New light on NSA spying

A former Internet expert for the FCC concludes that a secret AT&T installation was most likely used for government surveillance.

Published June 23, 2006 8:16PM (EDT)

A federal court in California released a previously sealed 40-page document on Thursday in the Electronic Frontier Foundation's lawsuit against AT&T, which bolsters allegations that the telecommunications giant built secret rooms to allow the National Security Agency to conduct widespread surveillance of Internet traffic. The document also paints a detailed scenario of how the NSA may be conducting the top-secret operation, which closely matches information given to Salon by a former AT&T employee who worked at the company's network operations center in Bridgeton, Mo.

The document, a statement by J. Scott Marcus, a former senior advisor for Internet technology to the Federal Communications Commission, was filed under seal on April 5 on behalf of the EFF to support its class-action suit against AT&T, which alleges that the company violated a number of federal laws in aiding the government's domestic spying operation against AT&T customers. The court sealed the document because it contained proprietary AT&T information, then ordered AT&T and EFF to work together to produce a redacted version to place in the public record, which they did on Thursday.

EFF asked Marcus to examine records from a former AT&T technician in California named Mark Klein that describe how AT&T reconfigured its network in San Francisco and installed special computer systems in a secret room, allegedly to divert and collect Internet traffic to help the NSA conduct warrantless surveillance. Were the records authentic and was it feasible that they described a government surveillance program, or could the reconfiguration and systems have been put in place for more innocuous uses?

Marcus concludes in his statement that the documents are authentic and, after considering a number of possible reasons for the reconfiguration -- such as legitimate network monitoring and maintenance -- writes that the system AT&T installed in a secret San Francisco room, and likely other cities, was "exceptionally well suited to a massive, distributed surveillance activity" and that "no other application provides as good an explanation for the combination of engineering choices that were made."

He considered that the system might be set up to accommodate lawful traffic intercepts under the Communications Assistance for Law Enforcement Act, but deemed this not a credible scenario, since there are far simpler and less expensive solutions for meeting CALEA, which required Internet service providers to make their networks wiretap-ready. He also concludes that given how cash strapped AT&T was in 2002 and 2003 when the expensive changes and additions to the system were made, it is "exceedingly unlikely" that AT&T financed the project on its own. "I therefore conclude that it is highly probable that funding came from an outside source, and consider the U.S. Government to be the most likely source," he writes in the document.

Over several pages that are redacted at key points, Marcus discusses technical details in the Klein documents that have previously been unavailable. (The Klein documents are under seal, and although some of them have made it to the Internet, others, judging by details revealed by Marcus, have never been made public.) According to Marcus, the Klein documents refer to a "private ... backbone network, which appears to partition from AT&T's main Internet backbone." This suggests the presence of a private network, Marcus writes, whose existence is "not consistent with normal AT&T practice."

"The most plausible inference is that this was a covert network that was used to ship data of interest to one or more central locations for still more intensive analysis," Marcus writes.

The most interesting aspect of the Marcus statement is the clear, though speculative, scenario he provides for how the National Security Agency is likely conducting its surveillance and data collection through that network. Marcus, currently a consultant with WIK-Consult GmbH in Bad Honnef, Germany, was unavailable for comment. But in the statement, he suggests that the secret San Francisco room is connected to two separate networks -- the regular commercial network on which e-mail, Web surfing and voice-over Internet Protocol traffic runs, and the second private, covert network that is partitioned off from the regular network and is used to divert traffic that has been copied and sent back to a central collection place. He suggests that massive amounts of data are collected at 15 to 20 locations around the country, where it is automatically screened and winnowed down to only "data of interest" by a special system installed in San Francisco (and likely elsewhere) before it is shipped off to one or two central collection points, where it is processed by powerful computers and analyzed by skilled staff.

This agrees with what several sources told Salon this week. A former AT&T network technician who is well acquainted with AT&T's common backbone and asked to remain anonymous, told Salon about a secret, heavily secured room located in AT&T's Bridgeton facility, where the company runs its technical command center from which it manages all of its backbone. From that facility, the company could send commands to any of its 1,500 to 2,000 routers around the country to filter and divert traffic from those locations. To do that, the technician said, AT&T would need to physically place network "sniffers" at key points in the company's backbone. "There are 10 or 15 data centers located in major cities around the country," he said. "So they would need to stick [a sniffer] in each of those data centers to capture all the information." Then the company could easily send commands from the Bridgeton room to the routers in those locations. The commands would indicate what data to collect and where to divert it afterward.

Marcus writes that although the configuration in San Francisco was deployed in early 2003, given AT&T processes, the planning for it was probably underway six to 12 months earlier. This coincides with the timing of the Bridgeton Network Operation Center, which was put in place about eight months before the San Francisco room was configured and was the place from which the work order for the secret room in San Francisco originated.

The Bridgeton room, guarded with a high-tech mantrap with retinal and fingerprint scanners, is restricted to government workers and AT&T employees with top-secret security clearances and is likely just used for remotely monitoring and maintaining the secret rooms around the country and sending commands. Russ Tice, a former NSA officer and senior analyst until last year, told Salon that the data once collected is probably not sent to Bridgeton but instead is diverted to an NSA facility where powerful processing equipment can analyze it.

As for the kind of data collected, Marcus infers from the Klein documents that the configuration in place in San Francisco would enable surveillance of "both overseas and purely domestic traffic." But the Klein evidence suggests that only "off net" traffic was being collected in San Francisco at the time the documents were written. "Off net" refers to traffic sent between AT&T customers and customers of other ISPs; "on net" traffic is sent strictly between one AT&T customer and another AT&T customer.

Still, this amounts to a lot of data, Marcus says. It would mean that any traffic that passed through AT&T's network from another ISP or network would be intercepted. He suggests the possibility, however, that authorities could conceivably weed out domestic traffic to collect only international traffic exchanged between an AT&T customer and noncustomer, given that software programs exist that can help distinguish domestic Internet traffic from traffic that travels from outside the United States. But he writes that even with such weeding, some purely domestic traffic would likely slip through the filter.

A hearing on the EFF lawsuit against AT&T is being held in San Francisco Friday to determine whether the case should be thrown out. The Department of Justice has interfered in the case, calling on the court to dismiss it on grounds that national security secrets would be exposed if a trial were to proceed.

By Kim Zetter

Kim Zetter is a freelance writer based near San Francisco.

MORE FROM Kim Zetter

Related Topics ------------------------------------------