Dagbladet Information: NSA 'third party' partners tap the Internet backbone in global surveillance program

http://www.information.dk/501280

NSA 'third party' partners tap the Internet backbone in global surveillance program

'Third parties' give NSA access to international fiber-optic cables, sharing massive amounts of phone and Internet data, new Snowden documents show. Germany and, by all accounts, Denmark, are among the partners in the NSA mass surveillance program codenamed RAMPART-A.

Anton Geist, Sebastian Gjerding, Henrik Moltke, Laura Poitras

19 June 2014

Top-secret NSA documents from whistleblower Edward Snowden provide insight into a new and controversial chapter in the NSA's global mass surveillance plot. Under the codename RAMPART-A, 'third party' countries tap fiber optic cables carrying the majority of the world's electronic communications in collaboration with the NSA. These partnerships are among the NSAs closest-guarded secrets, and play a central role in the NSA's ambition to be able to intercept any electronic communication, anywhere in the world.

It has previously been revealed that the UK monitors, records, and shares large volumes of data intercepted from the Internet backbone, which carries everything from emails to Skype calls across the globe at the speed of light. But the new documents show that a number of nations with weaker ties to the NSA -- so-called "third party" partners -- are more deeply involved in the NSAs global mass surveillance of individuals and organizations than previously known.

According to the Snowden documents, there are 33 third party countries. While the documents do not explicitly state which countries participate in the RAMPART-A program, details in the documents and extensive reporting points to Denmark and Germany being partners.

Access to everything

Special Source Operations (SSO), a top-secret NSA division, referred to by Snowden as the NSA's "crown jewel" oversees the corporate and foreign intelligence partnerships that make the NSA's vital cable access programs possible. Its logo, an eagle clasping trunks of brightly lit fiber crisscrossing the globe, leaves little room for interpretation: The SSO's mission is to intercept and extract large data volumes from cables and networks worldwide.

"If you look at a map of the Internet, there are surprisingly few trunks. Most data flows through a surprisingly small number of choke points. If you get access to them, you get access to everything" says security expert and technologist Bruce Schneier whom Dagbladet Information has shown RAMPART-A documents: "The goal must be to cover the most of the world with as few access points as possible. A lot of Internet traffic flows through the US but a bunch doesn't. So you're going to look in places in the world where the data is, if not in the US."

Cold war cover

Diagrams in two classified SSO PowerPoint presentations illustrate how a "Typical RAMPART-A Operation" works. Partner country "X" taps an international cable at an access point somewhere in country "X," and forwards the data to a processing center. Equipment provided by the NSA processes the data intercepted at the access point, before the data is forwarded to an NSA site located, according to the diagram, in the US.

According to a presentation slide describing "Sensitivity Factors," "Most RAMPART-A Third-party partners work the fiber projects under the cover of an overt Comsat effort." This suggests that the sophisticated data processing operation happens concealed by the characteristic satellite dishes and radomes typically constructed during the cold war era. Presumably the cover would work because intelligence activities carried out inside existing listening stations would surprise few outsiders, even if the physical facility, collection methods and staffing change.

All communication technologies

An excerpt from the US Intelligence "Black Budget" detailing the "Foreign Partner Access Project" provides insight into how important RAMPART-A is to the US government. In 2011, the NSA spent a total of $91 million on foreign cable access programs, out of which RAMPART-A accounted for $76.55 million, or 84 per cent. Second party cable access programs, codenamed WINDSTOP, make up the rest. The fiscal year 2013 requested spending for RAMPART-A was down to $46.2 million but still accounts for 82 per cent of the total requested spending on foreign access projects.

The "Black Budget" also provides details about the volume of data collected by the NSA via third party cable taps. The introductory project description states that "RAMPART-A has access to over 3 Terabits per second of data streaming world-wide." According to analysis provided by TeleGeography this was more than five times the average international traffic from Denmark in 2013, or 362 million ordinary CD-ROMs if stored on a daily basis.

The most recent SSO overview lists thirteen secret RAMPART-A sites out of which nine were active in April 2013. One site only provided metadata. The three largest sites -- codenamed AZUREPHOENIX, SPINNERET and MOONLIGHTPATH, the locations of which are unknown -- tap a total of seventy different cables or networks and figure in several documents among the NSAs most productive sources. The large amount of RAMPART-A cable taps, according to the leaked documents, gives access to "international communications from anywhere around the world," and "all communications technologies" including "Digital Network Intelligence, voice, fax, telex, e-mail, internet chat, VPN and VoIP communications."

The efforts pay off. According to a 2010 briefing intelligence collected via RAMPART-A was used across all NSA Analysis and Production centers, and yielded over 9000 intelligence reports the previous year, out of which half was based solely on intelligence intercepted through RAMPART-A.

Denmark's cable access partnership

Details about which countries participate in RAMPART-A and where a given access is located are extremely sensitive, the documents show, and no identifying information can be found in the RAMPART-A documentation. In addition to the top-secret classification, a unique access control system dubbed REDHARVEST ensures that only a limited number of cleared personnel can access this information.

Based on the documents and extensive reporting, however, Dagbladet Information can identify Germany as among the NSA's partners in the RAMPART-A-program. Denmark, most likely, is a partner too. The Danish participation seems to follow from the fact that RAMPART-A is the only program, in which the cable access is managed in collaboration with NSAs third party intelligence partners. This is consistent with information from a document containing former NSA Director Keith Alexander's talking points for a 2012 strategic meeting between the NSA and the Danish Defense Intelligence Service (DDIS). A key passage reads:

"Emphasize NSA's commitment to the special access and assisting DDIS in managing the access. Remind the Danes of the long NSA-DDIS partnership working cable access with."

The sentence is incomplete. It may be a simple mistake, but it's possible that one or several words have been removed in order to protect a third partner. It does, however, indicate that the Danish Defense Intelligence Service has a cable access partnership with the NSA.

This is further supported by the fact that the NSA, according to a top-secret "Information Paper" describing relations with Denmark, provides its Danish sister agency with "collection and processing equipment." This corresponds to a RAMPART-A briefing which specifies, with near-identical wording, that NSA "Collection and Processing assets" are hosted on partner soil.

Legal in Denmark?

Denmark has never had a public debate about cable access programs and very little is known about DDIS' operations. Presented with the documentation for this article, DDIS Director Thomas Ahrenkiel would neither confirm nor deny a NSA/DDIS cable access partnership, and referred to Minister of Defense Nicolai Wammen, who told Dagbladet Information:

"I cannot comment on the question regarding any of DDIS' possible, concrete activities. In general, I can say that the DDIS cooperates with foreign intelligence services in order to protect Denmark and the Danes in the best possible way." Wammen adds that "this happens within Danish law."

Three legal experts tell Dagbladet Information that DDIS could legally tap cables in Denmark. Similarly, an NSA/DDIS cable access partnership could be within the law, as long as the NSA does not operate in ways that would be illegal for the DDIS. But the law is not clear on this point, experts point out.

DDIS has broad powers and can obtain information both within Denmark and abroad, as long as it is "targeting conditions abroad," according to the law governing DDIS. The only real limitation is that DDIS is not allowed to target Danes, but information about Danes happened upon by coincidence, when collecting against foreign targets, is not off limits. And raw data can be shared with foreign intelligence partners almost without limitations.

The largest Danish telecommunications companies, when asked by Dagbladet Information, would neither confirm nor deny giving cable access to DDIS. A spokesperson from TDC, Denmark's largest telecommunications company, said: "We are subject to certain obligations under the law governing the police and military intelligence services, and of course we abide by them." The law does not, however, oblige telecommunications companies to assist DDIS in their collection, but TDC declined to comment further.

The Russian connection

Denmark's value as a cable access partner depends on which traffic flows through its cables. According to data provided by TeleGeography, Denmark has the best connectivity, in terms of bandwidth, to Germany, followed by Sweden and Norway. "If your country is in a key location, and if a lot of interesting traffic happens to flow through it, that makes you an important partner," says Mikko Hypponen, who has worked with Internet security since 1991 at Helsinki-based F-Secure: "A large part of the Internet traffic from Russia and the rest of Scandinavia flows through Danish networks, which justifies the US interest in working together with the authorities" says Hypponen. He adds that a lot of German traffic transits through Denmark:

"It might not be obvious to casual surfers, but for example a lot of German users will connect to Facebook and Google services via Denmark. This is because Facebook and Google have large datacenters in the Nordics and traffic is predominantly routed via Denmark."

Germany a partner too

German participation in RAMPART-A can be inferred from NSA documents reported by Der Spiegel earlier this week in combination with documents seen by Dagbladet Information. In March 2013, Spiegel reports, "unwitting" employees at a telecommunications facility discovered a cable tap, referred to as "Wharpdrive." The same WHARPDRIVE figures in documents seen by Dagbladet Information, listed as a RAMPART-A project.

According to the document reported by Der Spiegel "witting partner personnel" removed the evidence "a plausible cover story was created," and the partner offered to discreetly reinstall the equipment. WHARPDRIVE appears in another document about a meeting between the NSA and the German intelligence service BND. Here the operation is described as a trilateral program between NSA, BND, and an unknown third partner, possibly the above mentioned telecommunications company.

A European bazaar

The documents specify that in a typical operation partner countries and the NSA share "tasking and collection" i.e. the targets selected for surveillance and data intercepted from the cables. At the same time, the partner country and the US agree not to use the access to spy on each other: "No U.S. collection by Partner and No Host Country collection by U.S." The same point is repeated in an SSO presentation marked NOFORN, which means it cannot be seen by non-US nationals. Here a small, but not insignificant modification, is added to the same sentence: " -- there ARE exceptions."

Which exceptions there are is not clear. It is also an open question whether there would be any repercussions should the NSA violate the agreement. The documents indicate that partners retain some control over which data the NSA can access through partner sites, and that the NSA tries to avoid political conflicts based on lists of topics and targets that would potentially offend the partner. However, according to Bruce Schneier, these agreements will not protect citizens in partner countries from being monitored by the NSA:

"Remember, if there's an intercept in Denmark, and the NSA has agreed to spy on the Danes, and there's one in Germany, and the NSA has an agreement not to spy on the Germans there, they can spy on the Germans from Denmark, and the Danes from Germany," Schneier says.

Edward Snowden made the same argument earlier this year. In a statement to a European Parliament committee, he mentioned Denmark and Germany as examples of how this could be carried out:

"The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.

Ultimately, each EU national government's spy services are independently hawking domestic accesses to the NSA, GCHQ, FRA, and the like without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole." In the same statement Snowden also gave an impression of how effective the NSA's surveillance programs are: "I am telling you that without getting out of my chair, I could have read the private communications of any member of this committee, as well as any ordinary citizen."

'Strengthens the security of all'

Dagbladet Information has asked the NSA to comment on RAMPART-A. Spokesperson Vanee' Vines responded: "We are not going to comment on specific, alleged foreign intelligence activities. However, the fact that the U.S. government works with other nations, under specific and regulated conditions, mutually strengthens the security of all. NSA's efforts are focused on ensuring the protection of the national security of the United States, its citizens, and our allies through the pursuit of valid foreign intelligence targets only.

In January, President Obama issued U.S. Presidential Policy Directive 28, which affirms that all persons -- regardless of nationality -- have legitimate privacy interests in the handling of their personal information, and that privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities. All of NSA's efforts are strictly conducted under the rule of law, including the President's new directive. The agency collects data to meet specific security and intelligence requirements, such as force protection for U.S. troops and allies, counterintelligence, counterterrorism, counterproliferation, and combating transnational crime."

Download the documents here

Reported in collaboration with The Intercept