CSE Summaries

In 2013, journalists began revealing secrets associated with members of the Five Eyes (FVEY) intelligence alliance. These secrets were disclosed by Edward Snowden, a US intelligence contractor. The journalists who published about the documents did so after carefully assessing their content and removing information that was identified as unduly injurious to national security interests or threatened to reveal individuals’ identities. During my tenure at the Citizen Lab I provided expert advice to journalists about the newsworthiness of different documents and, also, content that should be redacted as its release was not in the public interest. In some cases documents that were incredibly interesting were never published on the basis that doing so would be injurious to national security, notwithstanding the potential newsworthiness of the documents in question.

Since 2013 I have worked with the Snowden documents for a variety of research projects. As part of these projects I have tried to decipher the meaning of the covernames that litter the documents (e.g., CASCADE, MEMORYHOLE, SPEARGUN, or PUZZLECUBE), as well as objectively trying to summarise what is contained in the documents themselves without providing commentary on the appropriateness, ethics, or lawfulness of the activities in question.

In all cases the materials which are summarised on my website have been published, in open-source, by professional news organizations or other publishers. None of the material that I summarise or host is new and none of it has been leaked or provided to me by government or non-government bodies. No current or former intelligence officer has provided me with details about any of the covernames or underlying documents. This said, researchers associated with the Citizen Lab and other academic institutions have, in the past, contributed to some of the materials published on this website.

As a caveat, all descriptions of what the covernames mean or refer to, and of what is contained in individual documents leaked by Edward Snowden, are provided on a best-effort basis. Entries will be updated periodically as time is available to analyse further documents or materials.

Summaries are organized by the year in which the underlying documents were made public, as opposed to the year they may have been authored internal to the agency.

This page was last updated January 17, 2023.

  1. Hackers are Humans too: Cyber leads to CI leads
  2. SID Today: CANSLOW Can’t Slow Down
  3. CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US
  4. Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)
  5. CASCADE: Joint Cyber Sensor Architecture
  6. Cyber Network Defence R&D Activities
  7. CSEC ITS/N2E Cyber Threat Discovery
  8. CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach
  9. Cyber Threat Detection
  10. NSA Intelligence Relationship with New Zealand
  11. SIGINT Development Forum (SDF) Minutes
  12. Open Source for Cyber Defence/Progress
  13. Who Else Is Targeting Your Target? Collecting Data Stolen By Hackers
  14. LEVITATION and the FFU Hypothesis
  15. Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure
  16. CSE SIGINT Cyber Discovery: Summary of the current effort
  17. TLS Trends: A roundtable discussion on current usage and future directions
  18. Automated NOC Detection
  19. 2nd SCAMP at CSEC process (Part of AURORAGOLD)
  20. Sharing Computer Network Operations Cryptologic Information With Foreign Partners
  21. LANDMARK Presentation Outline
  22. Non-targetable 2nd Party Countries, Territories & Individuals
  23. SNOWGLOBE: From Discovery to Attribution
  24. IP Profiling Analytics & Mission Impacts
  25. Mobile Theme Briefing
  26. NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)
  27. BOUNDLESSINFORMANT Documents (Collection)
  28. Cheltenham Working Document (Fragments)
  29. And They Said To The Titans: Watch Out Olympians In The House
  30. NSA Lends Support to Upcoming G8 and G20 Summits in Canada
  31. STATEROOM Guide (NSA)
  32. Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (ISNU) Pertaining To The Protection Of U.S. Persons

Hackers are Humans too: Cyber leads to CI leads

Summary: This slide set showcases one method that the CSE uses to expose the management structure and operators behind Computer Network Exploitation (CNE) activities, namely using passive infrastructure tasking and contact chaining. By monitoring infrastructure that was exposed through malware or content delivery for anomalous network sessions the CSE was subsequently able to trace MAKERSMARK (i.e. Russian) operations. 

While MAKERSMARK’s less attributed (LA) systems can make it challenging to effectively trace operations to operators, these systems were poorly used and the operators exposed information associated with their personal lives. Furthermore, the development organization responsible for MAKERSMARK’s less attributed systems was infected by crimeware such as the GUMBLAR botnet, and the CSE (or other friendly intelligence agencies) were consequently able to collect information which was being exfiltrated to criminal organizations.

The slide deck concludes with the warning that it is important to follow counterintelligence leads quickly, because opportunities do not last forever. Moreover, there was a warning that as a CNE program matures, such as that run by MAKERSMARK, the operational security associated with the program will similarly mature.

Document Published: August 2, 2017
Document Dated: Undated
Document Length: 13 pages
Associated Article: White House Says Russia’s Hackers Are Too Good To Be Caught But NSA Partner Called Them “Morons”
Download Document: Hackers are Humans too: Cyber leads to CI leads
Classification: TS//SI/REL TO CAN, AUS, GBR, NZL, and USA
Authoring Agency: CSE
Codenames: MAKERSMARK

SID Today: CANSLOW Can’t Slow Down

Summary: This article, published in SID Today, explains to readers what the Canadian Special Liaison Office (CANSLOW) does to enhance the NSA-CSE relationship. The CANSLOW is “accountable for the health of the CSE-NSA partnership” (1) which, in part, involved CANSLOW “working with CSE HQ to develop a partnership framework which will entrench a corporate culture of always seeking opportunities to make valuable, tangible contributions to NSA” (1). The office, in 2004, was composed of six staff members on the NSA campus, located beside their UK counterpart. Staff focused on SIGINT, INFOSEC, and enabling corporate functions, though CSE staff in Canada were encouraged to “establish and maintain peer-to-peer partnerships with their NSA counterparts” (1). CANSLOW also played a supporting role in the annual NSA/CSE SIGINT bilateral, including helping with advance preparations, attending the meetings, and tracking follow-on actions.

Document Published: April 24, 2017
Document Dated: December 20, 2004
Document Length: 2 pages
Associated Article: The SIDToday Files
Download Document: SID Today: CANSLOW Can’t Slow Down
Classification: U//FOUO
Authoring Agency: CSE
Covernames: None

CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US

Summary: This brief article identifies the number of second-party High Frequency Direction Finding (HF/DF) resources, along with contributing third-parties, which collectively compose the CROSSHAIR network with US government assets. The CROSSHAIR covername refers to a project that consolidated all US Service Cryptologic Element (SCE) HF/DF resources and enables data operability with partners.

Canada possessed four sites at the time of writing, Great Britain six, and Australia and New Zealand one each. Third-parties, including Austria, Denmark, Ethiopia, Hungary, Israel, India, Italy, Japan, Jordan, Korea, Netherlands, Norway, Pakistan, Saudi Arabia, Sweden, and Taiwan, also shared with the NSA and, in some cases, directly with one another. The NSA recognizes, in this document, that without the third-party collaborators the NSA would lack a world-wide network for Direction Finding.

Document Published: April 24, 2017
Document Dated: February 25, 2005
Document Length: 1 page
Associated Article: Japan Made Secret Deals With The NSA That Expanded Global Surveillance
Download Document: CROSSHAIR — Foreign Partners Filling HF/DF Gaps for the US
Classification: TOP SECRET//SI//TK//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: CROSSHAIR

Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)

Summary: This slide deck showcases some of the activities, and successes, of the Network Tradecraft Advancement Team (NTAT). The NTAT aimed to develop replicable and shareable methods to enable network analysis and exchange knowledge across the Five Eyes SIGDEV community. The slides focus on how to develop and document tradecraft which is used to correlate telephony and internet data. Two separate workshops are discussed, one in 2011 and another in 2012. Workshop outcomes included identifying potentially converged data (between telephony and internet data) as well as geolocating mobile phone application servers. A common mobile gateway identification analytic was adopted by three agencies, including DSD. NTAT had also adopted the CRAFTYSHACK tradecraft documentation system over the course of these workshops.

In an experiment, codenamed IRRITANTHORN, analysts explored whether they could identify connections between a potentially ‘revolutionary’ country and mobile application servers. They successfully correlated connections with application servers, which opened up the potential to conduct Man-in-the-Middle attacks or effect operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile applications’ servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada).

The agencies successfully found vulnerabilities in UCWeb, which was found to leak IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target and it was determined that the vulnerabilities might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”)

Document Published: May 21, 2015
Document Dated: 2012 or later
Document Length: 52 pages (including speaking notes)
Associated Article: Spy agencies target mobile phones, app stores to implant spyware
Download Document: Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)
Classification: TOP SECRET//SI
Authoring Agency: CSE, DSD, GCHQ, GCSB, NSA
Codenames: ATLAS, ATHENA, BLAZINGSADDLES, CRAFTYSHACK, DANAUS, EONBLUE, FRETTINGYETI, HYPERION, IRRITANTHORN, MASTERSHAKE, PEITHO, PLINKO, SCORPIOFORE, XKEYSCORE (XKS)

CASCADE: Joint Cyber Sensor Architecture

Summary: This document discusses the configuration of the CSE’s sensor networks as of 2011, and the CSE’s plans for developing the network in the future. The discussion only revolved around passive sensors and their supporting infrastructure. Two sensor systems were identified: PHOTONIC PRISM, for monitoring Government of Canada networks, and EONBLUE, a passive SIGINT system that was used to collect ‘full-take’ data, as well as to conduct signature and anomaly-based detections on network traffic.

EONBLUE systems were deployed in select government networks, and were also used for monitoring Foreign Satellite (FORNSAT) communications; they may also be used for monitoring cellular or radio-based telecommunications traffic. The INDUCTION system, which has capacities similar to EONBLUE, was deployed domestically at gateways between domestic and international network domains. The document also discusses a metadata production and processing program, THIRD-EYE, which operated at select new sites. Finally, the document also discusses an unclassified sensor, CRUCIBLE, which was designed to track targets in pre-Sensitive Compartmentalized Information Facilities (SCIF).

CASCADE is the codename for a project focused on standardizing Information Technology Security (ITS) and SIGINT sensors, so that the above-mentioned sensors can be seamlessly integrated and enable a common analyst platform for captured data.

By 2015, the CSE hoped to increase its Special Source Operations (SSO) access to include all international gateways accessible from Canada along with a multi-layered sensor network meant to enhance the security of Government of Canada systems. Further, operational capacity was meant to be enhanced such that SIGINT, ITS, and cryptologic partner sensors interoperated seamlessly. It is unclear what, precisely, these partner sensors may encompass. Authority was also sought for ‘Effects’ operations, as well as the infrastructure, policies, and tradecraft required to conduct such operations.

As a result of these activities, the CSE hoped to detect threats before they entered national infrastructure, to identify exfiltration and command and control systems, and transform the network itself into a defensive domain. This final objective would require the CSE to be able to change data traffic routes, silently discard packets, and insert payloads into data packets. The CSE regarded such expansive ‘defensive’ activities as necessary because gateway or end-node defence was insufficient to protect government systems.

If the sensors were upgraded, then the CSE suggested that changes to basic Five Eyes interoperations might follow. Such changes included the following: tipping and queuing might no longer be used for sharing threats to government systems and instead could be exclusively used to enable intelligence collection; and there would be no need to make tasking/targeting requests concerning those common actors who target the CSE and other Five Eyes alliance members. The result would be that foreign SIGINT would become a domain for ‘hunting’ and domestic defence would be integrated into the very core of the internet itself — domestic and foreign.

Document Published: March 23, 2015
Document Dated: 2011
Document Length: 66 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: CASCADE: Joint Cyber Sensor Architecture
Classification: TOP SECRET // COMINT // REL FVEY
Authoring Agency: CSE
Codenames: CASCADE, CASSIOPEIA, CHOKEPOINT, CRUCIBLE, EONBLUE, GAZEBO, INDUCTION, JAZZFLUTE, PHOTONICPRISM, SEEDSPHERE, SUNWHEEL, TEXPRO, THIRD-EYE

Cyber Network Defence R&D Activities

Summary: This slide deck provides an overview of the research and development activities that were being undertaken by the Cyber Network Defence (CND) group. The core focus of the CND at the time was on PHOTONIC PRISM, a sensor network designed to protect Government of Canada networks and devices from external threats.

The CND primarily leveraged the R&D of external partners because its size precluded it from conducting low level research. As examples of the CND’s relationships with outside partners, it used POPQUIZ from R23 and an email attachment scanner from GCHQ. Projects in which the CND was engaged at the time include PONYEXPRESS, an email scanning program, the previously mentioned PHOTONIC PRISM, and dynamic defence enabled by software installed on Consumer Off The Shelf (COTS) hardware.

The CND noted that challenges included the length of its research activities, translating classified requirements to an unclassified domain, properly engaging industry and academia, and policy, amongst other challenges. The final slide reflects the CND’s view that, at the time, the CND did not have adequate research within cyber defence.

Document Published: March 23, 2015
Document Dated: 2010
Document Length: 26 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: Cyber Network Defence R&D Activities
Classification: SECRET
Authoring Agency: CSE
Codenames: 8BALL, AGGPONY, CORNERPOCKET, FLOWPONY, MAILPONY, METAPONY, PHOTONICPRISM (P2), PONYEXPRESS, POOLCUE, POOLTABLE, POPEYESEAR, POPQUIZ, SCANPONY, SLIPSTREAM, SMTPPONY, SYNCPONY, TONTO

CSEC ITS/N2E Cyber Threat Discovery

Summary: This slide deck provides some context about the N2E unit of Information Technology Security (ITS), its existing capabilities, and a series of experiments run during a 2010 workshop held in Canada. The N2E team was established in 2010 and uses full-take data and, at the time, was making headway on putting policies in place to use intercepted private communications and to either share, or gain access to, data. They stored full packet captures of Government of Canada-destined traffic for days to months, and metadata for months to years.

The core issue facing N2E, or perhaps the CSE more broadly, was the volume of data that is acquired, retained, summarized, analyzed, and presented to analysts. The 2010 workshop held in Canada addressed some of these challenges by developing a process to reduce the volume of email URL metadata presented to analysts, which lowered false positive rates compared to URL inspections. The workshop also analyzed how to predict whether email attachments were malicious, which led to reducing data retention by 85% with only a 1-3% loss of ‘interesting’ emails. Participants also investigated how to more effectively detect threat actors who used masquerading Windows Preinstallation Environment (PE) downloads, which led to progress in identifying offending kinds of downloads.

Document Published: March 23, 2015
Document Dated: 2010
Document Length: 60 pages (including speaking notes)
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: CSEC ITS/N2E Cyber Threat Discovery
Classification: TOP SECRET
Authoring Agency: CSE
Codenames: 8BALL, PONYEXPRESS, POPQUIZ, SLIPSTREAM, STRIPSEARCH

CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach

Summary: This slide deck provides an overview of how SIGINT and government Information Technology Security (ITS) interoperate for ‘defensive’ operations. Data traffic is analyzed through various sensors, including: Government of Canada sensors; sensors tasked by CSIS for warranted full-take collection using S. 16 of the CSIS Act; sensors located at Canadian/International internet gateways; and sensors situated within the broader internet. Data traffic is also analyzed on devices the CSE has ‘exploited’.

EONBLUE is used for non-Government of Canada network analysis and involves discovering targets, tracking them, as well as producing metadata out of the traffic exposed to EONBLUE. EONBLUE is a deep packet inspection-based system that, when paired with warranted full-take, lets the CSE discover network beacons. ITS’ equivalent program is PHOTONIC PRISM.

The CSE’s network sensors were processing 125GB/hour of HTTP metadata and relied on 50TB of high-speed storage to conduct analysis towards the front end of the data intake. ITS stored 300TB of full-take data—the equivalent of months of traffic.

In the process of analyzing data from ITS and SIGINT sensors, anomalies and events are detected, which are processed through alerting engines and decision logic servers; the logic information is shared with all Five Eyes partners as a result of the Sydney Resolution. The logic is based, in part, on tipping and cueing information; such information can facilitate warnings or indications of attacks in near real time and enable collaborative defence across all Five Eyes nations.

CSE identified ‘dynamic defence’ as involving both localized actions at the network edge by ITS, as well as operating in the core of the global internet to act on and modify data traffic, and also as implanting malware on foreign infrastructure to probe, explore, and learn about adversary network space and gather information and tools used by adversaries. These ‘defensive’ operations may be supplemented with influencing technology, such as anti-virus companies’ signatures, developing relationships with supply chains, or political maneuvers. Such activities are segregated in the ‘Cyber Activity Spectrum’ from active operations and deception techniques.

The penultimate slide identifies next steps, which include synchronizing the SIGINT and ITS missions, funding, developing joint sensor and analytics capabilities, and more international interoperability and policy coordination. It also considers legislative amendments, though specific amendments are not mentioned in the slide.

Document Published: March 23, 2015
Document Dated: Undated (post-May 5, 2010)
Document Length: 46 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach
Classification: TOP SECRET // COMINT // REL TO FVEY
Authoring Agency: CSE
Codenames: COVENANT, DARKSPACE, EONBLUE, PHOTONICPRISM, QUANTUM, SEEDSPHERE, STREAMINGSENTRY, SUPERDRAKE

Cyber Threat Detection

Summary: This document summarizes how the CSE monitors for threats using the EONBLUE system alongside traditional metadata collection systems. These latter systems are deployed at Special Source (SSO) locations, rely on warranted access, and tap into foreign satellite communications. Domestic and SIGINT (international) sensors are used in detecting and mitigating threats, with China (i.e. SEEDSPHERE) used as an example of a recurring threat actor.

OLYMPIA, the CSE’s network knowledge engine, is used in analyzing or sorting data stored at high-speed clustered storage at the CSE’s collection sites to facilitate DNS Response harvesting and to de-dupe data.

The detection of Fast Flux Botnets, denoted as CROSSBOW, relies on target discovery algorithms deployed at CSE SSO sites; the sensors these algorithms run on may be CRUCIBLE servers that are low-cost, rapidly deployed passive systems that use Top Secret/Special Intelligence targeting signatures in non-Sensitive Compartmentalized Information Facilities (SCIF).

Document Published: March 23, 2015
Document Dated: November 2009
Document Length: 14 pages
Associated Article: Communication Security Establishment's cyberwarfare toolbox revealed
Download Document: Cyber Threat Detection
Classification: TOP SECRET // COMINT
Authoring Agency: CSE
Codenames: COVENANT, CROSSBOW, CRUCIBLE, DIESELRATTLE, DOWNGRADE, EONBLUE, LODESTONE, SEEDSPHERE, SIENNABLUE

NSA Intelligence Relationship with New Zealand

Summary: This document summarizes the status of the NSA’s relationship with New Zealand’s Government Communications Security Bureau (GCSB). The GCSB has been forced to expend more of its resources on compliance auditing following recommendations made after it exceeded its authority in assisting domestic law enforcement, but it continues to be focused on government and Five Eyes priorities and is encouraged to pursue technical interoperability with the NSA and other FVEY nations.

The NSA provides GCSB with “raw traffic, processing, and reporting on targets of mutual interest, in addition to technical advice and equipment loans.” The GCSB primarily provides the NSA with access to communications which would otherwise remain inaccessible. These communications include: China, Japanese/North Korean/Vietnamese/South American diplomatic communications, South Pacific Island nations, Pakistan, India, Iran, and Antarctica, as well as French police and nuclear testing activities in New Caledonia.

Of note, GCSB is a member of SIGINT Seniors Pacific (SSPAC) (includes Australia, Canada, France, India, Korea, New Zealand, Singapore, Thailand, United Kingdom, and United States) as well as SIGINT Seniors Europe (SSEUR) (includes Australia, Belgium, Canada, Denmark, France, Germany, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, United Kingdom, and United States).

Document Published: March 11, 2015
Document Dated: April 2013
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: NSA Intelligence Relationship with New Zealand
Classification: TOP SECRET//SI//REL TO USA, FVEY
Authoring Agency: NSA
Codenames: None

SIGINT Development Forum (SDF) Minutes

Summary: This document summarizes the state of signals development amongst the Five Eyes (FVEY). It first outlines the core imperatives for the group, including: ensuring that the top technologies are being identified for use and linked with the capability they bring; that NSA shaping (targeting routers) improves (while noting that for CSE and GCSB shaping involves “industry engagement and collection bending”); improving on pattern of life collection and analysis; improving on IP address geolocation that covers Internet, radio frequency, and GSM realms; and analyzing how convergence of communications systems and technologies impacts SIGINT operations.

Privacy issues were seen as being on the group’s radar, on the basis that the “Oversight & Compliance team at NSA was under-resourced and overburdened.” Neither GCSB nor DSD was able to sponsor or audit analysts’ accounts in the way the NSA did, and CSEC indicated it had considered funding audit billets; while dismissed at the time, the prospect has re-arisen. At the time the non-NSA FVEYs were considering how to implement ‘super-user’ accounts, where specific staff will run queries for counterparts who are not directly authorized to run queries on selective databases.

GCSB, in particular, was developing its first network analyst team in October 2009 and was meant to prove the utility of network analysis so as to get additional staff for later supporting STATEROOM and Computer Network Exploitation tasks. Further, GCSB was to continue its work in the South Pacific region, as well as expanding cable access efforts and capabilities during a 1 month push. There was also a problem where 20% of GCSB’s analytic workforce lacked access to DSD’s XKEYSCORE, which was a problem given that GCSB provided NSA with raw data. The reason external tools were needed to access the data is that GCSB staff are prohibited from accessing New Zealand data.

Document Published: March 11, 2015
Document Dated: June 8-9, 2009
Document Length: 3 pages
Associated Article: Snowden revelations: NZ’s spy reach stretches across globe
Download Document: SIGINT Development Forum (SDF) Minutes
Classification: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: STATEROOM, XKEYSCORE

Open Source for Cyber Defence/Progress

Summary: This GCHQ wiki entry identifies current and future sources of data for cyber defence actions. All of the sources are open source. In the future there are plans to integrate sources of vulnerability intelligence, bulk infrastructure data, as well as a set of miscellaneous kinds of data (e.g. what .gov.uk addresses should be protected).

The wiki entry describes GhostNet as a “known ORB server” under the ‘Bulk Infrastructure Data’ heading. GhostNet is a command and control infrastructure that was mainly used by the People’s Republic of China in the course of targeting organizations such as foreign embassies and the Tibetan Government-In-Exile. Research on GhostNet was conducted by a collection of academic institutions, including the Citizen Lab at the Munk School of Global Affairs, University of Toronto. Operational Relay Boxes (ORBs) are used by SIGINT agencies as proxies and let SIGINT actors take actions that victims cannot positively attribute to the responsible agency. It is unclear from the document whether GCHQ or other Five Eyes agencies plan to use GhostNet infrastructure as their own ORBs or whether they classified activities coming from that infrastructure as likely attributable to Chinese signals intelligence groups.

Document Published: February 4, 2015
Document Dated: Last Updated June 25, 2012
Document Length: 2 pages
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download Document: Open Source for Cyber Defence/Progress

Who Else Is Targeting Your Target? Collecting Data Stolen By Hackers

Summary: This NSA bulletin describes CSE and GCHQ discovery of hackers who are exfiltrating email data from targets of interest to the agencies. CSE and GCHQ have exploited hacker-based stolen data (codenamed INTOLERANT) and used it to enrich the agencies’ own data stores. Victims targeted by the hackers, and thus exploited by the SIGINT agencies, fell into the following categories: Indian Diplomatic and Indian Navy, Central Asian Diplomats, Chinese Human Rights Defenders, Tibetan Pro-Democracy Personalities, Uighur Activists, European Special Representative to Afghanistan and Indian photo-journalists, and the Tibetan Government-In-Exile. Though the hackers are believed to be state-sponsored, neither CSE nor GCHQ could positively attribute their actions to a particular state. Canadian, American, or other Five Eyes nations’ institutions that liaise with the victims may have been notified of the hacking, though there is no evidence that the actual victims were notified.

Document Published: February 4, 2015
Document Dated: June 5, 2010 (Last Updated October 11, 2012)
Document Length: 1 page
Associated Article: Western Spy Agencies Secretly Rely On Hackers For Intel And Expertise
Download Document: Who Else Is Targeting Your Target? Collecting Data Stolen By Hackers

LEVITATION and the FFU Hypothesis

Summary: This CSE slide deck describes the effectiveness of the LEVITATION program. LEVITATION is used to monitor and identify persons who download materials from Free File Upload (FFU) sites. At the time of the presentation, LEVITATION monitored for file URLs, as well as for sequential numbers, selector names, and web search terms. In the future, the CSE proposed integrating GPS data, devices close to places, telephony gaps, information about the targets of foreign SIGINT agencies, and missed call data. The document does not state how integrating this data would enrich the LEVITATION program.

LEVITATION begins with the CSE’s Web Operations Centre (CWOC) identifying URLs on FFU sites linking to documents of interest. A special source, codenamed ATOMIC BANJO, provides 10-15 million ‘download events’ to the CSE each day from 102 FFU sites. All of these events are available using OLYMPIA, the CSE’s network knowledge engine. The CSE examines the aggregate events against CWOC’s list of roughly 2,200 URLs, which yields roughly 350 download events of interest each month. It is unclear whether the remaining event data is purged from the CSE’s databases.

Information from interesting download events is then processed by the CSE. The Establishment first examines whether the IP address associated with the download event has been seen five hours before and after the event by Five Eyes listening posts. If a given IP address was seen, then the MARINA or MUTANT BROTH databases are queried to correlate the IP address with personal identifiers in those databases, thereby identifying the person who likely downloaded the material in question. MARINA is an NSA database containing intercepted metadata and the GCHQ’s MUTANT BROTH database contains similar metadata. Though not discussed elsewhere, the CSE notes successes derived from monitoring file uploads — and then disseminating intelligence to organizations such as the CIA — for intelligence gathering as well.

Document Published: January 27, 2014
Document Dated: Unknown (Post March 2012)
Document Length: 21 pages
Associated Article: CSE tracks millions of downloads daily: Snowden documents
Download Document: LEVITATION and the FFU Hypothesis
Classification: TOP SECRET // SI // REL CAN, AUS, GBR, NZL, USA
Authoring Agency: CSE
Codenames: ATOMICBANJO, LEVITATION, MARINA, MUTANTBROTH, OLYMPIA, STALKER

Pay attention to that man behind the curtain: Discovering clients on CNE infrastructure

Summary: This CSE document describes how the Establishment analyzes its targets as part of Counter Computer Network Exploitation (CCNE) operations. CCNE operations draw data from the Computer Network Exploitation (CNE) group, the Global Network Discovery group, and the Cyber Counter Intelligence group. CCNE analyses ideally identify whether a foreign party has already exploited a CSE targeted device or infrastructure and, if so, which party has done so.

CCNE relies heavily on the outputs of WARRIOR PRIDE, which is the CSE’s computer network exploitation platform. These outputs, codenamed REPLICANTFARM, let CCNE identify whether there are other actors, implant technologies, or other anomalies present on the targeted device or system.

As part of its operations, CCNE can use covert infrastructure that is identified and mapped as part of the LANDMARK system. The infrastructure, referred to as ‘Operational Relay Boxes’ (ORBs), lets CCNE plausibly deny its activities.

The core takeaway from this document is that CCNE provides situational awareness to CNE, insofar as it alerts the CNE team about possible cohabitation of common infrastructure. CCNE further lets the CSE identify new actors when detecting previously-unseen anomalies, and also enables the Establishment to track known actors. As a result, CCNE is able to ‘deconflict’ where a piece of infrastructure has multiple state agencies intruding upon it while providing information about the tradecraft and tools used by foreign actors discovered in the world.

Document Published: January 17, 2015
Document Dated: June 2010
Document Length: 30 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: Pay attention to that man behind the curtain: Discovering aliens on CNE infrastructure
Classification: TOP SECRET // COMINT
Authoring Agency: CSE
Codenames: ALOOFNESS, BYZANTINE, BLAZINGANGEL, CARBON, CHOCOPOP, CIVETCAT, DAREDEVIL, DIESELRATTLE, DOGHOUSE, DOURMAGNUM, FANNER, GOSSIPGIRL, LASEX, MAKERSMARK, NAMEDROPPER, QUIVERINGSQUAB, REGBACKUP, REPLICANTFARM, SEEDSPHERE, SHEPHERD, SLIPSTREAM, SNOWGLOBE, SHARPR, SSLINST, SUPERDRAKE, TINYWEB, VOYEUR, WALKER, WATERMARK, WINBEE, WINDO, WINDOWKEY, WORMWOOD

CSE SIGINT Cyber Discovery: Summary of the current effort

Summary: This CSE slide deck describes the integration between the Counter Computer Network Exploitation (CCNE), Global Network Discovery (GND), and Cyber Counterintelligence (CNT1) units. Whereas CCNE and GND are responsible for collecting data, CNT1 is responsible for analyzing and reporting on the discovered data.

CCNE uses plugins from the WARRIORPRIDE platform to parse data sent from CSE-exploited devices and systems. CCNE’s goal is to determine whether a non-CSE implant or other actor has already exploited the device or system, whether anomalous files are present on it, and whether anomalous data traffic is coming from it.

GND uses over 200 sensors deployed around the world to track threats; this sensor network is codenamed EONBLUE. EONBLUE sensors scale to 10Gbps of data traffic and there were plans to increase detection speeds to multi-10Gbps rates. Data traffic is analyzed to discover targets (relying on the SLIPSTREAM machine reconnaissance WARRIORPRIDE plugin), as well as to track targets (codenamed SNIFFLE) and extract Domain Name System and HTTP metadata.

As part of future work, GND planned to test EONBLUE’s ability to send metadata into a localized XKEYSCORE database and, potentially, to share metadata with other nations’ XKEYSCORE databases. XKEYSCORE is used to hold raw and unselected communications data. GND also planned to share CSE EONBLUE data with the DSD’s EONBLUE program. Curiously, GND also has a system for detecting QUANTUM, which is a system that injects data packets into network traffic for computer network exploitation activities.

CNT1 analyzes the data and leads provided by the CCNE and GND groups and pursues those that are of interest. Received data can come from special source, warranted, and second party collection, from malware analysis and reverse engineering, and from forensic analyses of implants. The analysis is used to produce reports on the anomalies or activities seen by CCNE and GND, as well as to try to attribute the data or leads to specific actors.

Document Published: January 17, 2015
Document Dated: November 2010
Document Length: 22 pages
Associated Article: The Digital Arms Race: NSA Preps America for Future Battle
Download Document: CSEC SIGINT Cyber Discovery: Summary of the current effort
Classification: TOP SECRET // COMINT // REL TO FVEY
Authoring Agency: CSE
Codenames: CHORDFLIER, DAREDEVIL, DEADSEA, EONBLUE, FASTFLUX, HALTERHITCH, QUANTUM, REPLICANTFARM, SLIPSTREAM, SNIFFLE, WARRIORPRIDE, XKS

TLS Trends: A roundtable discussion on current usage and future directions

Summary: Inspired by their British colleagues, the CSE initiated analyses of the warranted SSL/TLS traffic they capture. These analyses are designed to identify trends and let the CSE proactively understand the state of online encryption. Operationally, the project lets analysts identify the known services that a target used and changes in the target’s use of TLS. The project also provided broader analyses of sites’ TLS traffic.

The slide deck draws examples from warranted traffic, though also included is a flow chart of receiving SSL/TLS traffic from a special source. Special source traffic, unlike warranted traffic, is passed into OLYMPIA, the CSE’s network knowledge engine.

Future work included conducting trend analyses on special source traffic. Such work also included enhancing collaboration between the team conducting TLS trend analysis and the CSE’s data mining team.

Document Published: December 28, 2014
Document Dated: Unknown
Document Length: 15 pages
Associated Article: Prying Eyes: Inside the NSA's War on Internet Security
Download Document: TLS Trends: A roundtable discussion on current usage and future directions
Classification: TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA
Authoring Agency: CSE
Codenames: OLYMPIA, PHOENIX

Automated NOC Detection

Summary: Major enterprises manage their networks from Network Operations Centres (NOCs). During a March 2011 meeting in Canada, GCHQ and CSE analysts evaluated whether they could implement NOCTURNAL SURGE in OLYMPIA, CSE’s network knowledge engine.

Analysts use NOCTURNAL SURGE to find NOCs. The system draws from pre-existing databases to identify ‘Access Control Lists’: GCHQ draws from the 5-ALIVE database and CSE from the HYPERION databases. Access control lists include the ports that network administrators commonly use when initiating TELNET or SSH connections to the systems they administer. Similar port information is recorded for Virtual Teletype (VTY) lines; VTY is a legacy term for the command line interfaces of older systems such as routers.

After analysts have combed through the databases using NOCTURNAL SURGE and identified NOCs, those NOCs can be targeted for computer network exploitation operations. Exploitation involves correlating NOC IP addresses with affiliated identifiers from the MUTANT BROTH database, which stores correlations between IP addresses and cookies and other identifying data. The QUANTUM INSERT exploitation system is used to target administrators once analysts have correlated NOC data with information from MUTANT BROTH.

Document Published: December 13, 2014
Document Dated: Unknown
Document Length: 25 pages
Associated Article: Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco
Download Document: Automated NOC Detection

2nd SCAMP at CSEC process (Part of AURORAGOLD)

Summary: The SCAMP document outlines progress made in enhancing and evaluating existing CSE capabilities focused around signals intelligence. The document does not explicitly address CSE’s network exploitation or government defence operations.

New systems (IRASCIABLE RABBIT and TOYGRIPPE) were integrated with OLYMPIA according to the document. Progress was also made towards identifying virtual private networks of interest for cryptanalysis. The SCAMP document notes that there was ‘progress’ in sharing and analyzing SIGINT-collected International Roaming documents (i.e. IR.21).

The CSE-specific document is part of a larger collection of documents linked to the AURORAGOLD project. AURORAGOLD maintains and collects information about mobile telecommunications networks’ properties so analysts can understand the current state of global mobile systems’ networks, trending patterns in the state of these networks, and future evolutions of the networks. Much of this information is contained in IR.21 documents. Also included are e-mail selectors and metadata that are captured alongside the content of the documents themselves. Page 38 of the AURORAGOLD documents indicates that there had been no significant analysis of Canadian mobile telecommunications infrastructure at the time the document was produced.

Significantly, a slide linked to AURORAGOLD includes bullet points about finding, or introducing, vulnerabilities in mobile infrastructures for later exploitation (page 45). It is unclear whether this is a process flow for the AURORAGOLD group itself; it is possible that another party within the NSA or other agency is responsible for these aspects of the signals intelligence or development process.

Document Published: December 4, 2014
Document Dated: Unknown
Document Length: 1 page (SCAMP) // 63 pages (AURORAGOLD)
Associated Article: Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide
Download Document: SCAMP // AURORAGOLD

Sharing Computer Network Operations Cryptologic Information With Foreign Partners

Summary: This NSA document identifies the extent of the NSA’s cooperation with other nations’ military and intelligence organizations. The policy document applies to sharing computer network exploitation and computer network defence information between intelligence agencies, such as CSE, as well as to sharing cryptologic information with other militaries. Canada is listed as one of the “Tier A: Comprehensive Cooperation” partners along with Australia, New Zealand, and the United Kingdom.

Document Published: October 30, 2014
Document Dated: Unknown (likely November 23, 2005 based on declassification date of November 23, 2029)
Document Length: 2 pages
Associated Article: El CNI facilitó el espionaje masivo de EEUU a España (ES) // Spain colluded in NSA spying on its citizens, Spanish newspaper reports
Download Document: Sharing Computer Network Operations Cryptologic Information With Foreign Partners

LANDMARK Presentation Outline

Summary: The LANDMARK presentation outlines the CSE’s plan to automate the identification of devices that can be used as operational relay boxes (ORBs). These boxes (i.e. computer devices and systems that are linked to the internet) are used by CSE and other intelligence partners to provide a level of non-attribution for their activities online. The boxes are also used to access networks or network traffic.

Analysts use LANDMARK to run queries against the aggregate of data that is accessible via CSE’s OLYMPIA network knowledge engine. These queries reveal whether a network is already known to be vulnerable based on historically collected data that is accessible using OLYMPIA, as well as whether any device on the network has already been compromised. This analysis takes less than 5 minutes and has been integrated into OLYMPIA itself.

LANDMARK is made possible by data sourced from GCHQ’s HACIENDA. HACIENDA was developed by GCHQ, and its partner agencies include the CSE, NSA, and ASD. It maps the contours of the internet by conducting port scans of internet-connected devices. The IP addresses of these devices are correlated with geolocation information to situate identified addresses and their corresponding ports. Intelligence partners use HACIENDA information to conduct computer network exploitation and signals discovery operations.

Document Published: August 15, 2014
Document Dated: Undated (post February 2010)
Document Length: 6 pages
Associated Article: NSA/GCHQ: The HACIENDA Program for Internet Colonization
Download Document: LANDMARK // HACIENDA and LANDMARK
Classification: TOP SECRET // COMINT
Authoring Agency: CSE // GCHQ & NSA
Codenames: GEOFUSION, GLOBAL SURGE, HACIENDA, LANDMARK, LONGRUN, MAILORDER, OLYMPIA, TIDALSURGE, WIRESHARK

Non-targetable 2nd Party Countries, Territories & Individuals

Summary: This NSA-published document identifies the territories that are controlled or administered by the United States, Australia, the United Kingdom, and New Zealand. Canada is noted as lacking any territories beyond its national borders. The territories controlled or administered by members of the Five Eyes intelligence network cannot be targeted by fellow members of the signals intelligence alliance.

The second page of the document juxtaposes the different signals intelligence targeting authorization requirements between the aforementioned five nations. This juxtaposition includes the CSE’s limitations in targeting nationals in Canada, nationals overseas, foreign nationals in Canada, and foreign nationals overseas. Though not included in the document, the CSE can and does target Canadians when fulfilling its mandate to assist federal law enforcement and security agencies.

Document Published: June 30, 2014
Document Dated: August 1, 2007
Document Length: 2 pages
Associated Article: Court gave NSA broad leeway in surveillance, documents show
Download Document: Non-targetable 2nd Party Countries, territories & individuals
Classification: SECRET//COMINT//REL TO USA, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

SNOWGLOBE: From Discovery to Attribution

Summary: The CSE’s Counter-Intelligence branch identified a spyware-based intelligence program, codenamed SNOWGLOBE, that may have been crafted by France’s intelligence service. SNOWGLOBE was found using the REPLICANTFARM anomaly detection system that is part of the CSE’s WARRIORPRIDE computer network exploitation platform.

Various versions of the spyware implants have been found since November 2009 (SNOWBALL 1, SNOWBALL 2, and SNOWMAN). Together they compose the SNOWGLOBE program. The program’s infrastructure was identified using the CSE’s passive collection system (EONBLUE). Infrastructure was found in the US, Canada, UK, Czech Republic, Poland, and Norway. The infrastructure was found on free hosting services as well as attached to existing non-free systems. The CSE could not determine whether access to those systems involved the foreign actor using an exploit, special source access, or a combination of the two.

The spyware was found to have infected Iranian (e.g. Atomic Energy Organization), European (e.g. European Financial Association), African, and Canadian organizations. A French-language Canadian news organization was also infected by SNOWGLOBE. Based on the victims, the CSE did not believe that SNOWGLOBE fit a cybercrime profile. At the time the CSE presented these findings it assessed, with moderate certainty, that SNOWGLOBE was a state-sponsored operation by a French intelligence agency, though the CSE could not identify the specific agency, nor did the CSE know how the French agency gained access to the non-free parts of its infrastructure.

Document Published: March 21, 2014 // January 17, 2015
Document Dated: 2011
Document Length: 9 pages // 25 pages
Associated Article: Quand les Canadiens partent en chasse de ‘Babar’ (Fr); French spy software targeted Canada: report (En)
Download Document: SNOWGLOBE: From Discovery to Attribution (9 pages) // SNOWGLOBE: From Discovery to Attribution (Expanded Edition) (25 pages)
Classification: TOP SECRET // COMINT // REL TO CAN, AUS, GBR, NZL, USA
Authoring Agency: CSE
Codenames: CANDLEGLOW, EONBLUE, REPLICANTFARM, SNOWBALL, SNOWBALL2, SNOWGLOBE, SNOWMAN, WARRIORPRIDE

IP Profiling Analytics & Mission Impacts

Summary: The CSE used domestic Canadian data to develop and test a system to geolocate IP addresses as individuals moved around the world. The CSE used IP address information from Canadian airports, hotels, internet cafes, ‘transportation hubs’, conference centres, wifi hotspots, enterprises, libraries, and wireless gateways more generally. This information was used for IP profiling, partly to contribute to the Tipping and Cueing Task Force (TCTF), a Five Eyes effort to obtain real-time alerts on network events of interest throughout the SIGINT ecosystem.

The system was also designed to associate individuals’ identities to ‘air gapped’ communications. An air gap attempts to separate secured from unsecured communications systems. This aspect of the test correlated unencrypted identity-linked information (e.g. web cookies that could be tied to identifiable persons) with air gapped landline phone calls. By correlating the phone information and web cookies, the CSE and its partners could attribute who was likely to have been making the call.

Document Published: January 30, 2014
Document Dated: May 10, 2012
Document Length: 27 pages
Associated Article: CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents
Download Document: IP Profiling Analytics & Mission Impacts
Classification: TOP SECRET
Authoring Agency: CSE
Codenames: ATLAS, QUOVA

Mobile Theme Briefing

Summary: This GCHQ briefing presentation outlines the importance of mobile communications devices for the intelligence agency and discusses the development of the Mobile Applications Project. The Mobile Applications Project was created to develop capacities towards mobile applications writ large, as well as to facilitate target-centric analysis of voice, text, computer-to-computer, and geolocation data.

A part of the Mobile Applications Project included GCHQ porting WARRIOR PRIDE to the iPhone. WARRIOR PRIDE is a computer network exploitation program. GCHQ also developed specialized plugins for iOS.

CSE initiated a similar port of WARRIOR PRIDE to the Android platform. The Establishment created Android plugins similar to those created for iOS.

Document Published: January 28, 2014
Document Dated: May 28, 2010
Document Length: 6 pages
Associated Article: Angry Birds and 'leaky' phone apps targeted by NSA and GCHQ for user data
Download Document: Mobile Theme Briefing

NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)

Summary: This NSA memo notes that Canada and the United States enjoy a cooperative relationship that is driven by a mutual desire to protect North America. The memo also discusses that Canada is a large consumer of the NSA’s products and works with the NSA to target approximately 20 countries. It also explains that the NSA provides funds for some CSE research and development projects. In addition to providing analysis of received intelligence, the CSE “shares with NSA their unique geographical access to areas unavailable to the U.S.”

Document Published: December 9, 2013
Document Dated: April 3, 2013
Document Length: 2 pages
Associated Article: Snowden document shows Canada set up spy posts for NSA
Download Document: NSA Intelligence Relationship with Canada’s Communications Security Establishment Canada (CSEC)
Classification: TOP SECRET//SI//NOFORN
Authoring Agency: NSA
Codenames: None

BOUNDLESSINFORMANT Documents (Collection)

Summary: BOUNDLESSINFORMANT is an NSA tool that reveals the Global Access Operations’ (GAO’s) collection capabilities by revealing the volume of metadata record collections that occur against any given country. At a high level, BOUNDLESS INFORMANT can show aggregate records against an entire country, whereas drilling into particular countries will show how many records a given program or cover term is collecting. In addition to record counts, BOUNDLESSINFORMANT provides information about the type of collection (e.g. signals versus communications intelligence) and the contributing SIGINT Activity Designator (SIGAD). SIGADs refer to signals collection stations, such as those in diplomatic facilities, at undersea cable landing points, and at internet exchange points, in addition to other locations.

The BOUNDLESSINFORMANT Maps show the amounts of data that can be aggregated against different countries. Page 2 of that document reveals the global aggregate number of records parsed by BOUNDLESSINFORMANT (221,919,881,317) as well as the aggregate number of records collected against the United States (2,095,533,478). The United States is shown in yellow, whereas Canada is shown in green, suggesting there are fewer records collected against Canada than against the United States. Page 3 shows that of the world aggregate of 124,808,692,959 Dial Network Recognition (DNR) records, 203,190,032 were collected against the United States. Based on the colouring of the global map, fewer DNR records were collected against Canada.

It is unclear from the slides what ‘collected against’ means; it could refer to data that is shared by nations’ intelligence services or data the NSA collects from its SIGINT sites located within those nations. Alternately, it could include both of these ways of collecting data.

Document Published: June 11, 2013 - December 5, 2013
Document Dated: BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records (July 13, 2012) // BOUNDLESS INFORMANT Frequently Asked Questions (June 9, 2012) // BOUNDLESSINFORMANT Countries Data (Unknown) // BOUNDLESSINFORMANT Maps (January 8, 2007)
Document Length: 8 pages (BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records) // 3 pages (BOUNDLESS INFORMANT Frequently Asked Questions) // 15 pages (BOUNDLESSINFORMANT Countries Data) // 2 pages (BOUNDLESSINFORMANT Maps)
Associated Articles: Boundless Informant: the NSA's secret tool to track global surveillance data // France in the NSA's crosshair : phone networks under surveillance // La NSA espió 60 millones de llamadas en España en sólo un mes // Friedrichs Wunschliste: Datensaugen wie die NSA // NSA-files repeatedly show collection of data «against countries» - not «from» // Revealed: How the Nsa Targets Italy
Download Document: BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records // BOUNDLESS INFORMANT Frequently Asked Questions // BOUNDLESSINFORMANT Countries Data // BOUNDLESSINFORMANT Maps

Cheltenham Working Document (Fragments)

Summary: Only 4 of the 48+ paragraphs of the Cheltenham Working Document were published. Paragraph 4 summarizes CSE’s inability to share bulk, unselected data with other intelligence agencies circa 2008. Also included are summaries of the ASD’s general willingness to share unredacted metadata with its intelligence partners so long as those partners do not intend to target Australian nationals using the shared data.

Document Published: December 2, 2013
Document Dated: April 22-23, 2008 (Alleged)
Document Length: 4 pages
Associated Article: Australian spy agency offered to share data about ordinary citizens
Download Document: Cheltenham Working Document (Fragments)

And They Said To The Titans: Watch Out Olympians In The House

Summary: This slide deck was prepared by the Advanced Network Tradecraft group within CSE, and discusses the OLYMPIA system, which CSE developed to help its analysts access databases, combine data, and perform analyses to identify new targets and determine ways to monitor their communications. After a brief introduction to OLYMPIA the authors demonstrate how the system can be used for signals intelligence development operations, using the Brazilian Ministry of Mines and Energy as an example.

The slides present the surveillance of Brazilians as a case study that used a single domain (@mme.gov.br) and 9 DNR selectors as the original ‘seeds’. IP addresses for the mail servers were identified, in part using QUOVA (a database that retains information concerning anonymizers) as well as EONBLUE (CSE’s global sensor network) to link hostnames, IP addresses, the owners of those addresses, and the carrier used to carry the traffic. In this case the sources were used to identify mail servers as well as to determine the different IP addresses that targets were communicating with. The goal was to ascertain whether or not there was potential for man-on-the-side operations against chosen targets. 

The operation was successful in analyzing the Brazilian targets’ telecommunications environment and, as a result, there were subsequent proposals to conduct network exploitation (relying on man-on-the-side, cookie replay, or CDR), passive tasking, and human intelligence-enabled operations to collect information concerning the targets’ communications. CSE was working with TAO to evaluate the possibility of running a man-on-the-side operation.

Document Published: November 30, 2013
Document Dated: June 2012
Document Length: 18 pages
Associated Article: Read a CSEC document that was first acquired by Edward Snowden
Download Document: And They Said To the Titans: Watch Out Olympians In The House
Classification: TOP SECRET//SI
Authoring Agency: CSE
Codenames: ATHENA, ATLAS, BLACKPEARL, COEUS, DANAUS, DISHFIRE, EONBLUE, EVILOLIVE, FASCIA, FASTBALL, FRIARTUCK, GNDB, GEOFUSION, HYPERION, LEVITATE, MAINWAY, MARINA, MASTERSHAKE, OCTSKYWARD, OLYMPIA, PACKAGEDGOODS (ARK), PEITHO, PEPPERBOX, PROMETHEUS, QUOVA, SLINGSHOT, STALKER, STARSEARCH, STRATOS, TIDALSURGE, TOYGRIPPE, TRITON, TWINSERPENT

NSA Lends Support to Upcoming G8 and G20 Summits in Canada

Summary: This SID Today article outlines the kinds of support that the Agency will provide to G8 and G20 event security. The event took place in Canada.

The NSA identified the primary threats as “issue-based extremists” who had engaged in vandalism at past Summits. The NSA and broader Intelligence Community did not assess a credible terrorist threat to the event. It is unclear whether the Community referred to is the American Intelligence Community or whether it includes the Five Eyes and other parties, though common parlance would suggest it refers to the American Community.

NSA support planning was coordinated with the Special U.S. Liaison Office in Ottawa (SUSLOO), NSA’s representatives at CSE. NSA officers were not physically in the threat integration centre at the U.S. Embassy in Ottawa. They instead operated through the Director of National Intelligence Representative in Ottawa. The memo also recognizes that the National Security Operations Centre (NSOC) would “provide reachback” to Target Offices of Primary Interest (TOPIs) as well as policy support.

Document Published: November 27, 2013
Document Dated: June 23, 2010
Document Length: 4 pages
Associated Article: New Snowden docs show U.S. spied during G20 in Toronto
Download Document: NSA Lends Support to Upcoming G8 and G20 Summits in Canada
Classification: TOP SECRET // SI / TK // REL TO USA, AUS, CAN, GBR, NZL
Authoring Agency: NSA
Codenames: None

STATEROOM Guide (NSA)

Summary: The STATEROOM Guide outlines the classification of facts about covert signals intelligence collection that takes place from diplomatic facilities. Included in the leaked document are two screenshots of a much larger Guide.

Canada is noted, on page 2, as hosting intelligence collection sites at some Canadian diplomatic facilities. Notably these covert sites are “small in size and number of personnel staffing them” and “their true mission is not known by the majority of the diplomatic staff at the facility where they are assigned.” It is unclear from the document whether these collection sites are run by CSE or host NSA equipment or operations.

Document Published: October 28, 2013
Document Dated: Unknown
Document Length: 2 pages
Associated Article: US on Spying Scandal: ‘Allies Aren't Always Friends’
Download Document: STATEROOM Guide (NSA)

Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (ISNU) Pertaining To The Protection Of U.S. Persons

Summary: This NSA document outlines the privacy protections and policies that the Israeli SIGINT National Unit (ISNU) agrees to in order to receive SIGINT technology and equipment, as well as ‘raw SIGINT’. Raw SIGINT includes collected data that has not been “evaluated for foreign intelligence and minimized.” Minimization involves evaluating whether a U.S. person’s identity is essential to “understand the significance of the foreign intelligence” as well as applying identity-shielding protections to persons who are to be minimized. Per the document, citizens of Canada, Australia, the United Kingdom, and New Zealand enjoy the same protections as Americans, and thus all procedures outlined in this MoU must also apply to persons of these countries.

ISNU is expected not to use U.S.-supplied equipment or raw intelligence to intentionally target other ‘U.S. Persons’ (including Canadians), to limit access to raw NSA intelligence generally, to disseminate raw-intelligence-based information only after shielding the identities of U.S. Persons (and to receive written permission from the NSA prior to disclosing shielded identities), to retain files with Canadians/U.S. Persons for no more than one year, to destroy any communications from raw NSA SIGINT that are either to or from an official in the U.S. Government, and to process communications that refer “to activities, policies, and views of U.S. officials” only for purposes unrelated to intelligence against the US.

It is unclear from the document whether protections ascribed to U.S. government officials, such as members of the Executive Branch, U.S. House of Representatives and Senate, or U.S. Federal Court system, also are ascribed to equivalent Canadian government officials. Similarly, it is unclear whether the CSE would provide written authority to disclose Canadians’ identities to ISNU customers. However, since the memorandum is between the NSA and ISNU, the CSE might not be contacted directly by ISNU about revealing the identities of Canadians to Israeli intelligence customers. 

Document Published: September 11, 2013
Document Dated: Unknown (likely March 2009)
Document Length: 5 pages
Associated Article: NSA shares raw intelligence including Americans’ data with Israel
Download Document: Memorandum Of Understanding (MOU) Between the National Security Agency/Central Security Service (NSA/CSS) And The Israeli SIGINT National Unit (INSU) Pertaining To The Protection Of U.S. Persons
Classification: TOP SECRET//COMINT//REL TO USA, ISR
Authoring Agency: NSA
Codenames: CHIPPEWA

Office of the Communications Security Establishment Commissioner Reports
