October 3, 2017

The hotline between Washington and the former German capital Bonn

Today, it's the German Unity Day or Tag der Deutschen Einheit, which commemorates the anniversary of the reunification of East and West Germany in 1990.

In recent years, Germany's relationship with the United States had some tough times after it was revealed that chancellor Angela Merkel had been on an NSA targeting list, and a 3-year parliamentary inquiry showed a close cooperation between the NSA and the German foreign intelligence agency BND.

One part of the relationship between Germany and the US that was never reported before, is the existance of a hotline between the White House and the office of the German chancellor. Described for the first time is also the telephone equipment that was used for this kind of top level communications links.



The hotline (German: heißer Draht) between Washington and Bonn was established on Marz 16, 1962, after German chancellor Konrad Adenauer had met US president John Kennedy in Washington in November 1961. Apparently it was Kennedy who came up with the idea, maybe inspired by the secure telephone line with the British prime minister that already existed since World War II. The famous hotline between Washington and Moscow was established more than a year later, in August 1963.

In October 1966, the newspaper General Anzeiger reported that besides their initial call, Kennedy and Adenauer never used the hotline, and that at the American embassy, no one was aware of this telephone link.

This had led to the strange situation that on September 27, 1966, chancellor Ludwig Erhard and US president Lyndon Johnson, unaware of the hotline established under Kennedy, also agreed to set up a direct telephone line between the White House and Palais Schaumburg, which was the German chancellor's office (Kanzleramt) from 1949 till 1976.

After the press had reported about this agreement, Adenauer said that such a hotline already existed: he had used it for four years and had calls with Kennedy quite frequently. Multiple government spokesmen then claimed that the former chancellor was wrong, until an eye-witness was found who finally confirmed what Adenauer had said.

It's not clear how often Erhard and Johnson used the hotline: one source says they used it several times, another one that it was never used, neither by Johnson and Erhard, nor by Johnson and Kurt Georg Kiesinger, who succeeded Erhard in December 1966.* Under Adenauer and Erhard, the hotline consisted of a normal telephone line without encryption.

Secure teletype

In March 1969, US president Nixon offered chancellor Kiesinger to set up a secure teletype link between the White House and Palais Schaumburg. Were they again unaware of the earlier hotline, or was an encrypted link considered more secure? In those days it was much easier to encrypt teletype messages than a telephone channel.

We don't know whether this secure link was actually established and what equipment was used, but if so, it probably consisted of the same devices used for the hotline between Washington and Moscow: a standard teleprinter made by Teletype Corp. with the encryption being performed by an Electronic Teleprinter Cryptographic Regenerative Repeater Mixer II (ETCRRM II, see photo).

The ETCRRM II used the Vernam stream cipher, in which the plain text message is mixed with a random stream of data of the same length to generate the ciphertext. If used correctly, this method has been proved to be unbreakable.

There are no reports or other sources that mention the hotline between Bonn and Washington after 1969. But a close look at some photos of the chancellor's office show dedicated American telephone sets that enable a direct and secure communications link with the White House.

STU-I telephone

The secure teletype hotline was replaced by a secure telephone link, probably by the end of the 1970s, after the German chancellor had moved his office to the newly built Federal Chancellery in 1976. This modern, dark brown office building with lots of glass is located near the Rhine, right next to Palais Schaumburg.

Office of chancellor Helmut Kohl in the Kanzleramt building in Bonn, 1985
(photo: Archiv Friedrich/Interfoto - click to enlarge)

On the shelf beneath the painting on the right side of the wall we see two telephone sets: at the left a common gray phone without rotary dial, which was probably part of a dedicated telephone network for government (Bonner Behördennetz?) or military communications. On the right there's a standard American telephone set with some additional buttons, which can be recognized as the STU-I secure telephone:

The STU-I was developed by the NSA and introduced in 1977. It was the first secure telephone system that used a central Key Distribution Center (KDC), as well as Linear Predictive Coding (LPC) for better speech quality. Encryption was conducted through the (classified) SAVILLE algorithm, which was developed in the late 1960s by GCHQ in cooperation with NSA for cryptographic devices used by NATO and NATO countries.

It was intended that STU-I would be as compact as possible, but in the end it became a system that consisted of two units: a converted Western Electric telephone set as voice and control terminal, and the actual encryption unit which still had the size of a small refrigerator. Therefore it was often placed in an adjacent room, with a thick gray cable leading to the voice terminal. The price of one STU-I system was 35.000,- US Dollar.

STU-I voice and control terminal
(photo: Cryptomuseum.com)

In the US, the STU-I system was replaced by the STU-II and in 1987, NSA introduced the STU-III. This one-piece secure telephone became very successful and widely used throughout the US government and military. For use by NATO forces and governments of friendly nations there was a modified version designated STU-II/B.

It seems that for the hotline with Bonn though, the old STU-I was kept operational, as its voice terminal can still be recognized in this picture of Helmut Kohl's office in 1991:

Office of chancellor Helmut Kohl in the Kanzleramt building in Bonn, 1991
(photo: picture alliance/Ulrich Baumg - click to enlarge)

IST telephone

Eventually, the hotline between Bonn and Washington did get an upgrade, and the STU-I was replaced by the Integrated Services Telephone (IST). Unlike the STU phones, which are able to encrypt the voice audio themselves, the IST has no encryption capability. Instead, it is connected to a central switch, which separates secure and non-secure traffic, after which the secure traffic is encrypted in bulk by a network encryptor.

On the far right of this photo of the chancellor's office, we can recognize an IST telephone on almost the same spot as where the STU-I phone set was:

Guided tour in the chancellor's office in the Kanzleramt building in Bonn, 1999
(photo: Wikimedia Commons/Ziko-C - click to enlarge)

The phone we see here is about half the size of the standard IST: instead of the 40 direct line buttons, there are just 6, replacing some of the special function buttons above the AUTOVON keypad with the four red keys for the Multilevel Precedence and Preemption (MLPP) function:

The IST was designed by Electrospace Systems Inc. (ESI) and manufactured by Raytheon as a dedicated device for the Defense Red Switch Network (DRSN) - hence it was called a "red phone". The DRSN is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

The small version of the IST is rarely seen, but it was in the collection of the JKL Museum of Telephony in Mountain Ranch, California, which unfortunately was completely destroyed by a wildfire two years ago:

The small version of the IST displayed
in the JKL Museum of Telephony

It is interesting to see that a secure telephone system that was developed for the internal communications of the United States military was also used for links to foreign government leaders. For this purpose the small IST phone was only seen at the German Chancellery, as well as in the office of British prime minister Tony Blair in 2003 - just like there was also an STU-I in the office of Margaret Thatcher in 1987.

Besides the hotline with Washington, there was a direct facsimile communications link between Bonn and Moscow, which was established in 1989.* The Soviet Union also had a hotline with Erich Honecker as leader of the former East-German Republic (DDR) and during a short period before East and West Germany were united in 1991, there was a hotline between Honecker and Helmut Kohl.*



On October 3, 1990, East and West Germany were reunited and it was decided to make Berlin the capital again. After being elected chancellor late 1998, Gerhard Schröder moved to Berlin in 1999 and occupied the brand new Chancellery building in May 2001. With over 300 office rooms, this is said to be the largest government headquarters building in the world.

There are several pictures available of the chancellor's office in the Berlin Kanzleramt building, but no one in which equipment for the hotline can be recognized. If this telephone link is still operational, it will be part of the "Head of State network", which is used by the US president to communicate with foreign leaders and was upgraded to an IP-network by the White House Communications Agency (WHCA) in 2009.

Angela Merkel in her office in the new Chancellery building in Berlin, 2016
On her desk there are two regular high-end office phones,
apparently one for secure and one for non-secure calls
(photo: Reuters - click to enlarge)

In October 2013 it was revealed that NSA had tried to eavesdrop on chancellor Merkel's non-secure cell phone. This target was set in 2002, when Merkel was CDU party leader and because then Bundeskanzler Gerhard Schröder refused to join the US in the war against Iraq, the US government was probably interested in knowing the position of his main political opponent.

Although Merkel was an obvious espionage target, the fact that the Americans did so too made her angry: "Spying among friends - that simply isn’t done." She expressed this to president Obama in a phone call on October 23, 2013 and already on July 3, she had talked to him about the Snowden-revelations about Germany. It's not known whether these calls were made using the hotline of the Heads of State network.

This would have been rather ironic, but also typical for the world of espionage and signals intelligence, that on one hand, NSA tried to eavesdrop on chancellor Merkels cell phone, while on the other hand, the US provided highly encrypted equipment for the hotline between both countries.

Links and sources
- Der Westen: Diplomatie am Telefon - Der kurze Draht der Mächtigen
- Telefon Forum: Helmut Kohls Telefone

September 14, 2017

Are the Shadow Brokers identical with the Second Source?

(Updated: September 23, 2017)

What a lot of people don't know, is that a range of classified documents from the NSA have not been attributed to Edward Snowden, which means that there was at least one other leaker inside the NSA.

Initially, this leaker was called the "second source", and although he was responsible for significant leaks, they got little attention in the US. More media coverage gained the release, since 2016, of NSA hacking tools by the mysterious "Shadow Brokers".

Now, a close look at documents published by the German magazine Der Spiegel in December 2013 provided new indications that the second source could be identical with the Shadow Brokers.

NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther - click to enlarge)

The second source

The first leak that was not attributed to Snowden, was of an internal NSA tasking record, showing that German chancellor Angela Merkel was apparently on the NSA's targeting list. The second revelation that was said to come from the same source as the Merkel record, was that of the ANT product catalog, containing a wide range of sophisticated eavesdropping gadgets and techniques.

Security expert Bruce Schneier, who was probably the first to write about the possibility of a second source, said that this source apparently passed his documents to a small group of people in Germany, including hacktivist Jacob Appelbaum and documentary film maker Laura Poitras.

Because Poitras also received one of the initial sets of documents from Snowden, it is sometimes assumed that the documents from the Second Source may actually stem from the Snowden trove, despite not being attributed as such. For some of the individual documents this was contradicted by Glenn Greenwald and Edward Snowden though.

Spiegel reportings

The ANT catalog was published by the German magazine Der Spiegel on December 29, 2013. The original article was in German and written by Jacob Appelbaum, Judith Horchert, Ole Reißmann, Marcel Rosenbach, Jörg Schindler and Christian Stöcker. A translation in English mentioned the names of Jacob Appelbaum, Judith Horchert and Christian Stöcker.

Although this catalog got most of the attention, not at least because Appelbaum explained the various tools during a presentation at the hackers conference CCC on December 30, it was actually just an addition to Der Spiegel's extensive main piece about the hacking division of the NSA, called Tailored Access Operations (TAO).

This article was written by Jacob Appelbaum, Marcel Rosenbach, Jörg Schindler, Holger Stark and Christian Stöcker, with the cooperation of Andy Müller-Maguhn, Judith Horchert, Laura Poitras and Ole Reißmann. There was also a translation in English prepared by the Spiegel staff based upon reporting "by Jacob Appelbaum, Laura Poitras, Marcel Rosenbach, Christian Stöcker, Jörg Schindler and Holger Stark."

TAO documents

This main piece was accompanied by various NSA documents: one slide about FOXACID, a partial presentation about QUANTUM, two separate pages from other documents, as well as complete powerpoint presentations about QUANTUM tasking, the TAO unit at NSA/CSS Texas, and the QFIRE architecture:

(click to go to the various documents)

Not Snowden?

Apparently never noticed before, is that not only the ANT product catalog, but also these other presentations and documents were not attributed to Snowden. In both the German and the English version, the whole lengthy article contains multiple times phrases like "internal NSA documents viewed by SPIEGEL" but never in combination with the name of Edward Snowden.

This is remarkable, because for the media, it's usually almost some kind of honor to publish documents provided by Snowden, which is then clearly mentioned in their reporting. In those cases, the byline includes the name of the one who actually provided the documents on Snowden's behalf, often Glenn Greenwald and for Der Spiegel, Laura Poitras.

But both articles from December 29 have Jacob Appelbaum, instead of Poitras in the byline, which seems to be an indication that here, the top secret NSA documents were provided by Appelbaum, likely as the middleman for the mysterious second source.

Exception: FOXACID slide

There's one exception though: the description of the FOXACID slide says that it is from an NSA presentation from the Snowden cache - this was confirmed when on August 19, 2016, The Intercept eventually published the full presentation about FOXACID.

This slide was probably provided by Laura Poitras, from her cache of Snowden documents, which would explain why she was mentioned as one of the persons that provided assistance for Der Spiegel's main piece of December 29.

The other presentations have not been published as part of the Snowden revelations, there's only one with a similar layout (from Booz Allen's SDS unit), but is about a different topic.


If not only the ANT Product Catalog, but also these other NSA presentations about the TAO division were not provided by Snowden, but by the second source, what's the significance of that?

Analysing the range of revelations that were not attributed to Snowden, resulted in the following list of documents that were likely leaked by the second source:

- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: New Zealand
- NSA tasking & reporting France, Germany, Brazil, Japan
- XKEYSCORE agreement between NSA, BND and BfV(?)
- NSA tasking & reporting EU, Italy, UN

Except for the TAO catalog, one of the things that all these documents have in common, is that they are different from the usual powerpoint presentations, program manuals and internal wiki pages that make up the biggest part of the Snowden revelations.

(Of course, absence of evidence is no evidence of absence, but as these second source documents are often more significant than many other Snowden files, there seems to be no reason not to publish them)

The additional December 29 files do actually fit the typical sort of documents from Snowden, which makes it more difficult to distinguish between documents from Snowden and those from the other leaker(s).

The Shadow Brokers

If we look at the content of the files, we see that those from Der Spiegel's December 29 article are all about NSA's hacking operations. There have been several Snowden stories about that topic, but more spectacular became the release, since August 2016, of actual NSA hacking tools by a mysterious person or group called The Shadow Brokers (TSB or SB).

There has been a lot of speculation about who could be behind this and how he, she or they got access to these sensitive files. One option is an NSA insider, either on his own, in cooperation with crypto-anarchists, or as a mole directed by a hostile intelligence agency.

Another suggestion was that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA's secure networks (also called a "staging server" or "redirector" to mask its true location) and that someone was able to grab the files from there - this option was for example favored by Snowden.


The latter theory was falsified when on April 14, 2017, the Shadow Brokers did not only publish an archive containing a series of Windows exploits, but also several documents and top secret presentation slides about NSA's infiltration of the banking network SWIFT - things unlikely to be on a staging server, which makes that the source behind the Shadow Brokers is most likely an insider.

On July 28, the website CyberScoop reported that as part of their investigation into the Shadow Brokers leaks, US government counterintelligence investigators contacted former NSA employees in an effort to identify a possible disgruntled insider.

(just a few days ago, the Shadow Brokers released a manual for the hacking framework UNITEDRAKE, strangely enough without date and classification markings, but again something that one wouldn't find on an outside staging server)

Same source?

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source? (see update)

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there's probably also a much more direct connection: the batch of documents published along with Der Spiegel's main piece from December 29, 2013 include a presentation about the TAO unit at NSA's Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):

TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)

And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)


It's quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.

Update: The three Shadow Brokers slides from NSA/CSS Texas show operations against EastNets and Business Computer Group (BCG), which are both Service Bureaus for the banking network SWIFT. EastNets has offices in Belgium, Jordan, Egypt and UAE and was targeted under the codename JEEPFLEA_MARKET, while BCG serves Panama and Venezuela and was targeted under JEEPFLEA_POWDER.

Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.

So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source - and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.


This person may only have stolen files that were available at his own workplace, as it should be realized that not every leaker necessarily has similar broad access like Snowden had (and gained) in his job as a systems administrator.

Snowden on the other hand may only have downloaded things from an intranet for NSA as a whole (assuming that would contain the most interesting files) and leaving the local network for his Hawaii office untouched - which would explain why we never saw any documents marked NSA/CSS Hawaii (another reason could be that such documents would have made it easier to identify him).

Given the many hacking files, it's tempting to assume that the second source/Shadow Brokers was an NSA hacker at the Texas TAO unit. It's not clear though whether someone in such a position would also have had the access to the intelligence reports and traditional tasking lists which were published by Wikileaks. It's also possible that those documents came from a different source.


One final thing that the revelations from the second source and the Shadow Brokers seem to have in common is the motivation: none of their documents reveal serious abuses or illegal methods, but only compromise methods and operations, and discredit US intelligence.

Most of these documents weren't vetted by professional journalists either: although initially published by Der Spiegel and some other German media, later files were made public by the uncritical website Wikileaks, while the Shadow Brokers postings come without any intermediary on sites like Pastebin, Medium and Steemit.

(In March 2017, Wikileaks started the "Vault 7" series in which they publish secret hacking tools from the CIA. These files have dates between November 2003 and March 2016 and are therefore more recent that those from the Shadow Brokers, with their newest files being dated October 18, 2013 - some 5 months after Snowden left the NSA and around the same time when Der Spiegel published the first document from the second source)


On the weblog EmptyWheel.net there are some additional thoughts about this issue: the author is, for various reasons, skeptical about the Shadow Brokers being a disgruntled NSA employee or contractor, and therefore that he could be identical with the Second Source. As an alternative, EmptyWheel suggests that Jakob Appelbaum and the Shadow Brokers may have a mutually shared source.

I can agree with that, as I may not have made clear enough that the Second Source is the person who was able to actually steal documents from inside NSA, while the Shadow Brokers is a group or a single person who is responsible for publishing the files, just like Der Spiegel and Wikileaks did for most of the documents attributed to the Second Source.

Of course it would be possible that the Second Source eventually started to publish his documents himself under the covername Shadow Brokers, but as noted by EmptyWheel, there are several indications that makes this less likely.

A slightly different option is that the Second Source provided his documents to Jacob Appelbaum and that he had them published by Der Spiegel and Wikileaks, and that later on, either Appelbaum himself acted as the Shadow Brokers, or gave the files to someone else operating under that guise.

Links and sources
- Emptywheel.net: UNITEDRAKE and hacking under FISA Orders
- Emptywheel.net: Shadow Brokers' Persistence: Where TSB has signed, message, hosted, and collected
- Schneier.com: The US Intelligence Community has a Third Leaker

August 13, 2017

Do NSA compliance reports point to an unknown classification compartment?

(UPDATED August 14, 2017)

On July 12, the American Civil Liberties Union (ACLU) published two Top Secret NSA compliance reports, which were obtained after declassification under the Freedom Of Information Act (FOIA). Here we will take a look the classification marking of these reports, of which one part has been redacted:

Both documents are quarterly reports from the NSA to the Foreign Intelligence Surveillance Court (FISC) on compliance under Section 702 of the FISA Amendments Act (FAA), which governs both the PRISM and the Upstream collection efforts. One of the reports is from March 2014, the other one from March 2015.

More about the content of these two compliance reports can be found in this article by The Hill, as well as in this posting on the weblog EmptyWheel.net. Here we will take a look at the classification of these reports.

Classification marking

The classification line of both reports is: TOP SECRET//[...]/SI//ORCON/NOFORN, which stands for:

- TOP SECRET: the highest classification level
- [...]: an unknown SCI control system
- SI: the SCI control system "Special Intelligence"
- ORCON: the dissemination restriction "Originator Controlled"
- NOFORN: the dissemination restriction "No Foreign Nationals"

As we can see, the double slash behind TOP SECRET is followed by a short space that has been redacted. Then comes a single slash, followed by SI for the control system for Signals Intelligence (SIGINT), which was formerly denoted as COMINT. This means that the redaction also hides a so-called control system, used for protecting national intelligence information concerning sources and methods.

The semiannual Section 702 FAA compliance reports, like this one from 2015, which are prepared by the Attorney General and the Director of National Intelligence, don't have the redacted marking and are just TOP SECRET//SI//NOFORN.


Meanwhile, a reader suggested that the redacted part of the classification line might hide HCS, which is the abbreviation for HUMINT Control System. HUMINT stands for Human Intelligence, and therefore, HCS is the control system that protects intelligence from the CIA. And indeed, it appears that "HCS" fits the redacted space perfectly:

HCS itself isn't classified, so the reason why this marking appears redacted here, is probably that NSA only declassified its own part and redacted everything related to the CIA. Analysts of the CIA request and receive information from 702 FAA collection, but the scope of their involvement remains classified.

With HCS being the most likely option for the redacted space in the 2014 and 2015 compliance reports, please read the following with that in mind!


Another option that comes to mind is the STELLARWIND compartment, which was created in October 2001 to protect NSA's new collection methods as authorized by president George W. Bush. This is officially known as the President's Surveillance Program (PSP) and more popular as the "warrantless wiretapping".

For classification purposes, the abbreviation of STELLARWIND is STLW, which is too long for the redacted space in the marking on the compliance reports. The STELLARWIND classification guide from January 2009 does provide an interesting alternative though, where it says:

"The markings "TSP" and "Compartmented" were at times used in briefing materials and documentation associated with the STELLAR WIND program. "TSP" and "Compartmented" were used primarily by the National Security Agency (NSA) Legislative Affairs Office (LAO), NSA Office of General Counsel (OGC), and the Executive Branch in briefings and declarations intended for external audiences, such as Congress and the courts. The term "TSP" was initially used in relation to only that portion of the Program that was publicly disclosed by the President in December 2005. These markings should be considered the same as the STELLARWIND marking, but should not be directly associated with the program."

In several documents that had been presented to the FISA Court and meanwhile have been declassified by the US government, we can see this TSP marking:

Classified declaration of NSA director Alexander, April 20, 2007.

The two recently declassified compliance reports from 2014 and 2015 were also meant for the FISA Court, and if we try out "TSP", it fits the redacted space remarkably well:


PSP/TSP collection (2001-2007)

Under the President's Surveillance Program (PSP), as protected by the STELLARWIND compartment, it became possible for NSA to not only collect fully foreign communications, but also those with just one end foreign - the express aim was to find foreign terrorists with connections inside the US. Under the PSP the following data were collected (with their succeeding legal authorizations):

- Telephony content (since 2008: Section 702 FAA Upstream collection)
- Internet content (since 2008: Section 702 FAA Upstream collection)

- Telephony metadata (2006-2015: Section 215 (BR/FISA) bulk collection)
- Internet metadata (2004-2011: Section 402 (PR/TT) bulk collection)

The bulk collection of internet metadata was brought from the president's authority under that of the FISA Court (FISC) in July 2004, and the same happened with the bulk telephone metadata in May 2006.

The collection of both telephone and internet content became also authorized by FISC orders as of January 2007, which was temporarily replaced by the Protect America Act (PAA) in August 2007 and then permanently by Section 702 of the FISA Amendments Act (FAA) in July 2008.

Section 702 FAA is also the legal foundation for PRISM collection, which started in September 2007 with data being provided by Microsoft. Until October 2012, another eight internet companies had followed. While Upstream collection, at major telecom switches, only provides future communications in transit, PRISM gives access to stored data from a target's past too.

After revelations by the New York Times in December 2005, president Bush admitted that NSA was collecting the one-end foreign telephone and internet content and named it the Terrorist Surveillance Program (TSP). Bush stayed silent though about the other part of the PSP, which involved the bulk collection of domestic metadata. This came to light in June 2013, when Snowden provided the Verizon order to the press.

Another option

As we have seen, the TSP marking fits the redacted space in the classification line of the compliance reports very well, but of course it's always possible that a different abbreviation might be hidden there. In documents that have been declassified earlier, "TSP" was not redacted, so strictly spoken, it shouldn't have been redacted here.

And there's indeed another option: on September 6, 2014, the US Justice Department released a declassified version of a 2004 memorandum about the STELLARWIND program. The classification line of this document has a similar short redaction right after "Top Secret", just like in the compliance reports:

Classification marking of the 2004 DoJ memorandum about STELLAR WIND

Interestingly, "TSP" would also fit the redacted space here - but this wouldn't make much sense, as TSP was meant as a replacement for STELLARWIND for audiences who didn't have a need-to-know for the STELLARWIND cover term - and "STELLAR WIND" is in the classification line here too. Also, the name Terrorist Surveillance Program probably didn't exist in 2004, as it was apparently first used by President Bush in a speech on January 23, 2006.

So, it's not very likely that "TSP" is the marking that was redacted in the 2004 memorandum, but position and length of the marking indicate that it's very well possible that it's actually the same control system as in the classification line of the compliance reports from 2014 and 2015 - with an abbreviation of almost exactly the same length as "TSP".

Regarding the status of this mysterious marking: in the 2004 document it's shown between double slashes, which is strange, because according to the official classification manuals, there cannot be something between two double slashes in that position (see the chart below).

If this double slash is correct, then we would have a complete new category which isn't in the (public) classification manuals. This reminds of the UMBRA marking, which also appeared unexpectedly between double slashes in a classification line.

Another option is that the double slash behind the redacted marking is actually a mistake and there should have been just a single slash, just like in the classification lines of the 2014 and 2015 compliance reports. In this case, the marking represents a normal control system like SI, HCS, and several others mentioned in the classification manuals.

Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)

July 14, 2017

Dutch report provides metadata numbers to compare with Snowden documents

(Updated: September 21, 2017)

Since the Snowden revelations, we know that signals intelligence agencies are trying to acquire large sets of telephone metadata in order to analyse them in support of protecting their national security.

Less known is that commercial companies also analyse similar big data sets, albeit for research purposes and with personal information being anonymized.

Now, a research report from the Netherlands provides us with actual numbers of mobile telephone metadata, which can be used to compare with the numbers that NSA and GCHQ collected according to the Snowden documents.

Tourist movements

Recently published was a report about visitor movements in and around the Dutch capital of Amsterdam. It was prepared by the economic research company Decisio on behalf of the province of Noord-Holland and the municipalities of Amsterdam and Zandvoort.

Since a few years, Amsterdam almost suffers from a huge increase of tourists, but it was difficult to get detailed insights in where they come from, where they stay and which areas of the city, as well as which surrounding towns are most popular.

Now, these insights became available by using information from the "tracking device" carried by almost every individual: the mobile phone.

Anonymized data sets

Decisio acquired a huge set of mobile telephone metadata from Vodafone, which is the second largest provider in the Netherlands, with over 5 million customers. When they use their mobile phones, they connect to one of the 32.000 cell towers or base stations, which associate the phone number with a location.

Each month, Vodafone provides these data to another research company called Mezuro, which processes and analyses them to map the movements using a grid of 1250 regions containing multiple base station cells. The results were then analysed by Decisio and compared with other information sources.

But before that, the Vodafone metadata were anonymized by replacing every phone number with a random number that changes every month. Foreign phone numbers were replaced daily. Also, only the movements of groups of more than 15 numbers were reported, so it's impossible to track the movements of individual phone users.

Development of the average number of daily mobile phone transactions
from Vodafone users between January 2013 and September 2015
(source: Decisio research report)

Mobile phone metadata

Most interesting parts of the report are the details about the telephone metadata: Mezuro periodically receives information about some 3 million Vodafone phone numbers that are active on a daily basis. These phones generated 400 million "transactions", or Call Detail Records (CDRs) a day.

These transactions are the moments that a mobile phone connects to a cell tower, not only for a phone call or a text message (SMS), but increasingly often for a social media posting, sending or receiving an e-mail, a Google search or checking a website - for Dutch users, this is on average 100 times a day.

An article from October 2013 about Mezuro says that the company analyzed some 150 million data points daily and that an average smartphone connects 150 to 200 times a day with a cell tower.

This number was confirmed during a parliamentary hearing in Germany, when someone from BND explained that one cell phone generates between 100 and 200 metadata and business records a day.

Update: similar numbers come from the Russian billing (and interception) company Peter-Service, which installs billing installations capable of 18 million subscribers creating 2,851 billion transactions a day, which equals 158 transactions per person per day.

If we take these metadata as the rows of a (database) table, each of them contain multiple fields, corresponding to columns for information pieces like for example the number calling, the number called, date, time, cell tower location, and information needed to transfer various types of messages.


For the tourism research, the Vodafone data were multiplied in order to get the numbers for the full population. The multiplier changes daily depending on the day of the week, holidays, etc, but lies roughly around 5 (for foreign visitors it's much more difficult to calculate this number).

As this total also includes people who don't use a mobile phone, the multiplier for the total number of metadata must be lower. According to the report, the users of the Vodafone network account for 1/3 of all mobile phone users in the Netherlands, so here we can use 3 as multiplier.

That makes that in 2016, all Dutch mobile phones generated some 1200 million transactions a day. In a month that's over 36 billion and in a year 432 billion telephone metadata records.

For comparison with the numbers from the Snowden documents, we have to look for the numbers from early 2013. The chart from the report shows that in January 2013, there were ca. 85 million transactions by Vodafone users a day, which makes 255 million for all Dutch users. In a month that's 7,65 billion.


Now, let's take a look at some of the numbers from the Snowden revelations. For the Netherlands there was a chart from the NSA tool BOUNDLESSINFORMANT, which shows 1,8 million telephone metadata records for 30 days around January 1, 2013.

Initially it was thought that this were Dutch data sucked up by NSA, but later it came out that they were actually collected by Dutch military intelligence, most likely in Afghanistan, and subsequently shared with the Americans.

Now that we know that in the same period of time, the Dutch mobile phone users alone already accounted for over 7 billion metadata, 1,8 million is a tiny number, maybe generated by not more than 2500 smartphones. In Afghanistan, old fashioned cell phones may have created less transactions, so the 1,8 million metadata could have been the traffic captured from a small town.

Update: On Twitter, a Dutch journalist involved with the Snowden revelations said that the 1,8 million records represent some 12 million pieces of metadata (which means one record consists of at least 6 fields) and that the Dutch Ministry of Defence had confirmed that they were collected from Somalia.

The BOUNDLESSINFORMANT chart for the Netherlands with data
collected from December 10, 2012 to January 8, 2013
(click to enlarge)

Late 2013, major European newspapers published similar charts for other countries too, again claiming that they showed how many phone calls NSA was intercepting. But even if those claims were true, the 70 million the BOUNDLESSINFORMANT chart presented for France, 60 million for Spain, 45 million for Italy and 33 million for Norway, are tiny numbers given the actual 7,65 billion metadata for a small country like the Netherlands.

Even the 552 million metadata in the chart for Germany doesn't come close. If the Netherlands with some 16 million people generated 7,65 billion mobile phone metadata a month, then for 80 million German citizens that number would be over 38 billion.

And to be clear: the data represented in these specific BOUNDLESSINFORMANT charts were not collected by NSA in Europe, but shared with NSA by European intelligence agencies, as part of their military cooperation in various crisis zones.

NSA and GCHQ totals

Finally, we can look at how many telephony metadata NSA and GCHQ collect in total and compare that with the numbers from the Netherlands. In 2012, the British GCHQ "was handling 600m "telephone events" each day" - according to Snowden documents seen by The Guardian.

This seems a surprisingly small number compared to the 225 million transactions generated by Dutch users, but it's possible that the 600 million only apply to traditional telephone and SMS metadata, excluding the internet data from smartphones.

The NSA collected a total of 135 billion telephone metadata a month during the first half of 2012. This is some 17 times the amount for the Netherlands as a whole - again not a very excessive number, as it would roughly equal the telephone metadata of around 300 million people, which is more or less the population in the Middle East.

The volumes of NSA metadata collection between January and June 2012
(click to enlarge)


During the Snowden revelations, the press was eager to present numbers about NSA and GCHQ data collection that seemed impressingly high. But not a single media outlet took the time or effort to come up with the total numbers of telephone and internet communications, needed to put them in the right perspective.

From the research report about Amsterdam tourism we finally learned what the actual number of mobile telephone metadata for a western country look like. Although we still don't know how exactly NSA and GCHQ are counting their metadata, comparing them to the numbers from the Netherlands shows that their collection efforts may be not as excessive as initially thought.

Links and sources
- Decisio: Bezoekersstromen Amsterdam - Zandvoort (2017)
- Autoriteit Consument & Markt: Telecommonitor eerste kwartaal 2016 (2016)
- ITU: Innovation of tourism statistics through the use of new big data sources (2014)
- CBS: Rapportage project impact ICT; Mobiele telefonie (2013)

One interesting result from the tourism report is that measuring the number of visitors of Amsterdam's annual Gay Pride showed that instead of the 560.000 visitors according to the organisation, only 115.000 visitors came from outside the city center, additional to the 235.000 people who are present on every Saturday and may or may not have watched the event. This confirms that visitor numbers for free public events are often significantly exaggerated.