Individual Post Archive
« Lawmakers Raise Questions About International Spy Network |
Main
| Interception Capabilities 2000 - PART 2 »
December 18, 2003
Interception Capabilities 2000 - PART 1
Report to the Director General for Research of the European Parliament
(Scientific and Technical Options Assessment programme office)
on the development of surveillance technology and risk of abuse of economic information.
This study considers the state of the art in Communications intelligence (Comint) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to Comint targeting and selection, including speech recognition .
Contents
1. Organisations and methods
What is communications intelligence?
UKUSA alliance
Other Comint organisations
How intelligence works
Planning
Access and collection
Processing
Production and dissemination
2. Intercepting international communications
International Leased Carrier (ILC) communications
High frequency radio
Microwave radio relay
Subsea cables
Communications satellites
Communications techniques
ILC communications collection
Access
Operation SHAMROCK
High frequency radio interception
Space interception of inter-city networks
Sigint satellites
COMSAT ILC collection
Submarine cable interception
Intercepting the Internet
Covert collection of high capacity signals
New satellite networks
3. ECHELON and Comint production
The "Watch List"
New information about ECHELON sites and systems
Westminster, London : Dictionary computer
Sugar Grove, Virginia : COMSAT interception at ECHELON site
Sabana Seca, Puerto Rico and Leitrim, Canada : COMSAT interception sites
Waihopai, New Zealand : Intelsat interception at ECHELON site
ILC processing techniques
4. Comint and Law Enforcement
Misrepresentation of law enforcement interception requirements
Law enforcement communications interception - policy development in Europe
5. Comint and economic intelligence
Tasking economic intelligence
Disseminating economic intelligence
The use of Comint economic intelligence product
Panavia European Fighter Aircraft consortium and Saudi Arabia
Thomson CSF and Brazil
Airbus Industrie and Saudi Arabia
International trade negotiations
Targeting host nations
6. Comint capabilities after 2000
Developments in technology
Policy issues for the European Parliament
Technical annexe
Broadband (high capacity multi-channel) communications
Communications intelligence equipment
Wideband extraction and signal analysis
Filtering, data processing, and facsimile analysis
Traffic analysis, keyword recognition, text retrieval, and topic analysis
Speech recognition systems
Continuous speech recognition
Speaker identification and other voice message selection techniques
"Workfactor reduction"; the subversion of cryptographic systems
Glossary and definitions
Footnotes
Summary
1. Communications intelligence (Comint) involving the covert interception of foreign communications has been practised by almost every advanced nation since international telecommunications became available. Comint is a large-scale industrial activity providing consumers with intelligence on diplomatic, economic and scientific developments. The capabilities of and constraints on Comint activity may usefully be considered in the framework of the "intelligence cycle" (section 1).
2. Globally, about 15-20 billion Euro is expended annually on Comint and related activities. The largest component of this expenditure is incurred by the major English-speaking nations of the UKUSA alliance.(1) This report describes how Comint organisations have for more than 80 years made arrangements to obtain access to much of the world's international communications. These include the unauthorised interception of commercial satellites, of long distance communications from space, of undersea cables using submarines, and of the Internet. In excess of 120 satellite systems are currently in simultaneous operation collecting intelligence (section 2).
3. The highly automated UKUSA system for processing Comint, often known as ECHELON, has been widely discussed within Europe following a 1997 STOA report.(2) That report summarised information from the only two primary sources then available on ECHELON.(3) This report provides original new documentary and other evidence about the ECHELON system and its involvement in the interception of communication satellites (section 3). A technical annexe give a supplementary, detailed description of Comint processing methods.
4. Comint information derived from the interception of international communications has long been routinely used to obtain sensitive data concerning individuals, governments, trade and international organisations. This report sets out the organisational and reporting frameworks within which economically sensitive information is collected and disseminated, summarising examples where European commercial organisations have been the subject of surveillance (section 4).
5. This report identifies a previously unknown international organisation - "ILETS" - which has, without parliamentary or public discussion or awareness, put in place contentious plans to require manufacturers and operators of new communications systems to build in monitoring capacity for use by national security or law enforcement organisations (section 5).
6. Comint organisations now perceive that the technical difficulties of collecting communications are increasing, and that future production may be costlier and more limited than at present. The perception of such difficulties may provide a useful basis for policy options aimed at protective measures concerning economic information and effective encryption (section 6).
7. Key findings concerning the state of the art in Comint include :
Comprehensive systems exist to access, intercept and process every important modern form of communications, with few exceptions (section 2, technical annexe);
Contrary to reports in the press, effective "word spotting" search systems automatically to select telephone calls of intelligence interest are not yet available, despite 30 years of research. However, speaker recognition systems - in effect, "voiceprints" - have been developed and are deployed to recognise the speech of targeted individuals making international telephone calls;
Recent diplomatic initiatives by the United States government seeking European agreement to the "key escrow" system of cryptography masked intelligence collection requirements, and formed part of a long-term program which has undermined and continues to undermine the communications privacy of non-US nationals, including European governments, companies and citizens;
There is wide-ranging evidence indicating that major governments are routinely utilising communications intelligence to provide commercial advantage to companies and trade.
1. Organisations and methods
What is communications intelligence?
1. Communications intelligence (Comint) is defined by NSA, the largest agency conducting such operations as "technical and intelligence information derived from foreign communications by other than their intended recipient". (4)Comint is a major component of Sigint (signals intelligence), which also includes the collection of non-communications signals, such as radar emissions.(5) Although this report deals with agencies and systems whose overall task may be Sigint, it is concerned only with Comint.
2. Comint has shadowed the development of extensive high capacity new civil telecommunications systems, and has in consequence become a large-scale industrial activity employing many skilled workers and utilising exceptionally high degrees of automation.
3. The targets of Comint operations are varied. The most traditional Comint targets are military messages and diplomatic communications between national capitals and missions abroad. Since the 1960s, following the growth of world trade, the collection of economic intelligence and information about scientific and technical developments has been an increasingly important aspect of Comint. More recent targets include narcotics trafficking, money laundering, terrorism and organised crime.
4. Whenever access to international communications channels is obtained for one purpose, access to every other type of communications carried on the same channels is automatic, subject only to the tasking requirements of agencies. Thus, for example, NSA and its British counterpart GCHQ, used Comint collected primarily for other purposes to provide data about domestic political opposition figures in the United States between 1967 and 1975.
UKUSA alliance
5. The United States Sigint System (USSS) consists of the National Security Agency (NSA), military support units collectively called the Central Security Service, and parts of the CIA and other organisations. Following wartime collaboration, in 1947 the UK and the US made a secret agreement to continue to conduct collaborative global Comint activities. Three other English-speaking nations, Canada, Australia and New Zealand joined the UKUSA agreement as "Second Parties". The UKUSA agreement was not acknowledged publicly until March 1999, when the Australian government confirmed that its Sigint organisation, Defence Signals Directorate (DSD) "does co-operate with counterpart signals intelligence organisations overseas under the UKUSA relationship".(6) The UKUSA agreement shares facilities, tasks and product between participating governments.
6. Although UKUSA Comint agency staffs and budgets have shrunk following the end of the cold war, they have reaffirmed their requirements for access to all the world's communications. Addressing NSA staff on his departure in 1992, then NSA director Admiral William Studeman described how "the demands for increased global access are growing". The "business area" of "global access" was, he said, one of "two, hopefully strong, legs upon which NSA must stand" in the next century.(7)
Other Comint organisations
7. Besides UKUSA, there at least 30 other nations operating major Comint organisations. The largest is the Russian FAPSI, with 54,000 employees.(8) China maintains a substantial Sigint system, two stations of which are directed at Russia and operate in collaboration with the United States. Most Middle Eastern and Asian nations have invested substantially in Sigint, in particular Israel, India and Pakistan.
How intelligence works
8. In the post cold war era, Comint interception has been constrained by recognisable industrial features, including the requirement to match budgets and capabilities to customer requirements. The multi-step process by means of which communications intelligence is sought, collected, processed and passed on is similar for all countries, and is often described as the "intelligence cycle". The steps of the intelligence cycle correspond to distinct organisational and technical features of Comint production. Thus, for example, the administration of NSA's largest field station in the world, at Menwith Hill in England and responsible for operating over 250 classified projects, is divided into three directorates: OP, Operations and Plans; CP, Collection Processing; and EP, Exploitation and Production.
Planning
9. Planning first involves determining customer requirements. Customers include the major ministries of the sponsoring government - notably those concerned with defence, foreign affairs, security, trade and home affairs. The overall management of Comint involves the identification of requirements for data as well as translating requirements into potentially achievable tasks, prioritising, arranging analysis and reporting, and monitoring the quality of Comint product.
10. Once targets have been selected, specific existing or new collection capabilities may be tasked, based on the type of information required, the susceptibility of the targeted activity to collection, and the likely effectiveness of collection.
Access and collection
11. The first essential of Comint is access to the desired communications medium so that communications may be intercepted. Historically, where long-range radio communications were used, this task was simple. Some important modern communications systems are not "Comint friendly" and may require unusual, expensive or intrusive methods to gain access. The physical means of communication is usually independent of the type of information carried. For example, inter-city microwave radio-relay systems, international satellite links and fibre optic submarine cables will all usually carry mixed traffic of television, telephone, fax, data links, private voice, video and data.
12. Collection follows interception, but is a distinct activity in that many types of signals may be intercepted but will receive no further processing save perhaps technical searches to verify that communications patterns remain unchanged. For example, a satellite interception station tasked to study a newly launched communications satellite will set up an antenna to intercept all that the satellite sends to the ground. Once a survey has established which parts of the satellite's signals carry, say, television or communications of no interest, these signals will not progress further within the system.
13. Collection includes both acquiring information by interception and passing information of interest downstream for processing and production. Because of the high information rates used in many modern networks, and the complexity of the signals within them, it is now common for high speed recorders or "snapshot" memories temporarily to hold large quantities of data while processing takes place. Modern collection activities use secure, rapid communications to pass data via global networks to human analysts who may be a continent away. Selecting messages for collection and processing is in most cases automated, involving large on-line databanks holding information about targets of interest.
Processing
14. Processing is the conversion of collected information into a form suitable for analysis or the production of intelligence, either automatically or under human supervision. Incoming communications are normally converted into standard formats identifying their technical characteristics, together with message (or signal) related information (such as the telephone numbers of the parties to a telephone conversation).
15. At an early stage, if it is not inherent in the selection of the message or conversation, each intercepted signal or channel will be described in standard "case notation". Case notation first identifies the countries whose communications have been intercepted, usually by two letters. A third letter designates the general class of communications: C for commercial carrier intercepts, D for diplomatic messages, P for police channels, etc. A fourth letter designates the type of communications system (such as S for multi-channel). Numbers then designate particular links or networks. Thus for example, during the 1980s NSA intercepted and processed traffic designated as "FRD" (French diplomatic) from Chicksands, England, while the British Comint agency GCHQ deciphered "ITD" (Italian diplomatic) messages at its Cheltenham headquarters. (9)
16. Processing may also involve translation or "gisting" (replacing a verbatim text with the sense or main points of a communication). Translation and gisting can to some degree be automated.
Production and dissemination
17. Comint production involves analysis, evaluation, translation and interpretation of raw data into finished intelligence. The final step of the intelligence cycle is dissemination, meaning the passing of reports to the intelligence consumers. Such reports can consist of raw (but decrypted and/or translated) messages, gists, commentary, or extensive analyses. The quality and relevance of the disseminated reports lead in turn to the re-specification of intelligence collection priorities, thereby completing the intelligence cycle.
18. The nature of dissemination is highly significant to questions of how Comint is exploited to obtain economic advantage. Comint activities everywhere are highly classified because, it is argued, knowledge of the success of interception would be likely to lead targets to change their communications methods to defeat future interception. Within the UKUSA system, the dissemination of Comint reports is limited to individuals holding high-level security "SCI" clearances.(10) Further, because only cleared officials can see Comint reports, only they can set requirements and thus control tasking. Officials of commercial companies normally neither have clearance nor routine access to Comint, and may therefore only benefit from commercially relevant Comint information to the extent that senior, cleared government officials permit. The ways in which this takes place is described in Section 5, below.
19. Dissemination is further restricted within the UKUSA organisation by national and international rules generally stipulating that the Sigint agencies of each nation may not normally collect or (if inadvertently collected) record or disseminate information about citizens of, or companies registered in, any other UKUSA nation. Citizens and companies are collectively known as "legal persons". The opposite procedure is followed if the person concerned has been targeted by their national Comint organisation.
20. For example, Hager has described (11) how New Zealand officials were instructed to remove the names of identifiable UKUSA citizens or companies from their reports, inserting instead words such as "a Canadian citizen" or "a US company". British Comint staff have described following similar procedures in respect of US citizens following the introduction of legislation to limit NSA's domestic intelligence activities in 1978.(12) The Australian government says that "DSD and its counterparts operate internal procedures to satisfy themselves that their national interests and policies are respected by the others ... the Rules [on Sigint and Australian persons] prohibit the dissemination of information relating to Australian persons gained accidentally during the course of routine collection of foreign communications; or the reporting or recording of the names of Australian persons mentioned in foreign communications".(13) The corollary is also true; UKUSA nations place no restrictions on intelligence gathering affecting either citizens or companies of any non-UKUSA nation, including member states of the European Union (except the UK).
2. Intercepting international communications
International Leased Carrier (ILC) communications
21. It is a matter of record that foreign communications to and from, or passing through the United Kingdom and the United States have been intercepted for more than 80 years.(14) Then and since, most international communications links have been operated by international carriers, who are usually individual national PTTs or private companies. In either case, capacity on the communication system is leased to individual national or international telecommunications undertakings. For this reason, Comint organisations use the term ILC (International Leased Carrier) to describe such collection.
High frequency radio
22. Save for direct landline connections between geographically contiguous nations, high frequency (HF) radio system were the most common means of international telecommunications prior to 1960, and were in use for ILC, diplomatic and military purposes. An important characteristic of HF radio signals is that they are reflected from the ionosphere and from the earth's surface, providing ranges of thousands of miles. This enables both reception and interception.
Microwave radio relay
23. Microwave radio was introduced in the 1950s to provide high capacity inter-city communications for telephony, telegraphy and, later, television. Microwave radio relay communications utilise low power transmitters and parabolic dish antennae placed on towers in high positions such as on hilltops or tall buildings. The antennae are usually 1-3m in diameter. Because of the curvature of the earth, relay stations are generally required every 30-50km.
Subsea cables
24. Submarine telephone cables provided the first major reliable high capacity international communications systems. Early systems were limited to a few hundred simultaneous telephone channels. The most modern optical fibre systems carry up to 5 Gbps (Gigabits per second) of digital information. This is broadly equivalent to about 60,000 simultaneous telephone channels.
Communications satellites
25. Microwave radio signals are not reflected from the ionosphere and pass directly into space. This property has been exploited both to provide global communications and, conversely, to intercept such communications in space and on land. The largest constellation of communications satellites (COMSATs) is operated by the International Telecommunications Satellite organisation (Intelsat), an international treaty organisation. To provide permanent communications from point to point or for broadcasting purposes, communications satellites are placed into so-called "geostationary" orbits such that, to the earth-based observer, they appear to maintain the same position in the sky.
26. The first geostationary Intelsat satellites were orbited in 1967. Satellite technology developed rapidly. The fourth generation of Intelsat satellites, introduced in 1971, provided capacity for 4,000 simulataneous telephone channels and were capable of handling all forms of communications simultaneously -telephone, telex, telegraph, television, data and facsimile. In 1999, Intelsat operated 19 satellites of its 5th to 8th generations. The latest generation can handle the equivalent to 90,000 simultaneous calls.
Communications techniques
27. Prior to 1970, most communications systems (however carried) utilised analogue or continuous wave techniques. Since 1990, almost all communications have been digital, and are providing ever higher capacity. The highest capacity systems in general use for the Internet, called STM-1 or OC-3, operates at a data rate of 155Mbs. (Million bits per second; a rate of 155 Mbps is equivalent to sending 3 million words every second, roughly the text of one thousand books a minute.) For example, links at this capacity are used to provide backbone Internet connections between Europe and the United States. Further details of communications techniques are given in the technical annexe.
ILC communications collection
Access
28. Comint collection cannot take place unless the collecting agency obtains access to the communications channels they wish to examine. Information about the means used to gain access are, like data about code-breaking methods, the most highly protected information within any Comint organisation. Access is gained both with and without the complicity or co-operation of network operators.
Operation SHAMROCK
29. From 1945 onwards in the United States the NSA and predecessor agencies systematically obtained cable traffic from the offices of the major cable companies. This activity was codenamed SHAMROCK. These activities remained unknown for 30 years, until enquiries were prompted by the Watergate affair. On 8 August 1975, NSA Director Lt General Lew Allen admitted to the Pike Committee of the US House of Representatives that :
"NSA systematically intercepts international communications, both voice and cable".
30. He also admitted that "messages to and from American citizens have been picked up in the course of gathering foreign intelligence". US legislators considered that such operations might have been unconstitutional. During 1976, a Department of Justice team investigated possible criminal offences by NSA. Part of their report was released in 1980. It described how intelligence on US citizens:
"was obtained incidentally in the course of NSA's interception of aural and non-aural (e.g., telex) international communications and the receipt of GCHQ-acquired telex and ILC (International Leased Carrier) cable traffic (SHAMROCK)" (emphasis in original).(15)
High frequency radio interception
31. High frequency radio signals are relatively easy to intercept, requiring only a suitable area of land in, ideally, a "quiet" radio environment. From 1945 until the early 1980s, both NSA and GCHQ operated HF radio interception systems tasked to collect European ILC communications in Scotland.(16)
32. The most advanced type of HF monitoring system deployed during this period for Comint purposes was a large circular antenna array known as AN/FLR-9. AN/FLR-9 antennae are more than 400 metres in diameter. They can simultaneously intercept and determine the bearing of signals from as many directions and on as many frequencies as may be desired. In 1964, AN/FLR-9 receiving systems were installed at San Vito dei Normanni, Italy; Chicksands, England, and Karamursel, Turkey.
33. In August 1966, NSA transferred ILC collection activities from its Scottish site at Kirknewton, to Menwith Hill in England. Ten years later, this activity was again transferred, to Chicksands. Although the primary function of the Chicksands site was to intercept Soviet and Warsaw Pact air force communications, it was also tasked to collect ILC and "NDC" (Non-US Diplomatic Communications). Prominent among such tasks was the collection of FRD traffic (i.e., French diplomatic communications). Although most personnel at Chicksands were members of the US Air Force, diplomatic and ILC interception was handled by civilian NSA employees in a unit called DODJOCC.(17)
34. During the 1970s, British Comint units on Cyprus were tasked to collect HF communications of allied NATO nations, including Greece and Turkey. The interception took place at a British army unit at Ayios Nikolaos, eastern Cyprus.(18) In the United States in 1975, investigations by a US Congressional Committee revealed that NSA was collecting diplomatic messages sent to and from Washington from an army Comint site at Vint Hill Farms, Virginia. The targets of this station included the United Kingdom.(19)
Space interception of inter-city networks
35. Long distance microwave radio relay links may require dozens of intermediate stations to receive and re-transmit communications. Each subsequent receiving station picks up only a tiny fraction of the original transmitted signal; the remainder passes over the horizon and on into space, where satellites can collect it. These principles were exploited during the 1960s to provide Comint collection from space. The nature of microwave "spillage" means that the best position for such satellites is not above the chosen target, but up to 80 degrees of longitude away.
36. The first US Comint satellite, CANYON, was launched In August 1968, followed soon by a second. The satellites were controlled from a ground station at Bad Aibling, Germany. In order to provide permanent coverage of selected targets, CANYON satellites were placed close to geostationary orbits. However, the orbits were not exact, causing the satellites to change position and obtain more data on ground targets.(20) Seven CANYON satellites were launched between 1968 and 1977.
37. CANYON's target was the Soviet Union. Major Soviet communications links extended for thousands of miles, much of it over Siberia, where permafrost restricted the reliable use of underground cables. Geographical circumstances thus favoured NSA by making Soviet internal communications links highly accessible. The satellites performed better than expected, so the project was extended.
38. The success of CANYON led to the design and deployment of a new class of Comint satellites, CHALET. The ground station chosen for the CHALET series was Menwith Hill, England. Under NSA project P-285, US companies were contracted to install and assist in operating the satellite control system and downlinks (RUNWAY) and ground processing system (SILKWORTH). The first two CHALET satellites were launched in June 1978 and October 1979. After the name of the first satellite appeared in the US press, they were renamed VORTEX. In 1982, NSA obtained approval for expanded "new mission requirements" and were given funds and facilities to operate four VORTEX satellites simultaneously. A new 5,000m2 operations centre (STEEPLEBUSH) was constructed to house processing equipment. When the name VORTEX was published in 1987, the satellites were renamed MERCURY.(21)
39. The expanded mission given to Menwith Hill after 1985 included MERCURY collection from the Middle East. The station received an award for support to US naval operations in the Persian Gulf from 1987 to 1988. In 1991, a further award was given for support of the Iraqi war operations, Desert Storm and Desert Shield.(22) Menwith Hill is now the major US site for Comint collection against its major ally, Israel. Its staff includes linguists trained in Hebrew, Arabic and Farsi as well as European languages. Menwith Hill has recently been expanded to include ground links for a new network of Sigint satellites launched in 1994 and 1995 (RUTLEY). The name of the new class of satellites remains unknown.
Sigint satellites
40. The CIA developed a second class of Sigint satellite with complementary capabilities over the period from 1967 to 1985. Initially known as RHYOLITE and later AQUACADE, these satellites were operated from a remote ground station in central Australia, Pine Gap. Using a large parabolic antenna which unfolded in space, RHYOLITE intercepted lower frequency signals in the VHF and UHF bands. Larger, most recent satellites of this type have been named MAGNUM and then ORION. Their targets include telemetry, VHF radio, cellular mobile phones, paging signals, and mobile data links.
41. A third class of satellite, known first as JUMPSEAT and latterly as TRUMPET, operates in highly elliptical near-polar orbits enabling them to "hover" for long period over high northern latitudes. They enable the United States to collect signals from transmitters in high northern latitudes poorly covered by MERCURY or ORION, and also to intercept signals sent to Russian communications satellites in the same orbits.
Comint satellites in geostationary orbits, such as VORTEX, intercept terrestial microwave spillage
Inter-city microwave radio relay tower pills" signals into space
42. Although precise details of US space-based Sigint satellites launched after 1990 remain obscure, it is apparent from observation of the relevant ground centres that collection systems have expanded rather than contracted. The main stations are at Buckley Field, Denver, Colorado; Pine Gap, Australia; Menwith Hill, England; and Bad Aibling, Germany. The satellites and their processing facilities are exceptionally costly (of the order of $1 billion US each). In 1998, the US National Reconnaissance Office (NRO) announced plans to combine the three separate classes of Sigint satellites into an Integrated Overhead Sigint Architecture (IOSA) in order to " improve Sigint performance and avoid costs by consolidating systems, utilising ... new satellite and data processing technologies". (23)
43. It follows that, within constraints imposed by budgetary limitation and tasking priorities, the United States can if it chooses direct space collection systems to intercept mobile communications signals and microwave city-to-city traffic anywhere on the planet. The geographical and processing difficulties of collecting messages simultaneously from all parts of the globe suggest strongly that the tasking of these satellites will be directed towards the highest priority national and military targets. Thus, although European communications passing on inter-city microwave routes can be collected, it is likely that they are normally ignored. But it is very highly probable that communications to or from Europe and which pass through the microwave communications networks of Middle Eastern states are collected and processed.
44. No other nation (including the former Soviet Union) has deployed satellites comparable to CANYON, RHYOLITE, or their successors. Both Britain (project ZIRCON) and France (project ZENON) have attempted to do so, but neither persevered. After 1988 the British government purchased capacity on the US VORTEX (now MERCURY) constellation to use for unilateral national purposes.(24) A senior UK Liaison Officer and staff from GCHQ work at Menwith Hill NSA station and assist in tasking and operating the satellites.
COMSAT ILC collection
45. Systematic collection of COMSAT ILC communications began in 1971. Two ground stations were built for this purpose. The first at Morwenstow, Cornwall, England had two 30-metre antennae. One intercepted communications from the Atlantic Ocean Intelsat; the other the Indian Ocean Intelsat. The second Intelsat interception site was at Yakima, Washington in the northwestern United States. NSA's "Yakima Research Station" intercepted communications passing through the Pacific Ocean Intelsat satellite.
46. ILC interception capability against western-run communications satellites remained at this level until the late 1970s, when a second US site at Sugar Grove, West Virginia was added to the network. By 1980, its three satellite antenna had been reassigned to the US Naval Security Group and were used for COMSAT interception. Large-scale expansion of the ILC satellite interception system took place between 1985 and 1995, in conjunction with the enlargement of the ECHELON processing system (section 3). New stations were constructed in the United States (Sabana Seca, Puerto Rico), Canada (Leitrim, Ontario), Australia (Kojarena, Western Australia) and New Zealand (Waihopai, South Island). Capacity at Yakima, Morwenstow and Sugar Grove was expanded, and continues to expand.
Based on a simple count of the number of antennae currently installed at each COMSAT interception or satellite SIGINT station, it appears that the UKUSA nations are between them currently operating at least 120 satellite based collection systems. The approximate number of antennae in each category are:
- Tasked on western commercial communications satellites (ILC) 40
- Controlling space based signals intelligence satellites 30
- Currently or formerly tasked on Soviet communications satellites 50
Systems in the third category may have been reallocated to ILC tasks since the end of the cold war.(25)
47. Other nations increasingly collect Comint from satellites. Russia's FAPSI operates large ground collection sites at Lourdes, Cuba and at Cam Ranh Bay, Vietnam.(26) Germany's BND and France's DGSE are alleged to collaborate in the operation of a COMSAT collection site at Kourou, Guyana, targeted on "American and South American satellite communications". DGSE is also said to have COMSAT collection sites at Domme (Dordogne, France), in New Caledonia, and in the United Arab Emirates.(27) The Swiss intelligence service has recently announced a plan for two COMSAT interception stations.(28)
Satellite ground terminal at Etam, West Virginia connecting Europe and the US via Intelsat IV
GCHQ constructed an identical "shadow" station in 1972 to intercept Intelsat messages for UKUSA
Submarine cable interception
48. Submarine cables now play a dominant role in international telecommunications, since - in contrast to the limited bandwidth available for space systems - optical media offer seemingly unlimited capacity. Save where cables terminate in countries where telecommunications operators provide Comint access (such as the UK and the US), submarine cables appear intrinsically secure because of the nature of the ocean environment.
49. In October 1971, this security was shown not to exist. A US submarine, Halibut, visited the Sea of Okhotsk off the eastern USSR and recorded communications passing on a military cable to the Khamchatka Peninsula. Halibut was equipped with a deep diving chamber, fully in view on the submarine's stern. The chamber was described by the US Navy as a "deep submergence rescue vehicle". The truth was that the "rescue vehicle" was welded immovably to the submarine. Once submerged, deep-sea divers exited the submarine and wrapped tapping coils around the cable. Having proven the principle, USS Halibut returned in 1972 and laid a high capacity recording pod next to the cable. The technique involved no physical damage and was unlikely to have been readily detectable.(29)
50. The Okhotsk cable tapping operation continued for ten years, involving routine trips by three different specially equipped submarines to collect old pods and lay new ones; sometimes, more than one pod at a time. New targets were added in 1979. That summer, a newly converted submarine called USS Parche travelled from San Francisco under the North Pole to the Barents Sea, and laid a new cable tap near Murmansk. Its crew received a presidential citation for their achievement. The Okhotsk cable tap ended in 1982, after its location was compromised by a former NSA employee who sold information about the tap, codenamed IVY BELLS, to the Soviet Union. One of the IVY BELLS pods is now on display in the Moscow museum of the former KGB. The cable tap in the Barents Sea continued in operation, undetected, until tapping stopped in 1992.
51. During 1985, cable-tapping operations were extended into the Mediterranean, to intercept cables linking Europe to West Africa. (30) After the cold war ended, the USS Parche was refitted with an extended section to accommodate larger cable tapping equipment and pods. Cable taps could be laid by remote control, using drones. USS Parche continues in operation to the present day, but the precise targets of its missions remain unknown. The Clinton administration evidently places high value on its achievements, Every year from 1994 to 1997, the submarine crew has been highly commended.(31) Likely targets may include the Middle East, Mediterranean, eastern Asia, and South America. The United States is the only naval power known to have deployed deep-sea technology for this purpose.
52. Miniaturised inductive taps recorders have also been used to intercept underground cables.(32) Optical fibre cables, however, do not leak radio frequency signals and cannot be tapped using inductive loops. NSA and other Comint agencies have spent a great deal of money on research into tapping optical fibres, reportedly with little success. But long distance optical fibre cables are not invulnerable. The key means of access is by tampering with optoelectronic "repeaters" which boost signal levels over long distances. It follows that any submarine cable system using submerged optoelectronic repeaters cannot be considered secure from interception and communications intelligence activity.
USS halibut with disguised chamber for diving
Cable tapping pod laid by US submarine off Khamchatka
Intercepting the Internet
53. The dramatic growth in the size and significance of the Internet and of related forms of digital communications has been argued by some to pose a challenge for Comint agencies. This does not appear correct. During the 1980s, NSA and its UKUSA partners operated a larger international communications network than the then Internet but based on the same technology.(33) According to its British partner "all GCHQ systems are linked together on the largest LAN [Local Area Network] in Europe, which is connected to other sites around the world via one of the largest WANs [Wide Area Networks] in the world ... its main networking protocol is Internet Protocol (IP).(34) This global network, developed as project EMBROIDERY, includes PATHWAY, the NSA's main computer communications network. It provides fast, secure global communications for ECHELON and other systems.
54. Since the early 1990s, fast and sophisticated Comint systems have been developed to collect, filter and analyse the forms of fast digital communications used by the Internet. Because most of the world's Internet capacity lies within the United States or connects to the United States, many communications in "cyberspace" will pass through intermediate sites within the United States. Communications from Europe to and from Asia, Oceania, Africa or South America normally travel via the United States.
55. Routes taken by Internet "packets" depend on the origin and destination of the data, the systems through which they enter and leaves the Internet, and a myriad of other factors including time of day. Thus, routers within the western United States are at their most idle at the time when central European traffic is reaching peak usage. It is thus possible (and reasonable) for messages travelling a short distance in a busy European network to travel instead, for example, via Internet exchanges in California. It follows that a large proportion of international communications on the Internet will by the nature of the system pass through the United States and thus be readily accessible to NSA.
56.Standard Internet messages are composed of packets called "datagrams" . Datagrams include numbers representing both their origin and their destination, called "IP addresses". The addresses are unique to each computer connected to the Internet. They are inherently easy to identify as to country and site of origin and destination. Handling, sorting and routing millions of such packets each second is fundamental to the operation of major Internet centres. The same process facilitates extraction of traffic for Comint purposes.
57. Internet traffic can be accessed either from international communications links entering the United States, or when it reaches major Internet exchanges. Both methods have advantages. Access to communications systems is likely to be remain clandestine - whereas access to Internet exchanges might be more detectable but provides easier access to more data and simpler sorting methods. Although the quantities of data involved are immense, NSA is normally legally restricted to looking only at communications that start or finish in a foreign country. Unless special warrants are issued, all other data should normally be thrown away by machine before it can be examined or recorded.
58. Much other Internet traffic (whether foreign to the US or not) is of trivial intelligence interest or can be handled in other ways. For example, messages sent to "Usenet" discussion groups amounts to about 15 Gigabytes (GB) of data per day; the rough equivalent of 10,000 books. All this data is broadcast to anyone wanting (or willing) to have it. Like other Internet users, intelligence agencies have open source access to this data and store and analyse it. In the UK, the Defence Evaluation and Research Agency maintains a 1 Terabyte database containing the previous 90 days of Usenet messages.(35) A similar service, called "Deja News", is available to users of the World Wide Web (WWW). Messages for Usenet are readily distinguishable. It is pointless to collect them clandestinely.
59. Similar considerations affect the World Wide Web, most of which is openly accessible. Web sites are examined continuously by "search engines" which generate catalogues of their contents. "Alta Vista" and "Hotbot" are prominent public sites of this kind. NSA similarly employs computer "bots" (robots) to collect data of interest. For example, a New York web site known as JYA.COM (http://www.jya.com/crypto.htm) offers extensive public information on Sigint, Comint and cryptography. The site is frequently updated. Records of access to the site show that every morning it is visited by a "bot" from NSA's National Computer Security Centre, which looks for new files and makes copies of any that it finds.(36)
60. It follows that foreign Internet traffic of communications intelligence interest - consisting of e-mail, file transfers, "virtual private networks" operated over the internet, and some other messages - will form at best a few per cent of the traffic on most US Internet exchanges or backbone links. According to a former employee, NSA had by 1995 installed "sniffer" software to collect such traffic at nine major Internet exchange points (IXPs).(37) The first two such sites identified, FIX East and FIX West, are operated by US government agencies. They are closely linked to nearby commercial locations, MAE East and MAE West (see table). Three other sites listed were Network Access Points originally developed by the US National Science Foundation to provide the US Internet with its initial "backbone".
Internet site Location Operator Designation
FIX East College Park, Maryland US government Federal Information Exchange
FIX West Mountain View, California US government Federal Information Exchange
MAE East Washington, DC MCI Metropolitan Area Ethernet
New York NAP Pennsauken, New Jersey Sprintlink Network Access Point
SWAB Washington, DC PSInet / Bell Atlantic SMDS Washington Area Bypass
Chicago NAP Chicago, Illinois Ameritech / Bellcorp Network Access Point
San Francisco NAP San Francisco, California Pacific Bell Network Access Point
MAE West San Jose, California MCI Metropolitan Area Ethernet
CIX Santa Clara California CIX Commercial Internet Exchange
Table 1 NSA Internet Comint access at IXP sites (1995) (38)
61. The same article alleged that a leading US Internet and telecommunications company had contracted with NSA to develop software to capture Internet data of interest, and that deals had been struck with the leading manufacturers Microsoft, Lotus, and Netscape to alter their products for foreign use. The latter allegation has proven correct (see technical annexe). Providing such features would make little sense unless NSA had also arranged general access to Internet traffic. Although NSA will not confirm or deny such allegations, a 1997 court case in Britain involving alleged "computer hacking" produced evidence of NSA surveillance of the Internet. Witnesses from the US Air Force component of NSA acknowledged using packet sniffers and specialised programmes to track attempts to enter US military computers. The case collapsed after the witnesses refused to provide evidence about the systems they had used.(39)
Covert collection of high capacity signals
62. Where access to signals of interest is not possible by other means, Comint agencies have constructed special purpose interception equipment to install in embassies or other diplomatic premises, or even to carry by hand to locations of special interest. Extensive descriptions of operations of this kind have been published by Mike Frost, a former official of CSE, the Canadian Sigint agency.(40) Although city centre embassy premises are often ideally situated to intercept a wide range of communications, ranging from official carphone services to high capacity microwave links, processing and passing on such information may be difficult. Such collection operations are also highly sensitive for diplomatic reasons. Equipment for covert collection is therefore specialised, selective and miniaturised.
63. A joint NSA/CIA "Special Collection Service" manufactures equipment and trains personnel for covert collection activities One major device is a suitcase-sized computer processing system. ORATORY. ORATORY is in effect a miniaturised version of the Dictionary computers described in the next section, capable of selecting non-verbal communications of interest from a wide range of inputs, according to pre-programmed selection criteria. One major NSA supplier ("The IDEAS Operation") now offers micro-miniature digital receivers which can simultaneously process Sigint data from 8 independent channels. This radio receiver is the size of a credit card. It fits in a standard laptop computer. IDEAS claim, reasonably, that their tiny card "performs functions that would have taken a rack full of equipment not long ago".
New satellite networks
64. New network operators have constructed mobile phone systems providing unbroken global coverage using satellites in low or medium level earth orbits. These systems are sometimes called satellite personal communications systems (SPCS). Because each satellite covers only a small area and moves fast, large numbers of satellites are needed to provide continuous global coverage. The satellites can relay signals directly between themselves or to ground stations. The first such system to be completed, Iridium, uses 66 satellites and started operations in 1998. Iridium appears to have created particular difficulties for communications intelligence agencies, since the signals down from the Iridium and similar networks can only be received in a small area, which may be anywhere on the earth's surface.
3. ECHELON and Comint production
65. The ECHELON system became well known following publication of the previous STOA report. Since then, new evidence shows that ECHELON has existed since the 1970s, and was greatly enlarged between 1975 and 1995. Like ILC interception, ECHELON has developed from earlier methods. This section includes new information and documentary evidence about ECHELON and satellite interception.
The "Watch List"
66. After the public revelation of the SHAMROCK interception programme, NSA Director Lt General Lew Allen described how NSA used "'watch lists" as an aid to watch for foreign activity of reportable intelligence interest".(41) "We have been providing details ... of any messages contained in the foreign communications we intercept that bear on named individuals or organisations. These compilations of names are commonly referred to as 'Watch Lists'", he said.(42) Until the 1970s, Watch List processing was manual. Analysts examined intercepted ILC communications, reporting, "gisting" or analysing those which appeared to cover names or topics on the Watch List.
New information about ECHELON sites and systems
67. It now appears that the system identified as ECHELON has been in existence for more than 20 years. The need for such a system was foreseen in the late 1960s, when NSA and GCHQ planned ILC satellite interception stations at Mowenstow and Yakima. It was expected that the quantity of messages intercepted from the new satellites would be too great for individual examination. According to former NSA staff, the first ECHELON computers automated Comint processing at these sites.(43)
68. NSA and CIA then discovered that Sigint collection from space was more effective than had been anticipated, resulting in accumulations of recordings that outstripped the available supply of linguists and analysts. Documents show that when the SILKWORTH processing systems was installed at Menwith Hill for the new satellites, it was supported by ECHELON 2 and other databanks (see illustration).
69. By the mid 1980s, communications intercepted at these major stations were heavily sifted, with a wide variety of specifications available for non-verbal traffic. Extensive further automation was planned in the mid 1980s as NSA Project P-415. Implementation of this project completed the automation of the previous Watch List activity. From 1987 onwards, staff from international Comint agencies travelled to the US to attended training courses for the new computer systems.
70. Project P-415/ECHELON made heavy use of NSA and GCHQ's global Internet-like communication network to enable remote intelligence customers to task computers at each collection site, and receive the results automatically. The key component of the system are local "Dictionary" computers, which store an extensive database on specified targets, including names, topics of interest, addresses, telephone numbers and other selection criteria. Incoming messages are compared to these criteria; if a match is found, the raw intelligence is forwarded automatically. Dictionary computers are tasked with many thousands of different collection requirements, described as "numbers" (four digit codes).
71. Tasking and receiving intelligence from the Dictionaries involves processes familiar to anyone who has used the Internet. Dictionary sorting and selection can be compared to using search engines, which select web pages containing key words or terms and specifying relationships. The forwarding function of the Dictionary computers may be compared to e-mail. When requested, the system will provide lists of communications matching each criterion for review, analysis, "gisting" or forwarding. An important point about the new system is that before ECHELON, different countries and different stations knew what was being intercepted and to whom it was sent. Now, all but a fraction of the messages selected by Dictionary computers at remote sites are forwarded to NSA or other customers without being read locally.
List of intelligence databanks operating at ECHELON Menwith Hill in 1979 included the second generation of ECHELON
Satellite interception site at Sugar Grove, West Virginia, showing six antennae targeted on European and Atlantic
Ocean regional communications satellites
Westminster, London - Dictionary computer
72. In 1991, a British television programme reported on the operations of the Dictionary computer at GCHQ's Westminster, London office. The system "secretly intercepts every single telex which passes into, out of or through London; thousands of diplomatic, business and personal messages every day. These are fed into a programme known as `Dictionary'. It picks out keywords from the mass of Sigint, and hunts out hundreds of individuals and corporations".(44) The programme pointed out that the Dictionary computers, although controlled and tasked by GCHQ, were operated by security vetted staff employed by British Telecom (BT), Britain's dominant telecommunications operator.(45) The presence of Dictionary computers has also been confirmed at Kojarena, Australia; and at GCHQ Cheltenham, England.(46)
Sugar Grove, Virginia - COMSAT interception at ECHELON site
73. US government documents confirm that the satellite receiving station at Sugar Grove, West Virginia is an ECHELON site, and that collects intelligence from COMSATs. The station is about 250 miles south-west of Washington, in a remote area of the Shenandoah Mountains. It is operated by the US Naval Security Group and the US Air Force Intelligence Agency.
74. An upgraded system called TIMBERLINE II, was installed at Sugar Grove in the summer of 1990. At the same time, according to official US documents, an "ECHELON training department" was established.(47) With training complete, the task of the station in 1991 became "to maintain and operate an ECHELON site".(48)
75. The US Air Force has publicly identified the intelligence activity at Sugar Grove: its "mission is to direct satellite communications equipment [in support of] consumers of COMSAT information ... This is achieved by providing a trained cadre of collection system operators, analysts and managers".(49) In 1990, satellite photographs showed that there were 4 satellite antennae at Sugar Grove. By November 1998, ground inspection revealed that this had expanded to a group of 9.
Sabana Seca, Puerto Rico and Leitrim, Canada - COMSAT interception sites
76. Further information published by the US Air Force identifies the US Naval Security Group Station at Sabana Seca, Puerto Rico as a COMSAT interception site. Its mission is "to become the premier satellite communications processing and analysis field station".(50)
77. Canadian Defence Forces have published details about staff functions at the Leitrim field station of the Canadian Sigint agency CSE. The station, near Ottawa, Ontario has four satellite terminals, erected since 1984. The staff roster includes seven Communications Satellite Analysts, Supervisors and Instructors.(51)
78. In a publicly available resume, a former Communication Satellite Analyst employed at Leitrim describes his job as having required expertise in the "operation and analysis of numerous Comsat computer systems and associated subsystems ... [utilising] computer assisted analysis systems ... [and] a broad range of sophisticated electronic equipment to intercept and study foreign communications and electronic transmissions.(52) Financial reports from CSE also indicate that in 1995/96, the agency planned payments of $7 million to ECHELON and $6 million to Cray (computers). There were no further details about ECHELON.(53)
Waihopai, New Zealand - Intelsat interception at ECHELON site
79. New Zealand's Sigint agency GCSB operates two satellite interception terminals at Waihopai, tasked on Intelsat satellites covering the Pacific Ocean. Extensive details have already been published about the station's Dictionary computers and its role in the ECHELON network.(54) After the book was published, a New Zealand TV station obtained images of the inside of the station operations centre. The pictures were obtained clandestinely by filming through partially curtained windows at night. The TV reporter was able to film close-ups of technical manuals held in the control centre. These were Intelsat technical manuals, providing confirmation that the station targeted these satellites Strikingly, the station was seen to be virtually empty, operating fully automatically. One guard was inside, but was unaware he was being filmed.(55)
ILC processing techniques
80. The technical annexe describes the main systems used to extract and process communications intelligence. The detailed explanations given about processing methods are not essential to understanding the core of this report, but are provided so that readers knowledgeable about telecommunications may fully evaluate the state of the art.
81. Fax messages and computer data (from modems) are given priority in processing because of the ease with which they are understood and analysed. The main method of filtering and analysing non-verbal traffic, the Dictionary computers, utilise traditional information retrieval techniques, including keywords. Fast special purpose chips enable vast quantities of data to be processed in this way. The newest technique is "topic spotting". The processing of telephone calls is mainly limited to identifying call-related information, and traffic analysis. Effective voice "wordspotting" systems do not exist are not in use, despite reports to the contrary. But "voiceprint" type speaker identification systems have been in use since at least 1995. The use of strong cryptography is slowly impinging on Comint agencies' capabilities. This difficulty for Comint agencies has been offset by covert and overt activities which have subverted the effectiveness of cryptographic systems supplied from and/or used in Europe.
82. The conclusions drawn in the annexe are that Comint equipment currently available has the capability, as tasked, to intercept, process and analyse every modern type of high capacity communications system to which access is obtained, including the highest levels of the Internet. There are few gaps in coverage. The scale, capacity and speed of some systems is difficult fully to comprehend. Special purpose systems have been built to process pager messages, cellular mobile radio and new satellites.
December 18, 2003 at 11:21 PM in Echelon | Permalink | Top of page | Blog Home