(Updated: January 3, 2014)
A http://nandncomputers.blogspot.com /2013/11/screenshots-from-boundlessinformant-can.html">previous article on this website showed that the charts in the NSA's BOUNDLESSINFORMANT tool are not so easy to interpret as it may seem. Screenshots from this tool were published by a number of European newspapers saying that they are proving that NSA is intercepting phonecalls from these countries. This article will show and examine a new image which literally provides context to these screenshots.
In a less known follow-up article from November 4 on the website of the spanish paper El Mundo there are four slides from a powerpoint presentation about BOUNDLESSINFORMANT. Three of the slides were published earlier, but the fourth one was never shown before. This new slide shows a screenshot of an Internet Explorer browser window with the BOUNDLESSINFORMANT tool in it:
For the first time, this screenshot reveals what the actual BOUNDLESSINFORMANT interface looks like. It shows that the bar charts and the details below it, as published by the newspapers, appear in a pop-up window above the world map of the global overview.
The global overview window
The presentation slide shows that the main screen of this tool is the global overview, which was initially published by The Guardian in June and later by some other media too. Here's a high resolution version of this screen (click for a bigger version):
On the left side we see the overall numbers for DNI (internet), DNR (telephony), SIGADs, Case Notations and Processing Systems for the last 30 days. This time period can be changed, probably by using the slide button underneath this list, next to the dark grey box. It seems that 30 days is its maximum. In the slide screenshot this time period is 7 days, which can be seen in the pop-up window and explains the smaller numbers in the list at the left side of the map.
The lower part of the screen shows a Top 5 of countries and their total numbers of DNI and DNR records. These total amounts of data can be sorted in three different ways: Aggregate, DNI and DNR, which can be selected with the radio buttons above the map. Each option results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map. These three versions were published by the USAn paper The Hindu last September.
Next to these radio buttons is a search box with a button named "Country View", which is maybe for entering a country name. Finally, there are two buttons in the upper right corner to switch between the two main viewing modes of this tool:
- The Map View, which "allows users to select a country on a map and view the metadata volume and select details about the collection against that country".
- The Org View, which "allows users to view high level metrics by organization [NSA divisions] and then drill down to a more actionable level - down to the program and cover term".
The Map View pop-up window
In the Map View, users can click on a country from the world map and then a pop-up window appears. According to the BOUNDLESSINFORMANT FAQ paper this window shows "the collection posture (record counts, type of collection, and contributing SIGADS or sites) against that particular country in addition to providing a graphical display of record count trends". These elements are in the screenshot of this window:
Unfortunately the resolution of the slide is too low to make everything readably, but still we can see that in this screen there's a lot more than in the images which were published by the various newspapers. For comparison, here's the screenshot that was shown in Norwegian media (click for a bigger version):
Comparing these two screenshots reveal that the images shown in the papers are just a part of the actual pop-up window. We recognize the four sections with the different charts, but there are also some minor differences. The slightly different layout may have been caused by the different time period: 30 days gives in a much wider bar chart than 7 days.
Apart from that, we see that in the screenshots from the newspapers the whole frame is missing. The example from the presentation has "SIGAD" with a symbol next to it in the upper left corner, but we don't know if that's standard, or that it indicates a specific view mode.
Below this are a search box and a scroll box with a relatively long list of options - unfortunately impossible to read, but it's not a list of SIGADs. The display section has two tabs, the active one white, the other one black, indicating that there are apparently two main options for presenting the information.
Left of the bar chart there's a section that could be titled "Active Summary" and seems to contain symbols and headers very similar to those below the bar chart. Probably one can select different kinds of details about the data collection to be shown. The images from the papers have "Top 5 Techs" in the lower section at the right side, but in the pop-up example something different is shown, ineligble again.
Another small difference is in the "Signal Profile" section: the pop-up screen shows four different types of communication systems (maybe DNI, DNR and two others), but the screenshots from the papers have seven. As the presentation is from July 2012 and the images in the papers are from early 2013, maybe during that period more options were added to the tool.
Screenshot from a Brazilian television report, showing some files opened in a TrueCrypt window on the laptop of Glenn Greenwald. In the upper left corner we see an unpublished screenshot from BOUNDLESSINFORMANT with three bar chart sections, apparently about Computer
Network Exploitation (CNE), which is computer hacking by the TAO division
(click to enlarge)
All this shows that in the Map View alone there are more options to select than just clicking a country and getting one standard overview of NSA's collection against that country - that's how Glenn Greenwald and the newspapers brought it.
The fact that there are more ways to select and present the information already became clear by analysing the screenshots published by the papers. For at least five countries (France, Spain, Norway, Afghanistan and Italy) the charts only show one technique, DRTBOX.
If NSA really spies on these countries, it's unlikely they use only one system and collect only telephone (meta)data. Therefore, it seems more as if in this case DRTBOX was used as the primary selector, resulting in charts showing how many data this system processed from different SIGADs and different countries.
A more complete overview of data collection against a country is given by the screenshot for Germany, which shows multiple systems collecting both internet and telephone data. Also interesting to see is that there are not only such charts about countries, but also about collection programs like WINDSTOP (which could be from the 'Org View' mode).
Now that we have a picture of the complete BOUNDLESSINFORMANT interface, we've seen that this tool has many options to present information about NSA's (meta)data collection.
The screenshots published in various European newspapers were cut out from their original pop-up windows, which makes that we are missing their context. We can't see what options there were and which selections were made to present the information as we see it.
We don't know who cut out the charts: was it Edward Snowden, or someone else at NSA (for preparing a presentation), or was it Glenn Greenwald? These questions are of some importance, because these screenshots are used as evidence for rather grave accusations.
Until now, neither Glenn Greenwald, nor editors of some of the involved newspapers were willing to answer any questions about the origins of these screenshots. Instead, Greenwald still sticks to his own initial interpretation and lets papers publish that over and over.
Links and Sources
- The Guardian: BOUNDLESSINFORMANT - Frequently Asked Questions
- Wikipedia: Boundless Informant