Well here’s an interesting development. Wired Magazine has published the full text of some of the documents that Mark Klein has provided against AT&T. The court had placed a gag order on the Electronic Frontier Foundation to prevent the information from being released to the public, ostensibly because it contained proprietary technical information, which, if released, would harm AT&T’s business. Apparently, “How To Spy On Americans” is a trade secret. Wired released the documents anyways, claiming that they “believe the public’s right to know the full facts in this case outweighs AT&T’s claims to secrecy.”

According to Wired, since the gag order applied only to “the EFF, its representatives and its technical experts,” and not to Mark Klein or any of the other news agencies, Wired was free to release the information they had. I’m not a lawyer of course, but I have a funny feeling that AT&T may try to sue anyways.

Room 641a In AT&T Headquarters

The interesting part though, is not that Wired released the documents. The interesting part is that, so far as I can tell, Mark Klein’s evidence basically consists of “AT&T installed a Narus STA 6400 in Room 641a.” Which basically doesn’t mean anything unless you know what a Narus STA 6400 is.

First, a bit of explanation of how the Internet works. The vast majority of internet traffic is transferred using a protocol called TCP, or Transmission Control Protocol. TCP works by splitting up the data that needs to be sent between two computers into “packets” — smaller chunks of information that are sent independently and reassembled on the other end. This allows for reliable communication across unreliable network infrastructure, because, if one packet is lost in transmission, and the receiving computer doesn’t acknowledge that the packet was received, the sending computer will automatically resend the data. That way only that tiny chunk of data will have to be resent instead of the whole thing. Even better, packets don’t have to be sent directly from the sending computer to the receiving computer. The underlying protocol for TCP — IP, or the Internet Protocol — allows packets to be relayed between several different computers before arriving at the final destination computer.

Now, back to the whole spying business… If you want to spy on everybody, everywhere, there’s really only one way to do it. You need to function as a man-in-the-middle. And if you want to do that, you need to locate the major hubs of communication and tap into them. This sort of thing is much simpler with circuit-switched networks (such as standard telephone calls) because all the information is basically sent in one go, across a single route for the whole transmission. But with packet-switched networks (the Internet), because they break everything up into chunks of data, if you want to get at that information, you have to first reassemble the packets.

Which is where the Narus STA 6400 comes in apparently. From what I can gather (there’s not much information to be had on the thing, for obvious reasons), Narus’s “Semantic Traffic Analyzer” technology reassembles the packets back into the full data that was sent, and is able to identify exactly what type of data it is, whether it be email, VOIP/Skype, P2P/filesharing, web-browsing, instant messaging, or streaming media.
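To make the two steps above concrete (reassembling TCP segments into the original byte stream, then identifying what kind of traffic it is), here is an added example of the same logic that a passive network monitor or intrusion-detection sensor performs. It is not code from the original post and has nothing to do with Narus’s product; the segments it processes are constructed sample data, and the classifier is a deliberately small set of assumed protocol signatures. It shows why a tap cannot simply read packets as they fly by: segments arrive out of order, get retransmitted, and overlap, so per-connection state has to be kept until the gaps are filled.

```python
"""TCP stream reassembly plus payload classification: the two things a
passive tap must do before application data is readable.
Added example with constructed sample traffic; not Narus code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a tap would see it (constructed)."""
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    seq: int            # sequence number of the first payload byte
    payload: bytes = b""
    syn: bool = False   # SYN flag set (payload is empty)


@dataclass
class Stream:
    """Reassembly state for one direction of one connection."""
    next_seq: int                                             # next in-order byte expected
    data: bytearray = field(default_factory=bytearray)       # contiguous bytes so far
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments by seq
    had_syn: bool = False                                     # False => joined mid-connection


class Reassembler:
    """Rebuilds each (src, dst) direction from its segments."""

    def __init__(self) -> None:
        self.streams: Dict[Tuple[str, str], Stream] = {}

    def feed(self, seg: Segment) -> None:
        key = (seg.src, seg.dst)
        if seg.syn:
            # SYN occupies one sequence number, so data starts at seq + 1
            self.streams[key] = Stream(next_seq=seg.seq + 1, had_syn=True)
            return
        st = self.streams.get(key)
        if st is None:
            # No SYN seen: treat this segment as the start of what we can see
            st = Stream(next_seq=seg.seq)
            self.streams[key] = st
        self._place(st, seg.seq, seg.payload)
        self._drain(st)

    @staticmethod
    def _place(st: Stream, seq: int, payload: bytes) -> None:
        end = seq + len(payload)
        if end <= st.next_seq:
            return                       # retransmission of bytes we already hold
        if seq > st.next_seq:
            st.pending[seq] = payload    # gap before it: hold until the gap is filled
            return
        st.data.extend(payload[st.next_seq - seq:])   # trim any overlap
        st.next_seq = end

    @staticmethod
    def _drain(st: Stream) -> None:
        # Release held segments whose gap has now been filled, in order
        for seq in sorted(st.pending):
            if seq > st.next_seq:
                break
            Reassembler._place(st, seq, st.pending.pop(seq))


# Assumed, minimal protocol signatures (an illustration, not a real product's rules)
SIGNATURES = (
    ((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1."), "http"),
    ((b"220 ", b"EHLO ", b"HELO ", b"MAIL FROM:"), "smtp"),
    ((b"SSH-",), "ssh"),
)


def classify(data: bytes) -> str:
    """Guess the application protocol from the first bytes of a reassembled stream."""
    head = bytes(data[:16])
    if head[:2] == b"\x16\x03":          # TLS record header: handshake, version 3.x
        return "tls"
    for prefixes, label in SIGNATURES:
        if head.startswith(prefixes):
            return label
    return "unknown"


def analyze(segments: List[Segment]) -> Dict[Tuple[str, str], Tuple[bytes, str]]:
    """Reassemble every direction seen and label it."""
    r = Reassembler()
    for seg in segments:
        r.feed(seg)
    return {k: (bytes(st.data), classify(st.data)) for k, st in r.streams.items()}


# Constructed sample capture: one HTTP request delivered out of order with a
# retransmission, plus an SMTP banner from a connection joined mid-stream.
CLIENT, SERVER = "10.0.0.5:51000", "93.184.216.34:80"
SAMPLE_SEGMENTS = [
    Segment(CLIENT, SERVER, seq=999, syn=True),
    Segment(CLIENT, SERVER, seq=1032, payload=b"example.com\r\n\r\n"),   # arrives early
    Segment(CLIENT, SERVER, seq=1000, payload=b"GET /index.html "),
    Segment(CLIENT, SERVER, seq=1000, payload=b"GET /index.html "),       # retransmission
    Segment(CLIENT, SERVER, seq=1016, payload=b"HTTP/1.1\r\nHost: "),
    Segment("198.51.100.7:25", "10.0.0.9:40022", seq=5000,
            payload=b"220 mail.example.com ESMTP\r\n"),                   # no SYN seen
]

if __name__ == "__main__":
    for key, (data, label) in analyze(SAMPLE_SEGMENTS).items():
        print(f"{key[0]} -> {key[1]}: {label:8s} {data[:40]!r}")
```

The point a defender should take from this is the cost: every connection crossing the tap needs its own buffer and sequence state until its segments are in order, and a real implementation must also track both directions, FIN/RST teardown, and 32-bit sequence wraparound. That per-flow state is why monitoring an entire backbone link with one box is so much harder than monitoring a chosen subnet.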

Now, of course, there are plenty of reasons why a carrier would install one of these things, and by itself, evidence that AT&T had installed one probably wouldn’t mean anything illegal was going on. But there’s only one obvious reason the NSA would install one inside a secret room in a carrier’s headquarters. And that’s why Mark Klein is now the key witness for the EFF in their class-action lawsuit against AT&T for illegally working with the NSA on warrantless wiretaps.

What makes this whole thing especially alarming though, is that by tapping into AT&T, the NSA actually has access to much more than just AT&T customers’ data. Qwest was apparently the only major US telecom company that refused to work with the NSA on this program. So let’s say you’re a Qwest customer. You instant message a friend of yours who, unfortunately, is an AT&T customer. Because of the nature of IP routing, your traffic may very well have been routed through the NSA’s no longer very secret room even though you have no relationship with AT&T at all. According to Wired, ConXion, Verio, XO, Genuity, Qwest, PAIX, Allegiance, AboveNet, Global Crossing, C&W, UUNET, Level 3, Sprint, Telia, PSINet and Mae West were all compromised as a result of the fiber optic splitters that were installed at AT&T. The claim that this is targeted surveillance is growing much harder to believe, though from what I’ve heard, a single Narus STA device would be unable to monitor all traffic through an internet backbone, so in this case we’re probably talking about specific subnets being examined.

By the way, Narus, by their own admission, is a <sarcasm>really delightful company</sarcasm>. They also appear to be the guys who are supplying the equipment that allows telecoms to stomp all over the concept of “net neutrality” and it seems that they’re the ones supplying the Voice Over IP identification and blocking equipment. (They help block VOIP to prevent “revenue leakage” of course.)

  • Don

    “…a single Narus STA device would be unable to monitor all traffic through an internet backbone, so in this case we’re probably talking about specific subnets being examined.”

    Of course, this hinges on the idea that AT&T bought only one STA 6400 for NSA use, and installed it in a single room on the west coast to monitor a single trunk.

    Do you really think they’d stop there?

  • Justin Gardner

    Do you really think they’d stop there?

    Oh…they haven’t.

    The problem is one of security. The way the internet was built did not factor in privacy. That can be both good and bad. Recently, many have been clamoring for building a completely new infrastructure for a more secure, private internet…meaning private for the user to view whatever he or she wishes without others knowing about it. Will it happen? Unlikely.

  • David

    The article is quite breathless, and wrong on a lot of details. Many details which I would expect a source who is ostensibly familiar with backbone operations to get right, aren’t. Getting those details wrong hurts the credibility of the entire piece, in my opinion.

    While it would not surprise me if AT&T were quite annoyed about the publication of those documents, it would surprise me very much if the content of them pointed to anything which can in any way be described as criminal.

    AT&T has a (well-deserved) reputation as a very conservative company compared to other data companies. Their lawyers and policymakers tend to be risk-averse, and that’s why I’d be surprised if anything they did did not have sufficient legal foundation. That doesn’t mean that it’s good PR, and “we read your email” isn’t exactly something which the company would want to put on its promo posters…

  • Bob Aman

    David: My piece was “breathless” or the Wired piece? Not sure which you’re referring to.

    If my piece, please, by all means, elaborate on the inaccuracies. I freely admit that I don’t have an incredible amount of knowledge about backbone operations as I’m more of a software/protocol guy, but I did do several hours of research, and I’m pretty sure my sources were good.

    The Wired piece, however, did get a lot of criticism from the community, so if that’s what you’re referring to, I can believe that, though again, I’d love to hear specifics beyond “wrong on a lot of details.”

    Don: A former employee of Narus explained that the “Semantic Traffic Analyzer” is basically just a Linux or Solaris box that generally just shunts off “interesting” information into an Oracle database. He said that he found the claim that Narus devices could reliably process even a fraction of the data coming through a backbone to be highly dubious despite the fact that they’re supposedly rated for OC-192 in certain circumstances, and suggested that Mark Klein had misidentified the room and that it was actually meant for normal lawful intercept purposes. Since this setup apparently uses an optical splitter, I’m assuming that besides the probable degradation resulting from inserting the splitter into the middle of the fiber, this setup isn’t really going to slow the backbone down, rather it’s just an issue of whether or not it can handle that much information coming through at once.

    On the subject of “risk-aversion,” I think that describes the vast majority of American corporate culture. Nothing unusual there at all. In the corporate world, perceived risk has always been treated like the devil. What I’m concerned about is more that fighting a government request would be seen as a “risk.”