Title: Sharing of MetaData across the IC — Dissemination of SIGINT Metadata Beyond NSA

Release Date: 2014-08-25

Document Date: 2005-07-06

Description: This memorandum dated 6 July 2005 describes features of the intelligence sharing systems that preceded ICREACH: see the Intercept article The Surveillance Engine: How the NSA Built Its Own Secret Google, 25 August 2014.

Document: SECRET//NOFORN//MR

UNITED STATES GOVERNMENT

memorandum

TAC-0xx-05

DATE: 06 July 2005

REPLY TO ATTN OF: TD/TAC

SUBJECT: Sharing of MetaData across the IC — Dissemination of SIGINT Metadata Beyond NSA

(FOUO)- MEMORANDUM OF UNDERSTANDING
TO: DIR

THRU: D/DIR____, IG__, OGC____, DK____, JTD____, SE__, NCR CIA__, D/SID__, S02____, S1__, S2___, S3___

REFERENCES:

A. (C) Request for additional NSA data for CIA’s PROTON Program, (dtd: 10 Mar 2005)

B. (C) Minimization Plan for the Application of CRISSCROSS Analytical Software to NSA SIGINT Acquired Telephone Call Control Data, dated 20 Jan 1999.

C. (C) MOU between NSA and FBI for Access to NSA Data in the CRISSCROSS Program, dated 19 Jan 2001.

D. (C) MOU between NSA and DIA Regarding the CRISSCROSS Program, dated 19 Jan 2001.

E. (U) NSA/CSS Policy 1-9, Information Sharing, dated 26 May 2005.

PURPOSE: (U) To establish the DIRNSA/CHCSS and NSA/CSS as the U.S. IC
Executive Agent for IC-wide metadata sharing.

BACKGROUND:

(S//NF) Except for a few point-to-point sharing initiatives, CRISSCROSS/PROTON is
the current IC (plus) information sharing structure. CRISSCROSS/PROTON is a CIA-
managed program which provides extracts from selected Agency (NSA, CIA, DIA, FBI
and DEA) databases of telephone call records and reference data obtained from
HUMINT, SIGINT, Open and law enforcement related sources to analysts in U.S. law-
enforcement and intelligence communities at a CONFIDENTIAL NOFORN level. The
key data elements stored and retrieved for display by the PROTON Interface include:
called and calling telephone numbers, date, time, and duration of calls.

Derived From: NSA/CSSM 1-52

Dated: 20041123
Declassify On: 20300707

(S//NF) For approximately the last 5 ½ years, the CIA CRISSCROSS (now PROTON)
program has been incorporating NSA-provided SIGINT-derived (U.S. and Second/Third
Party) data. NSA provides this information to CRISSCROSS/PROTON Agencies for

(S//NF) The decision to disseminate SIGINT-derived signaling outside COMINT
Channels also had policy and operational dimensions. Tests have demonstrated that
SIGINT-derived and traditional HUMINT-derived call record data can be stored and
displayed in a manner which makes them appear to be indistinguishable, which in general
terms makes the risks to sources and methods approximately equal. However, under some
circumstances, e.g., signaling data from a unique target area, which could have come only
from a sensitive SIGINT source, dissemination of data to CRISSCROSS would be
inappropriate. This is the case when the data also includes information elements that are
only available and could only come from exploitation of signaling. The MOA is silent on
this point, leaving to NSA full decision authority to decide which data to provide and not
provide.

(C) For several years prior, NSA had been providing SIGINT-derived signaling
information to CIA and DEA to support multi-agency counter narcotics analysis, as
approved by DDO, OGC, and the Office of Policy. Calling data from several Latin
American collectors, and from Thailand, had been of great value to the DEA and to the
DCI Crime and Narcotics Center, and there were no adverse operational or legal impacts
to NSA.

(S//NF) Operationally, the flow of large volumes of intercepted signaling data
could place additional burden on NSA’s IT infrastructure. While, as above, the MOA did
not address IT infrastructure, NSA retained full discretion over volume and timing of
information flow, even as NSA chose to support the CRISSCROSS/PROTON program
with certain SIGINT inputs.

(S//NF) Requisite human and communications resources are in place in SID to
support the transfer of moderate volumes of signaling-derived call record data to the CIA
CRISSCROSS/PROTON Program Office. No increase in personnel was required to
initiate data flow. Under the terms of MOA, CIA provided the list of US overseas
commercial phone numbers to be minimized in NSA processing of signaling data.
Similarly, the Department of State and Department of Defense telephone directories will
be researched by NSA to identify official US government overseas phone numbers in
order to minimize call records associated with them. To this end, the NSA
CRISSCROSS/PROTON Program Manager agreed to obtain the DOS and DOD
directories annually and, with CIA assistance, extract the overseas numbers. That
function was transferred to the Communications Event Analysis Center (CEAC), in S2S,
in 2004. The software to extract call record data and to support minimization exists on a
server under S2S control. A huge volume of signaling data (~400M records) flows to that
server on a daily basis to meet NSA analytic needs, and sufficient communication
bandwidth is currently available to support the transfer of processed call records (~37M
per day) to CIA’s CRISSCROSS/PROTON Program for reformatting. We anticipate S21
will continue to be responsible for loading CIA CRISSCROSS/PROTON output on
NSA’s CRISSCROSS/PROTON server, and CEAC will continue to be responsible for
maintaining minimization and audit controls on all-source data received from CIA.
Finally, SID Office of Oversight and Compliance would be responsible for oversight of
USSID 18 compliance.

Handle Via COMINT Channels Only

(S) Community analytic interest in dialing analysis continues to grow and is
directed at discovery of new specific targets or topics, and demand for additional call
record volume to support contact chaining and geolocation has increased. Signaling links
are competing for collection priority just like any other potential SIGINT target. As with
other targets, the potential to expand collection is limited by available resources, to
include field processing of signaling links as well as bandwidth to support forwarding
from collection sites to NSA.

(S//NF) The CRISSCROSS program, in which NSA already participates as a user
of data, has had notable successes since its inception in 1990, such as enabling major
narcotics arrests, monitoring Ramsi Yousef’s colleagues, unraveling the Mubarak
assassination plot, and providing insight into Pakistani nuclear weapon test activities. The
program has received high marks from senior Community levels, such as the PFIAB, and
Assistant DCI’s for both Collection and Production. CRISSCROSS was also cited in the
report by Admiral Jeremiah on Indian nuclear testing as a potential improvement to
Community analytic strength. Since 9/11, the contributions to the GWOT due to our
increased collection of signaling metadata are innumerable and significant. It is safe to
say that it has been a contribution to virtually every successful rendition of suspects and
often, the deciding factor. Hence the benefit to the intelligence and law enforcement
communities of any SIGINT-augmented inputs could be considerable, as SIGINT has the
potential to access a broad range of targets.

CURRENT PROPOSAL: (S//NF) Ref A. requests additional data elements from
SIGINT collection be included in the data set transferred to PROTON. Specifically, they
want mobility management information relating to digital cellular and mobile satellite
systems to include Global Cell ID’s, Location Area Codes, spot beams, International
Mobile Subscriber Identifications, International Mobile Equipment Identifications,
Latitude/Longitude, and Inmarsat Return ID’s. They also requested content from Short
Message Service exchanges (which we are required to audit queries against).

DISCUSSION: (S//NF) The current data push to CIA/PROTON is roughly 40
Million records per day which has resulted in approximately 30% of the PROTON data
set (1996-2005) coming from SIGINT sources (2002-2005). The addition of the
requested data elements would more than double the volume of data sent to PROTON on
a daily basis. This would increase the percentage of SIGINT contribution to PROTON
significantly. CIA is positing PROTON as the community resource for target/lead
development based on contact chaining techniques. In this regard it is extremely difficult
to envision it playing that role at NSA. PROTON requires a NOFORN/ORCON access,
must be licensed, has no API that would allow access integration with other tools (e.g.,
federated query), and represents a significant funding investment and dependency on a
CIA contractor.

RECOMMENDED RESPONSE: (S//NF) In the context of the atmosphere
created by the events of 09/11/01 and the following investigations into the perceived
‘intelligence failure’ a recurring theme has been the lack of data sharing on the part of the
IC members. Against that background, it is difficult to deny requested access to SIGINT-
only datasets that are thought to have value to other intelligence analysts/missions. In an
effort to:

a.) provide access to the requested data and,

b.) break new ground in the information sharing arena while,

c.) not moving any more data out of NSA and into duplicative storage.

We propose to utilize the IC shared information space ICSIS on INTELINK and
implement IC access to our GLOBALREACH federated query service via accounts
and access verified by PKI certificates. This service will provide the access requested and
permit the auditing legally required of NSA. Further, we request that CIA forward
PROTON data from non-SIGINT sources to NSA for inclusion in the dataset searched by
GLOBALREACH. For data that must remain in HCS channels, we will create an HCS
partition in FASCIA II. This will permit one-stop access to contact information for IC
analysts. We believe that we can have GLOBALREACH available in the ICSIS shared
space by 01 Oct 2005.

RECOMMENDATION: (FOUO) That you sign the enclosed note to the Office
of the Director, National Intelligence. Questions of a legal nature should be directed to

AGC (Operations),

Operational question should be directed

SIGDEV/TAC Technical Director,

SIGDEV/TAC TD
