This is a list of key terms that are used in the collection. In many cases they have been gleaned from definitions provided in the leaked documents or from insight provided by the news articles, and in some cases Wikipedia.


  1. Agencies and branches
  2. Security Classification
  3. Distribution
  4. Important Terms and Keywords
  5. Agencies

    • National Security Agency (NSA)

      The US government agency tasked with gathering intelligence for the country's government and military leaders, and preventing foreign adversaries from gaining access to classified national security information.

    • Communications Security Establishment (CSE)

      Communication Security Establishment is Canada's national cryptologic agency. CSE was formally established, by an Order­in­Council, in 1946 as the Communications Branch, National Research Council. In 1975, it was renamed the Communications Security Establishment and moved to the National Defence portfolio.

    • Government Communications Headquarters (GCHQ)

      The UK government's communications­focussed intelligence agency, employing about 5,000 people.

    • Foreign Intelligence Surveillance Court (FISC)

      A Washington­based tribunal that considers government agency requests to carry out surveillance for "foreign intelligence purposes" of suspects operating from within the US's borders.

    • Defence Signals Directorate / Australians Signals Directorate (ASD/DSD)

      An Australian government intelligence agency responsible for signals intelligence and information security, established in 1947.

    • Bundesnachrichtendienst ­ German Foreign Intelligence Service (BND)

      The foreign intelligence agency of Germany, established in 1956.

    • Government Communications Security Bureau (GCSB)

      New Zealand national intelligence service, established in 1977.

    • Five Eye Alliance (5VEY or FVEY)

      The security partnership between the U.S., Canada, UK, Australia and New Zealand intelligence agencies.

    • Special Source Operations (SSO)

      A division of the NSA responsible for overseeing programmes that source their data through "partnerships" with US and overseas-based companies.

    • Tailored Access Operations (TAO)

      A division of the NSA, which the agency says is "centred on computer network exploitation".

    • Covert Network Threats (CNT1)
    • A division of the CSE, Covert Network Threats mission is "to produce intelligence on the capabilities, intentions, and activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad."

    • Army Cryptologic Operations : Operations Division

      US Army Intelligence unit.

    • Network Analysis Centre (NAC)

      A joint network technology research unit with branches in the NSA, CSE, and GCHQ.

    • Joint Threat Research Intelligence Group (JTRIG)

      The Joint Threat Research Intelligence Group is a GCHQ unit focused on cyber forensics, espionage and covert operations.

    • Applied Research

      Research Unit for the GCHQ.

    • Office of SIGINT Development
    • Division of the NSA, with joint partners from within the five eye network, the SIGINT Development produces research and technology for use in signals intelligence.

    • NSA/CSS Europe (NCEUR)

      NCEUR is a division of the NSA with a focus in SIGINT in Europe

    • Special US Liaison Activity Germany (SUSLAG)

      SUSLAG is the NSA liaison to the German intelligence service (BND). It is the parent to the Joint Analysis Center (JAC) and the Joint SIGINT Activity (JSA).

    • Joint Analysis Center (JAC)

      The Joint Analysis Center, in 2005, comprised of five NSA civilian analysts who are integrated into the German intelligence service (BND).

    • Joint SIGINT Activity (JSA)

      The Joint SIGINT Activity is a NSA and BND intelligence partnership, operated from the German SIGINT facility Mangfall Kaserne in Bavaria.

    • Remote Operations Center (ROC)

      In 2006, the NSA announced the opening of a new Remote Operations Center, the "Epicenter for Computer Network Operations." The motto of the ROC is "Your data is our data, your equipment is our equipment – anytime, anyplace, by any legal means."

    • Digital Network Crypt Applications (DNCA)

      DNCA is a division of the NSA.

    • National Counterterrorism Center (NCTC)

      The National Counterterrorism Center (NCTC) is a United States government organization responsible for national and international counterterrorism efforts. Part of the Office of the Director of National Intelligence, the group brings together specialists from other federal agencies, including the NSA, CIA, the FBI, and the Department of Defense.

    • National Information Assurance Research Laboratory (NIARL)

      The National Information Assurance Research Laboratory (NIARL) is "responsible for conducting and sponsoring research in technologies and techniques needed to secure America's future information systems."

    • European Security Center (ESC)/European Security Operations Center (ESOC)

      Under the lead of the NSA, The European Security Center (ESC) is a "fixed site facility that provides provide crisis support to military operations throughout the European Command theater, which includes not only Europe, but also much of Africa and parts of the Middle East." In 2006, the European Security Center (ESC) was transitioned into the European Security Operations Center (ESOC) ­ a NSA lead project to "help build up the Center's capabilities to allow it to assume even greater responsibilities within thew orldwide SIGINT Enterprise."

    • European Cryptologic Center (ECC)

      The European Cryptologic Center (ECC) is a branch of the NSA in Darmstadt, Germany.

    • Cryptanalysis and Exploitation Services is an office of the NSA.
    • European Technical Center (ETC)

      The European Technical Center (ETC) in Wiesbaden, Germany, is NSA's "primary communication hub in that part of the world, providing communication connectivity, SIGINT collection, and data­flow services to NSAers [and partners]." The center was upgraded in 2011.

    • Global Access Operations (GAO) is a division of the NSA responsible for intercepts from satellites and other international SIGINT platforms.

    • Menwith Hill Station (MHS)

      Menwith Hill Station (MHS) "provides communications and intelligence support services to the United Kingdom and the United States of America. The site contains an extensive satellite ground station and is a communications intercept and missile warning site and has been described as the largest electronic monitoring station in the world." The NSA has led US operations at MHS since 1966.

    • Special Collection Service (SCS)

      The Special Collection Service (SCS) is a joint U.S. CIA­/NSA program that enables intelligence collection from highly sensitive places, "such as foreign embassies, communications centers, and foreign government installations." The unit combines the "communications intelligence capabilities of the NSA with the covert action capabilities of the CIA in order to facilitate access to sophisticated foreign communications systems."

    • NSA/CSS Threat Operations Center (NTOC)

      NSA/CSS Threat Operations Center (NTOC) is a division of the NSA with a "blended foreign intelligence (SIGINT) and information assurance mission."

    • Foreign Affairs Directorate (FAD)

      A division of the NSA, the Foreign Affairs Directorate which "acts as liaison with foreign intelligence services, counter­intelligence centers" and the Five Eye partners. The are different offices based on geographic region under FAD.

    Security Classification and Distribution

    All documents that contain classified information have to be marked with codes that detail appropriate control procedures. These are usually presented at the top of the document, and occaisonally at the beginning of each sub-heading and paragraph. They are usually comprised of three elements, separated by double slashes:


    Further information on security classification and distribution codes can be found at

    There are three main classification levels:

    • SECRET

    After the security classification, there is a series of Sensitive Compartmented Information (SCI) codes that further control access to the document. These are usually codewords, the meaning of which is unknown in some cases. There may be around 100-300 SCI compartments, grouped into about two dozen different control systems. Some of the codes that are known include:

    • COMINT / Special Intelligence (SI)

      This control system is for communications intercepts or Signals Intelligence, and contains various sub-control systems and compartments, identified by an abbreviation or codeword. They usually follow the code COMINT or SI with a hyphen. They include:

      • VTK : Very Restricted Knowledge
      • ECI : Exceptionally Controlled Information
      • G : Gamma
      • D : Delta


      This is a "controlled access signals intelligence program" created under presidential authorization after the attacks of September 11th. It includes information related to the President's Surveillance Program (PSP), the Terrorist Surveillance Program (TSP) and bulk telephony and metadata collection by the NSA.

    • ENDSEAL (EL)
    • This control system is reserved for finalized intelligence products. ENDSEAL information is always classified as Special Intelligence (SI). Documents with this classification are intended for dissemination to various consumers within the Intelligence Community.


      This control system is reserved for the products of overhead collection systems, including satellites and reconnaissance aircraft.


      This control system is used for compartments protecting new sources and methdos during research, development and acquisiton done by the National Reconnaissance Office (NRO).


      This control system has been developed for Geospatial Intelligence (GEOINT) produced by the National Reconnaissance Officer (NRO).

    • HUMINT Control System (HCS)

      This control system is for protecting Human Intelligence (HUMINT), which is derived from information collected or provided by human sources.

    • STRAP 1 / STRAP 2 / STRAP 3

      These are code terms for GCHQ documents, STRAP 1 being the lowest level, and STRAP 3 being the highest. No STRAP 3 documents have been published as of yet.

    Distribution Markings

    These codes are used to restrict the dissemination of information to only those with teh appropriate classification level and the need to know the information. They include the following:

    • For Official Use Only : FOUO
    • Originator Controlled : ORCON
    • No Foreign Nationals : NOFORN
    • Foreign Intelligence Surveillance Act : FISA
    • Five Eyes : 5EYE

      This code refers to the security alliance operating between the USA, Britain (GBR), New Zealand (NZA), Canada (CAN) and Australia (AUS)

    The NSA used to use special SIGINT Exchange Designators to refer to different countries. They have been largely replaced by the 'REL TO[...]' marking, which uses a country trigraph codes to indicate the relevant party.

    General Keywords

    The following are keywords that appear in document descriptions:

    • 5Alive : GCHQ metadata database

    • Back-door Access

      The principle that the intelligence agencies can access data held by organizations without having to formally ask them to hand over information through the "front door".


      A GCHQ database that is used for discovering VPNs which communicate data through encrypted tunnels across the internet.

    • Belgacom

      A Belgians telecom provider whose customers include several EU institutions. In September 2013 the firm revealed that its systems had been hacked since at least 2011.

    • BLEAKINQUIRY : Metadata database of potentially exploitable VPNs

    • Boundless Informant

      A tool used by the NSA to analyze the metadata that it holds. It allows analysts to determine what information is currently available about a specific country and whether certain trends can be deduced.

    • Cloud

      The term used to refer to information stored from a service provider's data centers, as opposed to being stored on the user's own computer.

    • Comint

      An abbreviation for Communications Intelligence.

    • Computer Network Exploitation - CNE

      A term used to refer to efforts to exploit data gathered from surveillance targets.

    • Computer Network Attack - CNA

      Operations to manipulate, disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.

    • Computer Network Defense - CND

      Efforts to defend against the CNO of others, especially that directed against U.S. and allied computers and networks.

    • Computer Network Operations - CNO

      CNE, CNA, and CND collectively.

    • Cryptanalytic vulnerability

      A flaw in the design, implementation or system integration of cryptography used in an information security device, or a flaw in the way that a cryptographic information security device is used.

    • Data mining

      The analysis of large stores of information in order to obtain new knowledge.

    • Deep Packet Injection

      The addition of data into an internet stream. The NSA and GCHQ have been alleged to do this in order to send codes to target's computers that causes them to be infected with spyware as part of an operation called QUANTUM.

    • Dial Number Recognition - DNR

      A term used to refer to infomation gathered from telephone taps.

    • Digital Network Intelligence

      A term used to refer to content sent over the internet.

    • Dishfire

      A codename used to refer to a system used by the NSA to processes and store information intercepted from SMS messages.

    • Dropmire

      The name for a surveillance program involving the infection of security-enhanced fax machines based in foreign embassies by the NSA and GCHQ.


      A codename that refers to a global intelligence-gathering network operated on behalf of the Five Eyes Alliance (Australia, Canada, New Zealand, the UK, and the US).

    • Encapsulating Security Payload - ESP

      Provides traffic confidentiality (via encryption) and optionally provides authentication and integrity protection.


      A surveillance program ran by GCHQ that aimed to break various encryption technologies used by Hotmail, Google, Yahoo and Facebook. It is named after the 1642 battle in the English Civil War.

    • EgotisticalGiraffe

      A codename given to a program ran by the NSA's Tailored Access Operations (TAO). This program involves techniques used to undermine the TOR network.

    • ELINT - Electronic Intelligence.

    • Exfiltrate : To extract data through a target's defenses.

    • FASCIA

      An NSA data repository, FASCIA is used to store the location information of mobile devices.


      A PPTP repository.

    • Global Telecom Exploitation - GTE

      A GCHQ unit that collects data from fibre optic cable.

    • Human Intelligence - HUMINT

      The term used for the gathering of information from human sources.

    • Hyperion

      CSEC metadata database.

    • Implant

      A software or hardware subcomponent that is surreptitiously placed in a target environment (CPU, router, etc) to pass selected information back to NSA, where it is processed for analysis.

    • Indigenous (systems and devices)

      Non­-commercial cryptographic information security system or device developed by a SIGINT target.

    • Information Operations (IO)

      Actions taken to affect adversary information and information systems while defending one's own information and information systems.

    • Information security device or system

      A device or system that provides any of the following services for communication or information systems: confidentiality, data integrity, authentication, and authorization.

    • Intrusive Access

      Refers to CNE operations involving remote manipulation, hardware/software modifications, or sensing of environment changes in a computer device or system, and/or occasionally the facilities that house the systems.

    • Internet Protocol Security - IPsec

      Protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

    • JWICS

      Joint Worldwide Intelligence Communications System, operated by Defense Intelligence Agency (DIA) and serving the Department of Defense (DoD) and Intelligence Community (IC).


      CSE's "behaviour­based target discovery project," LEVITATION is an effort to monitor file sharing sites in order to locate extremist training and propaganda materials. This program is capable of monitoring 10­15 million interactions with file sharing sites such as Megaupload, Rapidshare and Sendspace.

    • Signals Intelligence Activity Designator : SIGAD

      The NSA gives a SIGAD code to each one of its surveillance programs. For example, the SIGAD name for PRISM is US-984XN.

    • NIOC

      Navy Information Operations Command Maryland.

    • MARINA : Metadata or "structured data" long-term repository.


      A program administered by GCHQ that collects the internet "cloud" traffic of Yahoo and Google from an interception point on British territory.

    • MYSTIC

      NSA program for monitoring voice call and metadata content.

    • Off­-Net Operations

      Refers to covert or clandestine field activities of personnel carried out in support of CNE activities.


      CSE network intelligence database which makes collected network metadata accessible and can be used as an analytic tool.

    • OTR

      A protocol called Off­-the-­Record (OTR) for encrypting instant messaging in an end­-to-­end encryption process.

    • PINWALE : Long­-term primary content repository for tasked SIGINT collect.

    • Physical subversion

      Subverts with physical access to a device or host facility. Other terms sometimes used to connote physical subversion are close access enabling, exploitation, or operations; off-net enabling, exploitation, or operations; supply­chain enabling, exploitation, or operations; or hardware implant enabling, exploitation, or operations.

    • PRESSUREWAVE : NSA primary content repository.

    • PRISM : Collection directly from the servers of U.S. service providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.


      A general NSA surveillance program code for a host of computer network operations. Programs include diverse operations devised for SIGINT development, such as redirecting communications for surveillance, controlling target's computer, denial of access attacks, and file upload/download disruption. Sub­programs include QUANTUMTHEORY, QUANTUMBOT, QUANTUMCOPPER among others.

    • Remote subversion

      Subverts without physical access to a device or host facility; obtains unauthorized permission. Other terms sometimes used to connote remote subversion are computer network exploitation; endpoint access, exploitation, or operations; on­net access, exploitation, or operations; software implant access, exploitation, or operations; or accessing or exploiting data at rest.

    • Re­-purposing

      An intelligence innovation technique that utilizes captured foreign CNE components (implants, exploits, etc) to shorten the development cycle of new CNE tools.

    • Signals Intelligence - SIGINT

      The term used for the gathering of information from electronic signals and systems, whether created by humans or machines.

    • Signals Intelligence Activity Designator - SIGAD

      The NSA gives a SIGAD code to each one of its surveillance programs. For example, the SIGAD name for PRISM is US­984XN.

    • SRI : Signals related Information.

    • Supply Chain Operations

      Interdiction activities that focus on modifying equipment in a target's supply chain.

    • Telecom data intelligence (TDI),is the ability of a telecommunications company (mobile operator and/or fixed line carrier), to extract detailed customer­profiling data from the data that is generated in the network combined with the data that is collected directly from the customers.

    • TOYGRIPPE : VPN metadata repository

    • Transport Layer Security (TLS) / Secure Sockets Layer (SSL)

      Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over a computer network. Widely used on the internet to provide secure web browsing, webmail, instant messaging, electronic commerce, etc.

    • Victim stealing

      An intelligence technique which exploits weaknesses in foreign CNE implants to gain access to victims and either take control of the foreign implant or replace it with our own.

    • UPSTREAM : Collection of communications on fiber cable and infrastructure as data flows past.

    • UTT : Unified Targeting Tool

    • VULCANDEATHGRIP - Repository for tasked, full-take VPN collection.

    • VPN : Virtual Private Network.


      Processes and databases digital network intelligence collected from various field sites, targeted and non­targeted. Developed by the NSA and shared among the Five Eyes.