A Trail of Evidence Leading to AT&T’s Partnership with the NSA
Documents provided by Edward Snowden mention a special relationship between the National Security Agency and an unnamed telecommunications company. Here’s how we figured out that’s AT&T.
Today we reported that the National Security Agency’s ability to capture Internet traffic on United States soil has relied on its extraordinary, decadeslong partnership with a single company: the telecom giant AT&T.
While it has long been known that American telecommunications companies work closely with the spy agency, the documents we’ve published show that the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative” and another lauded the company’s “extreme willingness to help.”
By following breadcrumbs we found throughout the trove of documents released by Snowden, we were able to prove that a program called Fairview was the cover term for the agency’s partnership with AT&T. We also found evidence that Verizon participates in the agency’s smaller Stormbrew program.
We started with the basics. A slide deck called “Fairview Overview” described the partnership between NSA’s Special Source Operations unit and a corporate partner:
We inferred from this that the Fairview partner was a single big U.S. telecom. There are only a handful American operators at this scale: AT&T, Verizon, Sprint and Internet backbone providers such as CenturyLink, Cogent Communications and Level 3 Communications.
The Cable Cut
Our best clue came from an internal NSA newsletter, which contained an update about how data collection was restored after the Japanese earthquake of 2011:
On 5 Aug 2011, collection of DNR and DNI traffic at the FAIRVIEW CLIFFSIDE trans-pacific cable site resumed, after being down for approximately five months. Collection operations at CLIFFSIDE had been down since 11 March 2011, due to the cable damage as a result of the earthquake off of the coast of Japan.
Several submarine cables near Japan were damaged after the earthquake. However, only one of them was restored on August 5, 2011, according to Satoru Taira, vice president in the Crisis Management Planning Office at NTT Communications, the Japanese telecom that operates the Japan landing station for the cable. That restored cable is the northern leg of the Japan-US cable that is operated by AT&T in the United States, according to Federal Communications Commission filings.
Although there are many partners in the consortium that share ownership of the Japan-U.S. cable, AT&T is the primary network operator of the cable and owns the Manchester, California cable landing point for the U.S-Japan cable, according to FCC filings.
Our next clue was some jargon we found in an NSA glossary.
Even the NSA has a hard time keeping track of all its code words, so it has a dictionary of terms. Inside that dictionary, we found an entry that described a Fairview program using terminology we hadn’t heard before: “SNRC.”
SAGURA - DNI access from FAIRVIEW’s Partner’s DNI backbone which includes OC-192 and 10GE peering circuits. The Partner has provided a current view of the forecasted and equipped 10GE and OC-192 peering circuits at the eight SNRCs as of March 2009.
A little sleuthing revealed a 1996 article in the publiction Network World in which AT&T described its Internet hubs as Service Node Routing Complexes, or SNRCs. Former AT&T employees Jennifer Rexford, who is now a professor at Princeton University, and Joel Gottlieb, who now runs his own consulting service, confirmed for us that SNRC was AT&T-specific jargon. We also found that AT&T had included the term SNRC in a glossary of technical terms it submitted with a government contract.
Elsewhere, in a diagram of Fairview data flows, the term Common Backbone, or CBB is used to describe the Fairview partner’s Internet backbone. The term CBB is also specific to AT&T, according to Rexford and Steven Bellovin, another former AT&T employee, now a professor at Columbia University.
A network map of Fairview shows eight “Peering Link Router Complexes” A 2009 AT&T network map shows eight “Backbone Node with Peering” at roughly those same locations.
In April 2012, an internal NSA newsletter boasted about a successful operation in which NSA spied on the United Nations headquarters in New York City with the help of its Fairview and Blarney programs. Blarney is a program that undertakes surveillance that is authorized by the Foreign Intelligence Surveillance Court.
FAIRVIEW and BLARNEY engineers collaborated to enable the delivery of 700Mbps of paired packet switched traffic (DNI) traffic from access to an OC192 ring serving the United Nations mission in New York … FAIRVIEW engineers and the partner worked to provide the correct mapping, and BLARNEY worked with the partner to correct data quality issues so the data could be handed off to BLARNEY engineers to enable processing of the DNI traffic.
We found historical records showing that AT&T was paid $1 million a year to operate the U.N.’s fiber optic provider in 2011 and 2012. A spokesman for the U.N. secretary general confirmed that the organization “has a current contract with AT&T” to operate the fiber optic network at the U.N. headquarters in New York.
Cable Landing Stations
Internal NSA maps of Fairview’s backbone network show the partner company’s nine cable landing stations on the East and West coasts of the United States. Those positions correspond to cable landing stations owned by AT&T, documented by the company in regulatory filings to the FCC
The internal NSA slide below shows the locations of Fairview’s cable stations and other program locations. The map shows AT&T stations where submarine cables enter the United States.
A 2009 working draft of an NSA inspector general report about President Bush’s Stellar Wind warrantless wiretapping program, which was previously released by The Guardian, referred to the helpful cooperation of two companies — Company A and Company B, which provided “two of the most productive SIGINT collaborations that the NSA has with the private sector.”
Company A was described as having “access to 39% of international calls into and out of the United States” while Company B had access to 28 percent of international calls. At the time, AT&T had 39 percent and MCI had 28 percent of the international message telephone traffic, according to a 1999 FCC report.
Stormbrew Includes Verizon
We were also curious about the NSA’s next-biggest corporate partnership after Fairview, described in the documents as Stormbrew.
We found a 2013 presentation in the documents that showed a map of a Stormbrew submarine cable connecting the West Coast of the United States to five Asian cities: Chongming and Qingdao in China, Keoje and Shin-Maruyama in Japan, and Tanshui in Taiwan. Those landing points match exactly with the landing points of the Trans-Pacific Express submarine cable that is operated by Verizon.
In an internal NSA newsletter, we found a reference to the construction of the Stormbrew cable landing station:
Stormbrew has completed SCIF construction and also received security certification for BRECKENRIDGE, its latest collection site on 11 September 2009. The 10,000 square foot facility is equipped with the necessary power, communications and equipment racks to support the planned near-term deployment of 15 TURMOIL systems, providing 150G of processing against the newly acquired ••••••••••••••••.
Initial collection system deployments are scheduled for 2nd quarter 2010. The BRECKENRIDGE/••••••• effort commenced in February 2007 and is the first “cable-head” collection effort conducted under STORMBREW.
The date that the effort started — February 2007— is also when Verizon filed its initial request for “a license to construct, land and operate the TPE cable,” according to FCC filings.