ANNEX 7: THE SNOWDEN ALLEGATIONS
extract information from missed call alerts or texts with international roaming charges.
Missed call alerts could allow contact chaining, i.e., working out someone’s social
network. Border crossings could be worked out from roaming charges texts and
names could be extracted from electronic business cards.
13. The XKEYSCORE system was said to be developed by the NSA, to allow analysts to
carry out a search, using a single search term, such as an email address or telephone
number, across three days’ worth of raw data collected via a number of programmes
such as PRISM and UPSTREAM. According to documents relating to OPTIC NERVE,
the webcam material collected via this programme was fed into XKEYSCORE.
XKEYSCORE indexed data sources including email addresses, IP addresses, port
numbers, file names, cookies and buddy-lists. Monitoring of Facebook chats was said
to be possible simply by entering a Facebook user name and date range. A slide
labelled “future” listed VOIP as a target. Another slide described how 300 terrorists
were captured using intelligence generated from XKEYSCORE.[11]
14. DEEP DIVE was said to have a greater capability than traditional XKEYSCORE, which
handles low rates of data and ingests all of it. DEEP DIVE could handle 10 gigabytes
of data. It “promoted” data that has a “potential intelligence value” and only that is
ingested into XKEYSCORE. Data “that is not allowed to be in the system – UK-UK”
is blocked. DEEP DIVE XKEYSCORE was said to be used by the TEMPORA
programme though this was not the only way in which data was promoted to
TEMPORA. Promotion also took place based simply on technology type or IP
subnet.[12]
Computer Network Exploitation
15. Documents referred to a number of programmes aimed at “Active SIGINT” or CNE.
They were said to involve implanting malware (software designed to disrupt a
computer) directly onto a user’s computer. Examples in the documents describing
the use of this technique by GCHQ included a programme called NOSEY SMURF,
which involved implanting malware to activate the microphone on smart phones,
DREAMY SMURF, which had the capability to switch on smart phones, TRACKER
SMURF, which had the capability to provide the location of a target’s smart phone with
high precision, and PARANOID SMURF, which ensured malware remained hidden.[13]
16. It was also said that a GCHQ project called OPERATION SOCIALIST used
technology called QUANTUMINSERT to direct staff at Belgacom, without their
knowledge, to fake websites in order to plant malware on their computers.[14] GCHQ
was also said to have gained access via CNE to the entire network of a company
called Gemalto, which produces SIM cards, including their encryption keys.[15]
17. Documents also said that implants of malware can take place in bulk. An automated
system called TURBINE allows “the current implant network to scale to large size
(millions of implants) by creating a system that does automated control implants by
[11] https://www.eff.org/document/2013-07-31-guard-xkeyscore-training-slides.
[12] Ibid.
[13] https://www.eff.org/document/20140128-guard-leaky-phone-apps.
[14] https://www.eff.org/document/2013-09-20-spiegel-belgacom.
[15] https://www.eff.org/document/20150219-intercept-sim-card-encryption-key-theft-and-mobile-networkaccess.