This is a list of key terms that are used in the collection. In many cases they have been gleaned from definitions provided in the leaked documents or from insight provided by the news articles, and in some cases Wikipedia.
The US government agency tasked with gathering intelligence for the country's government and military leaders, and preventing foreign adversaries from gaining access to classified national security information.
Communications Security Establishment is Canada's national cryptologic agency. CSE was formally established, by an Order-in-Council, in 1946 as the Communications Branch, National Research Council. In 1975, it was renamed the Communications Security Establishment and moved to the National Defence portfolio.
The UK government's communications-focussed intelligence agency, employing about 5,000 people.
A Washington-based tribunal that considers government agency requests to carry out surveillance for "foreign intelligence purposes" of suspects operating from within the US's borders.
An Australian government intelligence agency responsible for signals intelligence and information security, established in 1947.
The foreign intelligence agency of Germany, established in 1956.
New Zealand national intelligence service, established in 1977.
The security partnership between the U.S., Canada, UK, Australia and New Zealand intelligence agencies.
A division of the NSA responsible for overseeing programmes that source their data through "partnerships" with US and overseas-based companies.
A division of the NSA, which the agency says is "centred on computer network exploitation".
A division of the CSE. Covert Network Threats' mission is "to produce intelligence on the capabilities, intentions, and activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad."
US Army Intelligence unit.
A joint network technology research unit with branches in the NSA, CSE, and GCHQ.
The Joint Threat Research Intelligence Group is a GCHQ unit focused on cyber forensics, espionage and covert operations.
Research Unit for the GCHQ.
A division of the NSA with joint partners from within the Five Eyes network, SIGINT Development produces research and technology for use in signals intelligence.
NCEUR is a division of the NSA with a focus on SIGINT in Europe.
SUSLAG is the NSA liaison to the German intelligence service (BND). It is the parent to the Joint Analysis Center (JAC) and the Joint SIGINT Activity (JSA).
In 2005, the Joint Analysis Center comprised five NSA civilian analysts who are integrated into the German intelligence service (BND).
The Joint SIGINT Activity is an NSA and BND intelligence partnership, operated from the German SIGINT facility Mangfall Kaserne in Bavaria.
In 2006, the NSA announced the opening of a new Remote Operations Center, the "Epicenter for Computer Network Operations." The motto of the ROC is "Your data is our data, your equipment is our equipment – anytime, anyplace, by any legal means."
DNCA is a division of the NSA.
The National Counterterrorism Center (NCTC) is a United States government organization responsible for national and international counterterrorism efforts. Part of the Office of the Director of National Intelligence, the group brings together specialists from other federal agencies, including the NSA, CIA, the FBI, and the Department of Defense.
The National Information Assurance Research Laboratory (NIARL) is "responsible for conducting and sponsoring research in technologies and techniques needed to secure America's future information systems."
Under the lead of the NSA, the European Security Center (ESC) is a "fixed site facility that provides crisis support to military operations throughout the European Command theater, which includes not only Europe, but also much of Africa and parts of the Middle East." In 2006, the European Security Center (ESC) was transitioned into the European Security Operations Center (ESOC), an NSA-led project to "help build up the Center's capabilities to allow it to assume even greater responsibilities within the worldwide SIGINT Enterprise."
The European Cryptologic Center (ECC) is a branch of the NSA in Darmstadt, Germany.
The European Technical Center (ETC) in Wiesbaden, Germany, is NSA's "primary communication hub in that part of the world, providing communication connectivity, SIGINT collection, and dataflow services to NSAers [and partners]." The center was upgraded in 2011.
Menwith Hill Station (MHS) "provides communications and intelligence support services to the United Kingdom and the United States of America. The site contains an extensive satellite ground station and is a communications intercept and missile warning site and has been described as the largest electronic monitoring station in the world." The NSA has led US operations at MHS since 1966.
The Special Collection Service (SCS) is a joint U.S. CIA/NSA program that enables intelligence collection from highly sensitive places, "such as foreign embassies, communications centers, and foreign government installations." The unit combines the "communications intelligence capabilities of the NSA with the covert action capabilities of the CIA in order to facilitate access to sophisticated foreign communications systems."
NSA/CSS Threat Operations Center (NTOC) is a division of the NSA with a "blended foreign intelligence (SIGINT) and information assurance mission."
A division of the NSA, the Foreign Affairs Directorate (FAD) "acts as liaison with foreign intelligence services, counterintelligence centers" and the Five Eyes partners. There are different offices under FAD based on geographic region.
All documents that contain classified information have to be marked with codes that detail appropriate control procedures. These are usually presented at the top of the document, and occasionally at the beginning of each sub-heading and paragraph. They usually comprise three elements, separated by double slashes:
CLASSIFICATION LEVEL // SCI OR SAP COMPARTMENT // DISTRIBUTION MARKING
Further information on security classification and distribution codes can be found at Electrospaces.net
There are three main classification levels:
After the security classification, there is a series of Sensitive Compartmented Information (SCI) codes that further control access to the document. These are usually codewords, the meaning of which is unknown in some cases. There may be around 100-300 SCI compartments, grouped into about two dozen different control systems. Some of the codes that are known include:
This control system is for communications intercepts or Signals Intelligence, and contains various sub-control systems and compartments, identified by an abbreviation or codeword. They usually follow the code COMINT or SI with a hyphen. They include:
This is a "controlled access signals intelligence program" created under presidential authorization after the attacks of September 11th. It includes information related to the President's Surveillance Program (PSP), the Terrorist Surveillance Program (TSP) and bulk telephony and metadata collection by the NSA.
This control system is reserved for finalized intelligence products. ENDSEAL information is always classified as Special Intelligence (SI). Documents with this classification are intended for dissemination to various consumers within the Intelligence Community.
This control system is reserved for the products of overhead collection systems, including satellites and reconnaissance aircraft.
This control system is used for compartments protecting new sources and methods during research, development and acquisition done by the National Reconnaissance Office (NRO).
This control system has been developed for Geospatial Intelligence (GEOINT) produced by the National Reconnaissance Office (NRO).
This control system is for protecting Human Intelligence (HUMINT), which is derived from information collected or provided by human sources.
These are code terms for GCHQ documents, STRAP 1 being the lowest level, and STRAP 3 being the highest. No STRAP 3 documents have been published as of yet.
These codes are used to restrict the dissemination of information to only those with the appropriate classification level and the need to know the information. They include the following:
This code refers to the security alliance operating between the USA, Britain (GBR), New Zealand (NZA), Canada (CAN) and Australia (AUS).
The NSA used to use special SIGINT Exchange Designators to refer to different countries. They have been largely replaced by the 'REL TO[...]' marking, which uses country trigraph codes to indicate the relevant party.
The following are keywords that appear in document descriptions:
The principle that the intelligence agencies can access data held by organizations without having to formally ask them to hand over information through the "front door".
A GCHQ database that is used for discovering VPNs which communicate data through encrypted tunnels across the internet.
A Belgian telecom provider whose customers include several EU institutions. In September 2013 the firm revealed that its systems had been hacked since at least 2011.
A tool used by the NSA to analyze the metadata that it holds. It allows analysts to determine what information is currently available about a specific country and whether certain trends can be deduced.
The term used to refer to information stored from a service provider's data centers, as opposed to being stored on the user's own computer.
An abbreviation for Communications Intelligence.
A term used to refer to efforts to exploit data gathered from surveillance targets.
Operations to manipulate, disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.
Efforts to defend against the CNO of others, especially that directed against U.S. and allied computers and networks.
CNE, CNA, and CND collectively.
A flaw in the design, implementation or system integration of cryptography used in an information security device, or a flaw in the way that a cryptographic information security device is used.
The analysis of large stores of information in order to obtain new knowledge.
The addition of data into an internet stream. The NSA and GCHQ have been alleged to do this in order to send codes to targets' computers that cause them to be infected with spyware as part of an operation called QUANTUM.
A term used to refer to information gathered from telephone taps.
A term used to refer to content sent over the internet.
A codename used to refer to a system used by the NSA to process and store information intercepted from SMS messages.
The name for a surveillance program involving the infection of security-enhanced fax machines based in foreign embassies by the NSA and GCHQ.
A codename that refers to a global intelligence-gathering network operated on behalf of the Five Eyes Alliance (Australia, Canada, New Zealand, the UK, and the US).
Provides traffic confidentiality (via encryption) and optionally provides authentication and integrity protection.
A surveillance program run by GCHQ that aimed to break various encryption technologies used by Hotmail, Google, Yahoo and Facebook. It is named after the 1642 battle in the English Civil War.
A codename given to a program run by the NSA's Tailored Access Operations (TAO). This program involves techniques used to undermine the TOR network.
An NSA data repository, FASCIA is used to store the location information of mobile devices.
A PPTP repository.
A GCHQ unit that collects data from fibre optic cable.
The term used for the gathering of information from human sources.
CSEC metadata database.
A software or hardware subcomponent that is surreptitiously placed in a target environment (CPU, router, etc) to pass selected information back to NSA, where it is processed for analysis.
Non-commercial cryptographic information security system or device developed by a SIGINT target.
Actions taken to affect adversary information and information systems while defending one's own information and information systems.
A device or system that provides any of the following services for communication or information systems: confidentiality, data integrity, authentication, and authorization.
Refers to CNE operations involving remote manipulation, hardware/software modifications, or sensing of environment changes in a computer device or system, and/or occasionally the facilities that house the systems.
Protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
Joint Worldwide Intelligence Communications System, operated by Defense Intelligence Agency (DIA) and serving the Department of Defense (DoD) and Intelligence Community (IC).
CSE's "behaviour-based target discovery project," LEVITATION is an effort to monitor file sharing sites in order to locate extremist training and propaganda materials. This program is capable of monitoring 10-15 million interactions with file sharing sites such as Megaupload, Rapidshare and Sendspace.
The NSA gives a SIGAD code to each one of its surveillance programs. For example, the SIGAD name for PRISM is US-984XN.
Navy Information Operations Command Maryland.
A program administered by GCHQ that collects the internet "cloud" traffic of Yahoo and Google from an interception point on British territory.
NSA program for monitoring voice call and metadata content.
Refers to covert or clandestine field activities of personnel carried out in support of CNE activities.
CSE network intelligence database which makes collected network metadata accessible and can be used as an analytic tool.
A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process.
Subverts with physical access to a device or host facility. Other terms sometimes used to connote physical subversion are close access enabling, exploitation, or operations; off-net enabling, exploitation, or operations; supply-chain enabling, exploitation, or operations; or hardware implant enabling, exploitation, or operations.
A general NSA surveillance program code for a host of computer network operations. Programs include diverse operations devised for SIGINT development, such as redirecting communications for surveillance, controlling a target's computer, denial of access attacks, and file upload/download disruption. Subprograms include QUANTUMTHEORY, QUANTUMBOT, QUANTUMCOPPER among others.
Subverts without physical access to a device or host facility; obtains unauthorized permission. Other terms sometimes used to connote remote subversion are computer network exploitation; endpoint access, exploitation, or operations; on-net access, exploitation, or operations; software implant access, exploitation, or operations; or accessing or exploiting data at rest.
An intelligence innovation technique that utilizes captured foreign CNE components (implants, exploits, etc) to shorten the development cycle of new CNE tools.
The term used for the gathering of information from electronic signals and systems, whether created by humans or machines.
The NSA gives a SIGAD code to each one of its surveillance programs. For example, the SIGAD name for PRISM is US-984XN.
Interdiction activities that focus on modifying equipment in a target's supply chain.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over a computer network. Widely used on the internet to provide secure web browsing, webmail, instant messaging, electronic commerce, etc.
An intelligence technique which exploits weaknesses in foreign CNE implants to gain access to victims and either take control of the foreign implant or replace it with our own.
Processes and databases digital network intelligence collected from various field sites, targeted and non-targeted. Developed by the NSA and shared among the Five Eyes.