Monday, February 10, 2014

Metadata collection by Dutch MIVD instead of NSA

  Metadata collection by Dutch MIVD instead of NSA

(Updated: February 10, 2014)

Today, the Dutch newspaper NRC Handelsblad finally published the complete BOUNDLESSINFORMANT screenshot that shows data related to the Netherlands.

This came after a surprising revelation by the Dutch government that the 1,8 million metadata shown in that screenshot were not from Dutch citizens and intercepted by NSA, but actually from a legitimate collection against foreign targets by the Dutch military intelligence agency MIVD which was passed on to the Americans.

Here, I will analyse the chart and compare it with similar charts about various other countries that were published earlier. More about the background, which caused some severe political problems for the Dutch interior minister, will be added soon!

The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)

The first thing that catches the eye is that the screenshot is shown here on paper, together with another sheet with an orange bar bearing a classification marking and a cardboard folder. The sheets look like as if they became wet and also show some white paint brush-like stains (all previous screenshots were published as digital files).

Probably these effects were photoshopped by the paper to make it look extra special. For example, the classification marking on the second sheet seems fake, as it reads: TOPSECRET//S//NOFORN, where in reality Top Secret are two separate words and the compartment for this kind of information is not S, but SI for Special Intelligence.

That said, we now take a look at the information in the screenshot itself. In the upper part there's the bar chart which was already published back in August 2013 by Der Spiegel. The green bars show that only DNR (Dialed Number Recognition, which is telephony) metadata were collected. In the lower part, which was published for the first time today, there are three sections with some details about this collection:

Signal Profile

This section has a pie chart which can show various types of communication. In this case, all metadata were collected from PSTN, which stands for Public Switched Telephone Network, the traditional telephone infrastructure.

It's assumed that in this case, MIVD collected the metadata using their satellite station, which is next to a big commercial ground station of Inmarsat, so it can easily intercept this Inmarsat, as well as Intelsat satellite communication links. Whereas nowadays almost all intercontinental communications pass undersea fiber optic cables, some remote and less-developed countries like Afghanistan and Somalia apparently still use satellite links for their international telephone calls.

An example given by the NRC newspaper is that of calls made by Somali people from call shops in a Dutch city like Rotterdam to the Somali capital Mogadishu. If these calls travel through Inmarsat satellite links, the MIVD is able to collect their metadata. The agency only gathers communications that are related to terrorism and those that are necessary to support international military operations.

Once these metadata are collected, the MIVD filters out those ones that are related to Dutch citizens. The remaining data are shared with NSA. According to the Dutch government, metadata of Dutch citizens are filtered out by selecting the phone numbers

The satellite intercept station of MIVD near Burum
(photo: ANP)

Most Volume

All records were collected through a facility designated by the SIGAD US-985Y.

According to NRC, Dutch government sources say that this SIGAD does not designate a single facility, but rather "metadata collected by MIVD that are shared with NSA".

This means that these data can be derived from multiple collection platforms and not just from the Dutch satellite intercept station near the village of Burum, although the Dutch government said that in this case the 1,8 million metadata were collected through satellite interception. Besides Burum, the Dutch signals intelligence unit NSO also has a high-frequency radio intercept station near Eibergen and some mobile SIGINT units which can be deployed in foreign operations.

US-985Y is from the same range as US-985D, which is the SIGAD in the screenshot about the collection of metadata related to France, and also near the range of US-987 SIGADs which are used for collection by Spanish, Norwegian, German and Italian agencies. Interestingly, it was Der Spiegel noticing already in August 2013, that SIGADs like the US-987 series were among those assigned by NSA to the SIGINT activities of 3rd Party partner agencies.

If the Dutch interpretation is correct, we have to assume that also the SIGADs for other countries do not designate a particular physical interception facility, but rather a foreign agency as the single source of shared data, with divisions not according to collection facilities, but according to data types like metadata, content, phone and internet. This makes some sense, as it's not up to NSA to assign designations to individual foreign collection platforms.

Top 5 Techs

This section mentions the technical systems or programs used to collect or process the data. Here, only a single system was used, called CERF CALL.

Sources contacted by NRC say this stands for "Contact Event Record Call", which refers in a more technical way to (telephony) metadata. "Contact" and "event" are terms which are also seen in other NSA documents related to metadata, so that seems to make sense. A strange thing however, is that in this explanation there's no word for the letter F. This needs to be clarified.

The same tech was also in the BOUNDLESSINFORMANT screenshot about Germany, where CERF CALL MOSES1 was the fourth biggest one. Seeing CERF in the Dutch chart came somewhat as a surprise, because in almost all screenshots that followed the German one (France, Spain, Italy, Norway and a chart about Afghanistan) we saw DRTBOX, which is a technique used for handling metadata derived from mobile communication systems (PCS).

DRTBOX refers to surveillance devices made by DRT, which are used to locally intercept radio and cell phone communications, and are widely used in war zones like Afghanistan. This also provides a very strong indication that the metadata for those other countries were collected during or in support of military operations abroad.

The sharing of this kind of military intelligence can take place on a bilateral basis, but also in multinational groups like the 9-Eyes and the 14-Eyes (SIGINT Seniors Europe), which consist of the Five Eyes plus a number of 3rd Party nations.

The headquarters of the Dutch military intelligence agency MIVD,
which is located in the Frederikkazerne in The Hague
(photo: GPD)

We should also be aware of the possibility that the BOUNDLESSINFORMANT screenshot doesn't show everything that the Dutch agency MIVD shares with NSA, as in this one there are only telephony metadata. This is the lesson that was learned from the screenshot about Afghanistan, which was published by Glenn Greenwald in a Norwegian paper last November.
That chart also shows just telephony metadata from one single source, but communications from Afghanistan are of course intercepted by numerous collection facilities. This means that such a document bearing the name of a particular country doesn't necessarily contains everything what's collected from or by that nation.
This problem arises from the fact that these screenshots are published without their original context, so we don't know which selections in the BOUNDLESSINFORMANT interface were made prior to resulting in the output we see in these charts.
Unfortunately, Glenn Greenwald isn't able or willing to answer these kind of questions.

> More about the background of this story will follow soon!

Links and Sources
- Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- The Netherlands, not USA, gathered info from 1.8 million phone calls
- NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- MIVD: Interceptie van telecommunicatie

No comments:

Post a Comment