Compiled here is a quick primer on many of the most significant pieces of the surveillance revelations and debate. It should answer most questions on the specifics or at the very least give one a jumping off point in their own research. I will attempt to add onto and modify this as the changes come, so check back for future updates when/if new information rolls around. For now, you can check out ProPublica’s FAQ on the NSA’s Surveillance Programs. And also be sure to check out the Electronic Frontier Foundation’s timeline of NSA Domestic Spying, which reveals how persistent and common the issues we’re running into now really are.
Updated 2/11/2015: Added entries for EONBLUE,
Updated 4/14/2014: Updated TAO, UPSTREAM Programs – separated into SIGAD w/ sub-sections on FORNSAT, Upstream collection, MYSTIC, & Tempora. Added entries for DISHFIRE, GILGAMESH, SHENANIGANS, Section 215 FISC order, Special Collection Service, CO-TRAVELER, CHALKFUN, TAPERLAY, FASCIA, Treasure Map, Royal Concierge, 30-08 warrants, CSIS, CSEC, HAPPYFOOT, Squeaky Dolphin, Smurfs, ANT, Implants, TURBINE, QUANTUMHAND, SECONDDATE, FOXACID, QUANTUMCOPPER/QUANTUMSKY, Menwith Hill.
Updated 11/7/2013: Added entries for MUSCULAR, INCENSER, MAINWAY, Executive Order 12333, Parallel Construction.
Updated 8/2/2013: Updated entry on X-Keyscore with new information. Added entries for Trafficthief, Pinwale, MARINA, and Tailored Access Operations.
30-08 warrants – The warrant required by Section 21 of the CSIS Act which states that the agency must receive the approval of a federal judge to actively investigate a potential threat to national security. In the past these warrants were permitted while it was presumed the targeting and surveillance would be carried out by the Canadian intelligence agencies (CSIS and CSEC) within Canadian borders. What occurred however was that CSEC, with the approved warrant, then let other intelligence agencies from the Five Eyes perform the jobs of targeting Canadian citizens.
ANT – AKA Advanced or Access Network Technology and home to the infamous ANT Catalog, ANT is a sub-division of the TAO that acts as the NSA’s own in-house version of Radio Shack. They specialize in computer engineering hacks that can exploit back doors in corporate networking devices or embed “implants” so deep inside a computer’s memory that they are nearly impossible to remove. Part of their inventory is a set of programs specifically tailored to certain networking routers or hard drives. One example is FEEDTROUGH, an implant that can break through the firewalls of popular corporate security company Juniper Networks. It embeds itself so well in the software architecture that it can remain in place, smuggling hidden NSA surveillance and programs into the computer, even if the computer is wiped and reset. ANT has access to software which can exploit the products of a whole host of international and US-based companies including Western Digital, Seagate, Maxtor and Samsung. Read more.
Boundless Informant – A data-mining tool used by the NSA for recording and analyzing the amount of metadata collected globally. The program displays information in a heat map (with green being countries least subjected to surveillance and yellow, orange, and red being the most) and allows agents to check in real time what data has been collected from a particular country. Agents can then go through and see the specific details of that collected data.
CHALKFUN – A search tool used with the FASCIA repository to discover past or current location of mobile phones. Similar to TAPERLAY.
CSIS – The Canadian Security Intelligence Service is the Canadian intelligence service focused on HUMINT and foreign espionage. It was founded in 1984 and is overseen by the Security Intelligence Review Committee. It, alongside CSEC, is an active partner in the Five Eyes relationship and routinely shares intelligence with its counterparts in the United States.
CSEC – The Communications Security Establishment Canada is the branch of the Canadian intelligence service which works with foreign SIGINT and protects government communications. Established shortly after World War 2, the agency’s existence was only admitted after a Fifth Estate expose in 1974. It was an active partner in the ECHELON project and routinely shares intelligence information with the other Five Eyes countries. Since 2001 and the passing of the Anti-Terrorism Act, the agency has only grown and can now monitor foreign communications that begin or end in Canada, similar to the NSA’s own policy.
CO-TRAVELER – A tool used for tracking targeted individuals and marking any unknown associates that may cross their path. Most communication devices, when powered on, give off a signal that registers with a provider and/or goes through a cell tower. NSA programs scoop up this metadata globally, amounting to about 5 billion records a day, and dump it in the FASCIA repository. From there, CO-TRAVELER analyses the metadata and, using a device’s Global Cellphone-Tower Identifier (GCID), tracks a targeted individual’s movements through a city or region. What CO-TRAVELER watches for specifically is the consistency of other GCIDs or devices moving with the primary target across a distance. This way the NSA can map potential associates of a targeted individual or establish relationships and movement patterns. CO-TRAVELER is sophisticated in its mapping abilities: it can track when a new device connects to a network after another disappears for the last time, discover waypoints of common activity between certain devices, and predict a target’s potential movements with mapping technology similar to turn-by-turn navigation systems. Read more. Summary of DNR and DNI Co-Travel Analytics. WaPo: How the NSA is tracking people right now.
DISHFIRE – A program which sweeps up all SMS text messages, including those of untargeted individuals; that is, persons or smartphones not currently under surveillance. The specific collection method is unknown, but it has been collecting a high volume of text messages for some time. In April 2011, the program was collecting and storing around 194 million text messages a day. The reach of the program is global, with only US numbers being removed or minimized within the collection. DISHFIRE works in conjunction with a subprogram known as ‘Prefer’, which analyzes messages for automated or “System Generated” texts and uses those alongside metadata to extract information. For example, the Prefer subprogram extracted more than 5 million missed-call alerts, which can be officially used for contact-chaining analysis (figuring out relations between people and when they contact each other). Border crossings were pin-pointed through the 1.6 million roaming alerts, and geolocation data was acquired through simple requests for meetings or travel directions. The combination of collected SMS metadata and Prefer’s system generated information gives the NSA and its partners a wealth of historical information for agents to leaf through once an individual becomes targeted.
ECHELON – The popular term for the software system used in the collection and analysis of signals intelligence, under the directive of the Five Eyes countries. Originally created to monitor military and diplomatic communications of the Soviet Union and Eastern Bloc countries in the Cold War, it relied on intercepting signals produced by high frequency radio, public switched telephone networks, or satellites by way of microwave links. It did this by employing a number of ground stations, such as RAF Menwith Hill, positioned around the world to tap into downlinks and major communication hubs. Since the rise of fiber-optics, phone line and satellite transmissions have been relied upon less for moving internet traffic and general communication, making the old ECHELON ground station system somewhat obsolete, and giving rise to a new era of signal interception. Now, the collection of signals intelligence relies on tapping directly into the fiber-optic hubs, such as BLARNEY or FAIRVIEW.
Edward Snowden – A thirty-year-old IT specialist contracted to the NSA through the private consulting firm Booz Allen Hamilton. He had access to a multitude of internal NSA documents which detailed surveillance programs being used to collect data on Americans. He obtained a number of these documents in secret and leaked them to blogger and journalist Glenn Greenwald who, in conjunction with the British newspaper The Guardian, is slowly publishing these documents for the public. On May 20th he fled the United States for Hong Kong, performing interviews to reveal his intentions, before departing for Moscow on June 23rd. On June 14th he was charged with espionage and theft of government property and is currently seeking asylum in Ecuador.
EvilOlive – AKA One-End Foreign (1EF) solution, it was a program introduced in December 2012 and was described as “broadening the scope” of what metadata the NSA could collect. This would include all the information of say an email, without the actual content of the email itself. The 1EF solution refers to how the metadata collected always has at least one end of the communication coming from outside of the US. This program, and a partner program called ShellTrumpet, apparently opened the floodgates for the NSA, increasing data intercepts by 75 percent.
Executive Order 12333 – The executive order signed by Ronald Reagan which defines the responsibilities of the US intelligence agencies and directs other federal agencies to co-operate with their demands. Full text found here.
FASCIA – The NSA repository containing trillions of pieces of device location data from all over the world, including from Americans, compiled by a wide range of collection methods. As many as 5 billion records a day move into the repository, and about 27 terabytes’ worth over 7 months. FASCIA deals only with location metadata and not the content of calls or devices themselves. It acts as a kind of pool of data which other search and database programs then sift through automatically or when an agent queries. This “pool” is at the center of the bulk data collection debate, with NSA officials calling the service essential and legal because it does not target any specific individual. Read on what exactly FASCIA contains.
FISA – The Foreign Intelligence Surveillance Act, first enacted in 1978, is the law which covers both the physical and electronic surveillance of foreign powers or individuals. It was meant to protect US citizens from being monitored without a specific warrant from a FISA court, which would only be assigned if there was evidence showing probable cause that the person monitored was interacting with a foreign power or terrorist organization. The FISA court is entirely secret and is subject to no oversight, hearing only the NSA or FBI’s testimony and evidence before issuing a warrant. In 2008, this act was amended in the FISA Amendments Act or FAA, which made it easier for the NSA to acquire the data of US citizens in bulk and without a warrant. Currently, the NSA only has to submit an annual general procedures document to the court which outlines how they go about eavesdropping without a warrant. Once the FISA court approves these guidelines, the NSA is then free to send directives to telephone and internet companies requesting any and all data on whomever the NSA decides, including US citizens, with no further input from the FISA court. As well, every thirty days, the FISA court is given an aggregate number of database searches on US domestic phone records. Read more details.
FISA Amendments Act (FAA) – Or New FISA. This act, passed by Congress in 2008 in light of George W. Bush’s own surveillance program, and renewed in late 2012, amended FISA so a warrant was no longer required by the NSA to monitor and eavesdrop on any call, email, or online chat involving a US citizen. Individual warrants are still required if the specific target is a US citizen or a telephone call is entirely domestic. This means that while Americans still have the protection of a warrant if they themselves are the subject of an investigation, they do not have this same protection if any of their data or communications go outside the US or to a foreign national. The result is that the NSA collects the data of Americans in bulk, monitoring communications that may only be tangentially related to or several degrees removed from a case. Surveillance of foreign persons still does not require any suspicion of a terrorist connection or criminal activity. In a hearing before the Senate Judiciary Committee in 2006, Michael Hayden, then director of the NSA under President Bush, testified:
“Indeed, the dragnet surveillance of Americans’ international communications was one of the purposes of the Act. In advocating changes to FISA, the executive made clear that its aim was to enable broader surveillance of communications between individuals inside the United States and nonAmericans abroad. See Hayden Testimony (stating, in debate preceding passage of FAA’s predecessor statute, that certain communications “with one end in the United States” are the ones “that are most important to us”). Moreover, in advocating for the FAA, executive officials expressly sought the authority to engage in dragnet rather than individualized surveillance”
This amendment also granted legal immunity to private corporations who cooperated with the NSA in its surveillance efforts.
FOXACID – The NSA servers which QUANTUMHAND and SECONDDATE redirect to. FOXACID is part of the QUANTUM system which allows the NSA to spoof a target computer into believing it is on a certain website or connected to a certain server when it is really under NSA control and surveillance. It does this with split-second pings of data that come back quicker than the target’s original pings, and by redirecting an unsuspecting user’s traffic away from their intended server mid-connection.
GCHQ – The Government Communications Headquarters is the British intelligence agency tasked with signals intelligence and information assurance operations. The information collected by the GCHQ through its surveillance programs, like Tempora, is considered the largest of the Five Eyes, as the agency is freely able to collect information on the citizens of other foreign countries, and has little to no protections against the surveillance of its own citizens. As a member of the Five Eyes, the GCHQ is closely linked with the NSA, sharing much of the information which flows through their surveillance programs, as well as analysts used to sift through this information. This also ensures that while the NSA could potentially be blocked from collecting information on an individual US citizen, it can freely obtain that information from the GCHQ, which does not have the same restrictions.
GILGAMESH – A geolocation system attached to Predator drones. GILGAMESH works by spoofing the abilities of a cellphone tower, allowing a targeted individual’s device to connect to it and in the process allowing the operators to discover the location of the individual to within 30 feet. The individual holding the connected SIM card or handset is then presumed to be the same individual they are targeting.
HAPPYFOOT – A program designed to search for data traffic generated by apps that incidentally transmit a device’s location, such as for social media or game app purposes. Sometimes apps, in the process of performing their function like posting online or communicating with a developer’s server, have to transmit metadata that includes the device’s relative GPS location. HAPPYFOOT jumps on these keywords and data as they appear to map devices to locations, which can later be used to infer relations between devices or people.
Implants – A piece of software or hardware specially designed to be installed on a targeted computer or device and remain active without being detected. They are similar to computer viruses in this way but the majority of implants do not seek to spread or do damage. Instead they are primarily for surveillance, watching packets or computer activity, and data interception. An example of a software implant would be DROPOUTJEEP for Apple iPhones. An example of a hardware implant would be FIREWALK, used to filter Gigabit Ethernet traffic.
INCENSER – A program revealed alongside MUSCULAR, INCENSER’s exact purpose is not yet known but it is described as being closely related to MUSCULAR.
MAINWAY – A database and data analysis tool, first uncovered in 2006, which focuses specifically on the metadata of the billions of telephone records which pass through the major telephony companies (AT&T and Verizon). It was initiated about seven months after the 9/11 attacks and has since compiled over two trillion pieces of phone records, which, as of June 2013, are stored for five years. The program has come under some legal pressure before, with the White House invoking the State Secrets Privilege to keep challenges at bay. The program was not approved by the FISA court and does not record call contents, only call metadata (date, numbers, recipients, length). The FISA court, as of August 29th 2013, released an opinion stating in relation to MAINWAY that “metadata that includes phone numbers, time and duration of calls is not protected by the Fourth Amendment, since the content of the calls is not accessed,” and that the program would be authorized under Section 215 of the Patriot Act. It has since been renewed in 90 day intervals multiple times.
MARINA – A database that works in conjunction with X-Keyscore, it seems to act as a sort of run-off database, holding metadata and full user content after it has expired in the main X-Keyscore database. It can hold this content for up to five years. See X-Keyscore.
Menwith Hill – A satellite signal interception base in Northern England, Menwith Hill is a major component of the TURBINE system and is jointly operated by the NSA and GCHQ. Menwith Hill is home to up to five QUANTUM programs intended to attack and exploit targeted computers and mobile devices.
Metadata – On an electronic device, every picture taken, text sent, call made, or any other data “action” has a hidden, underlying set of data associated with it. That data, used mainly for device-to-device communication and programming reasons, can list various things about the action you just performed. For an email it can be the sender and recipient’s name or email address, the date and time it was made, the servers it passed through to be delivered, and the type of content in the email. For a photo it can be the location the photo was taken in, the type of camera that took it, and the photo’s date and time. The Guardian posted this example of metadata from a single tweet, and while they highlighted details like the name, location, language, etc. you can also see other information included such as the actual text of the tweet, its embedded url, your following/follower/listed amount, and various ID numbers that could be used to trace that particular bit of information.
All of this is what is considered “metadata” and it is this information which the NSA has been vacuuming up from undersea cables and fiber-optics for a number of years. This metadata acts as a sort of library reference card for your actual data, giving the broad details (book’s name, author, shelf number, year of publication, etc.), but not actual content.
One of the main cruxes of the current debate is whether collecting metadata alone is an invasion of privacy, whether it could be used to really watch you as an individual, or reveal private information about your life. From these examples we can see that, while the NSA may not know that you texted Sally saying you snuck out of the house to meet Chad in the park after dark, they can easily infer from your text metadata that you may be out after your bed time. Or if you have been attempting to self-diagnose an illness or find a support group for a physical or emotional issue through Google or any number of online searches, the metadata from your internet browser is now safely stored somewhere in the NSA’s servers, ready to be called upon at a moment’s notice.
Recently German Green party politician Malte Spitz made six months of his telephone metadata available to the news site Zeit Online. From this data they created an easily navigable map of Mr. Spitz’s movements as well as details of his calls, SMS, and internet connectivity time.
MoonLightPath – Metadata processing program similar to EvilOlive and ShellTrumpet which is expected to go online sometime in September 2013.
MUSCULAR – Source of the now infamous pencil diagram and NSA smiley, MUSCULAR is the backdoor entry to PRISM’s friendly front door knocking. It originated as a partnership between the NSA and the GCHQ to intercept data between the servers of major internet companies like Google and Yahoo without their knowledge. Whereas PRISM is executed with the compliance of internet companies through US law, MUSCULAR instead taps directly into the connections between major data hubs overseas, snatching up information as it is synchronized between “clouds”. These clouds are essentially data warehouses; large server banks which contain and share much of the information customers input into Google or Yahoo sites. For efficiency reasons, the entirety of a customer’s data, including emails, address books, search history, audio, video and any pertaining metadata, (what may be defined as “their account”) is passed between the servers as that data is accessed. Though one may be checking their contacts from the US, their line of connection to that information could pass to one of these servers outside the US. Or if one is travelling overseas, the information can be provided by a server closer to your location than one in the continental US. All this data housed and moving around outside US territory is particularly tempting to agencies like the NSA as it is outside the jurisdiction of the FISA regulations, so data on US citizens can be gathered without check or oversight. Once data is leeched from the fiber optic lines or the servers themselves, it is placed into a buffer area for three to five days where it is screened and processed for useful information.
NSA – The National Security Agency is the US intelligence branch focused on signals intelligence and counter-intelligence, as well as the protection of government intelligence and information systems. They are mandated to collect and analyze as much foreign data as possible, including through clandestine methods. It has a long history of various surveillance methods going back through the Cold War and into the warrantless wiretap days of George W. Bush. The recent construction of its new data center in Utah could see it be in possession of some of the largest storage and computing power in the world.
Parallel Construction – The process whereby law enforcement officials receive tips or information from NSA intelligence gathering to secure an arrest, before then “reconstructing” the investigative trail so as to hide the origins of the actual evidence from judicial review. This process has been performed for years by members of the DEA, FBI, CIA, DHS, and IRS to imprison and put pressure on various individuals. A division of the DEA, called the Special Operations Division (SOD), deals with handling FISA evidence and sharing it with various departments, while being beyond judicial review itself. The primary concern is that the process bypasses the defendant, prosecutor, and/or judge’s ability to review the origin and validity of evidence, particularly in pretrial, while also doling out information intended for national security and terrorism purposes solely for use in criminal prosecutions. This lack of oversight could leave criminal cases open to entrapment, bias, or simple mistakes.
“Remember that the utilization of SOD cannot be revealed or discussed in any investigative function,” a document presented to agents reads. The document specifically directs agents to omit the SOD’s involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony. Agents are instructed to then use “normal investigative techniques to recreate the information provided by SOD.”
Pinwale – A subset database of X-Keyscore which collects “interesting” content, most likely chosen by being filtered for specific dictionary or colloquial terms, which can then be stored and searched for up to five years. See X-Keyscore.
PRISM – The internal codename for one of many of the NSA’s surveillance programs, initiated in 2007 and under the jurisdiction of the FISA court. It is distinct from other NSA surveillance programs like BLARNEY, FAIRVIEW, OAKSTAR, and STORMBREW in that it does not deal with the “upstream” from underseas internet or fiber-optic cable, but works directly with private companies and their internal data servers to extract customer information. These private companies include Microsoft, Google, Apple, Yahoo!, Facebook, PalTalk, Skype, and AOL. The information extracted can include emails, videos, voice or video chats, photos, VoIP calls, activity logs (log ins, setting changes, etc.), social networking details, and any other stored data. There has been some debate over how much “direct access” PRISM has to the servers of these private companies, i.e. whether PRISM can access internal data servers without the knowledge of those servers’ parent company. What appears to occur however is that when an NSA agent makes a query through PRISM, the company extracts any specific data relevant to the query and places it into a “dropbox” side-server, which PRISM then extracts and saves within the NSA’s own databases. The validity of this method is still under dispute.
Project Chess – A program set up in February 2011 between the owners of Skype (pre-Microsoft purchase) and the NSA which allowed security officials more direct and easy access to user information.
QUANTUMHAND – A malware attack known as the man-on-the-side technique, QUANTUMHAND detects when a computer attempts to connect to Facebook and signals back fake Facebook packets to the computer. To the user it looks like they are on the normal Facebook page when they are actually on an NSA imitation which siphons their internet and hard drive data as long as they’re connected. See FOXACID.
QUANTUMSKY/QUANTUMCOPPER – QUANTUMSKY was first developed in 2004 and designed as a way of blocking access to certain specified sites. QUANTUMCOPPER can corrupt a user’s downloads and was first tested in 2008.
Royal Concierge – A GCHQ program for tracking the hotel reservations of travelling diplomats and retrieving information like booking time and location. It does this by skimming foreign cellphone and internet data for reservation confirmation texts or emails commonly sent out by the high-end hotels (for example, a hotel sending an email to a government domain like gov.xx would be flagged). The GCHQ alone is said to have some 350 upscale hotels around the world monitored for the comings and goings of government officials. Once the GCHQ knows of a reservation in advance it can be better prepared for more direct surveillance (such as wiretapping).
SECONDDATE – A malware attack known as the man-in-the-middle technique, SECONDDATE sits between a computer and the internet server it’s trying to connect to and diverts the computer’s traffic from the intended destination to an NSA FOXACID server. Once the user is connected to the NSA server, their computer can be infected with implants or sent other malicious data that can be used to harvest the hard drive data over time.
Section 215 FISC order – The section of the Foreign Intelligence Surveillance Court’s order that defines the specifics of what telephony meta data can be collected. It is the order which periodically must be renewed by the FISC after review. On April 3rd, 2008, the section read,
Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer.
On August 19th, 2008 it was modified to,
Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer.
and has been renewed since. h/t emptywheel.
Section 215 of the Patriot Act – Section 215 is the specific article in the Patriot Act, passed after 9/11 and renewed in 2011, that allows the FBI to order the turnover of “any tangible thing” relating to an investigation as long as they are business records (i.e. metadata) instead of actual content (the audio of a phone call, the text in an email).
Section 702 of the FISA Amendments Act – Section 702, renewed for five years in late 2012, is what allows the NSA to collect data on a wide scale, including foreign communications between the US and other countries, as long as the target is overseas. Warrants issued under the FISA Amendments Act (FAA) by the FISA court last up to 12 months at a time and specifically authorize the bulk collection of data, which can include communications of US citizens or people inside the US. The difference is that if they wanted to intentionally target one of those two groups, they would need another, more specific warrant.
ShellTrumpet – An apparent partner program to EvilOlive, it was introduced either prior to or in December 2012, filtering incoming information for metadata. By the end of the month it had “processed its One Trillionth metadata record”, with almost half of that processed in 2012 alone.
SHENANIGANS – A CIA operation that uses a pod attached to aircraft to suck up information from any wireless routers, computers, smartphones, or other devices within range. It can be used to “fingerprint” a region, i.e. retain its device and communication metadata, as successfully shown in operation VICTORYDANCE, conducted in Yemen in 2012. Related to GILGAMESH. Read more.
SIGAD – Or “Signals Intelligence Address”, SIGADs are sources of information which the NSA can penetrate or extract data from. SIGADs can be physical like TIMBERLINE and GCHQ Bude, or software like PRISM or MYSTIC. There are currently 10 known major SIGADs used by the NSA: DANCINGOASIS, FAIRVIEW, MYSTIC, OAKSTAR, RAMPART-A, RAMPART-M, RESOLUTETITAN, STORMBREW, TIMBERLINE, and WINDSTOP. Three (FAIRVIEW, STORMBREW, and TIMBERLINE) are located in the US. We do not know what they all do or whether that is the complete list, but most are involved in some kind of signals or data interception. For example, STORMBREW is the code-name for a SIGAD which sits on 27 telephone links known as OPC/DPC pairs (Originate and Destination points that transfer traffic from one provider’s network to another’s), collecting phone data that passes through those links. FAIRVIEW is a similar SIGAD which collects data from 860 OPC/DPC pairs. But these are not the only kind, as there are many types of SIGADs at the NSA’s disposal:
==Upstream collection – Upstream can be defined as the communication information flowing at the speed of light through undersea and fiber-optic cables serving as the backbone of the internet. It is how all online traffic crosses local, state, and national boundaries. Due to how the infrastructure of the internet is set up, almost all major internet traffic flows through the US or the UK at some point. Underseas cables in particular make landfall in large numbers on the US and UK coasts. BLARNEY, OAKSTAR, and STORMBREW are examples of SIGADs which collect upstream data and store it in databases like FASCIA. This gives the NSA wide access to global internet and telephone communication data, which is later sifted through by agents on programs like X-Keyscore or by automated flagging programs like Pinwale or CO-TRAVELER. Details on the information the NSA is collecting. Click here for more details on undersea cable tapping. Click here for a Google Maps-esque view of the world’s underseas cables. Click here for more information on undersea cables specifically.
==FORNSAT – A network of 13 stations operated by the NSA and its British partners, located around the world to intercept foreign satellite signals. The network is a mixture of new stations and leftovers from the ECHELON program. The most prominent stations are TIMBERLINE, located in Sugar Grove, W.VA, and GCHQ Bude, or Carboy, on the Cornwall coast. “Timberline and Carboy intercept high-priority communications traffic moving through communications satellites parked over the Atlantic. Together, these two stations covered much of a region that was of interest to [US] during the Cold War.” Many developing countries and governments still rely on satellites for data and telephone communication which is easily scooped up by these listening posts. The GCHQ Bude location also taps into many of the undersea internet cables just as they make landfall on the coast. Those cables include the Apollo (USA), TAT-3 (USA), CANTAT-1 (Canada), TAT-8 (USA and France – last used in 2002), TAT-14 (USA and Europe), AC-2 (USA), EIG (Europe and India) and GLO-1 (West Africa) lines. It was recently revealed the GCHQ Bude station was using access to these cables to collect data on a wide range of targets from the German government, to United Nations officials, American businesses, and foreign energy corporations. More on TIMBERLINE/Sugar Grove. More on GCHQ Bude.
==MYSTIC – A voice interception program which is designed to collect every single call routed from a certain country and store the billions of calls it collects in a database for up to 30 days. The database works on a rolling buffer, removing older calls as newer ones come in. This enables the NSA to review the entirety of a phone conversation up to a month after it has taken place and without requiring that a target be marked in advance. Although not every call is listened to, millions of voice clippings are said to be moved into long storage every month. MYSTIC became fully operational against its first country by 2011 and in last year’s secret intelligence budget five other countries were identified as providing “comprehensive metadata access and content,” through MYSTIC, with another expected by last October. American communications with foreign persons can get swept into these collections too, and because this happens incidentally, as per the NSA, the same protections that apply in the US do not apply abroad. These types of calls with one end in America were once deemed by former director Michael Hayden as “the most important” to the NSA during bulk collection. WaPo has a description of data collection under MYSTIC.
==Tempora – The GCHQ’s equivalent of the NSA’s upstream programs. However, instead of vacuuming up just metadata like its US cousins, Tempora also pulls actual data from at least 200 different undersea and fiber-optic cables, including such data as phone calls, emails from Gmail, Yahoo!, and Outlook, Google and Yahoo! searches, and direct messages sent through Facebook and Twitter. This amounts to an estimated 21 million gigabytes of intercepted data per day, requiring 300 GCHQ and 250 NSA analysts to sift through it all.
Smurfs – Many of the intelligence gathering programs the NSA infects cellphones with are given the names of Smurfs corresponding with their function. Nosey Smurf has the ability to turn a phone’s microphone on remotely. Tracker Smurf is a high precision geolocation tool. Dreamy Smurf can activate a phone that is sleeping or turned off, allowing other functions to then be used. These programs hide themselves in the phone firmware architecture with capabilities codenamed Paranoid Smurf. Smurfs are known to function on both iPhone and Android devices.
Special Collection Service – A unit run by a CIA and NSA partnership which performs wiretapping operations in American embassies in over 80 foreign locations. The most notable location revealed was Berlin, but 19 other European locations were cited, including Rome, Paris, Geneva, Madrid and Prague. SCS teams work undercover as accredited diplomats within “shielded” areas of American embassies. They use listening devices to intercept almost all types of communication including cellular signals, wireless networks and satellite communication. They operate on the upper floors of the embassy, near the rooftop, where antennas and other equipment can be camouflaged by aesthetic and design features. The eavesdropping could possibly extend beyond the embassy itself, with many SCS teams operating close to government buildings and business sectors which would be operating on local cell towers or radio links. Read more.
Spinneret – Metadata processing program similar to EvilOlive and ShellTrumpet which is expected to go online sometime in September 2013.
Squeaky Dolphin – A monitoring program designed by the GCHQ and showcased to the NSA in 2012. It was designed for “broad real-time monitoring of online activity”, including everything from YouTube videos to Facebook likes or links shared and blog visits. It is the first major extension of surveillance into social media realms, from which agencies had classically only drawn metadata, and all of it is performed without the target corporation’s consent. Squeaky Dolphin would map a network of trends such as which videos were popular for certain cities and also allow agencies to extract specific user information. The GCHQ revealed how they already exploited unencrypted Twitter data to identify users and target them for propaganda. This kind of real-time surveillance is only possible by tapping directly into undersea internet cables and fiber-optic hubs, access the GCHQ and NSA have through their SIGAD programs worldwide.
SSO – Special Source Operations. A division within the NSA focused entirely on programs dealing with US corporate communications. Home to PRISM and other surveillance programs.
Stellar Wind – One of the first NSA programs dedicated to collecting email metadata on both foreigners and Americans, appearing soon after the 9/11 attacks. Initially not authorized by any court authority, it was discontinued in March 2004. On July 14th, 2004, the Department of Justice and NSA took the program to the FISA courts who reauthorized the program but limited the datalinks the NSA could access and who could access that data. This program continued two years into the Obama administration and it is unknown if it was discontinued or not.
TAO – AKA Tailored Access Operations. The NSA’s hacking central, responsible for the many “implants” which can be installed on a target computer and used for surveillance or data modification. The agency has rapidly grown over the past six to eight years, hiring new personnel to design hundreds of new software implants for everything from network routing devices to mobile phones. TAO fills the NSA’s need for a more “active” form of surveillance and the TAO’s stated mission is to “aggressively scale” their hacking operations.
TAPERLAY – A search tool used with the FASCIA repository to find the registered location of a mobile device, its provider, and the country where the phone was originally located. Similar to CHALKFUN.
Trafficthief – A subset database to X-Keyscore, it holds metadata from strong selectors (email address) most likely after they have passed their time limit (for metadata, 30 days) in the main X-Keyscore database. See X-Keyscore.
Transient Thurible – The GCHQ’s version of a metadata processing program, and a new arm of the X-Keyscore surveillance program. Described as having been a modified version of the NSA’s own programs, with its metadata flowing into NSA repositories since 13 August 2012.
Treasure Map – A program which is said to provide the NSA with “a near real-time, interactive map of the global Internet.” Relying on a holy trinity of Internet routing data (SIGAD), commercial information (PRISM), and Signals Intelligence, it allows agents to map, analyze, and explore computer networks all over the world. It collects between 30 and 50 million unique Internet provider addresses across WiFi networks and geolocation data, with one PowerPoint slide boasting it can map “any device, anywhere, all the time.” Officials insist it is only targeted at foreign and Defense Department networks and is not used for surveillance but to study computer networks. The amount of data from IP addresses is actually too much at times, and thus the NSA is not able to retain all data all the time. “Packaged Goods” is a program used in conjunction with Treasure Map to track traceroutes through the internet, and with the program the NSA has gained access to “13 covered servers in unwitting data centers around the globe”.
TURBINE – A newly created program used to efficiently manage the many thousands of implants the NSA has in operation. TURBINE is intended to work as a sort of brain, automating much of the setting up and installing of implants on target computers, procedures that were manual before 2009. As one secret document stated, “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.” This automation has the side effect of vastly increasing the NSA’s implant attack profile from thousands to millions. Because they don’t need an agent on hand for every implant, many more targets can be hit at once, the back and forth stream of information largely handled by TURBINE. The system works in conjunction with a program called TURMOIL, which scans internet data packets for communications between two targeted computers. Once it discovers that, it gives TURBINE a heads-up, allowing an automatic implant attack to occur.
UKUSA Agreement – A secret treaty between the British GCHQ and the American NSA intelligence departments first negotiated in March 1946, later expanded to include Canada in 1948 and Australia and New Zealand in 1956 (colloquially known as the “Five Eyes”). It allows the free sharing of intelligence, particularly of signal intercepts, between the five nations, assigning each to monitor a particular section of the globe, with an emphasis on the Soviet Union and Eastern European countries during the Cold War, but which has expanded to include the People’s Republic of China, South-East Asia, and Latin America. This program later led to the creation of the ECHELON signal collection and analysis program.
X-Keyscore – Described as the “widest reaching” system for working with online intelligence, X-Keyscore is the program which allows the NSA to search various tiered databases for both metadata and actual user content. Analysts search by using either a strong selector (an email address) or soft selectors (content; phone numbers, browser history, logins, IP address) which can then return information on a designated target with no pre-authorization or oversight (though the process is described as “auditable”). X-Keyscore can be described as a mass pool of information, collecting both unfiltered metadata and almost all other internet activity such as the From/To/CC/BCC and contents of an email, Facebook chats and private messages, browser history, contact lists, and lists of IP addresses that have visited a targeted website. Due to the massive amount of data being collected (850 billion call events and 150 billion internet records by 2007, up to 20 trillion transactions by last year, with about 1.7 billion in emails, phone calls, and other types of communications collected every day), content only remains on the main X-Keyscore server for three to five days, while metadata is stored for 30 days. Other tiered databases, internally known as Trafficthief, Pinwale, and MARINA, can save “interesting” content from the main X-Keyscore server for up to five years. X-Keyscore is also noted to work on tracking and cracking VPNs, encrypted content, and “exploitable machines”. It is a system which is distributed over 700 servers across 150 global sites, and is claimed to have captured up to 300 terrorists using information gleaned from intelligence. Click here for the slides and more details on X-Keyscore.
From the various programs listed, one can tell that there is very little the NSA will not do to collect data. Every possible method is in use. While they extract corporate user data from the front (PRISM) they are also hoarding it secretly from the backend as well (MUSCULAR). While they scoop up all cellular and internet data (FASCIA, CO-TRAVELER, MYSTIC, FORNSAT) they also target users with malware attacks to infect their computers individually, posing as a US corporation while they do it (QUANTUMHAND). The Washington Post has a run-down of how the NSA deals with its data.