Sunday, August 18, 2019

Slides About NSA's Upstream Collection

(Updated: August 16, 2015)

In July and September of last year, the Brazilian weekly television magazine Fantástico broadcast news reports about NSA operations, while showing a series of slides from an unpublished NSA PowerPoint presentation in the background.

The slides seem to be about NSA's corporate partners for the "collection of communications on fiber cables and infrastructure as data flows past" - which became known as "Upstream collection", a term mentioned in one of the PRISM slides.

The corporate partnerships are one of three ways NSA is intercepting the world's main internet cables:
- Cooperation with telecommunication companies
- Cooperation with foreign intelligence agencies
- Unilateral cable tapping operations

On Twitter, Glenn Greenwald once said that these slides would also be published and explained separately, but so far this hasn't happened - that's why it's done here.

UPDATE:
Almost two years after these slides were shown on Brazilian television, the full NSA presentations to which some of them belong were finally published, as part of a report by The New York Times and Pro Publica from August 15, 2015.

> See: FAIRVIEW: Collecting foreign intelligence inside the US

-----O-----


The first series of slides was shown in a Fantástico report from September 8, 2013. These slides are posted here in the order in which they were seen in the report, which might be the order of the original NSA PowerPoint presentation.

The slides show the logos of the National Security Agency (top left) and its Special Source Operations (SSO) division (top right). They are marked TOP SECRET // COMINT // NOFORN, which means they are classified Top Secret, in the compartment for Special (Signals) Intelligence and that it's not allowed to distribute them to foreigners, not even to the Five Eyes partners.


Probably one of the first slides of the presentation shows a map of "optical fibre submarine networks", which was prepared by the telecommunication company Alcatel Lucent in 2007. Based upon dates in some of the slides, this NSA presentation seems to be from late 2011 or early 2012.



The Corporate Portfolio of collection programs in which SSO is cooperating with corporate partners is listed in the next slide. It is assumed that FAIRVIEW, BLARNEY and STORMBREW are for collection inside the US and the programs under the OAKSTAR umbrella are intercept facilities elsewhere in the world. Two programs seem to be conducted by SSO in cooperation with TAO, which is NSA's computer hacking division:



The next slide is about the Transit Authority, which is the most mysterious of the four legal authorities that govern NSA operations. Until now, it's not clear what the legal basis of the Transit Authority is. One option is a secret presidential directive signed by Bill Clinton or George W. Bush, another option is that this method was authorized by the FISA court.

Transit Authority applies when both ends of a communication are foreign, which is checked by filters at the front-end collection systems. When the TOPI (Target Office of Primary Interest, a unit that conducts the data analysis) discovers that accidentally one end of the communication is in the US, the SSO Corp Team has to be informed, which reports to the Oversight and Compliance unit (NSA/SV):



The Transit Authority is illustrated in the next slide. With a close look one can see there's a star placed between Iran and Iraq, one in the US and one somewhere near French Guyana. There's an elliptical line connecting them, as an example of communications traffic from Iran to Guyana, which transits the United States:



Some "unique aspects" of the upstream collection are that it takes place under various legal authorizations:
- Executive Order 12333: for collection outside the US
- Transit: for collection inside the US, with both ends foreign
- FISA: for collection inside the US, with one end foreign and targets approved individually by the FISA Court
- FAA: for collection inside the US, with one end foreign and a list of targets approved annually by the FISA Court

Under section 702 FAA, NSA is also collecting data from internet service providers under the PRISM program. From a 2011 FISA Court ruling (pdf) that was declassified upon request of the Electronic Frontier Foundation we learn that under section 702 FAA, NSA acquires more than 250 million "internet communications" each year. This number breaks down as follows:
- Upstream: ca. 9% or more than 22 million communications *
- PRISM: ca. 91% or more than 227 million communications

The ruling doesn't explain what exactly an "internet communication" is. A problem that troubled both NSA and the FISA court was that under Upstream it's technically very hard to distinguish between single communications to, from or about targeted persons and those containing multiple communications, not all of which may be to, from or about approved targeted addresses. The latter may contain up to 10,000 domestic communications each year.*

The actual intercept facilities are probably located at sites of telecommunication companies or collection is done with their assistance.
There are delays between the tasking, which is when an analyst orders particular data to be collected, and the actual collection of those data.



The following slides show details of a number of different programs involved in the Upstream collection. For each program there's the SIGINT Activity Designator (SIGAD), the Producer Designator Digraph (PDDG), the legal authority, what is collected, the key targets and in some cases a custom logo for the program. There are no slides with details about DARKTHUNDER, STEELFLAUTA, ORANGEBLOSSOM, BLUEZEPHYR and COBALTFALCON.


SILVERZEPHYR is for collecting internet content and metadata under FAA authority, and telephony content and metadata under Transit Authority, focused on South, Central and Latin America. As the program operates under Transit Authority, the intercept facility is most likely located in the US. The corporate partner is codenamed STEELKNIGHT:



YACHTSHOP is for collecting worldwide internet metadata, which are stored in the MARINA database. Probably the program operates under EO 12333 authority and the corporate partner, codenamed BLUEANCHOR, is outside the US:




ORANGECRUSH was not active at the time of the presentation, but was intended to collect internet and telephony content and metadata at an intercept facility outside the US in cooperation with a corporate partner codenamed PRIMECANE and a 3rd Party partner agency.

Update:
According to the book 'Der NSA-Komplex' by Spiegel journalists Marcel Rosenbach and Holger Stark, ORANGECRUSH is a cooperation with an American high-tech company and a Polish intelligence agency to collect metadata and content related to the Middle East and Afghanistan from fiber optic cables in Europe. This means PRIMECANE is the cover name of this American tech company and confirms that Poland is a 3rd Party partner of NSA.



SHIFTINGSHADOW is for collecting telephony content and metadata from the telecommunication providers MTN Afghanistan, Roshan GSM and Afghan Wireless Communication Company (AWCC). This is done through an intercept facility which is probably in or near Afghanistan. It seems NSA is not cooperating with these Afghan telecom providers, otherwise they wouldn't be named openly in this slide:



MONKEYROCKET is for collecting internet metadata and content focused on counter-terrorism in the Middle East, Europe and Asia. The collection takes place at an intercept facility outside the US and is therefore authorized under EO 12333:



There are also a number of programs and partners for collection of both internet and telephony data under FAA authority. They are designated by a SIGAD in the format US-984X*. From another source we know that there are:
- Eight facilities under STORMBREW (US-984XA-H)
- Two facilities under FAIRVIEW (US-984XR and US-984X2)
- Nine companies cooperating in the PRISM program (US-984XN)

As this is under FAA authority, the intercept facilities and corporate partners are in the United States. Maybe some of these partners are the ones with the codenames WOLFPOINT, ARTIFICE, LITHIUM, SERENADE and STEELKNIGHT, which are mentioned in other documents.



The next slide shows a bar chart with green bars for sources where the SSO division uses arrangements with corporate partners, and blue bars for sources where there are no such arrangements needed, which means SSO can collect the data on its own. From the most to the least productive source, the bars represent:
- US-984X*: Programs under FAA authority
- US-990: FAIRVIEW (Transit authority only)
- US-3237: SMOKYSINK
- USJ-751: ?
- US-3167: SARATOGA
- US-3171: DANCINGOASIS
- US-3310BG: SCALAWAG
- US-3180: SPINNERET
- US-984: BLARNEY under FISA authority
- USJ-799: LADYLOVE (the satellite station in Misawa, Japan)



BLARNEY is for collecting telephony and internet data under FISA authority, which means a FISA Court order is needed. Main targets are foreign diplomats and governments, terrorists and economic targets. As collection is under FISA authority, the intercept facility is in the US. According to the Wall Street Journal and confirmed by Marc Ambinder, BLARNEY stands for cooperation with AT&T.



MADCAPOCELOT is for collecting internet content and metadata focused on Russia and European counter-terrorism. Collected data are processed and analysed by XKEYSCORE with metadata being stored in MARINA and content in PINWALE. As the program is operating under EO 12333, the intercept facility must be outside the US. For reasons unknown, MADCAPOCELOT is closely related to the STORMBREW program.




For the STORMBREW program a map shows a line marked as OC-3, which runs across the United States. OC-3 is a network line with a transmission data rate of up to 155.52 Mbit/s using fiber optics. This is too low for being a regional, let alone a national backbone link, so the blue line does not represent an intercepted internet backbone. The cable connects 8 locations marked with a green dot, one with a gray dot, one with a sun symbol and one marked as "Site C":


UPDATE:
The meaning of this map was clarified by a new slide from a different NSA presentation, which was disclosed in Glenn Greenwald's book 'No Place To Hide' on May 13, 2014. It shows 7 international choke points of telecommunication cables that serve as access points for the STORMBREW collection program:
- BRECKENRIDGE
- TAHOE
- SUNVALLEY
- WHISTLER
- MAVERICK
- COPPERMOUNTAIN
- KILLINGTON

In the book, Greenwald lists an additional site called QUAILCREEK. These cover names are real names of vacation and ski resorts, some of them actually even near the dots on the map. These locations correspond to the green dots in the previous slide, so the OC-3 cable in that map most likely connects these various collection sites to transfer the data to a central location. The gray dot might then be an intercept site that is not active yet/anymore and "Site C" maybe the location where the centralized "Collection" takes place.



STORMBREW is for collecting internet data under FISA and FAA authority and telephony data according to a certain directory. With collection being authorized under FISA and FAA, the interception takes place in cooperation with a major US telecommunication provider with access to international cables, routers and switches. According to NSA historian other documents, WOLFPOINT, ARTIFICE, LITHIUM and SERENADE are also mentioned as covernames for corporate partners. Most likely all four are American companies.

-----O-----


Another series of slides was shown in a Fantástico report from July 9, 2013. Maybe they are from another presentation, but because they have the same layout and are also about "upstream collection" it's also possible they belong to the series posted above.


This series contains a number of maps, which, according to Brazilian media, show the amount of exchanged messages and phone calls (although actually DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran on March 4-5, 2012.

In the first slide we see internet traffic to Pakistan, which is eligible for collection under Transit authority:



The slide below has a map showing the internet traffic to Pakistan, which is eligible for collection under FAA authority:



The next slide shows a list of "Top 20 Pakistani domains (.pk)" which were tracked between February 15, 2012 and March 11, 2012:



A map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment", which means internet traffic which is eligible for collection under FAA authority:



Next is a list of "Top 20 North Korean domains (.kp)" which were tracked between February 15, 2012 and March 11, 2012. Note that only two websites generate notable traffic, all others have less than 1 Kbps:



A map showing internet traffic to Iran, which is eligible for collection under FAA authority:



A map showing internet traffic to Russia, which is eligible for collection under Transit authority:



The following slide says the collection programs in which Special Source Operations (SSO) cooperates with corporate partners, contributed to 1230 reports of NSA's Counter Foreign Intelligence Product Line (S2D). As this represented circa 29%, this product line produced a total of some 4240 reports in 2011:



The next slide shows a table with the headers and/or some of the top rows evidently blacked out, so we can only see a list of some programs and a range of numbers without knowing what they stand for. The SIGADs at the left designate the following programs:
- US-983: STORMBREW
- US-984*: BLARNEY under FISA authority
- US-984X*: Programs under FAA authority
- US-990: FAIRVIEW
- US-3140: MADCAPOCELOT
- US-3273: SILVERZEPHYR
- US-3354: COBALTFALCON

Although we don't know what the numbers stand for, it's clear that the programs under FAA authority (which also include PRISM) are by far the most productive ones:



Probably one of the last slides provides contact information: first the names/e-mail aliases of the collection managers for the FAIRVIEW, STORMBREW, BLARNEY, OAKSTAR, and MADCAPOCELOT programs. Brazilian television showed this slide uncensored with the names visible, but here we blacked them out. Under "Mission Management" is an e-mail address (in the unusual format NSA uses for internal messages, with DL standing for Distribution List) for contacting the SSO corporate program mission management and finally there are keywords for finding out more information on NSA's intranet and the NOFORN-Wiki:



Update:
An article in the French newspaper Le Monde from May 8, 2014 lists a number of targets of the Upstream collection method during a month in 2013. These targets included the vice president of the Philippines Jejomar Binay; the interior minister of that country Manuel Roxas; the Ensenada Resort & Convention Center in Tela, Honduras; the International Centre for Theoretical Physics (ICTP) in Trieste, Italy; the American att.net and the Austrian chello.at e-mail domains, as well as the stc.com.sa top-level domain of the Saudi Telecom Company. Finally the Pakistani IT security firm Tranchulas and the Libyan International Telecom Company were mentioned as being targets of NSA.





(credits for providing the video footage go to @koenrh)
