ice melt in the Arctic and increasing competition for hydrocarbons and minerals has forced the U.S. to make the Arctic a higher priority, an NSA technical director at the Alaska Mission Operations Center acknowledged in a SIDtoday article dated November 29, 2011.

For the NSA, Russia’s plans for two new Arctic army brigades and new icebreaker boats were of particular concern. “These plans, along with an increasing Chinese presence and expressed interest in the Arctic, pose a significant intelligence challenge to the United States, Canada, and the other Arctic countries,” the document said.

The NSA “maintains a 24/7 watch over Russian military air activity in the Arctic,” the document added. Using various collection techniques, including intercepts of shortwave radio and foreign satellite transmissions, the NSA monitored for Russian bombers and watched for Russian resupply flights to its Barneo ice station, near the North Pole.

The NSA’s Arctic operation was centered at the time at the Alaska Missions Operations Center on Joint Base Elmendorf-Richardson in Anchorage, but the agency also had a “remote intercept facility” at Point Barrow, Alaska.

The facility, housed at the Air Force’s Long Range Radar Site, included an antenna array, an FRD-13 Pusher — a massive circular antenna, nicknamed an “elephant cage,” used to intercept radio communications — and a Sensitive Compartmented Information Facility, containing collection equipment. Two personnel were stationed at all times at Point Barrow.

“The facility at Barrow is moving into the future of NSA operations,” the document said, noting that there would soon be upgrades to the Barrow facility, including a wideband radio collection system known as “GLAIVE.”

“The AMOC is uniquely positioned to continue to be a vital part of NSA’s efforts against the emerging Arctic Intelligence problem,” it said.

People visit Tiananmen Square, which is shrouded with heavy smog, on Jan. 16, 2014, in Beijing.

Climate Change a Growing Priority for the NSA

Previously unreleased documents indicate that climate change increasingly became a topic of interest in the mid-2000s and early 2010s. Climate change is mentioned repeatedly in reports describing the NSA’s priority issues. A secret NSA report describing geopolitical trends for 2011 to 2016, for example, ranked climate change as No. 31 out of 34 priorities (No. 1 was “global energy security”).

To bring analysts up to date on this increasingly urgent issue, the NSA offered various learning opportunities. For example, in advance of the U.N.’s Cancún, Mexico, climate talks in 2010, approximately 50 analysts attended an entire “Climate Change Day,” according to SIDtoday. And in the summer of 2006, the agency held a seminar on the causes and effects of climate change titled “Fire and Ice.” A description says, “Climate change (most likely as a result of global warming) is expected to accelerate at an unprecedented rate over the coming decades and has already been linked to drought and related famine, shifts in precipitation, and the loss of fresh water resources. Extreme weather patterns are a growing threat.” It adds, “Alternative viewpoints will also be addressed.”

More than a decade later, the intelligence community appears less concerned about the validity of alternative viewpoints. The intelligence community’s publicly released 2018 Worldwide Threat Assessment notes, “The past 115 years have been the warmest period in the history of modern civilization, and the past few years have been the warmest years on record. Extreme weather events in a warmer world have the potential for greater impacts and can compound with other drivers to raise the risk of humanitarian disasters, conflict, water and food shortages, population migration, labor shortfalls, price shocks, and power outages. Research has not identified indicators of tipping points in climate-linked earth systems, suggesting a possibility of abrupt climate change.”

It underlines that bad air pollution may drive protests in China, India, and Iran. Water scarcity will drive conflicts related to the construction of dams and will complicate agreements around the use of river water. And accelerating biodiversity loss caused by pollution, warming, unsustainable fishing, and acidifying oceans “will jeopardize vital ecosystems that support critical human systems.”

Top photo: Fishing boats set sail from a harbor to catch fish in the South China Sea on Aug. 16, 2017, in Sanya, Hainan Province, China.

The post The NSA’s Role in a Climate-Changed World: Spying on Nonprofits, Fishing Boats, and the North Pole appeared first on The Intercept.

A virtual private network, or VPN, uses an encrypted connection to enable users to go over the internet and connect to a private network, such as a corporate intranet. This allows an organization’s staff to access internal services like file-sharing servers or private wikis without having to physically be in the office.

The NSA’s ability to crack into sensitive VPNs belonging to large organizations, all the way back in 2006, raises broader questions about the security of such networks. Many consumers pay for access to VPNs in order to mask the origin of their internet traffic from the sites they visit, hide their surfing habits from their internet service providers, and to protect against eavesdroppers on public Wi-Fi networks.

The fact that the NSA spied on Al Jazeera’s communications was reported by the German newsmagazine Der Spiegel in 2013, but that reporting did not mention that the spying was accomplished through the NSA’s compromise of Al Jazeera’s VPN. During the Bush administration, high-ranking U.S. officials criticized Al Jazeera, accusing the Qatar-based news organization of having an anti-American bias, including because it broadcasted taped messages from Osama bin Laden.

“Both protocols offer a zillion configurable options, which is a source of a lot of the vulnerabilities.”

At the time, Al Jazeera defended itself against this criticism, insisting that its reporting was objective. “Osama bin Laden, like it or not, is a party to this present crisis,” news editor Ahmed Al Sheikh told the BBC in 2001. “If we said that we were not going to allow him the air time, then we would have lost our integrity and objectivity and our coverage of the story would have become unbalanced.”

According to the document, contained in the cache of materials provided by NSA whistleblower Edward Snowden, the NSA also compromised VPNs used by airline reservation systems Iran Air, “Paraguayan SABRE,” Russian airline Aeroflot, and “Russian Galileo.” Sabre and Galileo are both privately operated, centralized computer systems that facilitate travel transactions like booking airline tickets. Collectively, they are used by hundreds of airlines around the world.

In Iraq, the NSA compromised VPNs at the Ministries of Defense and the Interior; the Ministry of Defense had been established by the U.S. in 2004 after the prior iteration was dissolved. Exploitation against the ministries’ VPNs appears to have occurred at roughly the same time as a broader “all-out campaign to penetrate Iraqi networks,” described by an NSA staffer in 2005.

“Although VPNs pose special challenges for SIGINT (signals intelligence) collection and processing, we’ve recently had notable success in exploiting these communications,” wrote the author of the document, an article for the internal NSA news site SIDtoday. The author added that the NSA’s Network Analysis Center had been focusing on “VPN SIGINT Development (SIGDev) for over three years now, and the investment is paying off!” The article does not say what VPN technology any of the targets used, nor does it give any technical details on how the NSA broke the encryption on them.

The technical details that describe how the NSA exploits VPNs are a closely-guarded secret, according to another SIDtoday article, from December 2006. “Exploiting VPNs makes use of some of the newest state-of-the-art techniques,” the article stated, “and because of this, the exploitation details are held closely and generally not available to field sites.” The author went on to describe a tool called VIVIDDREAM that lets analysts who discover new VPNs test whether the NSA has the capability to exploit it, all without revealing to the analyst any sensitive information about how the exploit works.

Documents provided to news organizations by Snowden do not conclusively list which VPN technologies have been compromised by the NSA and which have not. However, there have been a number of news reports about the NSA’s VPN hacking capabilities based on these documents, and cryptographers who have reviewed them have come up with some educated guesses.

In 2014, The Intercept reported on the NSA’s plans, dated August 2009, to use an automated system called TURBINE to covertly infect millions of computers with malware. The revelations described a piece of NSA malware called HAMMERSTEIN, installed on routers that VPN traffic traverses. The malware was able to forward VPN traffic that uses the IPSec protocol back to the NSA to decrypt. However, the documents did not explain precisely how the decryption occurred.

Later that year, Der Spiegel published 17 documents from the Snowden archive related to the NSA’s attacks against VPNs, many of them providing more details about TURBINE, HAMMERSTEIN, and related programs.

There are many different VPN protocols in use, some of them known to be less secure than others, and each can be configured in ways to make them more or less secure. One, Point-to-Point Tunneling Protocol, “is old and insecure and there are a bunch of known security vulnerabilities since forever,” Nadia Heninger, cryptography researcher at the University of Pennsylvania, told me in an email. “I would not at all be shocked if these were being exploited in the wild.”

The NSA also appears to have, at least in some situations, broken the security of another VPN protocol, Internet Protocol Security, or IPSec, according to the Snowden documents published by The Intercept and Der Spiegel in 2014.

“For both TLS and IPsec, there are both secure and insecure ways of configuring these protocols, so they can’t really be labeled as blanket ‘secure’ or ‘insecure,’” Heninger explained. “Both protocols offer a zillion configurable options, which is a source of a lot of the published protocol-level vulnerabilities, and there are cipher suites and parameter choices for both protocols that are definitely known to be cryptographically vulnerable.” Still, she was “pretty confident” that there are ways to configure TLS and IPsec that “should resist all known attacks.”

Another possibility is that the NSA figured out how to break the encryption on VPNs without even using cryptography. “I should also note that we’ve seen a lot of hardcoded credentials and other software vulnerabilities get found in various VPN implementations, which would enable a bunch of boring noncryptographic attacks like just running a script on an end host to exfiltrate login credentials or other data as desired. This is the kind of thing that most of the Shadow Brokers tools were actually doing,” Heninger said, referring to the cache of post-Snowden NSA exploits and hacking tools that were published on the internet in 2016 and 2017.

In 2015, Heninger and a team of 13 other cryptographers published a paper, titled “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” that revealed major weaknesses in the security of several of the internet’s most popular protocols. Their paper described a new attack called Logjam and concluded that it was within the resources of a nation-state to use this attack to compromise 66 percent of all IPSec VPNs. “A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break,” the authors speculated.

The NSA declined to comment for this story.

Top photo: A Qatari employee of Al Jazeera Arabic language TV news channel walks past the logo of Al Jazeera in Doha, Qatar in Nov. 1, 2006.

The post NSA Cracked Open Encrypted Networks of Russian Airlines, Al Jazeera, and Other “High Potential” Targets appeared first on The Intercept.

After arriving in Baghdad “grungy and tired,” the staffer would later write, he discovered that the CIA and its partner, the Defense Intelligence Agency, had moved beyond talking to locals and were now intent on looking through their computer files. Marines would bring the NSA man “laptops, hard drives, CDs, phones and radios.” Sometimes the devices were covered in blood — and quite often they contained pornography, deemed “extremely useful” in humiliating and “breaking down” for interrogation the people who owned them.

The story of how the National Security Agency harvested porn for use against prisoners in Iraq is just one of the revelations disclosed in the agency’s internal newsletter SIDtoday during the second half of 2005.

There’s also the tale of how some intercepts would be rushed almost instantly to the president at Camp David via golf cart “with virtually no oversight.”

Then there’s one about how the NSA declared it could find “not many” Arabic translators it could trust among “the largest Arabic-speaking population in the United States.”

Or the story of how the agency listened as the Egyptian government dictated through its communication channels the final results for an election that had barely begun.

Told in more detail below, these are highlights from some 297 SIDtoday articles published today by The Intercept as part of an ongoing project to release, after careful review, material provided by whistleblower Edward Snowden.

From the same SIDtoday release — our sixth thus far — we are publishing three other articles. One is an investigation into a secretive global intelligence-sharing alliance led by the NSA, comprising 18 members and known as the SIGINT Seniors. Another looks at increased surveillance in the United Kingdom following the London bombings in 2005 — and discloses for the first time a secret agreement to share metadata harvested from the vast data repositories of the NSA and its counterparts in the U.K., Canada, Australia, and New Zealand.

Also today, in collaboration with the Norwegian Broadcaster NRK, we shine light on a large spy base located outside Oslo. The base was built with the NSA’s help to aid Norway’s military and counterterrorism operations overseas. But it has also swept up Norwegian citizens’ phone and email records – and is now at the center of a dispute over illegal surveillance.

The NSA declined to comment for this article.

Porn Recovered by NSA Used to “Break Down Detainees” in Iraq

An NSA staffer deployed to Iraq led a counterterrorism and counterintelligence mission involving forensic investigations on computers seized in raids. The staffer’s “Media Exploitation” team found pornographic videos and photos alongside thousands of audio files of the Quran and sermons, and recruitment and training CDs with video of bombings, torture, and beheadings. The team “jokingly” referred to the content as the “three big ‘P’s – porn, propaganda and prayer.”

Reports and files were distributed to the NSA and other intelligence agencies; the staffer was detailed to the Iraq Survey Group, a joint venture between the CIA and the Defense Intelligence Agency to find weapons of mass destruction and disrupt terrorist activities. But among the customers of the material gathered by the NSA staffer were the military units interrogating captured insurgents and suspects. Special Forces interrogators found the pornography “extremely useful in breaking down detainees who maintained that they were devout Muslims, but had porn on their computers,” according to an account by the NSA staffer in SIDtoday. (The account makes no acknowledgment of the human rights abuses by staff at Abu Ghraib prison in Baghdad, which were in the news starting in April 2004, nearly four months before the account was published, and which were, at the time, still under investigation.)

As the conflict with insurgents escalated in Fallujah into Operation Phantom Fury/Al Fajr, NSA staff with “top-secret” clearances were deployed to the combat zone. Marines gave the NSA staff seized computers, CDs, phones, and radios directly from the battlefield, some “covered in blood.” This material, too, was used in interrogations that helped keep the “bad guys” behind bars. No “smoking WMD” evidence was found, according to the SIDtoday account.

A former interrogator at the U.S. detention center at Guantánamo Bay, Cuba, has said, in a statement obtained by the New Yorker, that pornography was used at the facility to reward some detainees and as a tool against others, who were forced to look at the material. The Associated Press has also reported on the use of pornography at Guantánamo as an inducement.

The intelligence community has also used seized pornography as a form of propaganda. In November 2017, the CIA released files recovered from the fatal raid of Osama bin Laden’s hideaway in Abbottabad, Pakistan “in an effort to further enhance public understanding of al-Qa’ida.” The agency noted that the overall trove recovered from the compound contained pornography that it was not releasing with the other files. The discovery of pornography on bin Laden’s computers in 2011 was leaked to the media within days of the raid, and a New York Times story focused on the porn reported that the adult material “will be welcomed by counterterrorism officials because it could tarnish his legacy and erode the appeal of his brand of religious extremism.”

Evidence of Election Fraud in Egypt

The NSA used signals intelligence to uncover apparent fraud in a referendum on how Egypt’s presidential elections would be run.

Rules supported by Egyptian President Hosni Mubarak would allow direct election of the president, abolishing the old system, in which the parliament forwarded a single candidate to voters for approval. But the rules also imposed major barriers to appearing on the ballot, including a requirement that independent candidates win support from 65 of 444 members of parliament and that other candidates come from a party with at least 5 percent representation in parliament — which at the time no opposition party held. These requirements engendered significant opposition, including a call to boycott the referendum.

The agency apparently intercepted government communications early on election day, instructing underlings to report a “yes” vote of about 80 percent and turnout of 40 to 50 percent. Official results then showed a “yes” vote of 83 percent and turnout of 54 percent, “pretty much in line with the instructions. Most foreign observers on the scene described actual voter turnout as very light, nowhere near 50 percent,” SIDtoday reported.

The referendum was followed by Egypt’s historic first multi-candidate presidential election, on September 7, 2005. Although the winner, Mubarak, was a “foregone conclusion,” there was “much interest” about whether this vote count would be honest. With only 23 percent voter turnout, Mubarak won 88.6 percent of the vote. The NSA’s analysis? “SIGINT provided good evidence that there was no massive fraud in the vote count,” according to the same “senior reporter/subject matter expert” who described the suspicious referendum. “Local vote totals reported on the day of the election by Egyptian authorities conformed closely to the final results.” Also, the runner-up, Ayman Nour, with 7.6 percent of votes, was a surprise to “top Egyptian officials” who had wanted a different candidate to come in second, the NSA staffer added. The opposition claimed there were irregularities, but Egypt’s electoral commission was satisfied with the process.

Just three months after the election, surprise favorite Nour was jailed on charges of election fraud and imprisoned for the next five years.

NSA Trusts Few Arabic-Speaking Americans It Finds at Detroit Job Fair

As the NSA swept up Arabic communications from Iraq and other hotspots in the “global war on terror,” it found its translation capabilities severely lacking. “This shortcoming must be rectified,” an NSA senior language authority wrote in 2004.  In September 2005, the agency convened a “career invitational” in Detroit, hoping to draw on the high proportion of Arabic-speaking residents in the area and recruit them as linguists for a language center on nearby Selfridge Army National Guard Base.

But the invitational “may not yield many hires” due to unspecified agency concerns about the candidates, an NSA assistant deputy directory wrote in SIDtoday. After gathering 750 resumes, the NSA homed in on 145 potential candidates through “preliminary processing,” and of these, at least 43 passed two placement exams. These finalists were subjected to “special source checks”; other documents throughout the Snowden archive use the phrase “special source” in connection with surveillance operations, including by the agency’s Special Source Operations unit, which at one point was said to be responsible for 80 percent of NSA collection, including its notorious PRISM program — implying that signals intelligence may have been used to vet the candidates. The “special source checks” caused eight individuals to be removed from the applicant pool and led to plans for “significant and lengthy investigation[s]” into at least some of the remaining candidates — investigations that “may not sufficiently resolve the identified issues,” SIDtoday noted. Although the language center on the Selfridge base could accommodate 85 linguists across four daily shifts, the assistant deputy director made clear that filling the seats was far from imminent and wrote, “We will continue to review other sites” to fill the need for linguists.

The NSA’s aggressive probing of Americans of Middle Eastern descent was not confined to job applicants or to Detroit; earlier Intercept reporting on documents supplied by Snowden revealed that the agency used the Foreign Intelligence Surveillance Act to monitor the communications of prominent Muslim-American community leaders and politicians. Internally, the intelligence community continues to lag in employee diversity, with a 2015 report from the Office of the Director of National Intelligence showing that racial and ethnic minorities comprise less than a quarter of the agencies’ staff.

“Smoking Gun Evidence” Against Yasser Arafat

In the course of arguing for more new hires, the deputy chief of the NSA’s Middle East and North Africa line told an interviewer in SIDtoday that intelligence provided by the unit had “shaped history.” One way this occurred was through “golf cart reporting.” During the 2000 peace talks between the Israelis and Palestinians at Camp David, the NSA intercepted communications on the stances of participating diplomats in “near real-time,” the deputy chief said, and would “stamp ‘draft’ on it and fax it to a CIA liaison officer up in Thurmont, Maryland who in his own golf cart would race across the grounds to give it directly to the President or Secretary of State. Imagine the thrill and the responsibility of providing — with virtually no oversight — intelligence going directly to the President!”

U.S. negotiators would know the Israeli and Palestinians’ positions prior to the teams’ arrival.

The deputy chief further credits his unit’s reporting as the basis for the U.S.’s refusal to negotiate with Palestinian Liberation Organization leader Yasser Arafat, stating the division “had smoking-gun evidence that Arafat was still supporting terrorism.” It’s unclear to which precise chapter of Middle East peace talks this claim refers, but President George W. Bush formally refused to accept Arafat as a negotiation partner in 2002, amid speculation that the Palestinian leader was implicated in the 2000 outbreak of the second Intifada.

The Camp David talks were hardly the first instance of NSA diplomatic spying, a key activity for the agency. Previously published documents have shown the agency spying on heads of state, U.N. headquarters, and representatives to a climate change summit.

Czech Partnership

In 2006, then-U.S. Ambassador William J. Cabaniss was worried and unburdened himself to Czech Prime Minister Mirek Topolánek, saying he hoped intelligence-sharing between the two nations would not be adversely affected by structural changes in how Czech intelligence was managed. Topolánek assured the ambassador that things would be fine, despite a transition of a key spy agency to parliamentary control. As described in a State Department cable published by WikiLeaks, “the Prime Minister said that UZSI, the foreign intelligence branch, ‘has been effective and we don’t want to change that.’”

U.S. concern over changes at UZSI was understandable, as at least one element of the American intelligence community had spent the prior year gushing over the benefits of newly secured access to UZSI intel. The NSA, as previously reported, was essentially let inside UZSI’s “SIGINT vault” in early 2005. By late 2005, the U.S. and Czech Republic appeared to have officially solidified their “Third Party” signals intelligence-sharing partnership and UZSI, over the course of at least three visits in six months, presented their American counterparts with a slew of information, largely about Russian government and business interests according to two articles in SIDtoday. These files included information about the communications of Russian and Belarusian arms dealers, banking networks, and counterintelligence targets. They also gave the Americans a program designed to identify Russian words in voice communications. “Our ability to jointly produce valuable SIGINT while enjoying each other’s company and learning about our cultural differences may indeed make this the start of a beautiful friendship,” wrote a staffer from the central European branch of the NSA’s foreign affairs directorate.

(One of the SIDtoday articles alleged that the Belarus company, BELTECHEXPORT, was involved in weapons proliferation. The U.S. State Department in 2011 imposed, but in 2013 lifted, sanctions against the company for weapons proliferation.)

Anti-Imperialist Camp

A previous SIDtoday release noted the NSA’s interest in a European leftist group called the Anti-Imperialist Camp. The NSA had accused the group of toeing a line between “legitimate political activity” and abetting terrorism. In a later SIDtoday article, titled “Terrorism or Political Action? The Anti-Imperialist Camp Crosses the Line,” a member of the NSA’s “indigenous European terrorism branch” describes the AIC as a “duplicitous organization” and touts the NSA’s interception of Anti-Imperialist Camp’s communications as a pathway into “[an] expansive network of extremists and terrorists.” The article alleged that the organization maintained contacts with such individuals, and said that “insights into [this] expansive network” led to the identification of “a Jordanian extremist with extensive links to other extremists,” “a new organization that calls itself the Resistant Arab People’s Alliance,” and several other individuals and groups.

Longtime Anti-Imperialist Camp member and spokesperson Wilhelm Langthaler told The Intercept that he could not “identify one single activity, participant, or interlocutor” from this list of what SIDtoday strongly implied were contacts of the group.

The SIDtoday article further stated that the U.S. government had “recent[ly],” as of August 2005, approached the Italian government and “demanded the arrest of individuals involved with the Italian wing of the AIC.” Several individuals associated with the AIC had been arrested in April 2004 as part of a multinational effort against the Turkish militant organization, DHKP-C. The three AIC members, initially charged with conspiracy or “subversive association” with an alleged member of the terrorist group, were released and ultimately absolved of all charges in September 2010. In her decision, Judge Beatrice Cristiani observed that if the AIC did indeed help the DHPK-C, it was because they intended to assist “a dissident and not a terrorist” —essentially verifying the group’s legitimate political intent, which the NSA so adamantly decried.

Breakthrough in Cellphone Tracking

NSA analysts can often identify and track particular mobile phones by monitoring cellular networks for 15-digit handset identifiers called the International Mobile Subscriber Identities. Events on the network, like making a call, receiving an SMS text message, or connecting to a new cell tower, are normally tagged with such numbers.

But starting in the 1990s, NSA analysts had struggled whenever cellular networks implemented Temporary Mobile Subscriber Identities (TMSIs), according to a July 2005 SIDtoday article. “TMSIs obscure the true identities of the cellular subscribers being referenced in call records, location events, and SMS,” the author wrote, because “TMSIs can change every few hours or even with every phone call.” And, to make matters worse, two cellular networks in Iraq had just implemented TMSIs, obscuring the NSA’s collection efforts there.

The ASSOCIATION program solved this problem. With advances in metadata collection, processing, and storage, the NSA discovered that it could use individual metadata records to work backward from a TMSI to obtain the original IMSI and thus, associate cellphone events with the exact phone that made them.

Early on, Skype Posed Challenges

At the end of 2005, the NSA faced serious new challenges in spying on Skype calls. At the time, Skype was a 2-year-old service that was growing in popularity. “At this time, SIGINT targets have a method to freely obscure their communications on the global Internet,” an analyst wrote in SIDtoday, “thus hindering our ability to collect vital communications intelligence.”

Unlike traditional phone calls, anyone with internet access anywhere in the world could make a free, anonymous Skype account, identified only by a username. And unlike the phone network, in which calls get routed through (and eavesdropped on) at central offices, Skype calls were peer-to-peer, making central eavesdropping impossible. On top of all this, Skype calls were also encrypted, and the NSA did not yet know how to decrypt them.

A reader wrote a letter to the editor pointing out that internet calling systems like Skype also complicate the NSA’s ability to comply with USSID-18, an NSA policy through which the agency attempts to not spy on Americans. “Anyone with any brains” will register a U.S. phone number for their account, they wrote, even though this phone number can be used from anywhere in the world.

The NSA’s troubles with spying on Skype calls were eventually resolved. New York Times reporting, based on Snowden documents, revealed that in 2008, Skype “began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials.”

Blast from the Past

“Social networking is truly the wave of the future,” Eric Mesa, a young software engineer at the NSA wrote in a December 2005 letter to the editor of SIDtoday. “A lot of you may not know this, but college students (of which I finally ceased to be in May 2005) have been voluntarily assembling their own social networks online!”

He went on to describe a service “known as The Facebook” and explained how it worked, including that “through the link ‘visualize my social network’ they can see a diagram similar to the ones we use to map terrorist networks.”

Top photo: U.S. Marines escort nine detainees captured in Fallujah, half of them from other countries such as Yemen, Saudi Arabia, and Gulf states, to a local “prison” as other U.S. Marines of the 1st Battalion 3rd Marines, Alpha company engage four insurgents during house searches on Nov. 23, 2004 in Fallujah, Iraq.

The post NSA Used Porn to “Break Down Detainees” in Iraq — and Other Revelations From 297 Snowden Documents appeared first on The Intercept.

In partnership with NRK

Behind an abandoned military facility 40 miles northwest of Oslo, Norway built a surveillance base in close collaboration with the National Security Agency. Its bright, white satellite dishes, some of them 60 feet in diameter, stand out against the backdrop of pine-covered hills and red-roofed buildings that scatter the area.

Classified documents describe the facility as “state-of-the-art,” with capabilities “previously not released outside of NSA.” Despite a hefty price tag of more than $33 million paid by Norwegian taxpayers, the Norwegian Intelligence Service has kept the operations at the site beyond public scrutiny.

The station, code-named VICTORY GARDEN, was ostensibly built to support Norwegian troops serving overseas and to combat terrorism. But its dragnet has also secretly captured records of phone calls and emails transmitted between law-abiding Norwegians and their friends, families, or colleagues in foreign countries, an investigation by The Intercept and the Norwegian Broadcasting Corporation, known as NRK, has found.

In 2014, the data collection at the base was central to a behind-closed-doors dispute between the Norwegian Intelligence Service and the oversight committee that monitors the conduct of the country’s spy agencies, according to sources with knowledge of the incident. The intelligence service argued that the surveillance was lawful and necessary. But the committee disagreed and claimed that the storing and searching of Norwegians’ communication records was legally dubious. The disagreement remains unresolved; meanwhile, the surveillance appears to have continued unabated.

The cooperation between the Norwegian Intelligence Service and the NSA began officially in the early 1950s, when Norway and the United States signed an agreement called NORUSA. Due to its geographical proximity to the Soviet Union and its submarine bases on the Kola Peninsula, Norway was uniquely positioned to provide intelligence on Soviet submarines, missile systems, and military activity during the Cold War.

The countries have since continued to cooperate closely. In 2001, Norway approached the NSA seeking to buy foreign satellite surveillance technology, known as FORNSAT, according to documents obtained by The Intercept from Edward Snowden. Two years later, the NSA provided the Norwegians with four specialist antennas. Each capability was given code names seemingly inspired by different types of gardens – WINTERGARDEN, FLOWERGARDEN, TOPIARYGARDEN, and so forth – together forming a VICTORYGARDEN.

Norwegian intelligence sent employees on multiple trips to receive training and test equipment at the NSA, and a delegation from a now-defunct NSA Yakima facility in Washington state traveled to Norway. Meanwhile, NSA employees based in Oslo took delivery of more than 90 containers crammed with electronic equipment, which were sent by boat and airplane, according to an October 2005 article in SIDtoday, an internal NSA newsletter. Two months later, on December 15, 2005, the Norwegian Intelligence Service’s director, Torgeir Hagen, declared VICTORYGARDEN operational. An NSA article describing the base’s opening ceremony concluded: “We have only begun to see future possibilities to benefit both our nations and the free world.”

Erik Reichborn-Kjennerud, a researcher at the Norwegian Institute of International Affairs, said that the documents provided a rare insight into how Norway’s relationship with the NSA has evolved. It “seems that Norway is asking for more and more capabilities, including training that enables them to better conduct surveillance,” Reichborn-Kjennerud said. “There’s been very little public debate about this in Norway.”

Until recently, the surveillance station located near Oslo was so secret that the oversight committee could not mention it in unclassified annual reports. Cryptic references in Norway’s defense budget pointed to “modernization of the Defense Satellite Earth Station” without linking these to the intelligence service. Local media were told the large dishes were used for communications with NATO partners and Norwegian forces overseas.

During the country’s parliamentary elections in 2017, then-Minister of Defense Ine Eriksen Søreide visited the facility. “Satellite communication is extremely important,” she told Ringerikes Blad, a local newspaper, “when frigates at sea need to communicate with the command center.” She announced an additional 200 million Norwegian kroner ($25 million) funding to strengthen cyber defense and additional satellite equipment.

But there is a lot more to the station than enabling “satellite communication.” The documents provided by Snowden state that VICTORY GARDEN can “see 130 foreign satellites” – indicating that it can tap into communications passing across them, including the contents of international phone calls and emails, as well as various types of metadata. (Metadata reveals information about a communication — such as the sender and recipient of an email and the time and date it was sent — but not the written content of the message.)

VICTORY GARDEN’s antennas are aimed at countries from which the Norwegian Intelligence Service collects information in support of Norwegian interests and interventions in countries such as Afghanistan, Iraq, and Syria. But Norway’s spies have also used the base for a more controversial purpose, not previously publicly disclosed: For several years, they have collected metadata about Norwegians’ communications with people located in foreign countries and accessed those records through searchable databases. In 2014, the oversight committee found out about that practice and began raising concerns.

“Our most important task is to ensure that the Norwegian Intelligence Service does not monitor Norwegians in Norway. It’s not their job,” said the committee’s chair, Eldbjørg Løwer, in an interview for this story. “We were uncertain whether the way they conducted these operations was sufficiently grounded in the law.”

The intelligence service told the committee that Norwegian citizens’ metadata is used to identify new targets. It denied that it used the intercepted communications for “mapping domestic relations or matters relating to Norwegian persons.” The country’s defense minister, Frank Bakke-Jensen, claimed that the spy agency “does not conduct surveillance against Norwegians in Norway.” He added, however, that “the legislation needs to be updated.”

In response to questions for this story, Norwegian spy chief Morten Haga Lunde said that a new law currently in the works will solve the oversight committee’s legal concerns. The VICTORY GARDEN base, he added, served an important purpose and helped save lives in 2013 during a terrorist attack on an Algerian gas facility.

It is unclear how many Norwegians’ communications have been swept up by the surveillance to date. A spokesperson for the intelligence service said he could not provide that information.

The NSA declined to comment.

———
Documents published with this article:

• Life as a TLO in Oslo
• SIGINT development working group meets in Oslo
• Norway gets FORNSAT collection capability on par with NSA
• VICTORY GARDEN: ‘Growing’ a Norwegian national FORNSAT capability
• Norwegian-US conference held at Ft Meade and Colorado
• NSA’s intelligence relationship with Norway
• Canyondust coverage regions
• FORNSAT technologies

———

Top photo: A surveillance base in Norway.

The post Norway Used NSA Technology for Potentially Illegal Spying appeared first on The Intercept.

The “SIGINT Seniors” is a spy agency coalition that meets annually to collaborate on global security issues. It has two divisions, each focusing on different parts of the world: SIGINT Seniors Europe and SIGINT Seniors Pacific. Both are led by the U.S. National Security Agency, and together they include representatives from at least 17 other countries. Members of the group are from spy agencies that eavesdrop on communications – a practice known as “signals intelligence,” or SIGINT.

Details about the meetings of the SIGINT Seniors are disclosed in a batch of classified documents from the NSA’s internal newsletter SIDToday, provided by whistleblower Edward Snowden and published today by The Intercept. The documents shine light on the secret history of the coalition, the issues that the participating agencies have focused on in recent years, and the systems that allow allied countries to share sensitive surveillance data with each other.

The SIGINT Seniors Europe was formed in 1982, amid the Cold War. Back then, the alliance had nine members, whose primary focus was on uncovering information about the Soviet Union’s military. Following the attacks on the U.S. in September 2001, the group grew to 14 and began focusing its efforts on counterterrorism.

The core participants of the Seniors Europe are the surveillance agencies from the so-called Five Eyes: the NSA and its counterparts from the U.K., Australia, Canada, and New Zealand. As of April 2013, the other members were intelligence agencies from Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain, and Sweden.

The alliance – which the NSA sometimes refers to as the “14 Eyes” – has collaborated to monitor communications during major European events, such as the Olympics in 2004 (hosted in Greece), the Winter Olympics in 2006 (hosted in Italy), and the soccer World Cup in summer 2006 (hosted in Germany). Between 2006 and 2007, as part of a counterterrorism operation, the agencies began working on “exploitation of the Internet,” which was described by the NSA as a “huge step forward” for the group, because some members of the alliance had previously been “reluctant to acknowledge there was such a thing as the Internet.”

As of 2010, the agencies were focused on targeting suspected terrorists, sharing intelligence related to piracy in the Horn of Africa, and they were collaborating on the development of new surveillance tools and techniques. According to the documents, the Seniors Europe had its own dedicated communication network called SIGDASYS, through which each agency can share copies of intercepted communications. The group also used a system called CENTER ICE to share intelligence about the war in Afghanistan.

The documents indicate that the Seniors Europe hold an annual conference, each time in a different location. In 2013, for instance, the group gathered in Sweden; in 2011, it met in the U.K; in 2010, in Germany; and in 2009, in Canada. In 2013, the NSA expressed an interest in creating a permanent facility that would host representatives from the Seniors Europe in a joint collaborative space. The NSA discussed the idea with its U.K. counterpart, Government Communications Headquarters, or GCHQ. The British were “all in” on the proposal, according to the NSA. However, from some unnamed members of the SIGINT Seniors, there was “persistent pushback” on the plan.

The NSA thought the facility would be best hosted in the U.K., as this would “be optimal in terms of having the most flexibility in tuning the operation to benefit the Five Eyes.” The agency also suggested the idea of France potentially hosting the unit, but outlined its reservations about setting up the spy hub in continental Europe. “Some European nations may be leery about hosting a facility in their nation,” the NSA noted, partly due to “associated concerns for European human rights laws.” (Both NSA and its British counterpart, GCHQ, declined to answer questions for this story. GCHQ issued a statement asserting that it adheres to “a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate.”)

The Pacific division of the SIGINT Seniors is younger than the European branch. The NSA formed it in 2005, with the aim of “establishing a collaborative effort to fight terrorism in the Asia-Pacific region.” In March 2007, the NSA said that it was in the process of “raising ideas for expanding [SIGINT Seniors Pacific’s] intelligence focus beyond counterterrorism.”

The NSA was passing the Indians selected top-secret material, and India began leaking some of the intelligence.

The founder members of the Pacific alliance were the spy agencies from the Five Eyes, as well as South Korea, Singapore, and Thailand. By 2013, France and India had joined the Pacific group. The NSA was particularly keen on having India on board as part of a broader U.S. government effort to improve relations with the country, and “felt strongly that India’s participation in multilateral intelligence sharing would help mature its Indian SIGINT agencies as well as provide regional [counterterrorism] expertise.” In March 2008, then-NSA Director Gen. Keith Alexander led a delegation of officials – including representatives from Singapore and New Zealand – to New Delhi, where he asked India’s spy agencies if they would like to join forces. Three months later, the Indians accepted.

The Pacific group used a system called CRUSHED ICE to share information. According to an NSA document dated from November 2007, CRUSHED ICE is a secure network that enables sharing of secret intelligence, collected from intercepted communications, about counterterrorism. “The system allows for collaboration by way of voice, binary-file/email exchanges, analysis and reporting, graphics and mapping, communities of interest, collection management, and other applications as needed,” the November 2007 document stated.

For the countries invited to participate in the SIGINT Seniors, there are obvious benefits. They can learn new surveillance techniques from the world’s most powerful spy agencies and at the same time, obtain information about their own countries or regions that they otherwise may have been unable to access. But not all nations who have been invited to join the alliance have jumped on board. According to an NSA document from March 2007, Japan refused to sign up to the Pacific group, expressing concerns that “unintended disclosure of its participation would be too high a risk.”

A downside of SIGINT Seniors is the risk that a partner will mishandle sensitive information. This happened on at least one occasion with India. By the time terrorists had struck Mumbai in a series of attacks in November 2008, the country had been admitted to the Pacific group. The NSA was passing the Indians selected top-secret material, such as interrogation reports and recordings of intercepted phone calls. In the weeks following the Mumbai incident, India began leaking some of the intelligence — “at times it seemed a daily occurrence,” the NSA’s country desk officer complained. The NSA limited the provisioning of top-secret information to India after repeated warnings and meetings left it dissatisfied. Still, the NSA, which had deployed analysts to India, remained hopeful Indian intelligence agencies would “mature … into the partners NSA needs in South Asia.”

The SIGINT Seniors likely remains active today and has probably grown its capabilities in recent years. According to the 2013 “black budget” – a portion of the U.S. federal budget dedicated to secret intelligence-gathering work – the NSA was that year working to bolster both the European and Pacific branches of the SIGINT Seniors, and planned to “expand the level of cooperation on [counterterrorism] and explore other potential areas of collaboration.”

———

Documents published with this article:

• SIGINT partnership agrees to greater sharing
• Linguistic resource sharing in Asia-Pacific takes step forward
• NSA’s changing counterterrorism relationship with India
• SIGINT Seniors Pacific successes highlighted at conference
• Counterterrorism analytic working group meets in Madrid
• Global Collaboration Environment: Director’s talkinig points
• World Cup report from SUSLAG
• Who’s Who in Afghanistan
• SIGINT Seniors: Making history in a good way

———

Top photo: Australian Defense Facilities Pine Gap, Feb. 19, 2016.

The post The Powerful Global Spy Alliance You Never Knew Existed appeared first on The Intercept.

The incident, one of the worst terrorist atrocities in British history, resulted in a major overhaul of policing across the United Kingdom. The government beefed up security, introduced new counterterrorism measures, and retrained first-responders to handle major crises. The attack also reshaped British spy agencies’ tactics and led to a more aggressive use of electronic surveillance – details of which are revealed for the first time in classified documents published today by The Intercept.

The documents – from the National Security Agency and its British counterpart Government Communications Headquarters, or GCHQ – offer a unique insight into how U.K. and U.S. intelligence agencies responded in the aftermath of the London bombings. They reveal how the attackers may have been able to evade detection and disclose the existence of a secret intelligence-sharing agreement designed to enable “unfettered” sharing of phone and email records across the Five Eyes, an alliance of spy agencies from the U.K., the U.S., Australia, Canada, and New Zealand.

Immediately following the bombing, GCHQ developed a three-tiered strategy, according to the documents, which were obtained by The Intercept from the whistleblower Edward Snowden. The agency focused on providing operational support to the police and security services; worked on “target discovery,” sifting its databases in an effort to find information about the attackers or those connected to them; and formed a think tank called the “Blue Skies Team,” which developed new tools and techniques that could be used to identify people associated with the attackers.

A surveillance base in the north of England played a key role. Menwith Hill, located about 9 miles from the small town of Harrogate in North Yorkshire, began listening in on calls that were passing between the U.K. and foreign countries. The base – a “ground station” from which spy satellites are operated – used its surveillance technology to home in on calls associated with Thuraya satellite phones, which are often used in remote parts of the world where there is no access to conventional cellphone or landline networks.

“We worked with GCHQ’s International Terrorism Team to put coverage on nine U.K. cities, and compiled a list of U.K. cities and external locations (including Copenhagen, Brussels, and various locations in Spain, South Africa, and Morocco) requiring tighter focus,” explained an NSA employee who was working at Menwith Hill through the incident. “At GCHQ’s request, analysts examined calls from [Thuraya satellite] handsets that had dialed into London from Iraq.”

Analysts at Menwith Hill discovered that “high priority targets … had phoned specific areas in the U.K. from Pakistan, Afghanistan, Egypt, and Iraq.” They identified particular calls of interest that appeared to be coming from a compound in the self-governing Azad Kashmir region of northeastern Pakistan. The documents do not state whether a link was proven between these calls and the bombings. However, it was reported in 2012 that a British-born Al Qaeda operative named Rashid Rauf – who lived in Pakistan – helped direct the 2005 attack, which was carried out by four men, three of whom were born and raised in England, and one of whom was born in Jamaica and brought to England as a young child.

The NSA worked closely with GCHQ through the investigation, providing analysis and technical advice on surveillance methods. Twenty-two NSA employees were transferred to a specialist unit to help with the effort, alongside a department called the Counterterrorism Primary Production Center. After three months, the 22 analysts moved on to other operations. But the impact of the London attack continued to be felt across the Western intelligence community.

In June 2004, the Five Eyes had negotiated a secret treaty called the Alice Springs Resolution. The arrangement laid out plans for a single surveillance system that each of the five countries’ spies would be able to access. The system would be used to share metadata, which reveals information about a communication – such as the sender and recipient of an email, or the phone numbers someone called and at what time – but not the written content of the message or the audio of the call. Analysts would be able to search across all available metadata with a single query.

The aim of the Alice Springs Resolution was to “enable unfettered access to metadata repositories among our five agencies,” according to an NSA document. The agreement was personally signed off by the director of each agency, presumably during a meeting held in the Australian town of Alice Springs, which hosts a large surveillance facility. The text of the resolution stated that the new arrangement was necessary due to the “increasing importance of the analysis of metadata to the generation of intelligence, particularly against the terrorist target.” The NSA later cited the agreement as a “foundational document” for the agency.

The secret agreement aimed to “enable unfettered access to metadata repositories.”

When the London bombings occurred, the implementation of the agreement accelerated. According to an October 2006 document, following the attack there was “unprecedented metadata sharing” between the NSA and GCHQ and a “solid commitment to action” regarding the Alice Springs Resolution. The agencies developed a system called the “Sensitive Metadata Analytic Collaboration,” known as SMAC, through which the Five Eyes agencies planned to share their troves of metadata records, the October 2006 document reveals.

By October 2007, each of the partners had a representative participating in SMAC at NSA’s Fort Meade headquarters. The agency announced in a top-secret report that the mission to share the metadata had been “accomplished, just not as initially contemplated.” The NSA voiced displeasure that the Canadian and Australian participants, in particular, had “not taken full advantage” of the program, and complained that policy differences were among several “systemic barriers” to its progress. Three years later, in 2010, a GCHQ document seemed to declare the effort dead or supplanted, noting that “SMAC was an effective approach for a while, but is now no longer required.” A takeaway for GCHQ, the document added, was to look for “opportunities to circumvent policy challenges.”

GCHQ’s work related to the bombings was code-named OCTAMER. Working alongside the NSA, as well as the British domestic and foreign spy agencies MI5 and MI6, GCHQ sifted through troves of communication records in an effort to identify people associated with the attackers. The British eavesdropping agency developed a specialized tool that it called MOAG, which was used to carry out “contact chaining.” This involves an analyst looking at the phone number or email address of a target, and then reviewing all of the people the target had made or received calls or messages to or from. The aim of the method was to discover new, previously unknown individuals who may be of interest to investigators.

In the days and weeks after the bombings, the U.K.’s media and lawmakers questioned how the security services had failed to prevent the atrocity from taking place. Two of the four attackers had been under surveillance before they carried out their plot, but they had not been fully investigated due to a lack of resources, an inquiry later found.

GCHQ documents offer insight into another reason why the attackers may have managed to evade detection: At least three of them used cheap Nokia 1100 phones – probably “burner” devices that were not registered to them personally – and they communicated in what GCHQ called a “closed loop.” In other words, they only used their phones to talk to each other and did not make calls to anyone else, which appears to have thwarted the spy agency’s powerful surveillance apparatus.

GCHQ later began specifically seeking out closed loops. In an October 2011 document, the agency described how it had analyzed “anonymised metadata for bulk U.K.-U.K. mobile call records” in an effort to identify people who were communicating exclusively in small groups. They were a “rare phenomenon,” the agency concluded, but it added that among the few cases it did find, there were “possible target discovery opportunities.”

The NSA declined to comment for this story. GCHQ declined to comment on specifics and instead, issued a statement asserting that its work is “carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.”

———
Documents published with this article:

• MHS lends a hand in the aftermath of the London bombings
• CT staff and augmentees focus on bombings in London
• The London bombings: an insider’s view
• Contact chaining – GCHQ
• Graph theory in the operational environment – GCHQ
• SMAC concept of operations
• Alice Springs Resolution
• Transnational DNI training

———

Top photo: A front view of the bus which was destroyed by a bomb in London on Thursday, July 7, 2005.

The post How London’s 7/7 Bombings Led to “Unprecedented” Surveillance Tactics appeared first on The Intercept.

NSA agents successfully targeted “the entire business chain” connecting foreign cafes to the internet, bragged about an “all-out effort” to spy on liberated Iraq, and began systematically trying to break into virtual private networks, according to a set of internal agency news reports dating to the first half of 2005.

British spies, meanwhile, were made to begin providing new details about their informants via a system of “Intelligence Source Descriptors” created in response to intelligence failures in Iraq. Hungary and the Czech Republic pulled closer to the National Security Agency.

And future Intercept backer Pierre Omidyar visited NSA headquarters for an internal conference panel on “human networking” and open-source intelligence.

These stories and more are contained in a batch of 294 articles from SIDtoday, the internal news website of the NSA’s core Signals Intelligence Directorate. The Intercept is publishing the articles in redacted form as part of an ongoing project to release material from the files provided by NSA whistleblower Edward Snowden.

In addition to the aforementioned highlights, summarized in further detail below, the documents show how the NSA greatly expanded a secret eavesdropping partnership with Ethiopia’s draconian security forces in the Horn of Africa, as detailed in an investigation by longtime Intercept contributor Nick Turse. They describe the NSA’s operations at a base in Digby, England, where the agency worked with its British counterpart GCHQ to help direct drones in the Middle East and tap into communications through the Arab Spring uprisings, according to a separate article by Intercept reporter Ryan Gallagher. And they show how the NSA and GCHQ thwarted encryption systems used to protect peer-to-peer file sharing through the apps Kazaa and eDonkey, as explained here by Intercept technologist Micah Lee.

NSA did not comment for this article.

American Intelligence Agents Outed Themselves Online

Members of the U.S. intelligence community routinely thwarted a system designed to mask their identities online by using it for personal shopping and to log on to websites, according to an NSA information technology manager.

The system, called “AIRGAP,” was run by “one of the world’s largest ISPs” and created around 1998 at the behest of the NSA, according to NSA Internet Program Manager Charlie Speight, writing in SIDtoday. Its purpose was to allow “non-attribution internet access,” Speight added, meaning that intelligence analysts could surf the internet without revealing that they were coming from U.S. spy agencies. By 2005, it was used by the whole U.S. intelligence community.

One early concern about the firewall was that it funneled all internet traffic through a single IP address, meaning that if any activity on the address was revealed to be associated with U.S. spies, a broad swath of other activity could then be attributed to other U.S. spies. More IP addresses were subsequently added, but “occasionally we find that the ISP reverts to one address, or does not effectively rotate those assigned,” Speight wrote.

Speight added that the “greater security concern” was the very intelligence agents the system was designed to protect. “Despite rules and warnings to the contrary, all too frequently users will use AIRGAP for registering on web sites or for services, logging into other sites and services and even ordering personal items from on-line vendors,” Speight wrote in a classified passage. “By doing so, these users reveal information about themselves and, potentially, other users on the network. So much for ‘non-attribution.'”

This sort of sloppiness mirrors behavior that has undermined Russian intelligence operatives. A slide presentation by Canadian intelligence, dating to 2011 or later, labeled as “morons” members of a Russian hacking group code-named “MAKERSMARK,” who thwarted a “really well-designed” system to hide their identities by using it to log on to their personal social and email accounts.

The two situations are not perfectly comparable; the U.S. system was managed as part of a network for obtaining unclassified information, while the Russian system was used for the more sensitive activity of staging hack attacks. But Speight hinted at aggressive use of the U.S. system, writing in his piece that the NSA had begun “using AIRGAP for reasons and in volumes not intended in its formation” — the agency thus began developing its own separate firewall.

The NSA had systems with the same goal as AIRGAP — anonymization — but for phone calls. According to a February 2005 SIDtoday article, the NSA controlled 40,000 telephone numbers, but these were almost all prefixed with area- and exchange-code combinations that were publicly associated with the agency. An analyst who needed to make a public phone call without leaking their affiliation could use “anonymous telephones,” most of them registered to Department of Defense, or “cover telephones,” registered using alias names and P.O. boxes. No security protocol lapses were described in connection with the old-fashioned voice networks.

NSA Targeted “the Entire Business Chain” to Spy on Internet Cafes

While hiding, or at least trying to hide, its own online operations, the NSA launched an all-encompassing campaign to trace online activity in internet cafes, down to specific seats.

A program called “MASTERSHAKE” accomplished this by exploiting equipment used by the cafes, including satellite internet modems, according to top-secret information reported by SIDtoday. “MASTERSHAKE targets the entire business chain, from manufacturer to Internet café installation, to ascertain any and all available data regarding … geolocation, the network connectivity of the modem, as well as the actual physical location of the installation,” according to SIDtoday.

MASTERSHAKE data was “enriched” with other information, including “geolocatable phone events,” as well as intelligence from throughout the NSA’s Signals Intelligence Directorate and from the agency’s XKeyscore search system.

The NSA knew the precise location of over 400 internet cafes. For over 50 of these cafes, it could locate a target to a specific seat within the cafe. One goal of the monitoring was to hunt down Al Qaeda leaders, like Abu Musab al-Zarqawi. SIDtoday focused on the use of MASTERSHAKE in Iraq, describing an incident in the city of Ramadi where two “counterterrorism targets” began using a messenger service at an internet cafe, and the two men were arrested. But it also indicated the system was used more broadly, “in the Middle East and Africa.”

As the Intercept previously reported, the NSA has surveilled internet cafes in Yemen, Afghanistan, Syria, Lebanon, and Iran, as detailed in agency documents.

Sunni Arab member of Iraqi Transitional National Assembly and a candidate for the post of parliament speaker Misha’an al-Juburi speaks on the phone April 2, 2005 in Baghdad.

An “All-Out Effort” To Spy on Liberated Iraq

The NSA’s surveillance against Iraqis went far beyond cafe computers. Two years after President George W. Bush’s infamous “Mission Accomplished” speech and a year after the Coalition Provisional Authority handed over the reins to the Iraqi Interim Government, the agency was trying to tap the nation’s communications — and enlist friendly Iraqis and the new government to do likewise.

In a top-secret SIDtoday report, an NSA “data acquisition lead” in Baghdad described “an all-out effort to penetrate Iraqi networks using everything in the tool box of the most sophisticated SIGINT agency in the world.” The “very forward-leaning and aggressive” collection effort brought “our technology to bear at the optimum access points” in the country. The identity of those access points is hinted at by the list of people the NSA staffer met with as the “field rep on a number of projects”: “Iraqi government personnel engaged in telecommunications and IT issues for Iraq; small and medium sized Iraqi communications contractors; the CEO’s and Chief Technical Officers of the major Iraqi telecommunications service providers; [and] Iraqi cabinet level officials,” among others.

Another article confirmed the NSA was spying on Iraqi telecommunications, describing a “dramatic drop” in information the agency collected from links carrying mobile phone traffic between Fallujah and northern Baghdad and a consequent gap in intelligence gathering. A team from the NSA and CIA was able to restore the collection within two weeks by targeting microwave signals carrying the traffic.

In addition to its own electronic spying within Iraq, the NSA sought to rebuild the country’s ability to spy on itself through another joint project with the CIA, along with GCHQ. The Western intelligence entities would build a new Iraqi spy agency, dubbed the Iraq SIGINT Element, according to another SIDtoday article. The Iraqi SIGINT Element’s expertise would come, of course, from veterans of Saddam Hussein’s regime; the NSA and GCHQ made a list of candidates “gleaned from years of targeting the Iraqi civil and military SIGINT units,” SIDtoday reported. The former targets were the new recruits. The CIA assisted in the vetting process with polygraphers, psychologists, and background checks, and the NSA trained the selected candidates on “how we do SIGINT.” The new intelligence agents’ first assignment was to find communications of former Saddam “elements” and insurgents in Baghdad. They went covertly into Baghdad neighborhoods, which U.S. and U.K. forces were unable to do.

It was at the behest of the director of central intelligence that the NSA “moved aggressively to help [Iraq] establish and enhance their signals intelligence capabilities,” SIDtoday reported separately. A similar effort was underway in Afghanistan. “Both relationships come with risks, but the overall benefit to U.S. objectives in the region outweighs these risks,” wrote an NSA foreign affairs staff officer.

Targeting Bombers in Iraq

Mass surveillance efforts in Iraq were part of a broader NSA effort to address the consequences of the coalition’s victory over Saddam Hussein. Immediately after the Ba’athist government fell to the invading forces in 2003, signals intelligence collection on the regime ceased to exist. NSA staff, some of whom had been monitoring the country for more than a decade, woke up to “no more audio cuts, no more transcripts … no more product reports,” according to an account in SIDtoday. One official wondered, “Will we lose resources because of our success?” Postwar insurgency and sectarian strife ensured this was not the case.

For example, an NSA team set about thwarting detonation systems for bombs set by insurgents. The bombs, known within the U.S. military as improvised explosive devices, were triggered from a distance, often using high-powered cordless phone systems, in which a common base station, controlled by a triggerman, connects to a cluster of wireless handsets. The team devised a way to locate triggermen: Intercepting and identifying security codes emitted by captured handsets. The codes, intended to tether a handset to a particular base station, could then be used to locate base stations, resulting in military targeting and “hopefully, the IED makers neutralized,” SIDtoday stated.

The NSA may have had a chance to deploy this technique at the end of January 2005, when Iraq’s first parliamentary elections took place. An article in SIDtoday said that signals intelligence helped prevent 50 to 60 suicide bombers from making it into polling centers. Still, 285 other insurgent attacks occurred that day, and CNN reported several incidents of suicide bombings that hit police officers and Iraqis waiting to vote.

How British Spies Were Made To Atone for Bad Iraq Intel

In Iraq and elsewhere, the NSA expanded the scope of its intelligence sharing to U.S. government “customers,” as described in a January 2005 article, in which an NSA staffer in Baghdad read a new sharing guideline aloud to a hesitant colleague: “It’s OK to talk about, show and share evaluated, minimized unpublished SIGINT to customers/partners in order to facilitate analytic collaboration.”

Even amid the aggressive intelligence sharing, the NSA was taking note of what could happen when such sharing went terribly wrong. A SIDtoday story about a British government inquiry into prewar intelligence on Iraq, the Butler Review, describes how the U.K.’s signals intelligence agency GCHQ was now required to provide “Intelligence Source Descriptors” on all intel reports. This requirement came in response to the finding that the British foreign spying agency, MI6, did not adequately check human sources and relied on third-hand reporting about Iraqi chemical weapons, including “seriously flawed” information from “another country’s intelligence service.”

The new British source descriptors would include identification of sources by name or role along with judgments on whether the source had direct or indirect access to the information reported. The GCHQ descriptor would also indicate whether a source is “reliable,” “unknown,” or “uncertain” as to reliability. “There are no plans at present to use a like program on NSA reports,” SIDtoday reported.

Despite reporting on fallout from the U.K. postwar review, SIDtoday did not cover a U.S. presidential commission that prominently reported in March 2005 on how the American intelligence community was “dead wrong” in its prewar assessment of weapons of mass destruction in Iraq.

NSA Works with Hungary, Pakistan, Ethiopia — and an Eager Czech Republic

In parallel with its efforts to share information with more U.S. government and intelligence agencies, the NSA also forged connections with foreign partners whose collaboration would have, in previous decades, seemed inconceivable.

In early 2005, the NSA entered into a partnership with Hungary’s Military Intelligence Office, inviting the spy agency to “work with NSA as part of our extended SIGINT enterprise,” according to SIDtoday, and “write SIGINT reports for dissemination through the NSA system to our intelligence community customers.” The partnership allowed the NSA to tap into the Hungarian agency’s “unique access to Serbian and Ukrainian military targets.”

A contemporaneous NSA visit to the Czech Republic, as described in SIDtoday, showed how such “third party” partnerships can come to fruition. The trip was conducted to establish whether the NSA should partner with the Czech External Intelligence Service, or ÚZSI, which wanted to tap NSA expertise “on many technical issues.” In order to win over the Americans, spy agency “personnel essentially opened the door to their SIGINT vault,” displaying an “exceptional degree of openness.” The NSA team came away impressed, judging ÚZSI “exceptionally good at analysis of material associated with Russian [counterintelligence] targets,” and impressed with the agency’s “very good analytic effort against Russian and Ukrainian HF networks” and “overall levels of sophistication, knowledge, practical experience, ingenuity and enthusiasm that allow them to overcome many financial and equipment shortfalls.” Perhaps best of all, ÚZSI “has not requested financial support from the NSA.” The Czech Republic eventually became a third-party partner.

A March 2005 SIDtoday article, summarizing a briefing from the NSA’s principal director for foreign affairs, alluded to agency “relationships” with Pakistan and Ethiopia, “work” with Iraq (discussed elsewhere in this article) and Afghanistan, and a “multinational collaboration in the Pacific.”

More generally, third parties became vital at this time simply for providing additional staffing and coverage. For instance, after the U.S. closed several bases, the NSA developed a reliance on third-party partners to participate in High Frequency Directional Finding networks for locating the origins of targeted radio signals. And the U.S. partnered with Hungary’s military intelligence organization in part because it “has been instrumental in providing intelligence that answers high-priority CIA and DIA (Defense Intelligence Agency) requirements that NSA would otherwise not be able to answer due to manpower constraints.”

Intercept Backer Spoke at NSA Headquarters

Back in the U.S., the NSA’s post-9/11 “transformation,” initiated by Director Michael Hayden, promoted information sharing and collaboration to the traditionally closed community at Fort Meade. Invitations to participate at agency seminars and conferences were made not just to partners from the intelligence and military communities, but also to members of private industry and academia.

An announcement in SIDtoday for the third annual Analysis Conference from the NSA’s Analysis and Production division proclaimed the need to “keep communications open and leverage our partners’ insights.” Speakers at the May 2005 event, held at agency headquarters, included authors, U.S. senators, corporate executives, and journalists.

One “high-powered panel” at the conference on “human networking” featured eBay founder Pierre Omidyar, who would go on to provide funding for The Intercept, which covers and is frequently critical of the NSA. A separate SIDtoday article touting the panel  indicated that corporate anthropologist Karen Stephenson and Wired founding executive editor Kevin Kelly also participated and that panelists were recruited through the Global Business Network, a consulting firm specializing in scenario-based forecasting. The GBN had been asked to harness its network of experts, “most of whom have had no previous involvement with the intelligence community,” to apply strategies from “the competitive marketplace” to NSA challenges.

Omidyar told The Intercept that the GBN “asked me to participate in an unclassified meeting at NSA headquarters at Fort Meade on the topic of ‘open source’ intelligence. My recollection of the people I met there is that they were very smart and genuinely interested in bringing outside ideas into the agency. I stayed involved with the GBN for some time after that meeting but when they approached me many months later to participate in additional meetings with the NSA, I declined. The invitation was made after news broke in December 2005 about the agency’s ‘warrantless wiretapping’ — and those events were deeply concerning to me. In addition, I didn’t have anything else to add beyond what I had already shared. I was not asked to meet with the NSA again after declining that invitation.”

Omidyar said he was not paid for his appearance.

Advanced Word on Indian Nuclear Weapons

A series of nuclear weapons tests conducted by India in the spring of 1998 took the intelligence community by surprise, prompting an internal investigation into why these tests had not been foreseen; a subsequent report was harshly critical of the U.S. intelligence community. A similar lapse in data gathering would not happen again in 2005. An Australian NSA site, RAINFALL, isolated a signal it suspected was associated with an Indian nuclear facility, according to SIDtoday. Collaboration between RAINFALL and two NSA stations in Thailand (INDRA and LEMONWOOD) confirmed the source of the signals and allowed for the interception of information about several new Indian missile initiatives. Although these missile systems did not come to public attention for several more years (the Sagarika submarine-launched ballistic missile was first tested in 2008), the NSA’s access to these signals gave them foreknowledge of their Third Party SIGINT partner’s (see last image) actions.

Attacking VPNs

An NSA working group focused on virtual private networks, or VPNs, was established in November 2004 to “conduct systematic and thorough SIGINT Development of VPN communications (typically encrypted),” SIDtoday reported — meaning that the agency wanted to break into the networks. The group published regular “VPN Target Activity Reports” on a large number of countries throughout Europe, the Middle East, North Africa, Russia, and China, as well as “specific financial, governmental, communication service providers and international organizations.” These reports may help analysts “exploit targets’ VPNs more successfully.”

Women at the NSA

Sonia Kovalevsky Days take place at schools and colleges nationwide, with competitions and talks to encourage young women to pursue careers in mathematics. Although the events’ namesake was a radical socialist and pioneering female mathematician, members of the NSA’s Women in Mathematics Society participated as part of the agency’s effort to recruit more female mathematicians. The NSA believed itself to be the largest employer of mathematicians in the country, but between 1987 to 1993, only one of the 30 math Ph.D.s the agency hired identified as a woman, and only 26 percent of women hired into the agency’s mathematics community had an advanced degree, according to SIDtoday. After the Women in Mathematics Society was formed, from 1994 through 2005, about 38 percent of women mathematicians hired into NSA had a doctoral degree and 27 percent held a master’s degree.

Hold the Spam, Please

“Spam affects NSA by impeding our collection, processing and storage of [Digital Network Intelligence] traffic,” said the author of a February 2005 SIDtoday article. “Unfortunately, filtering out spam has proven to be an extremely difficult and cumbersome task.”According to the author, analysts developed technology that tagged “an average of 150,000 spam sessions a day,” which greatly reduced the amount of spam that shows up in “daily searches” of intercepted emails.

Correction: September 13, 2017, 9:15 p.m.
Due to an editing error, an earlier version of this story gave an incorrect year for the NSA’s third annual Analysis Conference; the event occurred in May 2005, not May 2015.

Top photo: In this May 1, 2003 file photo, President George W. Bush gives a “thumbs-up” sign after declaring the end of major combat in Iraq as he speaks aboard the aircraft carrier USS Abraham Lincoln off the California coast.

The post Sloppy U.S. Spies Misused a Covert Network for Personal Shopping — and Other Stories from Internal NSA Documents appeared first on The Intercept.

“A warm friendship connects the Ethiopian and American people,” U.S. Secretary of State Rex Tillerson announced earlier this year. “We remain committed to working with Ethiopia to foster liberty, democracy, economic growth, protection of human rights, and the rule of law.”

Indeed, the website for the U.S. Embassy in Ethiopia is marked by press releases touting U.S. aid for farmers and support for public health infrastructure in that East African nation. “Ethiopia remains among the most effective development partners, particularly in the areas of health care, education, and food security,” says the State Department.

Behind the scenes, however, Ethiopia and the U.S. are bound together by long-standing relationships built on far more than dairy processing equipment or health centers to treat people with HIV. Fifteen years ago, the U.S. began setting up very different centers, filled with technology that is not normally associated with the protection of human rights.

In the aftermath of 9/11, according to classified U.S. documents published Wednesday by The Intercept, the National Security Agency forged a relationship with the Ethiopian government that has expanded exponentially over the years. What began as one small facility soon grew into a network of clandestine eavesdropping outposts designed to listen in on the communications of Ethiopians and their neighbors across the Horn of Africa in the name of counterterrorism.

In exchange for local knowledge and an advantageous location, the NSA provided the East African nation with technology and training integral to electronic surveillance. “Ethiopia’s position provides the partnership unique access to the targets,” a commander of the U.S. spying operation wrote in a classified 2005 report. (The report is one of 294 internal NSA newsletters released today by The Intercept.)

The NSA’s collaboration with Ethiopia is high risk, placing the agency in controversial territory. For more than a decade, Ethiopia has been engaged in a fight against Islamist militant groups, such as Al Qaeda and Shabab. But the country’s security forces have taken a draconian approach to countering the threat posed by jihadis and stand accused of routinely torturing suspects and abusing terrorism powers to target political dissidents.

“The Ethiopian government uses surveillance not only to fight terrorism and crime, but as a key tactic in its abusive efforts to silence dissenting voices in-country,” says Felix Horne, a senior researcher for Human Rights Watch. “Essentially anyone that opposes or expresses dissent against the government is considered to be an ‘anti-peace element’ or a ‘terrorist.’”

The NSA declined to comment for this story.

In February 2002, the NSA set up the Deployed Signals Intelligence Operations Center – also known as “Lion’s Pride” – in Ethiopia’s capital, Addis Ababa, according to secret documents obtained by The Intercept from the whistleblower Edward Snowden. It began as a modest counterterrorism effort involving around 12 Ethiopians performing a single mission at 12 workstations. But by 2005, the operation had evolved into eight U.S. military personnel and 103 Ethiopians, working at “46 multifunctional workstations,” eavesdropping on communications in Somalia, Sudan, and Yemen. By then, the outpost in Addis Ababa had already been joined by “three Lion’s Pride Remote Sites,” including one located in the town of Gondar, in northwestern Ethiopia.

“[The] NSA has an advantage when dealing with the Global War on Terrorism in the Horn of Africa,” reads an NSA document authored in 2005 by Katie Pierce, who was then the officer-in-charge of Lion’s Pride and the commander of the agency’s Signal Exploitation Detachment. “The benefit of this relationship is that the Ethiopians provide the location and linguists and we provide the technology and training,” she wrote.  According to Pierce, Lion’s Pride had already produced almost 7,700 transcripts and more than 900 reports based on its regional spying effort.

Pierce, now a lieutenant colonel in the Army Reserve and a lawyer in private practice, had noted her role with the NSA’s Ethiopia unit in an online biography. When contacted by The Intercept, she said little about her time with Lion’s Pride or the work of the NSA detachment. “We provided a sort of security for that region,” she said. The reference to the NSA in Pierce’s online biography has since disappeared.

Reta Alemu Nega, the minister of political affairs at the Ethiopian Embassy in Washington, D.C., told The Intercept that the U.S. and Ethiopia maintained “very close cooperation” on issues related to intelligence and counterterrorism. While he did not address questions about Lion’s Pride, Alemu described regular meetings in which U.S. and Ethiopian defense officials “exchange views” about their partnership and shared activities.

Lion’s Pride does not represent the first time that Ethiopia has played a vital role in U.S. signals surveillance. In 1953, the U.S. signed a 25-year agreement for a base at Kagnew Station in Asmara, Ethiopia (now the capital of Eritrea), according to a declassified NSA report obtained by the nonprofit National Security Archive. Navy and Army communications facilities based there were joined by an NSA outpost just over a decade later.

On April 23, 1965, the Soviet Union launched Molniya-1, its first international communications satellite. The next month, the NSA opened STONEHOUSE, a remote listening post in Asmara. The facility was originally aimed at Soviet deep space probes but, in the end, “[its] main value turned out to be the collection of Soviet MOLNIYA communications satellites,” according to a 2004 NSA document that mentions STONEHOUSE.

STONEHOUSE was closed down in 1975 due to a civil war in Ethiopia. But its modern-day successor, Lion’s Pride, has proved to be “such a lucrative source for SIGINT reports” that a new facility was built in the town of Dire Dawa in early 2006, according to a secret NSA document. “The state of the art antenna field surrounded by camels and donkey-drawn carts is a sight to behold,” reads the NSA file. The effort, code-named “LADON,” was aimed at listening in on communications across a larger swath of Somalia, down to the capital Mogadishu, the Darfur region of Sudan, and parts of eastern Ethiopia.

At a May 2006 planning conference, the Americans and Ethiopians decided on steps to “take the partnership to a new level” through an expanded mission that stretched beyond strictly counterterrorism. Targeting eastern Ethiopia’s Ogaden region and the nearby Somali borderlands, the allied eavesdroppers agreed on a mission of listening in on cordless phones in order to identify not only “suspected al-Qa’ida sympathizers” but also “illicit smugglers.”

“It is very troubling to hear the U.S. is providing surveillance capacities to a government that is committing such egregious human rights abuses in that region.”

From the time Lion’s Pride was set up until predominantly Christian Ethiopia invaded mostly Muslim Somalia in December 2006, the U.S. poured about $20 million in military aid into the former country. As Ethiopian troops attempted to oust a fundamentalist movement called the Council of Islamic Courts, which had defeated several warlords to take power in Somalia, Pentagon spokesperson Lt. Cmdr. Joe Carpenter said the two nations had “a close working relationship” that included sharing intelligence. Within a year, Ethiopian forces were stuck in a military quagmire in Somalia and were facing a growing rebellion in the Ogaden region as well.

“While the exact nature of U.S. support for Ethiopian surveillance efforts in the Ogaden region is not clear, it is very troubling to hear the U.S. is providing surveillance capacities to a government that is committing such egregious human rights abuses in that region,” says Horne, the Human Rights Watch researcher.  “Between 2007-2008 the Ethiopian army committed possible war crimes and crimes against humanity against civilians in this region during its conflict with the Ogaden National Liberation Front.”

For the U.S., “the chaos” caused by the invasion “yielded opportunities for progress in the war on terrorism,” stated a top secret NSA document dated February 2007.  According to the document, the Council of Islamic Courts was harboring members of an Al Qaeda cell that the NSA’s African Threat Branch had been tracking since 2003. After being flushed from hiding by the Ethiopian invasion, the NSA provided “24-hour support to CIA and U.S. military units in the Horn of Africa,” utilizing various surveillance programs to track Council of Islamic Courts leaders and their Al Qaeda allies. “Intelligence,” says the document, “was also shared with the Ethiopian SIGINT partner to enable their troops to track High Value Individuals.” The NSA deemed the effort a success as the “#1 individual on the list” was “believed killed in early January” 2007, while another target was arrested in Kenya the next month. The identities of the people killed and captured, as well as those responsible, are absent from the document.

As the Council of Islamic Courts crumbled in the face of the invasion, its ally, the militant group Shabab, saw Somalis flock to its resistance effort. Fueled and radicalized by the same chaos exploited by the NSA, Shabab grew in strength. By 2012, the terrorist group had formally become an Al Qaeda affiliate. Today, the U.S. continues to battle Shabab in an escalating conflict in Somalia that shows no sign of abating.

At the time the NSA set up Lion’s Pride, the U.S. State Department had criticized Ethiopia’s security forces for having “infringed on citizens’ privacy rights,” ignoring the law regarding search warrants, beating detainees, and conducting extrajudicial killings. By 2005, with Lion’s Pride markedly expanded, nothing had changed. The State Department found:

The Government’s human rights record remained poor. … Security forces committed a number of unlawful killings, including alleged political killings, and beat, tortured, and mistreated detainees. … The Government infringed on citizens’ privacy rights, and the law regarding search warrants was often ignored. The Government restricted freedom of the press. … The Government at times restricted freedom of assembly, particularly for members of opposition political parties; security forces at times used excessive force to disperse demonstrations. The Government limited freedom of association. …

A separate State Department report on Ethiopia’s counterterrorism and anti-terrorism capabilities, issued in November 2013 and obtained by The Intercept via the Freedom of Information Act, noted that there were “inconsistent efforts to institutionalize” anti-terrorism training within Ethiopian law enforcement and added that while the Ethiopian Federal Police use surveillance and informants, “laws do not allow the interception of telephone or electronic communications.” The readable sections of the redacted report make no mention of the NSA program and state that the U.S. “maintains an important but distant security relationship with Ethiopia.”

A 2010 NSA document offers a far different picture of the bond between the security agencies of the two countries, noting that the “NSA-Ethiopian SIGINT relationship continues to thrive.”

In an after-action report, a trainer from NSA Georgia’s “Sudan/Horn of Africa Division” described teaching a class attended by soldiers from the Ethiopian National Defense Forces and civilians from Ethiopia’s Information Network Security Agency. He praised the Ethiopians for “work[ing] so hard on our behalf” and wrote that his students were “excited and eager to learn.”

According to the documents, analysts from the Army’s 741st Military Intelligence Battalion were still detailed to Lion’s Pride while the Ethiopians they worked beside had increased their skills at analyzing intercepted communications. “More importantly, however,” the American trainer noted, “is the strengthening of the relationship” between NSA and Ethiopian security forces. NSA Georgia, he declared, was eager to continue “developing the relationship between us and our Ethiopian counterparts.”

The NSA refused to comment on whether Lion’s Pride continues to eavesdrop on the region, but no evidence suggests it was ever shut down. There is, however, good reason to believe that U.S. efforts have strengthened the hand of the Ethiopian government. And a decade and a half after it was launched, Ethiopia’s human rights record remains as dismal as ever.

“Governments that provide Ethiopia with surveillance capabilities that are being used to suppress lawful expressions of dissent risk complicity in abuses,” says Horne. “The United States should come clean about its role in surveillance in the Horn of Africa and should have policies in place to ensure Ethiopia is not using information gleaned from surveillance to crack down on legitimate expressions of dissent inside Ethiopia.”

———

Documents published with this article:

• Lion’s Pride: Fighting terrorism in the Horn of Africa
• Instability creates opportunity against counter-terrorism targets
• A behind the scenes look at the NSA-Ethiopian relationship
• Expanding joine US-Ethiopian SIGINT collection
• NSA and Ethiopians take SIGINT partnership to new level

Top photo: Ethiopian President Mulatu Teshome holds a press conference at the National Palace in Addis Ababa, Ethiopia, on May 7, 2015.

The post How the NSA Built a Secret Surveillance Network for Ethiopia appeared first on The Intercept.

Civil war was raging in Libya, and Col. Moammar Gadhafi was in hiding. Two thousand miles away, on the outskirts of a small village in the English countryside, British and American spies were monitoring the chaos, listening in on the Gadhafi regime’s phone calls.

The spies were part of a group known as Joint Service Signal Unit Digby, operating from within a nearly 100-year-old military base near the village of Ashby de la Launde in Lincolnshire, a county in England’s east midlands. About a three-hour drive north of London, it is a scantly populated area encompassing flat fields that stretch across the landscape. The British government says publicly that the Digby facility conducts “research into new communications systems.” A more truthful account is that it is an important part of the sprawling covert surveillance network maintained by British and American spy agencies, GCHQ and the National Security Agency.

Digby has attracted little media scrutiny in the United Kingdom, perhaps because it is smaller in size and not as visually striking as other surveillance bases in the country. It consists of a nondescript, single-story building and a series of attached offices, all in the southwest corner of a larger military compound. There is an adjacent field equipped with about two dozen antennas, according to maps of the area, but these cannot be seen from a distance. Unlike better-known NSA and GCHQ bases in England, such as the facilities in Bude, Cornwall, and Menwith Hill, Yorkshire, there are no massive, golf ball-like domes visible from miles away; instead, Digby blends in with the landscape.

The NSA’s presence at Digby has never been reported before. And secret documents published Wednesday by The Intercept show that the agency has prized its low profile at the obscure site. The base “does not attract the kind of press attention lavished on RAF Menwith Hill to the north — and long may that continue,” one NSA employee wrote in a March 2005 article for SIDtoday, an internal NSA newsletter. “The American presence here is a quiet one,” the employee added, “but [it] has a profound impact as soldiers, sailors and airmen work together with their British counterparts to produce critical intelligence on an amazing variety of targets.”

The documents, obtained from NSA whistleblower Edward Snowden, indicate that Digby focuses on monitoring communications across the Middle East and North Africa. In recent years, it has targeted Lebanese, Sudanese, and Palestinian communications. And through the Arab Spring uprisings that spread across the region between 2010 and 2011, the base was at the forefront of British and American government efforts to get a handle on events.

In Libya, where pro-democracy protests spiraled into a full-blown civil war, Digby’s electronic eavesdroppers were at one point working 24 hours a day, seven days a week to analyze what was happening on the ground. In mid-May 2011, with the conflict at its height and a NATO-led coalition enforcing a no-fly zone across the North African country, GCHQ employees at the Lincolnshire spy base identified their primary target as “Libyan regime command and control use of mobile satellite phones.” By late June, the Digby team was still tapping into the regime’s calls, but it was also focused on gathering intelligence about the command and control structure of opposition forces located in the mountainous Jabal Nafusa area, about 120 miles southwest of Tripoli.

Similarly, through the conflict in Syria, personnel at Digby closely watched the situation. A top-secret April 2013 document, authored by senior NSA officials, noted that GCHQ staff at the base were paying particular attention to Syrian President Bashar al-Assad’s security services in the country’s coastal region. A small team of five Digby-based analysts were tasked with the Syrian surveillance mission, according to the document, after the intelligence community assessed that the “regime will relocate and create a strong-hold there [on the coast] should Damascus fall.”

Digby’s function is not limited to that of a passive observer, however. Its central mission, one GCHQ document explains, is to “produce and deliver near-real time intelligence … in order to support military and contingency operations.” It has been integral to a program code-named “AIRHANDLER,” for example, which uses surveillance equipment on Predator and Reaper drones to gather data that is then passed to military commanders. During one six-month period in 2009, there were 148 AIRHANDLER missions flown out of Digby – averaging about five each week. The base was also equipped with a capability enabling it to perform “(near) real-time co-location” of GSM cellphones.

The documents indicate that Digby’s assistance to military forces on the ground has centered around missions in Iraq and Afghanistan, where British and American troops have been deployed. But the facility also carries out a broader global role when it comes to providing tactical military support. One confidential document describes Digby as a “unique” site because it has a joint British and American navy surveillance department within it. This department – known as a Maritime Cryptologic Integration Center – backs up mobile sea, air, and land units operating in parts of the North Atlantic Ocean, the Barents, Baltic, and Black seas, and across North and sub-Saharan Africa.

According to the 2005 NSA report, in addition to providing direct support to operations in Iraq and Afghanistan, Digby performs an “incredibly diverse” mission that is tailored to the intelligence needs of U.S. Strategic Command, Central Command, Northern Command, and European Command. In recent years, it is likely that its capabilities have been expanded. A GCHQ planning document dated from 2011 revealed that the British agency was working to broaden Digby’s function, “growing a cyber mission” out of the base. The agency also wanted to develop a “center of excellence” at the facility, which it said would be a key hub for delivering intelligence to “military partners and customers.”

The NSA and GCHQ declined to comment for this story. GCHQ said in a statement that its work “is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary, and proportionate.”

Other NSA documents — some 294 — and related stories released by The Intercept today are available here.

———

Documents published with this article:

• The other end-to-end SIGINT site in the UK
• AIRHANDLER missions Feb 2010
• Cryptologic shore support
• Producing the best possible SIGINT on Sudan
• Virtual teaming pays off
• NSA posture on Syria
• UK AIRHANDLER trainees
• Event RARE weekly summaries
• Digby geolocation

Top photo: Image of U.K. Digby base from Google Maps.

The post NSA’s Quiet Presence at a Base in England’s Countryside Revealed in Snowden Documents appeared first on The Intercept.

Before services like Spotify and Netflix proliferated, people who wanted to listen to music or watch movies online, on demand, had few legal options. Instead, they would download copies of pirated media using file-sharing technology. In early 2004, close to 8 million people in the U.S. alone were estimated to have downloaded music through so-called peer-to-peer apps like LimeWire, eDonkey, Kazaa, and BitTorrent. While it’s difficult to measure exactly how much of the world’s internet traffic consists of people swapping files, at the time some estimates said it was approaching 40 percent. (It was closer to 11 percent by 2016, according to another estimate.)

With this much file sharing occurring online, it’s no surprise that the National Security Agency took notice. According to documents provided by NSA whistleblower Edward Snowden, the spy agency formed a research group dedicated to studying peer-to-peer, or P2P, internet traffic. NSA didn’t care about violations of copyright law, according to a 2005 article on one of the agency’s internal news sites, SIDtoday. It was trying to determine if it could find valuable intelligence by monitoring such activity.

“By searching our collection databases, it is clear that many targets are using popular file sharing applications,” a researcher from NSA’s File-Sharing Analysis and Vulnerability Assessment Pod wrote in a SIDtoday article. “But if they are merely sharing the latest release of their favorite pop star, this traffic is of dubious value (no offense to Britney Spears intended).”

In order to monitor peer-to-peer networks, the NSA needed to both decode the protocols that various services used and, in some cases, break the encryption to see which files were being swapped. This last hurdle was cleared in at least two cases. “We have developed the capability to decrypt and decode both Kazaa and eDonkey traffic to determine which files are being shared, and what queries are being performed,” the researcher wrote.

The NSA developed ways to exploit Kazaa in order to extract information from registry entries stored on a computer, including “e-mail addresses, country codes, user names, location of the downloaded files, and a list of recent searches — encrypted of course,” according to the article. And, while the author doesn’t go into details, they claim that they “discovered that our targets are using P2P systems to search for and share files which are at the very least somewhat surprising — not simply harmless music and movie files.”

Kazaa is no longer in use and its website shut down in 2012.

The eDonkey network, however, is still active, although the system is not nearly as popular as it once was. EDonkey still uses the same vulnerable encryption it did in 2004. EMule, a popular program for connecting to the eDonkey network, hasn’t had an update in over seven years.

A representative of the eMule developer team told The Intercept that security was never a goal for eDonkey’s encryption. “EMule calls its protocol encryption ‘obfuscation’ rather than encryption,” the developer said. “It was a feature intended to stop ISPs and local routers from throttling the protocol by doing simple deep packet inspections, not one to mainly protect the communication against eavesdropping.”

“There is no doubt the NSA could spy on the traffic if they wanted to,” the developer added, “preventing this was not the aim of the protocol encryption (and not much of an issue back then in the old days when this feature was coded).”

Researchers from NSA’s FAVA Pod were not the only spooks interested in peer-to-peer technology. An NSA program called GRIMPLATE was developed to study how Department of Defense employees used BitTorrent, discover if this use was malicious, and potentially build a case for ending such use. According to a classified presentation from the 2012 iteration of the NSA’s annual SIGDEV conference, which aims to develop new sources of signals intelligence, “BitTorrent sessions are seen on a daily basis between NIPRnet hosts,” referring to computers on the DOD network for sensitive but unclassified information, “and [in] adversary space,” that is, outside networks run by U.S. targets like Russia and China.

By 2010, the British electronic eavesdropping agency Government Communications Headquarters was also interested in “active P2P exploitation research,” according to a page on an internal GCHQ wiki. The page describes DIRTY RAT, a GCHQ web application used by analysts that at the time had “the capability to identify users sharing/downloading files of interest on the eMule (Kademlia) and BitTorrent networks. … For example, we can report on who (IP address and user ID) is sharing files with ‘jihad’ in the filename on eMule. If there is a new publication of an extremist magazine then we can report who is sharing that unique file on the eMule and BitTorrent networks.”

The wiki article also hints at information sharing with law enforcement. “DIRTY RAT will soon be delivered to the [London] Metropolitan Police and we are in the early stages of relationships with [U.K. child protection agency] CEOP and the FBI,” it stated.

GCHQ also developed the technology to leverage its peer-to-peer monitoring for active attacks against users of file-sharing networks. A tool called PLAGUE RAT “has the capability to alter the search results of eMule and deliver tailored content to a target,” the wiki article states. “This capability has been tested successfully on the Internet against ourselves and testing against a real target is being pursued.”

NSA declined to comment. GCHQ did not address specific questions and sent a statement saying, “All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorized, necessary, and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Investigatory Powers Commissioner’s Office (IPCO), and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position. In addition, the U.K.’s interception regime is entirely compatible with the European Convention on Human Rights.”

Other stories and NSA documents released today by The Intercept are available on our SIDtoday home page.

Top photo: Kazaa’s website for music downloads.

The post NSA Broke the Encryption on File-Sharing Apps Kazaa and eDonkey appeared first on The Intercept.

It began as routinely as any other passenger flight. At gate 15 of New York City’s JFK Airport, more than 200 men, women, and children stood in line as they waited to board a Boeing 747. They were on their way to Seoul, South Korea’s capital city. But none would ever make it to their destination. About 14 hours after its departure, the plane was cruising at around 35,000 feet not far from the north of Japan when it was shot out of the sky.

The downing of Korean Airlines Flight 007 occurred on September 1, 1983, in what was one of the Cold War’s most shocking incidents. The plane had veered off course and for a short time entered Soviet airspace. At Dolinsk-Sokol military base, Soviet commanders dispatched two fighter jets and issued an order to “destroy the intruder.” The plane was hit once by an air-to-air missile and plummeted into the sea, killing all passengers and crew. President Ronald Reagan declared it a “crime against humanity,” marking the dawn of a volatile new chapter in relations between the United States and the Soviet Union. Soon, tensions would escalate to a level not seen since the Cuban missile crisis, which 20 years earlier had brought the world to the brink of nuclear war.

As the international confrontation between the two adversaries played out publicly, behind closed doors another problem — which has never before been revealed — was developing. The U.S. and one of its closest allies, Japan, were embroiled in a dispute involving secret surveillance. Soviet officials were flat-out denying they had any role in shooting down the jet. At a spy base on Japanese territory, however, communications had been intercepted proving the Soviet military was the perpetrator. The U.S. wanted to obtain copies of the tapes but had to first receive approval from the head of a shadowy Japanese surveillance organization known as the “G2 Annex.”

After some bureaucratic wrangling, the Japanese eventually signed off on the release and the highly sensitive recordings were sent to Washington. From there, the tapes were forwarded to New York City, where U.S. Ambassador Jeane Kirkpatrick brought them to the United Nations headquarters in Manhattan. On September 6 — just five days after the Korean Airlines jet was shot down — Kirkpatrick attended a meeting at the U.N. Security Council where she blasted the Soviet Union for telling “lies, half lies and excuses” about its involvement in the downing of the plane. She then proceeded to play the copy of the intercepted conversations, stating that the evidence was being presented in “cooperation with the government of Japan.”

The case Kirkpatrick put forward against the Soviets was irrefutable and damning. But Japan’s spying capabilities had now been exposed — and the country’s officials were not pleased about it. The G2 Annex received new orders limiting its cooperation with the U.S., which affected the NSA’s relationship with its Japanese counterparts for the better part of a decade, at least until the Cold War ended in the early 1990s.

The details about the Korean Airlines case are revealed in classified National Security Agency documents, obtained by The Intercept from the whistleblower Edward Snowden. The documents, published Monday in collaboration with Japanese news broadcaster NHK, reveal the complicated relationship the NSA has maintained with Japan over a period of more than six decades. Japan has allowed NSA to maintain at least three bases on its territory and contributed more than half a billion dollars to help finance the NSA’s facilities and operations. In return, NSA has kitted out Japanese spies with powerful surveillance tools and shared intelligence with them. However, there is a duplicitous dimension to the partnership. While the NSA has maintained friendly ties with its Japanese counterparts and benefited from their financial generosity, at the same time it has secretly spied on Japanese officials and institutions.

The NSA declined to comment for this story.

On August 14, 1945, Japan announced its unconditional surrender just days after U.S. Air Force planes dropped two atomic bombs on the cities of Nagasaki and Hiroshima, killing more than 100,000 people. The war was over, but as part of the peace agreement, Japan agreed to U.S. military occupation. American forces — led by Gen. Douglas MacArthur — drafted a new Japanese constitution and reformed the country’s parliamentary system. In April 1952, Japan’s sovereignty was restored, but the U.S. continued to maintain a major presence in the country — and that is where the NSA’s story begins.

According to the agency’s documents, its relationship with Japan dates back to the 1950s. NSA’s presence in the country was for many years managed out of a “cover office” in the Minato area of downtown Tokyo, within a U.S. military compound called the Hardy Barracks. From there, NSA maintained close relations with a Japanese surveillance agency that it refers to as Japan’s Directorate for Signals Intelligence, or SIGINT.

At first, the NSA appears to have kept a low profile in Japan, concealing details about its presence and operating undercover. But as its relationship with the country developed, that changed. By 2007, the agency had determined that “cover operations are no longer required” and it relocated its main office in Japan to a space within the U.S. Embassy in Tokyo. “NSA’s partnership with Japan continues to grow in importance,” the agency noted in a classified October 2007 report, adding that it planned to take the country “to the next level as an intelligence partner with the U.S.”

Beyond Tokyo, NSA has a presence today at several other facilities in Japan. The most important of these is located at a large U.S. airbase in Misawa, about 400 miles north of Tokyo. At what it calls its “Misawa Security Operations Center,” the agency carries out a mission under the code name LADYLOVE. Using about a dozen powerful antennas contained within large golf ball-like white domes, it vacuums up communications — including phone calls, faxes, and internet data — that are transmitted across satellites in the Asia-Pacific region.

As of March 2009, Misawa was being used to monitor “over 8,000 signals on 16 targeted satellites,” one NSA document noted. At the same time, the agency was working on beefing up the spy hub’s systems, so that it could meet a challenge set by then-Director Keith Alexander to “collect it all” — meaning, to sweep up as many communications as possible. Misawa’s NSA employees responded to Alexander’s call by developing technology to automatically scan and process more satellite signals. “There are multitude of possibilities,” one Misawa-based NSA engineer reported, predicting that the base would soon be “one step closer to ‘collecting it all.’”

Strategically, Japan is one of the NSA’s most valuable partners. Because of its close proximity to major U.S. rivals like China and Russia, it has been used as a launching pad to spy on those countries. But NSA’s operations in Japan are not limited to monitoring the communications of nearby adversaries. At Misawa, the NSA deployed programs called APPARITION and GHOSTHUNTER, which pinpoint the locations of people accessing the internet across the Middle East and North Africa. NSA documents detailing GHOSTHUNTER’s deployment at the NSA’s British base Menwith Hill state the program was used to facilitate lethal strikes, enabling “a significant number of capture-kill operations” against alleged terrorists. One November 2008 document noted that Misawa had proved particularly useful in tracking down terror suspects in Afghanistan and Pakistan, and was also being used in an effort to identify targets in Indonesia.

Over the past decade, the NSA’s tactics have evolved dramatically — and it has rolled out new and more controversial methods. By 2010, with the internet surging in popularity, the agency was continuing to focus on long-established spying tactics like eavesdropping on phone calls, but it was increasingly adopting more aggressive methods, such as hacking into its targets’ computers.

At Misawa, the NSA began integrating hacking operations into its repertoire of capabilities. One such method it deployed at the base is called a “Quantum Insert” attack, which involves monitoring the internet browsing habits of people targeted for surveillance, before covertly redirecting them to a malicious website or server that infects their computers with an “implant.” The implant then collects data from the infected computer and returns it to the NSA for analysis. “If we can get the target to visit us in some sort of web browser, we can probably own them,” an NSA employee claims in one document describing the hacking techniques. “The only limitation is the ‘how.’”

The Yokota Air Base, another U.S. military facility, sits at the foothills of Okutama mountains near the city of Fussa. The base is about a 90-minute drive west from central Tokyo and houses more than 3,400 personnel. According to the U.S. Air Force, Yokota’s function is to “enhance the U.S. deterrent posture and, if necessary, provide fighter and military airlift support for offensive air operations.” But it also serves another, more secret, purpose.

NSA documents reveal that Yokota is home to what the agency calls its Engineering Support Facility, which supplies equipment used for surveillance operations across the world. In 2004, the agency opened a major new 32,000 square foot building at the site – about half the size of a football field – for the repair and manufacture of surveillance antennas it said would be used in places like Afghanistan, Korea, Thailand, the Balkans, Iraq, Central and South America, and Cyprus. The construction cost $6.6 million, which was paid almost entirely by the government of Japan, a July 2004 NSA report stated. Within the facility, Japan would finance the staff as well, the report noted, including seven designers, machinists, and other specialists, who were collectively receiving salaries worth $375,000.

About 1,200 miles southwest of Yokota is the NSA’s most remote Japanese spying station, located on the island of Okinawa at a large U.S. Marine Corps base called Camp Hansen. It, too, has greatly benefited from a massive injection of Japanese money. In the early 2000s, NSA constructed a state-of-the-art surveillance facility on the island, paid for in full by Japan at a cost of some $500 million, according to the agency’s documents. The site was carved out of a “dense, hilly area” called Landing Zone Ostrich that the Marines had previously used for jungle training. The facility, built to include an “antenna field” for its spying missions, was designed to be low profile, blending in with the landscape. It replaced a previous spy hub NSA had maintained on Okinawa that the island’s Japanese residents had complained was unsightly. The role of the remote eavesdropping station is to collect high-frequency communications signals as part of a mission called STAKECLAIM. The NSA does not appear to have a large number of employees stationed on the island; instead, it remotely operates the Okinawa facility from a “24-hour collection operations center” in Hawaii.

Hiroshi Miyashita, a former Japanese government data protection official, told The Intercept that Japan’s funding of U.S. intelligence activities is withheld from public disclosure under a state secrecy law, which he criticized. “It’s our money — Japanese taxpayers’ money,” he said. “We should know how much was spent for intelligence activities in Japan.” Miyashita, now an associate professor at Chuo University in Tokyo, said it was his understanding that NSA operates in the country outside Japan’s legal jurisdiction due to an agreement that grants U.S. military facilities in Japan extraterritoriality. “There is no oversight mechanism,” Miyashita said. “There is limited knowledge of activities within the bases.”

As recently as 2013, the NSA claimed to maintain “robust” working relations with its Japanese counterparts. The agency has two surveillance partners in Japan: the Directorate for SIGINT, and the Japanese National Police Agency. Japan has collaborated closely with the NSA on monitoring the communications of neighboring countries, and it also appears to rely heavily on U.S.-provided intelligence about North Korean missile launches. As of February 2013, the NSA was increasingly collaborating with its Japanese counterparts on cybersecurity issues. And in September 2012, Japan began sharing information with the NSA that could be used to identify particular kinds of malicious software being used by hackers. This was the first time the country had shared this kind of data and the NSA viewed it as highly valuable, potentially leading to the prevention or detection of hacking attacks on “critical U.S. corporate information systems.”

“Japanese citizens know almost nothing about Japanese government surveillance. It is extremely secret.”

In return, the NSA has provided Japanese spies with training, and it has also furnished them with some of its most powerful spying tools. An April 2013 document revealed that the NSA had provided the Japanese Directorate for SIGINT with an installation of XKEYSCORE, a mass surveillance system the NSA describes as its “widest reaching” for sweeping up data from computer networks, monitoring “nearly everything a typical user does on the internet.”

Igeta Daisuke, a Japanese lawyer who specializes in civil liberties cases, said that the XKEYSCORE revelation was “very important” for the country. The Japanese government’s use of the system could violate Japan’s Constitution, which protects privacy rights, Daisuke told The Intercept. He added that Japan has a limited legal framework covering surveillance issues, largely because the scope of the government’s spying has never before been disclosed, debated, or ruled upon by judges. “Japanese citizens know almost nothing about Japanese government surveillance,” said Daisuke. “It is extremely secret.”

The Japanese government’s defense ministry, which oversees the country’s surveillance capabilitites, declined to comment.

The NSA works with a diverse range of counterparts in countries across the world — from the United Kingdom and Sweden to Saudi Arabia and Ethiopia. But the agency’s partnership with Japan is one of its most complex and seems tainted by a degree of distrust, highlighted by the dramatic aftermath of the Korean Airlines incident in 1983.

In a November 2008 document, one of NSA’s then most senior officials in Japan offered an insight into the relationship. He described the Japanese as “very accomplished” at conducting signals intelligence but lamented that they were excessively secretive. The country’s spies were “still caught in a Cold War way of doing business,” the official wrote. “They treat SIGINT as a special-access program — the most sensitive program they have. The result is that they are rather stove-piped, somewhat like NSA was 10-or-more years ago.”

The NSA participates in a group called the SIGINT Seniors Pacific, which has included surveillance agencies from Australia, Canada, the United Kingdom, France, India, New Zealand, Thailand, South Korea, and Singapore. The group keeps tabs on security issues in the Asia-Pacific region — issues of great interest to Japan, given its geographic location. Yet the country refused to join the meetings. “Japan was the only nation who was actually offered membership but turned it down,” wrote one NSA employee in a March 2007 document. “At the time, Japan expressed concerns that unintended disclosure of its participation would be too high a risk and had other reasons as well.”

Some of the difficulties have directly impacted the NSA’s operations. According to the agency’s documents, for many years Japan participated in a surveillance program called CROSSHAIR, which involved sharing intelligence gathered from high-frequency signals. However, in 2009, the country abruptly ceased its participation in the program.

Four years later, the issue was still causing NSA concern. Ahead of a February 2013 meeting the agency had scheduled with the deputy director of Japan’s Directorate for SIGINT, it prepared a briefing document that outlined the CROSSHAIR problem and warned of a “potential landmine” associated with the discussions. “In the past, the partner has mistakenly perceived that NSA was trying to force [the Directorate for SIGINT] to use U.S. technical solutions in place of their own,” the memo stated. “When this occurred, the partner reacted in a strong, negative manner.”

But while NSA employees may walk on eggshells with Japan during face-to-face meetings, they have taken a different approach on a covert level. An NSA document from May 2006 indicated that a division of the agency — called Western Europe and Strategic Partnerships — was spying on Japan in an effort to gather intelligence about its foreign policy and trade activities. Moreover, as of July 2010, the NSA had obtained domestic court orders enabling it to conduct surveillance on U.S. territory of Japanese officials and the Bank of Japan, which has offices in Washington, D.C., and New York City.

The NSA’s covert eavesdropping operations give it an insight into the Japanese government’s private negotiations and dealmaking. As was the case in late May 2007, during a secret meeting at the luxury Hotel Captain Cook in downtown Anchorage, Alaska.

The 59th annual gathering of the International Whaling Commission was being held in the hotel — and Japan was lobbying to end a moratorium preventing countries from hunting whales for commercial purposes. U.S. officials supported maintaining the moratorium and called in the NSA to help spy on Japan’s representatives ahead of a crucial vote. The agency worked with its New Zealand counterparts to conduct the surveillance. “New Zealand had the target access, and collected and provided insightful SIGINT that laid out the lobbying efforts of the Japanese and the response of countries whose votes were so coveted,” noted an NSA document from July 2007, which outlined the operation.

One morning into the four-day gathering, at 7 a.m., an NSA employee arrived in a taxi at the agency’s Alaska Mission Operations Center, a 20-minute drive from the hotel. She collected printed copies of the intelligence that had been gathered from the Japanese communications. She then returned to the hotel with the information stored in a locked bag, and brought it to a private conference room in the hotel. There, the material was shared with two U.S. delegates from the Department of Commerce, two officials from the State Department, two representatives from New Zealand, and one from Australia. The officials read the material in silence, pointing and nodding while they studied it.

The 77-member commission voted at the meeting to allow aboriginal whaling for indigenous people in the U.S., Russia, and Greenland. Japan put forward a proposal that it should be permitted to hunt minke whales for similar reasons, claiming that doing so has been part of its culture for thousands of years. But it failed in its efforts; at the end of proceedings in Anchorage, the moratorium stood and Japan was not granted any special exemptions.

Japan’s representatives were furious and threatened to quit the commission altogether. “This hypocrisy leads us to seriously question the nature by which Japan will continue participating in this forum,” complained Joji Morishita, Japan’s deputy whaling commissioner. As far as NSA was concerned, however, it was a job well done. Whatever intelligence the agency had gathered during the meetings — the specifics of which are not revealed in the document — it had apparently helped sway the vote and scupper Japan’s plans. “Was the outcome worth the effort? The Australian, New Zealand, and American delegates would all say ‘yes,’” noted one agency employee who was involved in the covert mission. “I believe the whales would concur.”

———
Documents published with this article:

• What are the Japanese like as SIGINTers
• NSA opens new engineering support facility in Japan
• The story behind the move
• The KAL 007 shootdown
• Japan provided with XKEYSCORE
• NSA special SIGINT delivery
• U.S. and Japan now exchanging collection from reconnaissance missions
• Shift to software demodulation in Misawa expands collection, saves money
• NSA liaison in Tokyo opens new office
• Crosshair: foreign partners filling HFDF gaps for the U.S.
• NSA policy and trade surveillance of Japan
• Japan official NSA visit, cyber briefing
• Japan official NSA visit, HF briefing

Top photo: US Secretary of Defense Leon Panetta delivers a speech after arriving at the Yokota airforce base in Tokyo on October 24, 2011.

The post Japan Made Secret Deals With the NSA That Expanded Global Surveillance appeared first on The Intercept.

By the first half of 2004, the National Security Agency was drowning in information. It had amassed 85 billion phone and online call records and cut the ribbon on a new hacking center in Hawaii — but it was woefully short on linguists who could make sense of captured communications and lacked enough network analysts to effectively monitor all the systems it had hacked.

The signals intelligence collected by the agency was being used for critically important decisions even as NSA struggled to understand it. Some bombs in Iraq were being targeted based entirely on signals intelligence, a senior NSA official told staff at the time — with decisions being made in a matter of “minutes” with “less and less review.”

Information overload is just one of several themes running through 262 articles from the NSA’s internal news site, SIDtoday, which The Intercept is now releasing after careful review. The documents also detailed an incident in which the Reagan administration appears to have leaked classified intelligence to the press for political purposes, described in an accompanying article by reporter Jon Schwarz.

SIDtoday articles published today also describe how the NSA trained FBI agents, enabled U.S. intervention in Latin America, and, with the help of a gifted analyst at the Defense Intelligence Agency, learned the value of simply reading information that was already public. One document even suggests that NSA personnel routinely got dangerously chatty at restaurants near headquarters. These stories and more are described in the highlights reel below. The NSA declined to comment.

Dropping Bombs in Iraq “With Less and Less Review”

A top NSA official disclosed in a January 2004 SIDtoday column that U.S. forces were “dropping bombs” based entirely on signals intelligence, the type of intelligence collected by the agency. He then implied that the American officers involved risked prosecution for war crimes.

Charles Berlin, chief of staff in the Signals Intelligence Directorate, recounted an anecdote about a former commander of his who, in one session in the winter of 1995-96, personally reviewed more than 100 possible airstrike targets in the Balkans. The commander’s motivation, Berlin said, was to protect his underlings from being prosecuted for war crimes, and his actions “really brought home the concepts of responsibility and accountability.”

“For us today this lesson is especially important,” he added. “The planning cycle for dropping a bomb has compressed from a day to minutes and the criterion for the aiming point has less and less review.”

“As many of you know, our forces in Iraq are dropping bombs on the strength of SIGINT alone. We are proud of their confidence in us, but have you ever considered the enormous risk the commanders are assuming in this regard? Are you ready to share that risk?”

Inside the NSA’s Call-Logging Machine

Among the ways the NSA identified potential terrorists was through a practice known as “information chaining,” which uses communications metadata to draw a social graph. And there’s no question the agency had lots of metadata: As of 2004, the NSA had amassed a database of more than 85 billion metadata records related to phone calls, billing, and online calls — and was adding 125 million records a day, according to a January 2004 SIDtoday article titled “The Rewards of Metadata.”

The database, known as FASCIA II, would at some unspecified point in the future begin processing 205 million records a day and storing 10 years of data, the article added. One of the world’s largest Oracle databases at the time, FASCIA II held metadata records from telephone calls, wireless calls, billing, the use of media over the internet, and high-powered cordless phones, with plans to add email metadata in the future.

The article explained that metadata is used by the agency in the process of “information chaining,” in which analysts spy on relationships between people. It further claimed that two senior al Qaeda operatives had been captured with the help of such techniques. A March 2004 SIDtoday article said a chaining tool called MAINWAY helped a counterterrorism analyst uncover six new “terrorist-related numbers.”

Short on Linguists, NSA Struggled to Understand Targets

It’s one thing to collect phone calls, email messages, and other signals intelligence. It’s quite another to make sense of it. Several SIDtoday articles from the first half of 2004 made clear that the NSA was falling far short in its attempts to process communications conducted in languages other than English.

Only half of the agency’s more than 2,300 “language missions” worldwide had qualified personnel, according to a June 2004 SIDtoday article by an NSA “senior language authority.” The author declared that “this shortcoming must be rectified.” An NSA report to an oversight council, quoted in the article, said that the lack of qualified language analysts was particularly acute in the “Global War on Terrorism.”

Exacerbating the situation was the fact that captured communications require a high level of linguistic proficiency to understand. “The cryptologic language analyst must be able to read and listen ‘between the lines’ to unformatted, unpredictable discourse,” as the article put it. Only a quarter of military cryptologic linguists, who formed the vast majority of the workforce, could work at this level, known as “level 3” proficiency, while barely half of the civilian cryptologic linguists could, according to a follow-up SIDtoday article. The military’s language training institute offered “virtually no existing curriculum” above level 2.

NSA’s plan to address the problem included reforms to the training institute and on-site instruction to bring existing linguists up to higher levels. The agency planned to invest about $80 million per year in training over five years. Other efforts included an internal online language training tool, an evaluation of redundant Arabic machine translation projects underway in various government agencies, and the formation of a language technology team within the NSA.

How the NSA Over-Hacked

Sometimes metadata isn’t enough and the NSA decides it needs to compromise targets’ computers to collect much more data. The first half of 2004 saw a ramp-up of NSA’s hacking capabilities. In March, SIDtoday reported, the agency’s elite hacking team Tailored Access Operations approved Kunia Regional Security Operations Center in Hawaii — the same facility where Edward Snowden later worked — as the first NSA field office to conduct “advanced” Computer Network Exploitation. Other facilities conduct the first stage of hacking, “target mapping,” but the Kunia facility began doing “vulnerability scanning” all the way through to “sustained SIGINT collection.”

Another March SIDtoday article said that an advanced network analysis division used to help “exploit targets of interest” had “played an instrumental part” in capturing alleged al Qaeda operative Husam al-Yemeni, had developed a “more complete understanding of the Pakistani Army Defense Network (ADN) infrastructure,” and had assisted with the hacking of “an important digital network associated” with the leader of Venezuela at the time, referred to erroneously as “Victor Chavez.”

The NSA was so successful at hacking networks that the agency was overwhelmed with information. “We simply do not have enough network analysts to effectively monitor these targeted networks,” an NSA division chief wrote in an April 2004 SIDtoday article. To solve the problem, the agency began prototyping an automated monitoring system.

“Outstanding” Bookworm Spy Doesn’t Need to Really Spy

Even as the NSA made enormous efforts to collect vast quantities of private communications, a lone SIDtoday article extolled the value of publicly available data. The piece, from May 2004, gushed about a Defense Intelligence Agency analyst who dug up leads by poring over Russian material that was “open source.” The DIA bookworm searched in newspapers, government documents, and “obscure websites” for information that aided the NSA in collecting intelligence, including names, telephone numbers, and addresses. The article, co-authored by an NSA director with responsibility for Russia, praised the analyst’s “outstanding language and research skills.” It turned out that “critical lead information” on Russian underground facilities, including a mysterious and widely discussed site at Yamantau Mountain in the Urals, was “often only available in open source literature, such as the Internet.”

Cuba’s President Raul Castro whispers in Venezuelan President Hugo Chavez’s ear during the South America and the Caribbean Summit in Sauipe, Brazil, on Dec. 16, 2008.

How the NSA Secures — and Routinely Puts at Risk — Sensitive Information

Knowing how much intelligence value could be reaped from openly circulated information, the NSA worked to encourage discretion among members of its workforce. NSA employees practiced poor operational security on a “monthly” basis by disclosing too much information in restaurants and other public settings near the agency’s Fort Meade headquarters, an agency security manager indicated in a tutorial on operational security that ran in SIDtoday in April 2004.

The article used a hypothetical scenario to explain why operational security, or OPSEC, was important for everyone. The author, OPSEC manager for the NSA’s Signals Intelligence Directorate, wrote: “You’re at a luncheon at a local restaurant to bid farewell to Sue, a co-worker who is moving on to a new office.” Your boss makes a toast to Sue, describing her contributions against organized crime and offering various details of her work. Sue then gives a toast thanking some of the gathered individuals.

“Sound familiar?” the OPSEC manager asked. “Then you’ve witnessed (or perhaps participated in) a demonstration of poor OPSEC. … Have you ever stopped to consider what your unclassified public discussions might be giving away? Take the scenario, for instance. This is a scene that is played out monthly in the Fort Meade area.” The article went on to list the pieces of information that an adversary, who could have been listening in from a nearby table, would have learned.

OPSEC turned out to be a recurring theme for SIDtoday — OPSEC training is, after all, mandatory for all NSA personnel. A January 2004 article, written by the author of the April 2004 piece, listed some tips to help personnel to apply OPSEC to their day-to-day activities: Identify your critical information, analyze the threat, identify vulnerabilities, assess risk, and apply countermeasures.

NSA employees aren’t the only ones trained to practice good OPSEC. A March 2005 article reported that the leaders of Venezuela and Cuba practiced OPSEC successfully. President Bush considered Venezuelan President Hugo Chavez a “threat to democracy in the region and a threat to U.S. interests in particular.” But “from a SIGINT perspective, Venezuela poses a particularly difficult challenge. With Castro as his mentor, Chavez has learned the importance of communications security and has made sure that his subordinates understand this as well.”

Law & Order & the NSA

Various 2004 SIDtoday articles highlight the NSA’s behind-the-scenes work on behalf of federal law enforcement.

One detailed a two-week training course on “intelligence reporting” given by NSA staff to FBI officers working on terrorism cases. The course, which had a component dubbed “SIGINT Reporting 101,” aimed to provide “insight into the complexity and difficulty of our business” and to dispel “Hollywood myths about the NSA.”

Another SIDtoday article showed how the U.S. Coast Guard was able to interdict a boat carrying 3.2 metric tons of cocaine thanks to the NSA’s monitoring of VHF radio signals, which carried voice communications of narcotraffickers. An official Coast Guard history of the incident elides the NSA’s role. The same SIDtoday article also disclosed that the Colombian air force carried out a strike against a suspected trafficker aircraft after a tip-off from the NSA.

NSA vs. FARC

Colombian guerrillas holding American hostages evaded massive NSA surveillance, according to a February 2004 SIDtoday article.

One year after three American contractors, who had been on a surveillance mission for the U.S. military, were captured by the Revolutionary Armed Forces of Colombia, a Marxist guerilla group, the U.S. “has not been able to determine with high confidence the exact location and status of the hostages,” wrote an NSA account manager for the military’s Southern Command. This despite “hundreds” of U.S. government personnel having worked to gain their release. U.S. efforts were stymied when FARC’s leadership ordered that personnel cease mentioning hostage operations directly in their communications; the best the NSA could achieve at the time of the SIDtoday article was to monitor calls between two radio operators, “Paula and Adriana,” who in turn were connected to the FARC leaders “we strongly suspect are linked to the hostages.”

The author of the SIDtoday article added that the agency continued to try and get a fix on the location of the hostages. Yet their captors eluded the Americans for another four years. The three Americans were freed by Colombian commandos in July 2008.

A March 2004 SIDtoday article noted a success against FARC, bragging that the arrest of FARC financial leader Anayibe Rojas Valderrama, known as “Sonya,” and a number of her associates a month earlier “resulted from years of monitoring. … Accurate geolocational data as to where she was and when, allowed a vetted Colombian team to capture them by surprise and without any loss of life.” Valderrama was extradited to the United States where she was tried and convicted on drug trafficking charges in 2007.

Internal NSA Criticism of Political Groups and the News Media

A national intelligence officer gave a top-secret “issue seminar” to NSA staff on the question of “where political action fades into terrorism,” according to a seminar announcement published in June 2004. The announcement suggested that the line between “legitimate political activity” and “activity that is the precursor to, or supportive of, terrorism” is fuzzy. The course used the Vienna-based organization Anti-Imperialist Camp as a case study, describing it as “ostensibly a political organization” but noting that “its many ties to terrorist organizations — and its attempts to collaborate with Muslim extremists — raise questions about where political action fades into terrorism.” No further details were given to substantiate the alleged ties; the group’s website remains online. A spokesperson for the group, Wilhelm Langthaler, told The Intercept that the group was targeted for such accusations for political reasons, including its opposition to the war in Iraq and “our public support for the resistance against occupation which we have compared with the antifascist resistance against German occupation.”

Another seminar announcement said the news media helped stymie U.S. intelligence collection. “A day hasn’t gone by that our adversaries haven’t picked up a newspaper or gone on the Internet to learn something new about how the US intelligence gathering system operates and what its capabilities or limitations are,” the course overview explained. “And in response, a day hasn’t gone by that our adversaries haven’t modified their operations and activities to avoid being detected and collected against by the US intelligence gathering system.”

NSA’s Role in the Failed Iran Hostage Rescue Attempt

In an anecdote about signals intelligence during the 1980 Iranian hostage rescue mission, a SIGINT staffer recalled the night of April 24 of that year, when he was told he was monitoring the ongoing “Operation Ricebowl.” In a May 2004 SIDtoday article, the staffer wrote: “We knew the parameters of the Iranian Air Defense system because it was U.S. equipment and installed by U.S. contractors while the Shah of Iran was still in power. We knew exactly where the gaps in coverage were and we exploited it during the rescue attempt.” The author went on to describe his shock the next morning when he saw on TV news at home that the mission had ended with a disastrous helicopter crash.

Top photo: American soldiers from the 1st Cavalry Division 2nd Battalion 7th Cavalry run through a smoke screen as they try to avoid sniper fire during an offensive operation on Aug. 16, 2004, in Najaf, Iraq.

The post Drowning in Information: NSA Revelations From 262 Spy Documents appeared first on The Intercept.

The 166 articles we’re releasing today from an internal NSA publication, SIDtoday, were subjected to a careful process of research, editorial evaluation, legal review, reporting, redaction, and digital processing. This article explains how that process worked.

After deciding it was in the public interest to release and write about large batches of documents supplied by whistleblower Edward Snowden, The Intercept settled on beginning with SIDtoday, the online newsletter of the NSA’s core spying division, the Signals Intelligence Directorate. Written in accessible, non-technical language, SIDtoday offers a window into the NSA’s culture and operations. Although much of its content is unclassified and often appears largely designed to burnish the agency’s self-image, SIDtoday also includes more revelatory sections that are officially “secret” and “top secret.”

Our initial goal was to release in one batch the first three months of SIDtoday, starting at the end of March 2003, as well as all 2003 installments of SIDtoday article series that began during this period. Before we could do that, we needed to build a pipeline that would allow us to securely handle these sensitive documents and prepare them for publication.

From Messy HTML to Clean PDF

In its original home at the NSA, SIDtoday is a website, but, unlike normal websites that are accessible from the internet, this one is only accessible from computers that are connected to an internal spy agency network. This means SIDtoday articles, as provided by Snowden, were in Hypertext Markup Language, or HTML, the native format of the web. To be fully readable, most webpages require HTML files as well as associated images, stylesheets, and other files, but unfortunately those other elements were not included in the Snowden archive. This meant the original webpages looked rather chaotic when viewed in a web browser. They also included broken links to the internal NSA network.

Staff technologist Micah Lee prepared software that parsed the original SIDtoday HTML files and extracted the usable content. This content was then placed into a template with minimalist design and converted to PDF format. PDF files, unlike HTML files, could be edited by multiple staffers using widely available, easy-to-use software tools with native redaction facilities.

The PDF files don’t look the same way the original SIDtoday website looked — they don’t use the original layout or style elements — but they do contain the same text content. They also include the original clip art-style SIDtoday logo.

Research and Redaction

Once the files were formatted, Research Editor for Investigations Margot Williams combed through each article, doing several things at once: identifying names that we might need to redact, researching those individuals to see what was publicly known about them, summarizing the document, and looking for material that could be the basis of stories for The Intercept.

In keeping with The Intercept’s editorial standards, we redacted the names of covert agents and the names and contact information of government personnel who are neither high-ranking nor already publicly associated with the NSA. We also removed information if we believed its release could cause serious injury or death to innocent people.

After Williams reviewed each article, the article was reviewed again by Lee, by a senior editor, and by our legal counsel. Redacted articles were also shown to the NSA, which was offered a chance to respond, resulting in the redaction of two additional names.

Writing and Publishing

The Intercept’s examination of this first batch of SIDtoday content yielded an article on the NSA’s involvement with interrogations at Guantánamo Bay as well as a “highlights reel” summarizing insights gleaned from the material that struck us as most relevant for our readers. In addition, Senior Editor Peter Maass places SIDtoday in context with his story describing the publication, and co-founder Glenn Greenwald explains why we decided to begin making large batches of Snowden material available to the public. While we have focused on the parts of these documents we find most compelling, we anticipate readers will find other information of interest in the files we are sharing — which is why we decided to approach the release in the way we did.

A landing page dedicated to our SIDtoday releases is available. On this special section of The Intercept’s website, readers can download the files individually or all at once, navigate by tag or date, and view SIDtoday articles alongside a wealth of metadata, including summary, original publication date, citations pointing to prior publication of unredacted names, tags, and related links. This represents the first phase of an evolving project, which will eventually include additional features, such as a search capability, as well as a growing number of documents.

Related Stories:

• Snowden Archive — The SIDtoday Files
• The Intercept Is Broadening Access to the Snowden Archive. Here’s Why
• The Most Intriguing Spy Stories From 166 Internal NSA Reports
• NSA Closely Involved in Guantánamo Interrogations, Documents Show
• The NSA’s Newspaper Reveals the Human Side of America’s Digital Spies

The post How We Prepared the NSA’s Sensitive Internal Reports for Release appeared first on The Intercept.