XKEYSCORE, ACLU document archive, slide #11.
XKEYSCORE is an NSA search and analysis system for data collected by other surveillance programmes. The system is described by Snowden as a search engine that provides a “one-stop shop” for access to content, metadata and real-time tracking and monitoring of user activities (COU01). Access to XKEYSCORE is shared with a number of other intelligence agencies including GCHQ (COU01, GUA01). In 2012, GCHQ’s TEMPORA programme was the largest source of XKEYSCORE data (EFF01).
The system incorporates user interfaces, databases and algorithms to select specific types of content and metadata that have already been collected by other surveillance programmes. Data can be retrieved using “strong selectors” such as email addresses and “soft selectors” such as keywords (ACU01). Rules for identifying particular kinds of data can be created and stored in the system. For example, analysts can target Tor users through rules that select web searches related to Tor and connections to the Tor network (NDR01). XKEYSCORE also has the ability to alert analysts to the activities of specific email and IP addresses (GUA02).
In 2008, the system included over 700 servers at approximately 150 locations around the world (ACU01). Content remains in the XKEYSCORE environment for three to five days, while metadata is stored for 30 days.
PRISM – NSA programme for content and metadata collection from service providers via the FBI.
MUSCULAR – GCHQ programme for bulk data collection from service provider data centres.
INCENSER – GCHQ programme for bulk data collection from fibre-optic cables.
TEMPORA – GCHQ programme for bulk data collection and buffering.
TRAFFICTHIEF – NSA repository for metadata about selected targets.
MARINA – NSA repository for bulk Internet metadata.
PINWALE – NSA repository for selected content.
XKEYSCORE training materials detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search (GUA02). Requests are not reviewed by a court or any NSA personnel before being processed. The programme covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata (GUA02). The programme also allows for on-going “real-time” interception of an individual’s Internet activity (GUA02).
Data storage is an issue. According to leaked documents, “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours” (GUA02). In response, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named PINWALE, which can store material for up to five years (GUA02).
American Civil Liberties Union (ACU)
1) https://www.aclu.org/files/natsec/nsa/NSA%20XKeyscore%20Powerpoint.pdf
Courage Foundation (COU)
1) https://edwardsnowden.com/2014/01/27/video-ard-interview-with-edward-snowden
Electronic Frontier Foundation (EFF)
1) https://www.eff.org/files/2014/06/23/report_on_the_nsas_access_to_tempora.pdf
Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html
Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection
2) http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
NDR Panorama (NDR)
1) http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html
Robert Sesek (SES)
1) https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html
The Week (WEE)
1) http://theweek.com/articles/461482/4-nsa-terms-should-know
FASCIA, Washington Post, slide 1.
FASCIA is the US National Security Agency’s (NSA) data storage and analysis programme focused on mobile phone location metadata. Approximately 5 billion records per day are collected [WAH01]. The programme exploits the SS7 (Signaling System No. 7) data exchange protocol, which links mobile network providers together.
Two kinds of data are collected from mobile devices [WAH01].
Additionally, it has the ability to analyse communication security (COMMSEC) behaviours such as “frequent power-down, handset swapping, SMS behaviour” [NSA01].
The leaked documents show that the GCHQ works in partnership with the NSA in DNI collection, specifically to track location using the Google tracking cookie PREFID that is gathered with personal data communications. This cookie can be used to hack into devices [WAH02].
The FASCIA programme uses a variety of data analysis techniques to locate and track individuals using these two sources of data (DNR and DNI) including [WAH01; NSA01]:
R6 SORTINGLEAD – Cloud-based version of CHALKFUN that includes additional features such as search by countries or locations of interest [NSA01].
HAPPY FOOT – Analytic tool that aggregates leaked location-based service data to map the physical locations of IP addresses [WAH01].
TAPERLAY – The NSA’s tool for looking up the registered location of a mobile device — the provider and country where a phone was originally activated — in the Global Numbering Database [WAH01].
TUSKATTIRE – System used for metadata processing [WAH01].
JUGGERNAUT – A signals processing system that can process raw feeds between mobile carriers through the SS7 protocol [WAH01].
GHOSTMACHINE – The NSA’s cloud analytics platform [WAH03].
FASCIA is the National Security Agency’s enormous database containing trillions of device-location records that are collected from a variety of sources. The leaked documents show the volume and types of device-location data collected. Mobile phone metadata analysis can reveal a high level of detail regarding people’s movements.
When mobile devices are turned on and begin searching for wireless signals, they show their locations to any radio receivers in the vicinity. When a mobile phone connects to a network, it registers its location to one or more signalling towers that store this information in databases (known as Home Location Registers and Visitor Location Registers) maintained by telephone providers and clearing houses so that calls can be made and received.
These registers store a device’s approximate location, which service providers determine by triangulating its distance from multiple towers in the vicinity. This can reveal a person’s location at the country, town, and even street level. In addition, some mobile devices use WiFi and GPS signals to fix their locations, which provides geo-location data. Smartphones can also reveal their location through mobile apps, built-in location-based services and IP addresses [WAH01].
National Security Agency (NSA) document, (provided by the Washington Post)
1) National Security Agency white paper: Summary of DNR and DNI Co-Travel Analytics
https://s3.amazonaws.com/s3.documentcloud.org/documents/888734/cotraveler-tracking-redacted.pdf
Washington Post (WAH)
2) http://apps.washingtonpost.com/g/page/world/nsa-signal-surveillance-success-stories/647
The Intercept – Applying Advanced Cloud-based Behavior Analytics, slide 1.
SKYNET is a behaviour profiling programme that attempts to identify “interesting travel patterns”, including how often a person travels and to where [SKYNET-02, Slide13]. Specifically, the programme aims to identify “courier-like travel patterns” [SKYNET-02, Slide20].
It achieves this by analysing mobile phone metadata that reveals both location and communication data from bulk call records [INT01]. Using this metadata SKYNET looks for patterns amongst different people who use phones in similar ways [SKYNET-02, Slide2].
For this programme “call data is acquired from major Pakistani telecom providers” but the technical means for obtaining the data is not divulged in the slides [INT01]. It uses a cloud computing technology to store and analyse Call Data Records (CDRs) from Pakistani Telecoms uploaded to an NSA cloud [SKYNET-01, Slide6]. Analysis of the data examines [SKYNET-02, Slide3]:
This is done using geospatial, geotemporal, pattern-of-life and travel analytics [SKYNET-01, Slide3], specifically by identifying a mobile phone’s IMSI (International Mobile Subscriber Identity) [SKYNET-01, Slide13]. This number is a unique identifier associated with every mobile phone on a cellular network. It is stored as a 64-bit field and is sent by the phone to the network [TFA01].
Behaviours SKYNET attempts to identify include [INT01]:
DEMONSPIT – dataflow of Call Data Records (CDRs) from Pakistan [SKYNET-01, Slide6]
MAINWAY – collection of telephone metadata
The SKYNET programme collected 55 million cell phone records from Pakistan to identify ‘interesting’ or ‘suspect’ behaviours [INT01].
Questions are being raised about the “method of identifying terrorist targets based on metadata” [INT01] because it may produce false positives, especially when it comes to the activities of journalists who seek to contact terrorists. In particular, an Al Jazeera journalist, Ahmad Muaffaq Zaidan, was singled out as someone whose “movements and calls mirrored those of known Al Qaeda couriers” [INT01].
Intercept (INT)
1) https://firstlook.org/theintercept/2015/05/08/u-s-government-designated-prominent-al-jazeera-journalist-al-qaeda-member-put-watch-list/
2) SKYNET01 – https://firstlook.org/theintercept/document/2015/05/08/skynet-applying-advanced-cloud-based-behavior-analytics/
3) SKYNET02 – https://firstlook.org/theintercept/document/2015/05/08/skynet-courier/
Tech Faq (TFA)
1) http://www.tech-faq.com/imsi.html
MARINA is an NSA repository for metadata. It stores information about millions of Internet users for up to a year (GUA01). The repository contains contact information, browsing history and other metadata. It also has the ability to export data in a variety of formats, including charts that assist in pattern-of-life analysis (GUA01).
MARINA aggregates metadata from a variety of sources, including online social networks, billing records, bank transactions, insurance information, passenger manifests, voter registration rolls, GPS location information, property records, and unspecified tax data (NYT01).
MAINWAY is the counterpart programme for storing telephone metadata (MOJ01).
XKEYSCORE – NSA system for searching and analysing data from a wide range of sources.
PRISM – NSA programme for collecting content and metadata from service providers via the FBI.
TEMPORA – GCHQ programme for bulk data collection and buffering.
MAINWAY – NSA repository for telephone metadata.
MARINA exploits a trend known as convergence, referred to in an NSA slide as “The gradual ‘blurring’ of telecommunications, computers, and the Internet” (ACU01).
This convergence of computerised data makes it easier to combine data from various sources, thus developing an understanding of both the social networks and the activities of people. MARINA is part of the Target Knowledge Database (TKB), a repository of data about targeted individuals including German Chancellor Angela Merkel (SPI01).
American Civil Liberties Union (ACU)
1) https://www.aclu.org/sites/default/files/assets/social_convergence.pdf
Guardian (GUA)
1) http://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents
Mother Jones Magazine (MOJ)
1) http://www.motherjones.com/kevin-drum/2013/06/washington-post-provides-new-history-nsa-surveillance-programs
New York Times (NYT)
1) http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html
Spiegel (SPI)
1) http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html