How Gchq Prepares For Interception Of Telephone Calls From Satellite Links

(Updated: Jan 6, 2017)

Most of the Snowden-revelations are almost spying on the internet, but NSA too GCHQ are also conducting the to a greater extent than traditional collection of telephone communications that acquire through satellite links.

What needs to move done earlier telephone calls tin move collected, tin move learned from ii highly detailed technical reports from the GCHQ listening station close Bude inward the UK.

These reports were published on August 31 terminal twelvemonth yesteryear the German linguistic communication periodical Der Spiegel from Dec 20, 2013, they are from "a packet of documents filled with international telephone numbers too corresponding annotations" from Sigint Development (SD), which is a unit of measurement that identifies too develops novel targets.

The technical reports are almost bear witness runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" too whether for certain satellite links could move "of potential involvement for tasking". The reports give no indication almost whether the listed numbers were eventually tasked for collection too neither almost the intensity too length of whatsoever such surveillance.

Der Spiegel says these documents exhibit that GCHQ "at to the lowest degree intermittently, kept tabs on entire country-to-country satellite communication links, similar Germany-Georgia too Germany-Turkey, for example, of for certain providers", which sounds rather indiscriminate.

However, the fact that GCHQ analysts are sampling these satellite links on whether they incorporate target's telephone numbers, shows they are looking for the most productive links to move eventually intercepted. During the parliamentary investigation inward Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.

Technical written report nr. 35

The kickoff technical written report is issue 35 from Oct 15, 2008. It is almost 4 satellite links betwixt the U.K. too Iraq, which were given the next instance notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:

- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)

The physical gateways (the satellite solid pose down stations) for these satellite links are inward the United Kingdom of Great Britain too Northern Ireland too inward Iraq, with the United Kingdom of Great Britain too Northern Ireland station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE too Egypt.

Multiplexing too compression

By analysing the C7 channel (see below), it was confirmed that the ii links from the United Kingdom of Great Britain too Northern Ireland to Republic of Iraq were load-sharing traffic betwixt the Rest-of-the-World too Iraq, equally was the instance for the link originating inward Iraq.

For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made yesteryear Dialogic. This is a high-capacity, multi-service, multi-rate vocalization too information compression system, which is able to simultaneously compress terms lineament voice, fax, Voice Band Data (VBD), native information (for example, V.35), too signaling information:

This sort of vocalization compression equipment is installed at either destination of long-distance links, similar from communications satellites or submarine fiber-optic cables. Telecommunication companies endeavour to pack equally much capacity into equally footling physical infinite equally possible, making it also to a greater extent than hard for intelligence engineers to unpack it.

Signaling System No. 7

Most of the information inward the written report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 equally specified yesteryear ITU-T recommendations. In the USA it is referred to equally SS7 or CCSS7 (for Common Channel Signalling System 7).

SS7 is a laid of protocols for setting upwardly too routing telephone calls. In the SS6 too SS7 versions of this protocol, this signalling information is "out-of-band", which agency it is carried inward a carve upwardly signaling channel, inward gild to maintain it apart from the end-user's well path.

In other words, SS7 contains the metadata for telephone conversations, similar the calling too the called telephone numbers too a make of switching instructions. This makes the SS7 or C7 channel the kickoff halt for intelligence agencies.

Analysis of the link

In gild to run across whether these 4 satellite links could incorporate traffic that is useful for unusual intelligence purposes, the analyst took about telephone numbers from Republic of Iraq (country code 964), Islamic Republic of Iran (98), Syrian Arab Republic (963) too the United Kingdom of Great Britain too Northern Ireland (44) too looked whether these appeared inward the information of the C7 channel.

All 4 links had hits, both for the called too the calling number. These numbers were redacted yesteryear The Intercept, except for the terms "Non Op Kurdish Extremism" too [Kurdish] "Leadership". The written report continues with a to a greater extent than detailed analysis of the links. As an illustration nosotros await at the i betwixt the United Kingdom of Great Britain too Northern Ireland too Iraq, which has the instance notation G2BCR too was paired with G2BCS:

On this link, the C7 channel runs betwixt destination points that are Intelsat 902 communications satellite, but the exact frequencies of the 4 links are redacted, only similar the Symbol Rate too the FEC Rate. FEC in all probability stands for Forward Error Correction, to mitigate for packet losses.

There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links too how they are collected. It seems unusual that this internal RASIN code is visible, piece the FEC rate, which is mutual technology, is redacted.

Conclusion

The determination on whether these satellite links tin move tasked on the collection organization is: "Due to express patching at that topographic point is currently no spare tasking availability on Lopers". LOPERS is i of the primary systems used yesteryear NSA for collecting telephone communications. According to Der Spiegel, about other reports concluded almost tasking: "Not currently due to the information charge per unit of measurement of the carriers."

Finally, this technical written report gives the (redacted) contact details at OPA-BUDE, with OPA existence the abbreviation of a yet unknown unit of measurement at the GCHQ Bude listening station inward Cornwall. The terminal department of the written report is fully blacked out yesteryear The Intercept, but the side yesteryear side written report volition exhibit what is evidently covered there.

Technical written report nr. 44

The instant technical written report is from Dec 1, 2008 too is almost a satellite link betwixt Hashemite Kingdom of Jordan too Belgium. It has the instance notation 8BBAC, with 8B existence the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are inward Hashemite Kingdom of Jordan too Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).

The link is an E1 carrier, which agency it runs 2048 Megabit/second too has 32 timeslots (channels), which are numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Megabit/second too has 512 timeslots). Each timeslot tin send i telephone call, thence i E1 link tin transmit upwardly to thirty calls simultaneously. The remaining ii timeslots are used for the signaling information.

The analyst flora that inward this instance timeslots thirty too 31 were used to relay the C7 signaling information too that compression was achieved yesteryear the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, i Intelsat communications satellite tin relay upwardly to 112.500 vocalization circuits (telephone calls) simultaneously.

The written report also says that the "RLE to this link is believed to move 8BBNH. Currently inward thought at Sounder". RLE stands for Return Link End, which inward this instance would move the link dorsum from Kingdom of Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos inward Cyprus, which is evidently able to intercept the Intelsat downlink to Jordan.

The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) inward Cyprus

Analysis of the link's metadata

The technical written report says that on timeslot 30, the C7 channel runs betwixt destination points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) inward Jordan, too the Destination Point Code (DPC) 2-014-7 at F Belgacom inward Brussels, Belgium.

It's interesting to run across Belgacom here, equally from 2009, GCHQ got STRAP. Within that system, STRAP 1 is the lowest level.

More interesting is the NSA mark SPOKE, which also denotes a command organization to boundary access to the document, but is rarely seen. Other British documents marked STRAP 1 ofttimes bring COMINT equally their American equivalent, which is the full general mark used for all information related to communications intelligence that hasn't to move to a greater extent than strictly controlled.

SPOKE is i of the codewords that NSA used inward the past, but which were presumably abandoned inward 1999. But from documents published equally business office of the Snowden-leaks nosotros know that from these codewords at to the lowest degree SPOKE too UMBRA are yet used.

Given what's inward the known documents that bring the SPOKE classification, it seems to encompass technical information almost targets, similar their telephone numbers too the communication links inward which these tin move found. The higher UMBRA mark is thence in all probability used for the actual content, when this is collected exterior the USA nether EO 12333 authority.

Updates:

On March 12, 2015, the Intelligence too Security Committee (ISC) of the British Parliament published an extensive report almost interception activities of the United Kingdom of Great Britain too Northern Ireland intelligence agencies, which says that GCHQ exclusively collects information from a pocket-size issue of fiber-optic cable channels ('bearers'), which are probable to incorporate traffic that is of intelligence value.

On Dec 8, 2016 the French paper Le Monde published about other laid of technical reports inward which, alongside many others, about targets from Israel, Hashemite Kingdom of Jordan too African countries were mentioned.