The NSAs Hidden Spy Hubs in Eight U.S. Cities

The secrets are hidden behind fortified walls in cities across the United States, inside towering, windowless skyscrapers and fortress-like concrete structures that were built to withstand earthquakes and even nuclear attack. Thousands of people pass by the buildings each day and rarely give them a second glance, because their function is not publicly known. They are an integral part of one of the worlds largest telecommunications networks and they are also linked to a controversial National Security Agency surveillance program.

Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C. In each of these cities, The Intercept has identified an AT&T facility containing networking equipment that transports large quantities of internet traffic across the United States and the world. A body of evidence including classified NSA documents, public records, and interviews with several former AT&T employees indicates that the buildings are central to an NSA spying initiative that has for years monitored billions of emails, phone calls, and online chats passing across U.S. territory.

The NSA considers AT&T to be one of its most trusted partners and has lauded the companys extreme willingness to help. It is a collaboration that dates back decades. Little known, however, is that its scope is not restricted to AT&Ts customers. According to the NSAs documents, it values AT&T not only because it has access to information that transits the nation, but also because it maintains unique relationships with other phone and internet providers. The NSA exploits these relationships for surveillance purposes, commandeering AT&Ts massive infrastructure and using it as a platform to covertly tap into communications processed by other companies.

Much has previously been reported about the NSAs surveillance programs. But few details have been disclosed about the physical infrastructure that enables the spying. Last year, The Intercept highlighted a likely NSA facility in New York Citys Lower Manhattan. Now, we are revealing for the first time a series of other buildings across the U.S. that appear to serve a similar function, as critical parts of one of the worlds most powerful electronic eavesdropping systems, hidden in plain sight.

Its eye-opening and ominous the extent to which this is happening right here on American soil, said Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. It puts a face on surveillance that we could never think of before in terms of actual buildings and actual facilities in our own cities, in our own backyards.

There are hundreds of AT&T-owned properties scattered across the U.S. The eight identified by The Intercept serve a specific function, processing AT&T customers data and also carrying large quantities of data from other internet providers. They are known as backbone and peering facilities.

While network operators would usually prefer to send data through their own networks, often a more direct and cost-efficient path is provided by other providers infrastructure. If one network in a specific area of the country is overloaded with data traffic, another operator with capacity to spare can sell or exchange bandwidth, reducing the strain on the congested region. This exchange of traffic is called peering and is an essential feature of the internet.

Because of AT&Ts position as one of the U.S.s leading telecommunications companies, it has a large network that is frequently used by other providers to transport their customers data. Companies that peer with AT&T include the American telecommunications giants Sprint, Cogent Communications, and Level 3, as well as foreign companies such as Swedens Telia, Indias Tata Communications, Italys Telecom Italia, and Germanys Deutsche Telekom.

AT&T currently boasts 19,500 points of presence in 149 countries where internet traffic is exchanged. But only eight of the companys facilities in the U.S. offer direct access to its common backbone key data routes that carry vast amounts of emails, internet chats, social media updates, and internet browsing sessions. These eight locations are among the most important in AT&Ts global network. They are also highly valued by the NSA, documents indicate.

The data exchange between AT&T and other networks initially takes place outside AT&Ts control, sources said, at third-party data centers that are owned and operated by companies such as Californias Equinix. But the data is then routed in whole or in part through the eight AT&T buildings, where the NSA taps into it. By monitoring what it calls the peering circuits at the eight sites, the spy agency can collect not only AT&Ts data, they get all the data thats interchanged between AT&Ts network and other companies, according to Mark Klein, a former AT&T technician who worked with the company for 22 years. It is an efficient point to conduct internet surveillance, Klein said, because the peering links, by the nature of the connections, are liable to carry everybodys traffic at one point or another during the day, or the week, or the year.

Christopher Augustine, a spokesperson for the NSA, said in a statement that the agency could neither confirm nor deny its role in alleged classified intelligence activities. Augustine declined to answer questions about the AT&T facilities, but said that the NSA conducts its foreign signals intelligence mission under the legal authorities established by Congress and is bound by both policy and law to protect U.S. persons privacy and civil liberties.

Jim Greer, an AT&T spokesperson, said that AT&T was required by law to provide information to government and law enforcement entities by complying with court orders, subpoenas, lawful discovery requests, and other legal requirements. He added that the company provides voluntary assistance to law enforcement when a persons life is in danger and in other immediate, emergency situations. In all cases, we ensure that requests for assistance are valid and that we act in compliance with the law.

Dave Schaeffer, CEO of Cogent Communications, told The Intercept that he had no knowledge of the surveillance at the eight AT&T buildings, but said he believed the core premise that the NSA or some other agency would like to look at traffic at an AT&T facility. He said he suspected that the surveillance is likely carried out on a limited basis, due to technical and cost constraints. If the NSA were trying to ubiquitously monitor data passing across AT&Ts networks, Schaeffer added, he would be extremely concerned.

Sprint, Telia, Tata Communications, Telecom Italia, and Deutsche Telekom did not respond to requests for comment. CenturyLink, which owns Level 3, said it would not discuss matters of national security.

The maps The Intercept used to identify the internet surveillance hubs.

Maps: NSA/AT&T

The eight locations are featured on a top-secret NSA map, which depicts U.S. facilities that the agency relies upon for one of its largest surveillance programs, code-named FAIRVIEW. AT&T is the only company involved in FAIRVIEW, which was first established in 1985, according to NSA documents, and involves tapping into international telecommunications cables, routers, and switches.

In 2003, the NSA launched new internet mass surveillance methods, which were pioneered under the FAIRVIEW program. The methods were used by the agency to collect within a few months some 400 billion records about peoples internet communications and activity, the New York Times previously reported. FAIRVIEW was also forwarding more than 1 million emails every day to a keyword selection system at the NSAs Fort Meade headquarters.

Central to the internet spying are eight peering link router complex sites, which are pinpointed on the top-secret NSA map. The locations of the sites mirror maps of AT&Ts networks, obtained by The Intercept from public records, which show backbone node with peering facilities in Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C.

One of the AT&T maps contains unique codes individually identifying the addresses of the facilities in each of the cities.

Among the pinpointed buildings, there is a nuclear blast-resistant, windowless facility in New York Citys Hells Kitchen neighborhood; in Washington, D.C., a fortress-like, concrete structure less than half a mile south of the U.S. Capitol; in Chicago, an earthquake-resistant skyscraper in the West Loop Gate area; in Atlanta, a 429-foot art deco structure in the heart of the citys downtown district; and in Dallas, a cube-like building with narrow windows and large vents on its exterior, located in the Old East district.

Elsewhere, on the west coast of the U.S., there are three more facilities: in downtown Los Angeles, a striking concrete tower near the Walt Disney Concert Hall and the Staples Center, two blocks from the most important internet exchange in the region; in Seattle, a 15-story building with blacked-out windows and reinforced concrete foundations, near the citys waterfront; and in San Franciscos South of Market neighborhood, a building where it was previously claimed that the NSA was monitoring internet traffic from a secure room on the sixth floor.

The peering sites otherwise known in AT&T parlance as Service Node Routing Complexes, or SNRCs were developed following the internet boom in the mid- to late 1990s. By March 2009, the NSAs documents say it was tapping into peering circuits at the eight SNRCs.

The facilities purpose was to bolster AT&Ts network, improving its reliability and enabling future growth. They were developed under the leadership of an Iranian-American innovator and engineer named Hossein Eslambolchi, who was formerly AT&Ts chief technology officer and president of AT&T Labs, a division of the company that focuses on research and development.

Eslambolchi told The Intercept that the project to set up the facilities began after AT&T asked him to help create the largest internet protocol network in the world. He obliged and began implementing his network design by placing large Cisco routers inside former AT&T phone switching facilities across the U.S. When planning the project, he said he divided AT&Ts network into different regions, and in every quadrant I will have what I will call an SNRC.

During his employment with AT&T, Eslambolchi said he had to take a polygraph test, and he obtained a government security clearance. I was involved in very, very top, heavy-duty projects for a few of these three-letter agencies, he said, in an apparent reference to U.S. intelligence agencies. They all loved me.

He would not confirm or deny the exact locations of the eight peering sites identified by The Intercept or discuss the classified work he carried out while with the company. You put a gun to my head, he said, Im not going to tell you.

Other former AT&T employees, however, were more forthcoming.

A former senior member of AT&Ts technical staff, who spoke on condition of anonymity due to the sensitivity of the subject, confirmed with 100 percent certainty the locations of six of the eight peering facilities identified by The Intercept. The source, citing direct knowledge of the facilities and their function, verified the addresses of the buildings in Atlanta, Dallas, Los Angeles, New York City, Seattle, and Washington, D.C.

A second former AT&T employee confirmed the locations of the remaining two sites, in Chicago and San Francisco. I worked with all of them, said Philip Long, who was employed by AT&T for more than two decades as a technician servicing its networks. Longs work with AT&T was carried out mostly in California, but he said his job required him to be in contact with the companys other facilities across the U.S. In about 2005, Long recalled, he received orders to move every internet backbone circuit I had in northern California through the San Francisco AT&T building identified by The Intercept as one of the eight NSA spy hubs. Long said that, at the time, he felt suspicious of the changes, because they were unusual and unnecessary. We thought we were routing our circuits so that they could grab all the data, he said. We thought it was the government listening. He retired from his job with AT&T in 2014.

A third former AT&T employee reviewed The Intercepts research and said he believed it accurately identified all eight of the facilities. The site data certainly seems correct, said Thomas Saunders, who worked as a data networking consultant for AT&T in New York City between 1995 and 2004. Those nodes arent going to move.

Photo: Henrik Moltke

The NSA calls this predicament home field advantage a kind of geographic good fortune. A targets phone call, email, or chat will take the cheapest path, not the physically most direct path, one agency document explains. Your targets communications could easily be flowing into and through the U.S.

Once the internet traffic arrives on U.S. soil, it is processed by American companies. And that is why, for the NSA, AT&T is so indispensable. The company claims it has one of the worlds most powerful networks, the largest of its kind in the U.S. AT&T routinely handles masses of emails, phone calls, and internet chats. As of March 2018, some 197 petabytes of data the equivalent of more than 49 trillion pages of text, or 60 billion average-sized mp3 files traveled across its networks every business day.

The NSA documents, which come from the trove provided to The Intercept by the whistleblower Edward Snowden, describe AT&T as having been aggressively involved in aiding the agencys surveillance programs. One example of this appears to have taken place at the eight facilities under a classified initiative called SAGUARO.

As part of SAGUARO, AT&T developed a strategy to help the NSA electronically eavesdrop on internet data from the peering circuits at the eight sites, which were said to connect to the common backbone, major data routes carrying internet traffic.

The company worked with the NSA to rank communications flowing through its networks on the basis of intelligence value, prioritizing data depending on which country it was derived from, according to a top-secret agency document.

Graphic: NSA

NSA diagrams reveal that after it collects data from AT&Ts access links and peering partners, it is sent to a centralized processing facility code-named PINECONE, located somewhere in New Jersey. Inside the PINECONE facility, there is a secure space in which there is both NSA-controlled and AT&T-controlled equipment. Internet traffic passes through an AT&T distribution box to two NSA systems. From there, the data is then transferred about 200 miles southwest to its final destination: NSA headquarters at Fort Meade in Maryland.

At the Maryland compound, the communications collected from AT&Ts networks are integrated into powerful systems called MAINWAY and MARINA, which the NSA uses to analyze metadata such as the to and from parts of emails, and the times and dates they were sent. The communications obtained from AT&T are also made accessible through a tool named XKEYSCORE, which NSA employees use to search through the full contents of emails, instant messenger chats, web-browsing histories, webcam photos, information about downloads from online services, and Skype sessions.

Top left / right: Mike Osborne. Bottom left: Henrik Moltke. Bottom right: Frank Heath.

The NSAs primary mission is to gather foreign intelligence. The agency has broad legal powers to monitor emails, phone calls, and other forms of correspondence as they are being transported across the U.S., and it can compel companies such as AT&T to install surveillance equipment within their networks.

Under a Ronald Reagan-era presidential directive Executive Order 12333 the NSA has what it calls transit authority, which it says enables it to eavesdrop on communications which originate and terminate in foreign countries, but traverse U.S. territory. That could include, for example, an email sent by a person in France to a person in Mexico, which on its way to its destination was routed through a server in California. According to the NSAs documents, it was using AT&Ts networks as of March 2013 to gather some 60 million foreign-to-foreign emails every day, 1.8 billion per month.

Without an individualized court order, it is illegal for the NSA to spy on communications that are wholly domestic, such as emails sent back and forth between two Americans living in Texas. However, in the aftermath of the 9/11 attacks, the agency began eavesdropping on Americans international calls and emails that were passing between the U.S. and other countries. That practice was exposed by the New York Times in 2005 and triggered what became known as the warrantless wiretapping scandal.

Critics argued that the surveillance of Americans international communications was illegal, because the NSA had carried it out without obtaining warrants from a judge and had instead acted on the orders of President George W. Bush. In 2008, Congress weighed into the dispute and controversially authorized elements of the warrantless wiretapping program by enacting Section 702 of the Foreign Intelligence and Surveillance Act, or FISA. The new law allowed the NSA to continue sweeping up Americans international communications without a warrant, so long as it did so incidentally while it was targeting foreigners overseas for instance, if it was monitoring people in Pakistan, and they were talking with Americans in the U.S. by phone, email, or through an internet chat service.

Within AT&Ts networks, there is filtering equipment designed to separate foreign and domestic internet data before it is passed to the NSA, the agencys documents show. Filtering technology is often used by internet providers for security reasons, enabling them to keep tabs on problems with their networks, block out spam, or monitor hacking attacks. But the same tools can be used for government surveillance.

You can essentially trick the routers into redirecting a small subset of traffic you really care about, which you can monitor in more detail, said Jennifer Rexford, a computer scientist who worked for AT&T Labs between 1996 and 2005.

According to the NSAs documents, it programs its surveillance systems to focus on particular IP addresses a set of numbers that identify a computer associated with foreign countries. A classified 2012 memo describes the agencys efforts to use IP addresses to home in on internet data passing between the U.S. and particular regions of interest, including Iran, Afghanistan, Israel, Nigeria, Pakistan, Yemen, Sudan, Tunisia, Libya, and Egypt. But this process is not an exact science, as people can use privacy or anonymity tools to change or spoof their IP addresses. A person in Israel could use privacy software to masquerade as if they were accessing the internet in the U.S. Likewise, an internet user in the U.S. could make it appear as if they were online in Israel. It is unclear how effective the NSAs systems are at detecting such anomalies.

In October 2011, the Foreign Intelligence Surveillance Court, which approves the surveillance operations carried out under Section 702 of FISA, found that there were technological limitations with the agencys internet eavesdropping equipment. It was generally incapable of distinguishing between some kinds of data, the court stated. As a consequence, Judge John D. Bates ruled, the NSA had been intercepting the communications of non-target United States persons and persons in the United States, violating Fourth Amendment protections against unreasonable searches and seizures. The ruling, which was declassified in August 2013, concluded that the agency had acquired some 13 million internet transactions during one six-month period, and had unlawfully gathered tens of thousands of wholly domestic communications each year.

The root of the issue was that the NSAs technology was not only targeting communications sent to and from specific surveillance targets. Instead, the agency was sweeping up peoples emails if they had merely mentioned particular information about surveillance targets.

A top-secret NSA memo about the courts ruling, which has not been disclosed before, explained that the agency was collecting peoples messages en masse if a single one were found to contain a selector like an email address or phone number that featured on a target list.

One example of this is when a user of a webmail service accesses her inbox; if the inbox contains one email message that contains an NSA tasked selector, NSA will acquire a copy of the entire inbox, not just the individual email message that contains the tasked selector, the memo stated.

The courts ruling left the agency with two options: shut down the spying based on mentions of targets completely, or ensure that protections were put in place to stop the unlawfully collected communications from being reviewed. The NSA chose the latter option, and created a cautionary banner that warned its analysts not to read particular messages unless they could confirm that they had been lawfully obtained.

But the cautionary banner did not solve the problem. The NSAs analysts continued to access the same data repositories to search, unlawfully, for information on Americans. In April 2017, the agency publicly acknowledged these violations, which it described as inadvertent compliance incidents. It said that it would no longer use surveillance programs authorized under Section 702 of FISA to harvest messages that mentioned its targets, citing technological constraints, United States person privacy interests, and certain difficulties in implementation.

The messages that the NSA had unlawfully collected were swept up using a method of surveillance known as upstream, which the agency still deploys for other surveillance programs authorized under both Section 702 of FISA and Executive Order 12333. The upstream method involves tapping into communications as they are passing across internet networks precisely the kind of electronic eavesdropping that appears to have taken place at the eight locations identified by The Intercept.

Photo: Frank Heath

Photo: Frank Heath

The Atlanta facility is likely of strategic importance for the NSA. The site is the closest major AT&T internet routing center to Miami, according to the NSA and AT&T maps. From undersea cables that come aground at Miami, huge flows of data pass between the U.S. and South America. It is probable that much of that data is routed through the Atlanta facility as it is being sent to and from the U.S. In recent years, the NSA has extensively targeted several Latin American countries such as Mexico, Brazil, and Venezuela for surveillance.

Photo: Henrik Moltke

According to the Chicago Sun-Times, the facility handles much of the citys phone and internet traffic and is equipped with banks of routers, servers, and switching systems. This building touches every single resident of the city, Jim Wilson, an AT&T area manager, told the newspaper in 2016.

Photo: Henrik Moltke

10 South Canal Street originally contained a million-gallon oil tank, turbine generators, and a water well, so that it could continue to function for more than two weeks without electricity or water from the city, according to Illinois broadcaster WBEZ. The building is anchored in bedrock, which helps support the weight of the equipment inside, and gives it extra resistance to bomb blasts or earthquakes, WBEZ reported.

NSA and AT&T maps point to the Chicago facility as being one of the peering hubs, which process internet traffic as part of the NSA surveillance program code-named FAIRVIEW. Philip Long, who was employed by AT&T for more than two decades as a technician servicing its networks, confirmed that the Chicago site was one of eight primary AT&T Service Node Routing Complexes, or SNRCs, in the U.S. NSA documents explicitly describe tapping into flows of data at all eight of these sites.

Photo: Mike Osborne

The 4211 Bryan Street facility is located next to other AT&T-owned buildings, including a towering telephone routing complex that was first built in 1904. A piece about the telephone hub in the Dallas Observer described it as an imposing, creepy building that is known in some circles as The Great Wall of Beige.

Photo: Mike Osborne

NSA and AT&T maps point to the 4211 Bryan Street facility as being one of the peering hubs, which process internet traffic as part of the NSA surveillance program code-named FAIRVIEW. A former AT&T employee confirmed that the site was one of eight primary AT&T Service Node Routing Complexes, or SNRCs, in the U.S. NSA documents explicitly describe tapping into flows of data at all eight of these sites.

Photo: Henrik Moltke

Located between Chinatown and the Staples Center, the fortress-like structure is one of the largest telephone central offices in the U.S. The theoretical number of telephone lines that can be served from this office are 1.3 million and this office also serves as a foreign exchange carrier to neighboring area codes, according to the Central Office, a website that profiles U.S. telecommunications hubs.

Untitled, or Bell Communications Around the Globe. Mural by Anthony Heinsbergen (1961) on the West side of 420 South Grand Ave, La.

Photo: Henrik Moltke

Due to the close proximity of the Madison Complex and One Wilshire, and their shared role as telecommunications hubs, it is likely that the buildings process some of the same data as it is being routed across U.S. networks.

NSA and AT&T maps point to the Madison Complex facility as being one of the peering hubs, which process internet traffic as part of the NSA surveillance program code-named FAIRVIEW. A former AT&T employee confirmed that the site was one of eight primary AT&T Service Node Routing Complexes, or SNRCs, in the U.S. NSA documents explicitly describe tapping into flows of data at all eight of these sites.

Photo: Henrik Moltke

A New York Times article published in 1975 noted that 811 10th Avenue was the first of several windowless equipment buildings to be constructed in the city, and added that its design initially caused considerable controversy.

Aerial shot of 811 10th street, NYC, ca. 1965.

Photo: courtesy of Avery Architectural & Fine Arts Library, Columbia University

Photo: Henrik Moltke

NSA and AT&T documents indicate that 10th Avenue building serves as the NSAs internet equivalent of 33 Thomas Street. While the NSAs surveillance at 33 Thomas Street mainly targets phone calls that pass through the buildings international switching points, at the 10th Avenue site the agency appears to primarily collect emails, online chats, and data from internet browsing sessions.

Photo: Henrik Moltke

NSA and AT&T maps obtained by The Intercept indicate that 611 Folsom Street is one of the eight peering hubs in the U.S. that process internet traffic as part of the NSA surveillance program code-named FAIRVIEW. Philip Long, who was employed by AT&T for more than two decades as a technician servicing its networks, confirmed that the San Francisco site is one of eight primary AT&T Service Node Routing Complexes, or SNRCs, in the U.S. NSA documents explicitly describe tapping into flows of data at all eight of these sites.

Photo: Henrik Moltke

We were getting orders to move backbones and it just grabbed me, said Long. We thought it was government stuff and that they were being intrusive. We thought we were routing our circuits so that they could grab all the data.

It is not the first time the building has been implicated in revelations about electronic eavesdropping. In 2006, an AT&T technician named Mark Klein alleged in a sworn court declaration that the NSA was tapping into internet traffic from a secure room on the sixth floor of the facility.

Klein, who worked at 611 Folsom Street between October 2003 and May 2004, stated that employees from the agency had visited the building and recruited one of AT&Ts management level technicians to carry out a special job. The job involved installing a splitter cabinet that copied internet data as it was flowing into the building, before diverting it into the secure room.

The room at AT&Ts Folsom St. facility that allegedly contained NSA surveillance equipment.

Photo: Mark Klein

He said equipment in the secure room included a semantic traffic analyzer a tool that can be used to search large quantities of data for particular words or phrases contained in emails or online chats. Notably, Klein discovered that the NSA appeared to be specifically targeting internet peering links, which is corroborated by the NSA and AT&T documents obtained by The Intercept.

According to documents provided by Klein, AT&Ts network at Folsom Street peered with other companies like Sprint, Cable & Wireless, and Qwest. It was also linked, he said, to an internet exchange named MAE West, a major data hub in San Jose, California, where other companies connect their networks together.

Sprint did not respond to a request for comment. A spokesperson for Cable & Wireless said the company only discloses data when legally required to do so as a result of a valid warrant or other legal process. In 2011, CenturyLink acquired Qwest as part of a $12.2 billion merger deal. A CenturyLink spokesperson said he could not discuss matters of national security.

Photo: Jovelle Tamayo for The Intercept

Read more from the original source:
The NSAs Hidden Spy Hubs in Eight U.S. Cities