July 16, 2012 in National Security Agency
The following sworn declaration of William Binney, a former employee of the NSA and specialist in traffic analysis, was filed July 2, 2012 in support of the Electronic Frontier Foundation’s case against the National Security Agency (Jewel v. NSA) regarding their illegal domestic surveillance programs which, according to Binney, “are consistent, as a mathematical matter, with seizing both the routing information and the contents of all electronic communications” inside the U.S. Thanks to Jacob Appelbaum for originally drawing attention to the declaration.
DECLARATION OF WILLIAM E. BINNEY IN SUPPORT OF PLAINTIFFS’ MOTION FOR PARTIAL SUMMARY JUDGMENT REJECTING THE GOVERNMENT DEFENDANTS’ STATE SECRET DEFENSE
- 10 pages
- July 2, 2012
I, William Binney, declare:
1. I am a former employee of the National Security Agency (“NSA”), the signals intelligence agency within the Department of Defense. Unless otherwise indicated, I have personal knowledge of each and every fact set forth below and can competently testify thereto.
2. A true and correct copy of my resume is attached hereto as Exhibit A.
3. In the late 1990’s, the increasing use of the Internet for communications presented the NSA with a special kind of problem: The NSA could not collect and smartly select from the large volume of data traversing the Internet the nuggets of needed information about “Entities of Interest” or “Communities of Interest,” while protecting the privacy of U.S. persons. Human analysts had to manually identify the groups and entities associated with activities that the NSA sought to monitor. That process was so laborious that it significantly hampered the NSA’s ability to do large scale data analysis.
4. One of my roles at the NSA was to find a means of automating the work of human analysts. I supervised and participated in the development of a program called “Thin Thread” within the NSA. Thin Thread was designed to identify networks of connections between individuals from their electronic communications over the Internet in an automated fashion in real time. The concept was for devices running Thin Thread to monitor international communications traffic passing over the Internet. Where one side of an international communication was domestic, the NSA had to comply with the requirements of the Foreign Intelligence Surveillance Act (“FISA”). With Thin Thread, the data would be encrypted (and the privacy of U.S. citizens protected) until such time as a warrant could be obtained from the Foreign Intelligence Surveillance Court.
5. The advent of the September 11 attacks brought a complete change in the approach of the NSA toward doing its job. FISA ceased to be an operative concern, and the individual liberties preserved in the U.S. Constitution were no longer a consideration. It was at that time that the NSA began to implement the group of intelligence activities now known as the President’s Surveillance Program (“PSP”). While I was not personally read into the PSP, various members of my Thin Thread team were given the task of implementing various aspects of the PSP. They confided in me and told me that the PSP involved the collection of domestic electronic communications traffic without any of the privacy protections built into Thin Thread.
6. I resigned from the NSA in late 2001. I could not stay after the NSA began purposefully violating the Constitution.
7. The NSA chose not to implement Thin Thread. To the best of my knowledge, the NSA does not have a means of analyzing Internet data for the purpose of identifying Entities or Communities of Interest in real time. The NSA has the capability to do individualized searches, similar to Google, for particular electronic communications in real time through such criteria as target addresses, locations, countries and phone numbers, as well as watch-listed names, keywords, and phrases in email. The NSA also has the capability to seize and store most electronic communications passing through its U.S. intercept centers. The wholesale collection of data allows the NSA to identify and analyze Entities or Communities of interest later in a static database. Based on my proximity to the PSP and my years of experience at the NSA, I can draw informed conclusions from the available facts. Those facts indicate that the NSA is doing both.
8. The NSA could have installed its intercept equipment at the nation’s fiber-optic cable landing stations. See Greg’s Cable Map, cablemap.info. There are more than two dozen such sites on the U.S. coasts where fiber-optic cables come ashore. If the NSA had taken that route, it would have been able to limit its interception of electronic communications to international/international and international/domestic communications and exclude domestic/domestic communications. Instead the NSA chose to put its intercept equipment at key junction points (for example Folsom Street) and probably throughout the nation, thereby giving itself access to purely domestic communications. The conclusion of J. Scott Marcus in his declaration that the “collection of infrastructure … has all the capability necessary to conduct large scale covert gathering of IP-based communications information, not only for communications to overseas locations, but for purely domestic communications as well,” is correct.
9. I estimate that the NSA installed no fewer than ten and possibly in excess of twenty intercept centers within the United States. I am familiar with the contents of Mark Klein’s declaration. The AT&T center on Folsom Street in San Francisco is one of the NSA intercept centers. Mr. Klein indicated that the NSA’s equipment intercepted Internet traffic on AT&T’s peering network. It makes sense for the NSA to intercept traffic on AT&T’s peering network. The idea would be to avoid having to install interception equipment on each of the thousands of parallel data lines that eventually lead into and out of peering networks. By focusing on peering networks, the NSA intercepts data at the choke point in the system through which all data must pass in order to move from one party’s network to another’s. This is particularly important because a block of data is often broken up into many smaller packets for transmission. These packets may traverse different routes before reaching the destination computer which gathers them and reassembles the original block.
10. One of the most notable pieces of equipment identified in Mr. Klein’s declaration is the NARUS Semantic Traffic Analyzer. According to the NARUS website, each NARUS device collects telecommunications data at the rate of ten gigabits per second and organizes the data into coherent streams based on the protocol associated with a specific type of collected data. A protocol is an agreed-upon way for data to be broken down into packets for transmission over the Internet, for the packets to be routed over the Internet to a designated destination and for the packets to be re-assembled at its destination. Protocols exist at each layer of the OSI (Open Systems Interconnection) 7-layer telecommunications model and are used for a wide variety of data, not just electronic communications. That means that NARUS can reconstruct all information transmitted through the peering network and forward all of the electronic communications to a database for analysis. The NARUS device can also select predetermined data from that path and forward the data to organizations having interest in the data. As I indicated above, the predetermined data would involve target addresses, locations, countries, and phone numbers, as well as watch-listed names, keywords, and phrases.
11. A further notable development has been the NSA’s public announcement in October 2009 that it was building a massive, $1.2 billion digital storage facility in Ft. Williams, Utah. According to some reports, the Utah facility will eventually have a data storage capacity measured in yottabytes (10^24 bytes). Even if the Utah facility were to have no more than the amount of data storage that is presently commercially available, then one would expect the data storage to be in the range of multiples of ten exabytes (10^18 bytes). See www.cleversafe.com. (According to Cleversafe, its ten exabyte storage solution fills no more than two hundred square feet). In April 2011, the NSA also announced that it would build a new supercomputing center at its Ft. Meade, Maryland headquarters.
12. The amount of data that each NARUS device can process per second is large (10 gigabits is 10 billion bits). To illustrate the sheer size of the data storage capacity of the Utah facility, one could assume the installation of twenty-five NARUS devices in the U.S. and that all of the NARUS-processed data is sent via fiber-optic cable to Utah. That means that the NARUS processing rate of 10 billion bits per second means that one machine can produce approximately 4 x 10^16 bytes per year. That in turn means that it would take twenty-five devices one year to fill an exabyte or ten years to fill ten exabytes.
13. The sheer size of that capacity indicates that the NSA is not filtering personal electronic communications such as email before storage but is, in fact, storing all that they are collecting. The capacity of NSA’s planned infrastructure far exceeds the capacity necessary for the storage of discrete, targeted communications or even for the storage of the routing information from all electronic communications. The capacity of NSA’s planned infrastructure is consistent, as a mathematical matter, with seizing both the routing information and the contents of all electronic communications.