September 21, 2013

PRISM as part of the BLARNEY program

(Updated: December 18, 2013)

Last June, the still on-going Snowden-leaks started with the unveiling of PRISM, an NSA program which collects information about foreign targets from American internet companies like Facebook, Google, Yahoo, Microsoft and Apple.

Since then, no new information about PRISM was published, but recently some new details could be found. These show that PRISM is part of another NSA program, codenamed BLARNEY, and that US-984XN is not a single designator for PRISM, but stands for multiple designators, one for each of the internet companies.


New slides

On September 8, the Brazilian television news magazine Fantástico aired a report about the NSA trying to access the network of the Brazilian oil company Petrobras. In the background of this report, a number of hitherto unseen NSA slides were shown.

One of the slides shows details about the BLARNEY program, which has the SIGAD, or SIGINT Activity Designator US-984 and the PDDG, or Producer Designator Digraph AX. The slide says that BLARNEY collects DNR (telephony) and DNI (internet) communications under authority of the FISA court. Main targets of the program are diplomatic establishments, terrorists, foreign governments and economic targets:


Top left the slide shows the NSA seal and top right we see a green leprechaun hat with a clover leaf, symbolizing Blarney, as this is also the name of a small town in Ireland.

However, the most intesting fact is that the BLARNEY SIGAD US-984 is almost the same as US-984XN, which is prominently shown on the first slide of the PRISM presentation that was published in June:




This similarity indicates that PRISM is part of BLARNEY, which is also suggested in the Wikipedia article about the latter program.


SIGADs

Wikipedia also has a good article about the SIGAD or SIGINT Activity Designator itself, which teaches us that a SIGAD with two letters followed by three or four numbers, like US-984, is for identifying signals intelligence collection programs and activities.

An additional alphabetic character is added to denote a sub-designator for a subset of the primary collection unit, like a detachment. Lastly, a numeric character can be added after the aforementioned alphabetic to provide for a sub-sub-designator. This already confirms that with the designation US-984XN, PRISM is a sub-program of BLARNEY.

But there's more. In the Wikipedia-article the SIGADs are represented like XX-NNNxn, where an X represents an alphabetic character and an N represents a numeric character. Here we see the same XN-suffix as in the alleged PRISM designator US-984XN, so it seems that XN is only meant as a placeholder for the actual designations of PRISM subsets.

This is confirmed by another slide from Brazilian television, which says that the SIGAD US-984X stands for multiple programs and partners collecting under FAA authority:



PRISM SIGADs

In one of the PRISM slides published in June, there's an explanation of the PRISM case notations. These start with a designation for each PRISM provider, like P1 for Microsoft, P2 for Yahoo, etc. (the first position in the slide below). These designators fit the XN-scheme of one alphabetic character followed by one numeric character.





If we combine this, it seems likely that instead of US-984XN as a single PRISM SIGAD, there might be actually the following multiple SIGADs, one for each of the internet companies:
- Microsoft: US-984P1
- Yahoo: US-984P2
- Google: US-984P3
- Facebook: US-984P4
- PalTalk: US-984P5
- YouTube: US-984P6
- Skype: US-984P7
- AOL: US-984P8
- Apple: US-984PA

After P8 for AOL, the final number becomes the letter A for Apple. Maybe this is because more than nine companies became involved, and so NSA chose to go on with hexadecimal numbers, so PA can be followed by PB, PC, etc.

Having separate SIGADs for each internet company makes sense, because a SIGAD identifies a specific facility where collection takes place, like a ship or a listening post. PRISM as a program is not such a facility, but comprises a number of them.


The notation of the multiple PRISM SIGADs is also more like that of other collection facilities, for example US-987LA and US-987LB for the Bavarian and Afghanistan listening posts of NSA's German partner-agency BND.


UPDATE and CORRECTION:

Meanwhile, high-resolution video footage of the Brazilian television magazine Fantástico became available, from which I could make a readable screenshot of a slide that was ineligible until now:




This slide is from an NSA presentation about the FAIRVIEW program and shows that both FAIRVIEW and STORMBREW have a number of subsets that were not known before. It also shows that my previous interpretation of the US-984X SIGAD wasn't correct.

The slide learns us that BLARNEY collection under the FISA Amendment Act (FAA) is designated US-984X* and it's this asterisk which apparently acts as a placeholder for other facilities collecting under FAA authority:

- US-984XA-H for eight STORMBREW collection facilities under FAA
- US-984XR for a FAIRVIEW collection facility under FAA
- US-984X2 for another FAIRVIEW collection facility under FAA

Here we see US-984X followed by different letters and also a number, which means it's now unlikely that "XN" in the PRISM SIGAD US-984XN is a placeholder for a letter and a number, as I assumed before. With US-984XN, PRISM actually fits the format of BLARNEY facilities which collect data under FAA authority. This also means that there's only one SIGAD for the PRISM program, and not one for each of the internet companies, although that would have made some sense.

My idea that the first two characters of the PRISM case notation (P1, P2, etc) could be the suffix after US-984 is also refuted by the fact that the high resolution slide shows that US-984P is actually the SIGAD for a STORMBREW facility under FISA authority. FAIRVIEW has also collection under FISA, which is designated US-984T.

The original parent programs of FAIRVIEW (US-990) and STORMBREW (US-983) are under Transit (T) authority, which means that they collect communications which originate and terminate in foreign countries when they transit the United States.



BLARNEY

Under BLARNEY, information is collected from both telephone and internet communications at facilities in the United States. The program was started in 1978 under the authority of the Foreign Intelligence Surveillance Act (FISA), which was enacted in the same year for regulating foreign intelligence collection in which communications of Americans could be involved. The SIGAD for BLARNEY collection under this initial FISA authority is US-984.

According to a report of the Wall Street Journal, BLARNEY was established with AT&T, for capturing foreign communications at or near key international fiber-optic cable landing points, like the AT&T facility Room 641A in San Francisco that was revealed in 2006. A similar facility was reportedly built at an AT&T site in New Jersey.



One of the doors of room 641A in the building of AT&T in San Francisco,
where the NSA had a secret internet tapping device installed,
which was revealed by an AT&T technician in 2006.


After the 2001 attacks these intercept capabilities were expanded to top-level telecommunications facilities within the United States, like main switching stations for telephone and internet traffic. These are accessed through arrangements with American internet backbone providers. Finally companies providing internet services like Microsoft, Google and Facebook were added.

Since 2008 this collection takes place under authority of the FISA Amendments Act (FAA) and the specific BLARNEY sub-programs and corporate partners are identified by SIGADs in the format US-984X*.

According to the recently disclosed US Intelligence Budget, NSA pays 65.96 million USD for costs made by corporate partners under the BLARNEY program. As PRISM is part of BLARNEY, it's possible that part of that money (maybe the 20 million mentioned in this slide?) is also for expenses made by the internet companies like Facebook, Google and Yahoo.

When PRISM was unveiled in June, the Guardian said this program was one of the main contributors to the President's Daily Brief, the top-secret document which briefs the US president every morning on intelligence matters. Being the PRISM parent program, BLARNEY is also one of the top sources to this document. According to a report by Der Spiegel, some 11,000 pieces of information reportedly come from BLARNEY every year.

This is shown in the slide below with a chart of the Top Ten Collection SIGADs from 2010-2011:


(screenshot courtesy @koenr)

In green we see the signals intelligence sources where NSA's Special Source Operations (SSO) division uses arrangements with corporate partners, in blue the sources where there are no such arrangements needed, which means SSO can collect the data on its own.

By far the most productive sources are the facilties under US-984X*, which include PRISM. Second comes information from what is called "transit only" traffic under the FAIRVIEW program (US-990). The initial BLARNEY collection under US-984, which is apparently from the AT&T network, is the nineth most productive source.

Some more information about BLARNEY is in another slide that was shown on Brazilian television:


Click for a readable version


Among other things, the slide says that BLARNEY is used for gathering information related to counter proliferation, counter terrorism, foreign diplomats and governments, as well as economic and military targets. PRISM seems to be used against more or less the same targets, as can be seen in a lesser known slide of the famous PRISM powerpoint presentation:


(it seems the bottom part of this slide was blacked out by Brazilian media, as the Indian
paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as
topics under the header "India", and also information from Asian and African
countries is contributing to a total of "589 End product Reports")


Once again this makes clear that programs like BLARNEY and PRISM are used to gather information about the usual strategic and tactical topics and therefore not for spying on Americans or other ordinary people.

(Updated on September 23 with the slide describing US-984X, the slide with the PRISM topics, some additional information from the WSJ report and a new slide about the top ten FAA sources)


September 13, 2013

The US Classification System

(Updated: February 19, 2024)

Top level telecommunications often involve information that has to be kept secret. To ensure that, governments have systems to protect sensitive information by classifying it, which is best known from document markings like "Top Secret".

Here I'll explain the classification system of the United States, which is far more complex than most people think, also because it's one of the world's biggest secrecy systems. In 2012 almost 5 million(!) people in the US had a clearance for access to classified information,* a number that was brought back to 4,2 million by 2015.*

The deeper parts of this classification system are classified, but new details and codewords have been revealed in documents from the Snowden-leaks.



Classification markings

All documents that contain classified information, whether digital or hard copy, have to be marked with the appropriate markings. These are shown in the classification or banner line, which is shown at the top and bottom of every document and usually has three parts, separated by double slashes:


An example of such a classification line would be:

TOP SECRET//COMINT//NOFORN


Additionally, all sections of a document should have a portion marking, which is an abbreviation of the full classification line. Below, the abbreviations for these portion markings are shown in brackets.

When a document contains joint or Foreign Government Information (FGI), the necessary markings are shown in a separate part of the classification line. Finally declassification instructions can be added. These markings will not be discussed here.

The meaning of abbreviations and codewords can be found in the separate listing of Abbreviations and Acronyms and the listing of Nicknames and Codewords.



Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)



Classification levels

The United States government classifies information according to the degree which the unauthorized disclosure would damage national security. Like many other countries, the US has three classifications levels. From the highest to the lowest level these are:

- TOP SECRET (TS, color code: orange)
- SECRET (S, color code: red)
- CONFIDENTIAL (C, color code: blue)

Government documents which are not classified can be marked as:

- CONTROLLED UNCLASSIFIED INFORMATION (CUI, color code: purple)
- UNCLASSIFIED (U, color code: green)


With 1.3 million US citizens, including some 300,000 members of the Intelligence Community, having a Top Secret clearance in 2017,* it's obvious that additional measures are needed to protect the most sensitive information. Therefore, that information is put in separated compartments, only accessible for those people who have the 'need-to-know'.

This system is called Sensitive Compartmented Information (SCI) for intelligence information, while other highly secret and sensitive information is protected by a Special Access Program (SAP). Both sub-systems will be explained below.

The classification levels Confidential, Secret and Top Secret are sometimes called 'Collateral', denoting that no additional control systems or compartmentations, like SCI or SAP, apply.

The new Controlled Unclassified Information (CUI) marking was meant to simplify the handling of unclassified information that still requires some protection, but has meanwhile expanded into a system with over 100 categories.



Sensitive Compartmented Information (SCI)

Sensitive Compartmented Information (SCI) is a system to protect national intelligence information concerning sources and methods. SCI is divided into control systems and compartments, which are further divided in subcontrol systems and subcompartments.

These systems and compartments are usually identified by a classified codeword, some of which were leaked or have been declassified. In total, there may be between 100 and 300 SCI compartments and subcompartments, grouped into about two dozen control systems. The color code for SCI is yellow.


SCI control systems and their compartments are species of Controlled Access Programs (CAPs), which also include Non-SCI CAPs, like for example at the Secret level. SCI information has to be stored and handled in a Sensitive Compartmented Information Facility (SCIF).

Known and supposed SCI control systems from the past and present are:

- COMINT, replaced by Special Intelligence (SI)
- STELLARWIND (STLW, 2001-2009)
- UMBRA (TSU or TSC)
- ENDSEAL (EL, until 2016)
- TALENT KEYHOLE (TK)
- HUMINT Control System (HCS)
- KLONDIKE (KDK, 2011-2016)
- RESERVE (RSV, since 2005)
- BYEMAN (BYE or B, 1961-2005)
- KLAMATH (KLM)
- MARVEL (MVL)
- FOCAL POINT (FP)
- CREDIBLE WOLF (CW)
- AZURE BLUE (AB)
- Special Navy Control Program (SNCP)
- VERDANT (VER, defunct)
- PANGRAM (PM, defunct)
- MEDITATE (M, defunct)
- SPECTRE
- LOMA
- EARPOP
- ? (CRU)
- ? (BUR)
- ? (GG)

In a classification line this is shown like: TOP SECRET//SI

Multiple control systems are shown like: TOP SECRET//SI/TK


Top Secret/SCI coversheets as found by the FBI in Trump's office at Mar-a-Lago


COMINT / Special Intelligence (SI)
This control system is for communications intercepts or Signals Intelligence. Since 2005, COMINT information which is not marked NOFORN is automatically releasable to the Five Eyes-partners.* Initially, the abbreviation for COMINT was SI, by which it was replaced somewhere between 2008 and 2013.
SI contains various sub-control systems and compartments, which are identified by an abbreviation or a codeword. In a classification line they follow COMINT or SI, connected by a hyphen.

Known COMINT/SI sub-control systems are:
- Very Restricted Knowledge (VRK, 1974-2003)
- Exceptionally Controlled Information (ECI, since 1999)
- GAMMA (G)
- DELTA (D, defunct)
- [undisclosed]
- ECRU (EU, since 2016)
- NONBOOK (NK, since 2016)

In a classification line this is shown like: TOP SECRET//SI-G

Multiple COMINT/SI compartments shown like: TOP SECRET//SI-VRK-G


Very Restricted Knowledge (VRK)
This sub-control system was established in 1974 to limit access to uniquely sensitive COMINT activities and programs (no product or content). It contains compartments or categories which have an identifier of one to three alpha numeric characters.* The term VRK was declassified in 1998* while the compartment was succeeded by ECI in 2003.*

Example: TOP SECRET//SI-VRK 11A


Exceptionally Controlled Information (ECI)
This sub-control system protects highly sensitive information and sources and contains compartments, which are identified by a classified codeword. In the classification line there's a three-letter abbreviation of this codeword. ECI already existed in 1999* and succeeded VRK in 2003.*

Recently disclosed codewords for ECI compartments include:
- AMBULANT (AMB), APERIODIC, AUNTIE, ESCAPEE? (ESC), PAINTEDEAGLE, PAWLEYS, PENDLETON, PIEDMONT, PICARESQUE (PIQ), PITCHFORD, RAGTIME (RGT), REDHARVEST (RDV), WHIPGENIE (WPG).
Lists of ECI compartments from 2003 and 2013.

Example: TOP SECRET//SI-ECI PIQ

Multiple compartments: TOP SECRET//SI-ECI PIQ-ECI AMB

Since 2011, SCI type indicators used to group compartments, like ECI, may not be used anymore in classification lines and portion markings. For example, information formerly marked TS//SI-ECI ABC must now be marked TS//SI-ABC.


GAMMA (G)
This sub-control system of SI is for highly sensitive communication intercepts (product or content)* and therefore requires the ORCON dissemination marking. GAMMA may contain compartments, which are identified by a codeword or an identifier of four alphabetic characters. The term GAMMA was declassified in 1998.*

Some former GAMMA compartments were:
- GABE, GANT, GART, GILT, GOAT, GOUT, GROL, GUPY, GYRO

Example: TOP SECRET//SI-G GUPY

Multiple compartments: TOP SECRET//SI-G GUPY GYRO


DELTA (D)
This was a former SCI control system for intercepts from Soviet military operations.


[undisclosed]
According to classification manuals there are undisclosed SI compartments which have identifiers of three alphabetical characters. Some documents from such a compartment were declassified in early May 2014. It seems that this compartment is for protecting information related to metadata collection, but is different from STELLARWIND.* It probably contains sub-compartments which are identified by three numeric characters.*

For example: TOP SECRET//SI-XXX 888



ECRU (EU)
Formerly a compartment of the ENDSEAL control system, which was retired as of 2016. Now, ECRU is "an ECI used to protect technical data derived from exploitation of a high interest signal". The transition from ENDSEAL to SI was done by the Naval Intelligence Activity (NIA) in coordination with NSA.*


NONBOOK (NK)
Formerly a compartment of the ENDSEAL control system, which was retired as of 2016. Now, NONBOOK is "an SI compartment used for sensitive intelligence products intended for dissemination to IC consumers".*



STELLARWIND (STLW)
This is a "controlled access signals intelligence program", created under presidential authorization in response to the attacks of September 11, 2001. It includes information related to the Terrorist Surveillance Program (TSP) and to the bulk telephony and internet metadata collection by the NSA.* It seems that STLW started as a COMINT compartment* but later on became a hitherto unknown classification category at the same level as SCI and SAP.


Terrorist Surveillance Program (TSP)
The markings "TSP" and "Compartmented" were used instead of "STELLARWIND" in briefing materials and documents related to the STELLARWIND program intended for external audiences, such as Congress and the courts. The term "TSP" was initially used in relation to only that portion of the program that was publicly disclosed by president Bush in December 2005.*



UMBRA (TSC)
This codeword was used since 1968 as the last of a range of succeeding codewords to protect the most sensitive intercepts of Communication Intelligence (COMINT). The portion marking for UMBRA was TSU (Top Secret Umbra)* or TSC (Top Secret Codeword).*
The use of the UMBRA compartment was publicly terminated in 1999, but the Snowden-leaks revealed that NSA is still using it, probably as a registered but unpublished SCI control system for the content of communications collected under authority of EO 12333.



ENDSEAL (EL)
The existance of this control system was declassified in 2014, but the name was already mentioned in 2001. ENDSEAL was for finalized intelligence products, probably based upon information derived from US Navy SIGINT sensors. The raw data collected for ENDSEAL reports were likely handled under a different, still-classified coverterm.*
ENDSEAL contained compartments for intelligence products intended for dissemination to Intelligence Community consumers. These compartments were identified by a codeword and could be divided into sub-compartments. ENDSEAL was retired as of 2016 and its two compartments were moved to SI.*

Declassified names of ENDSEAL compartments are:
- ECRU (EU)
- NONBOOK (NK)

In a classification line this was shown like: TOP SECRET//EL-NK/SI



TALENT KEYHOLE (TK)
This control system is for products of overhead collection systems, such as satellites and reconnaissance aircraft, and contains compartments, which are identified by a classified codeword. The original TALENT compartment was created in the mid-1950s for the U-2. In 1960, it was broadened to cover all national aerial reconnaissance and the KEYHOLE compartment was created for satellite intelligence. The term TALENT KEYHOLE was declassified in 1998.*


Some former TK subcompartments were:
- CHESS, RUFF, DAFF and ZARF

Some current TK compartments are:
- BLUEFISH (BLFH)
- IDITAROD (IDIT)
- KANDIK (KAND)
- GEOCAP (G)

In a classification line this is shown like: TOP SECRET//TK-BLFH

BLUEFISH (BLFH)
This compartment contains sub-compartments which are identified by up to six alphanumeric characters. There are no actual examples.

Example: TOP SECRET//KDK-BLFH XXXXXX

IDITAROD (IDIT)
This compartment contains sub-compartments which are identified by up to six alphanumeric characters. There are no actual examples.

Example: TOP SECRET//KDK-IDIT XXXXXX

KANDIK (KAND)
This compartment contains sub-compartments which are identified by up to six alphanumeric characters. There are no actual examples.

Example: TOP SECRET//KDK-KAND XXXXXX

GEOCAP (G)
GEOCAP stands for Geospatial-Intelligence Controlled Access Program, which in classification markings is treated like a TK compartment. But other than that, little information is publicy available.*


BYEMAN (B)
The BYEMAN Control System (BCS) was established in 1961 by the CIA to protect information about the National Reconnaissance Office (NRO) and its operations. At the unclassified level, B, BRAVO, and BYE were used interchangeably instead of BYEMAN.* The BYEMAN Control System was retired on May 20, 2005 and most of its information was transitioned to TALENT KEYHOLE.

Some publicly acknowledged BYEMAN compartments were:
- ARGON, CORONA, DORIAN, GAMBIT, GRAB, HEXAGON, LANYARD, MELVIN, POPPY, QUILL, and UPWARD

In a classification line this was shown like: TOP SECRET//DORIAN


OXCART/TAGBOARD
A security compartment of BYEMAN to protect information about the covertly developed D-21 supersonic reconnaissance drone, which was initially launched from the CIA's Lockheed A-12 aircraft (OXCART). As of may 1969 this information was identified and classified as TAGBOARD.*

TAGBOARD
A security compartment of BYEMAN to protect information about the covertly developed D-21 supersonic reconnaissance drone. Project TAGBOARD was terminated on July 15, 1971. Documents of historical value were made available for persons with clearance for IDEALIST or STUDY 50006.*


KLONDIKE (KDK)
This control system was for Geospational Intelligence (GEOINT) produced by the National Reconnaissance Office (NRO). Since 2013, the control system contained compartments, which are identified by a codeword.
As of 2016, KLONDIKE has been merged with TALENT KEYHOLE (TK) and its three declared compartments are now a part of the TK Control System.*

Declassified names of former KLONDIKE compartments are:
- BLUEFISH (BLFH)
- IDITAROD (IDIT)
- KANDIK (KAND)

In a classification line this was shown like: TOP SECRET//KDK-IDIT


RESERVE (RSV)
This control system is for compartments protecting new sources and methods during the research, development, and acquisition process done by the National Reconnaissance Office (NRO). Compartments within RESERVE have an identifier of three alphanumeric characters.* There are no actual examples.

In a classification line this is shown like: TOP SECRET//RSV-XXX


HUMINT Control System (HCS)
This control system is "intended to provide enhanced protection to exceptionally fragile clandestine HUMINT sources, methods, and activities based on assessed value, critical nature, and vulnerability of the information." It has two compartments which were revealed in 2014.*

Compartments are:
- HCS-OPERATIONS (HCS-O)
- HCS-PRODUCT (HCS-P)

In a classification line this is shown like: TOP SECRET//HCS-P

HCS-OPERATIONS (HCS-O)
This compartment is used "to protect exceptionally fragile and unique HUMINT operations and methods. Each clandestine HUMINT collector organization is authorized to activate an operations compartment upon the approval of the CIA/Deputy Director of Operations." The information requires the ORCON and NOFORN dissemination markings as well. Dissemination outside the CIA is highly restricted. HCS-O contains sub-compartments which are identified by up to six alphanumeric characters.* There are no actual examples.

Example: TOP SECRET//HCS-O XXXXXX

HCS-PRODUCT (HCS-P)
This compartment is used to protect intelligence information (products) intended for dissemination to Intelligence Community consumers when unauthorized disclosure would endanger or compromise human sources and collection capabilities. HCS-P contains sub-compartments for information that requires extremely restricted access. These are identified by up to six alphanumeric characters.*

Example: TOP SECRET//HCS-P XXXXXX

? (CRD)
Sub-compartment of HCS-P, no further information available.*

Shown like: TOP SECRET//HCS-P CRD




KLAMATH (KLM)
A CIA control system, which in 2003 included the NSA ECI compartments CONQUERER (for joint NSA/CIA clandestine radio frequency operations), LYSERGIC (for NSA efforts to select and prosecute foreign deployed telecommunication cables) and WASHBURN (for a CLANSIG effort to exploit a source in a Middle Eastern location).* There's also a compartment identified as R.*

In a classification line this is shown like: TOP SECRET//KLM-R


MARVEL (MVL)
This control system is only known by its codeword, its purpose is still classified. MARVEL has four known compartments, each identified by two separate codewords.*

Known compartments are:
- GHOSTLY LABRYNTH (GYL)
- MADAM BUTTERFLY (MBF)
- PAINTED LADY (PDL)
- TAME MONARCH (TMN)

In a classification line this is shown like: TOP SECRET//MVL-MBF

GHOSTLY LABRYNTH (GYL)
This compartment of MARVEL is only known by codeword, its purpose is still classified. GHOSTLY LABRYNTH has three known sub-compartments which are also identified by two separate codewords.*

Known compartments are:
- GRAPHITE MESA (GRM)
- TWISTED MIRROR (TMI)
- VICIOUS CALAMITY (VIC)

Example: TOP SECRET//MVL-GYL-TMI

? (GG)
This control system is for information derived from Measurement and Signature Intelligence (MASINT) and is identified by a codeword that is still classified. It's only known by the abbreviation.*


? (BUR)
This control system is only known by its abbreviation and therefore its full codeword as well as its purpose are still classified. BUR has three known compartments and a whole range of sub-compartments.*

Known compartments are:
- ? (BLG)
- ? (DTP)
- ? (WRG)

In a classification line this is shown like: TOP SECRET//BUR-WRG

? (BLG)
This compartment of BUR is only known by its abbreviation and therefore its full codeword as well as its purpose are still classified. BUR-BLG has some 33 known sub-compartments which are identified by four letters, or codewords that are abbreviated by four letters.*

Known compartments of BLG are:
- ASPW, CMBR, CRFT, CSPR, DMRL, DNCW, DRVR, DSPR, DVTL, FLFD, GRLK, GRSH, GRWD, HCAS, HZDP, IRTH, JDHZ, JETS, JPST, LNFX, LTPL, ORGL, PAJE, RDFN, RDGL, RFPT, SKCH, SLSH, SOFX, TLWV, TWIX, WKSW, WVLT.

Example: TOP SECRET//BUR-BLG-GRWD

? (WRG)
This compartment of BUR is only known by its abbreviation and therefore its full codeword as well as its purpose are still classified. BUR-WRG has some 14 known sub-compartments which are identified by four letters, or codewords that are abbreviated by four letters.*

Known compartments of WRG are:
- ARME, BSVL, DEDR, DPRL, DRK, EGLY, JKRG, LOCR, LOEN, PAPL, PLVX, RDSK, SLFX, VCEG.

Example: TOP SECRET//BUR-WRG-JKRG

? (CRU)
This control system is identified by a codeword that is still classified and is only known by the abbreviation which was accidentally revealed in 2009.* It's related to highly secret CIA programs.

> More about the CRU classification marking

A compartment of CRU seems to be:
- GREYSTONE (GST)

In a classification line this is shown like: TOP SECRET//CRU-GST

GREYSTONE (GST)
This compartment is for information about the extraordinary rendition, interrogation and counter-terrorism programs, which the CIA established after the 9/11 attacks. It contains more than a dozen sub-compartments, which are identified by numeric characters.*

Example: TOP SECRET//CRU-GST 001

FOCAL POINT (FP)
This compartment protects CIA support to the military, Special Technical Operations (STOs) and military CIA operations.* The Joint Staff managed FOCAL POINT programs as well, governed by CJCSM 3213.02A, the Joint Staff Focal Point Communications Procedures Manual from January 31, 1997, which implemented additional control measures for protecting operationally-sensitive classified Information.*

EARPOP
Former NSA/NRO compartment, similar to SI and TK, that apparently protected information related to satellite "overhead" collection systems in the 1960s and 1970s.* *

VERDANT (VER)
Former Navy/NSA compartment for SIGINT information.*

PANGRAM (PM)
Former Navy/NSA compartment for information dealing with ocean surveillance.*

MEDITATE (M)
Former Navy/NSA compartment dealing with submarine operations and an IVY BELLS-like operation.*

SPECTRE
Counter-terrorism related compartment, probably no longer in use.*

LOMA
This compartment possibly protects nuclear-related information.*

PSALM
Defunct control system for intelligence related to the Cuban missile crisis (October 1962).*

ICS / PH / ZH
Compartments used by FEMA for continuity of government information and communications. Initiated in 1983, not clear whether these are still used.*

HOLLOW TILE (HT)
SCI control system or Special Access Program for the Air Intelligence Agency.*



Special Access Programs (SAPs)

Special Access Programs (SAPs) are created to control access, distribution, and protection of particularly sensitive information. From the early 1970s to the mid-1990s, SAPs were usually called "black programs" and almost exclusively restricted to safeguarding DoD acquisition programs, but now they include intelligence and operations & support programs as well.*

Each SAP is identified by a nickname which consists of two unassociated, unclassified words. Additionally, a Special Access Program Central Office (SAPCO) can also assign a single classified codeword to the program. These can be changed regularly. The nickname and the codeword can be abbreviated into an unclassified two or three-letter Program Identifier (PID).

There are over 100 SAPs, with many having numerous compartments and sub-compartments. More than 50 SAPs protect operations and capabilities of the Joint Special Operations Command (JSOC), while 75-80% of all SAPs are for military procurement, acquisition, research and testing programs. The existence of a SAP can be acknowledged, unacknowledged or waived.*

Most SAPs protect military operational, tactical and strategical programs, but SAPs may also be created by the Secretaries of State, Energy, Homeland Security and the Attorney General or their principal deputies.

The classification line for SAP information shows the words SPECIAL ACCESS REQUIRED, often abbreviated as SAR, followed by the program's nickname or codeword. Fictitious examples of program nicknames are BUTTER POPCORN, MEDIAN BELL and SENIOR ICE.

In a classification line this is shown like: TOP SECRET//SAR-MEDIAN BELL

Multiple SAP's are shown like: TOP SECRET//SAR-MB/SAR-BP


Some examples of actual Special Access Programs are:

YANKEE WHITE
People who have been cleared for this SAP have unfettered access to presidential workspaces that might contain classified information at any level and may also carry a loaded weapon when the president is around. This clearance requires the most extensive background investigation.*


COPPER GREEN / MATCHBOX
This SAP protected a program for training interrogators to use techniques that had been reverse-engineered by the military's agency that trained special operations forces on how to resist torture.*


TIMBER WIND
Unacknowledged SAP to protect information about the development of (dangerous) nuclear thermal rockets capable as part of president Reagan's Strategic Defense Initiative (SDI). The project was established in 1987, terminated in 1991 and declassified in 1992.*


SEASPRAY
SAP that protected a joint Army-CIA covert aviation unit to support clandestine operations conducted by the Special Operations Division (SOD) in Central America in the early 1980s.*


YELLOW FRUIT
Unacknowledged SAP to provide additional operational security and counter-intelligence assistance for military missions in Central America run by the Special Operations Division. Created in 1982 and terminated in 1983.*


? (CD)
This SAP is identified by a codeword that is still classified and is only known by its abbreviation. It protects all information related to the Air Force Flight Test Center at Groom Lake (aka Area 51).*


Other known Special Access Programs (SAPs) and related Alternative or Compensatory Control Measures (ACCMs) are:

- ADOBE, ANTEMATE, BELL WEATHER, BERNIE, BLACK LIGHT, BLUE MAIL, BLUE ZEPHYR, CAVALRY, CENTENNIAL, CHALK series, CHANNEL series, CITADEL, CLOUD GAP, COMPASS LINK, CONSTANT HELP, CONSTANT PISCES, CONSTANT STAR, COPPER COAST, CORONET PHOENIX, DISTANT PHOENIX, ELEGANT LADY, FIREANT, FOOTPRINT, GALAXY, GENTRY, GIANT CAVE, GIANT DODGE, GRASS BLADE, GREATER SLOPE, GREYHOUND, GULF, GUSTY series, GYPSY series, HAVE DJINN, HAVE FLAG, HAVE TRUMP, HAVE VOID, ISLAND SUN, LEO, LINK series, MALLARD, MERIDIAN, MILKYWAY, MUSTANG, OLYMPIC, OMEGA, OSPREY series, OVERTONE, OXIDE, OZONE, PANTHER series, PAVE RUNNER, PIRATE SWORD, POLO STEP, PROCOMM, PROJECT 19, PROJECT 643, PROJECT 9000, RADIUS, RAVEN, RETRACT series, REWARD, ROSETTA STONE, RUBY, SCATHE series, SCIENCE series, SEA BASS, SEEK CLOCK, SENIOR NEEDLE, SENIOR NIKE, SIERRA, SIT-II, SOFTRING, SPEAR, SUTER, STEEL PUMA, TALON RADIANCE, TAPESTRY, THEME CASTLE, THERMAL VICAR, THIRST WATCHER, THIRSTY SABER, TIGER LAKE, TITRANT RANGER, CAPACITY GEAR, TRACTOR series, UMBRELLA and WHITE KNIGHT.*


SAP compartments and sub-compartments
Special Access Programs can be divided into compartments, sub-compartments and programs. Compartments and sub-compartments can be identified by a two-word unclassified nickname or an alphanumeric designator. They are separated by spaces and they are listed in ascending alphabetic and numeric order. The classification markings do not show the hierarchy beyond the sub-compartment level.

In a classification line this is shown like: TOP SECRET//SAR-MB A691 D722




Alternative Compensatory Control Measures (ACCM)

When regular security measures are insufficient to enforce the need-to-know for classified information, but SCI or SAP protection is not required, Department of Defense Manual (DODM) 5200.01 from January 1997 allows the implementation of Alternative Compensatory Control Measures (ACCMs) for information about military intelligence and special operations. In 2014, there were more than 70 ACCMs in the US Defense Department. Similar additional security measures are provided by the FOCAL POINT control system.*

ACCM consists of three measures: creating a specific description of the information subject to the enhanced ACCM control, maintaining a list of personnel to whom the classified information has been or may be provided, and guidelines for the use of unclassified nicknames. Top Secret, Secret, and Confidential cover sheets used to cover ACCM material are marked with "ACCM" and the appropriate nickname.



Controlled Unclassified Information (CUI)

In 2010, president Obama established the Controlled Unclassified Information (CUI) program to streamline the sharing of unclassified information among more than 100 US government departments and agencies while still providing some level of protection from unauthorized access and release. The CUI program is managed by the Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA).

In 2020, DNI Ratcliffe lamented that "instead of simplifying and replacing a handful document markings with one new CUI marking, the CUI Program has expanded to over 124 categories in 20 groupings, with 60 Specified and 60+ Basic categories".* For the specified categories there's an abbreviation to be added (preceded by SP) to the CUI marking in the same way as in classification lines. CUI can also have additional dissemination markings.

In a classification line this is shown like: CUI//SP-CTI//NOFORN



Dissemination markings

Dissemination markings or caveats are used to restrict the dissemination of information within only those people who have the appropriate clearance level and the need to know the information. Dissemination markings can also be used to control information which is unclassified. Some markings are used by multiple agencies, others are restricted to use by one agency.

In a classification line they are shown like: SECRET//SI//ORCON

Multiple markings are shown like: SECRET//SI//ORCON/NOFORN


Markings used by multiple agencies:
- FOR OFFICIAL USE ONLY (FOUO, to be replaced by CUI))
- SENSITIVE INFORMATION (SINFO, defunct since 2002)
- LAW ENFORCEMENT SENSITIVE (LES, to be replaced by CUI)
- OTHER LAW ENFORCEMENT AGENCIES (OLEA)
- FEDERAL EMPLOYEES ONLY (FED ONLY)
- FEDERAL EMPLOYEES AND CONTRACTORS ONLY (FEDCON)
- DISSEMINATION LIST CONTROLLED (DL ONLY)


Intelligence community markings:
- WARNING NOTICE - INTELLIGENCE (WNINTEL; eliminated in 1987)
- NOCONTRACT (eliminated in 1987)
- ORIGINATOR CONTROLLED (ORCON) (OC)
- ORIGINATOR CONTROLLED-USGOV (ORCON-USGOV, since 2013)
- CONTROLLED IMAGERY (IMCON) (IMC)
- SOURCES AND METHODS INFORMATION (SAMI, defunct since 2009)
- NO FOREIGN NATIONALS (NOFORN) (NF)
- PROPRIETARY INFORMATION (PROPIN) (PR)
- AUTHORIZED FOR RELEASE TO (REL TO) [country trigraph or coalition tetragraph]
- DISPLAY ONLY [country trigraph or coalition tetragraph]
- Releasable by Information Disclosure Official (RELIDO)
- Foreign Intelligence Surveillance Act (FISA)


National Security Agency (NSA) markings:
- [country trigraph] EYES ONLY (since 2016 replaced by REL TO)

NSA also used SIGINT Exchange Designators, which were gradually replaced by the 'REL TO [...]' marking. Some former SIGINT Exchange Designators were:
- FRONTO
- KEYRUT
- SEABOOT
- SETTEE

National Geospatial intelligence Agency (NGA) markings:
- LIMITED DISTRIBUTION (LIMDIS) (DS)
- RISK SENSITIVE (RSEN)


Department of Defense (DoD) markings:
- NC2-ESI (Nuclear Command and Control - Extremely Sensitive Information)
- SPECIAL CATEGORY (SPECAT, defunct since 2010)




Department of Homeland Security (DHS) markings:
- SENSITIVE SECURITY INFORMATION (SSI)


State Department (DoS) markings:
- NO DISTRIBUTION (NODIS) (ND)
- EXCLUSIVE DISTRIBUTION (EXDIS) (XD)
- STATE DISTRIBUTION only (STADIS)
- SENSITIVE BUT UNCLASSIFIED (SBU, to be replaced by CUI)


Drug Enforcement Administration (DEA) markings:
- DEA SENSITIVE (DSEN)


Nuclear weapons related markings:
- RESTRICTED DATA (RD)
- FORMERLY RESTRICTED DATA (FRD)
- DOD UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION (DCNI)
- DOE UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION (UCNI)
- TRANSCLASSIFIED FOREIGN NUCLEAR INFORMATION (TFNI)

The markings Restricted Data (RD) and Former Restricted Data (FRD) are based upon the Atomic Energy Act (AEA) and used by the Department of Defense and the Department of Energy for information about design and operation of nuclear warheads. For non-military personnel, access to this information requires L Clearance (Secret) or Q Clearance (Top Secret).*
Both RD and FRD can have the following additional sub-markings:

- CRITICAL NUCLEAR WEAPON DESIGN INFORMATION (CNWDI)
- SIGMA (SG, followed by a number between 1 and 20)

In a classification line this is shown like: SECRET//RD-CNWDI

Multiple SIGMA markings are shown like: SECRET//RD-SIGMA 2 4



Internal markings

Some intelligence agencies also use internal markings, indicating that information may not be released or shown to anyone outside that particular agency without proper permission. Internal markings are shown after the dissemination markings at the very end of a classification line.


White House (WH) internal markings:
- LIMITED ACCESS (not part of the classification line)*
- SPECIAL HANDLING (?)*


Central Intelligence Agency (CIA) internal markings:*
- CIA INTERNAL USE ONLY
- Administrative Internal Use Only (AIUO, to be replaced by CUI)


Federal Bureau of Investigation (FBI) internal markings:
- SENSITIVE
- JUNE (protecting the FBI's most sensitive sources, now defunct)*
- [undisclosed] *


National Security Agency (NSA) internal markings:
These markings are used to identify a COI or CoI, which stands for Community Of Interest. It seems that this term has recently been replaced by Secure Community of Interest (SCoI). Recently disclosed COI identifiers are:
- BULLRUN
- ENDUE
- NOCON

In a classification line this is shown like: TOP SECRET//SI//NOFORN/BULLRUN


Coalition designators
The designators or tetragraphs which are used in the dissemination marking "AUTHORIZED FOR RELEASE TO (REL TO)" are listed here:

- ABCA: American, British, Canadian, Australian (and New Zealand Armies’ Program)
- ACGU: Australia, Canada, Great Britain, United States (Four Eyes)
- AFSC: Afghanistan SIGINT Coalition
- BWCS: Biological Weapons Convention States
- CFCK: Combined Forces Command, Korea
- CMFC: Combined Maritime Forces Central
- CMFP: Cooperative Maritime Forces Pacific
- CPMT: Civilian Protection Monitoring Team (for Sudan)
- CWCS: Chemical Weapons Convention States
- ECTF: European Counter-Terrorism Forces
- EFOR: European Union Stabilization Forces in Bosnia
- FVEY: Five Eyes (Australia, Canada, New Zealand, UK, US)
- GCTF: Global Counter-Terrorism Forces
- GMIF: Global Maritime Interception Forces
- IESC: International Events Security Coalition
- ISAF: International Security Assistance Forces (for Afghanistan)
- KFOR: Stabilization Forces in Kosovo
- MCFI: Multinational Coalition Forces – Iraq
- MIFH: Multinational Interim Force Haiti
- NACT: North African Counter-Terrorism Forces
- NATO: North Atlantic Treaty Organization
- OSAG: Olympic Security Advisory Group
- UNCK: United Nations Command, Korea



CAPCO

In order to prevent codewords being assigned twice, the Security Markings Program (SMP, part of ODNI, Policy & Strategy Information Management Division) lists all codenames and authorized abbreviations of Sensitive Compartmented Information (SCI) and Special Access Programs (SAPs) in the Authorized Classification and Control Markings Register or CAPCO list.



NSA Classification Guides

- Classification Guide for the TAREX Program (2012)
- Classification Guide for SIGINT material from 1945-1967 (2011)
- Classification Guide for Computer Network Exploitation (2010)
- Classification Guide for Project BULLRUN (2010)
- Classification Guide for Cryptgraphic Modernization (pdf) (2010)
- Classification Guide for FISA, PAA and FAA Activities (pdf) (2009)
- Classification Guide for STELLARWIND (pdf) (2009)
- Classification Guide for RAINFALL (Pine Gap) (2009)
- Classification Guide for the Cuban Missile Crisis (2008)
- Classification Guide for USS Liberty Incident (2006)
- Classification Guide for ECI PAWLEYS (2006)
- Classification Guide for Cryptanalysis (2005)
- Classification Guide for ECI WHIPGENIE (2004)
- Classification Guide for the JFK Assassination Records (2000)
- Classification Guide for Cellular communications interception (undated)

In 2023, the US government maintained more than 2000 classification guides, including more than 400 for the Army alone, and roughly 1400 original classification authorities.



Links and Sources

- NPEC: Over-classification: How Bad Is It, What’s the Fix?
- The Debrief: It's Classified! A Deep Dive Into the Dark World of Keeping Secrets
- NSA/CSS: Policy Manual 1-52: Classification
- USA Today: What are the types of 'classified' documents?
- The Atlantic: Not Even the President Can Declassify Nuclear Secrets
- Alex Wellerstein: Secrecy Stamps (for US nuclear secrets)
- The Drive: Special Access Programs And The Pentagon’s Ecosystem Of Secrecy
- Robert Sesek: U.S. Classification Markings, 2016 Update
- The 2016 Intelligence Community Classification and Control Markings Implementation Manual
- Air Force Policy Directive 16-7: Special Access Programs
- Secrecy News: Was Obama Administration the Most Transparent or the Least?
- The 2015 Intelligence Community Directive on Controlled Access programs (pdf)
- The latest SCI compartments: My First FOIA Request: ODNI CAPCO v6 + Update
- TheWeek.com: What Edward Snowden didn't disclose
- Wikipedia articles:
  - Classified information in the United States
  - Sensitive Compartmented Information
  - Special access program
- The 2013 Intelligence Community Classification and Control Markings Implementation Manual (pdf)
- The 2013 DoD Special Access Program (SAP) Instruction (pdf)
- The 2012 NRO Review and Redaction Guide (pdf)
- The 2008 DNI Authorized Classification and Control Markings Register (pdf)
- The 2004 listing of Country Code Trigraphs and Coalition Tetragraphs (pdf)
- Article about Security Clearances and Classifications
- Some notes about Sensitive Compartmented Information
- About The 5 secret code words that define our era
- N.N.: Do You Know the Differences? SCI | SI | SIGINT, in: Cryptolog, p. June 1983, p. 7-9.
- Marc Ambinder & D.B. Grady, Deep State, Inside the Government Secrecy Industry, 2013, p. 164-167.
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.

September 5, 2013

An NSA eavesdropping case study

(Updated: December 7, 2015)

On September 1, the popular Brazilian television news magazine Fantástico reported about an NSA operation for wiretapping the communications of the presidents of Mexico and Brazil. Fantástico is part of the Globo network, which already disclosed various top secret NSA presentations last July.

Now, the Brazilian magazine showed some new top secret NSA documents, like a powerpoint presentation about the eavesdropping operation, which were all among the thousands of documents which Edward Snowden gave to Guardian journalist Glenn Greenwald in June.

Fantástico also published the slides on their website, but as that's only in portuguese, we show these slides too, because they give a nice graphical insight in how the NSA intercepts foreign communications.


The Fantástico news magazine started showing a cover sheet of a presentation which bears the logo of the SIGDEV Strategy and Governance division of the NSA, where SIGDEV stands for SIGINT Development. However, it's not quite clear whether this division is also responsible for the eavesdropping operation which is shown below.


The presentation was prepared in June 2012 by the Scalable Analytics Tradecraft Center (SATC) of NSA. Except for the abbreviation SATC, the full name of this unit was initially unknown, so the Fantástico website assumed it stood for "Secure and Trustworthy Cyberspace" (SaTC), but that's actually a program of the US National Science Foundation. Brazilian television briefly showed the name of the author of the presentation, but here we blacked that out.


This slide shows the overall classification level of the presentation: TOP SECRET // COMINT // REL TO USA, AUS, CAN, GBR, NZL. This means the information is Top Secret, contained in the COMINT (Communications Intelligence) control system and is only to be released to the US and it's "Five Eyes" or UKUSA partners: the UK, Canada, Australia and New Zealand.


The presentation starts with two slides, showing the benefits of searching for contacts by using graphs:





The next three slides show some more details of the specific elements of the process:







The Mexican target

The first target of the operation was the then Mexican candidate for the presidency, Enrique Peña Nieto. The information was analysed by NSA unit S2C41 which is the Mexican Leadership Team and is also part of the S2C production line for International Security Issues (ISI).


This slide shows the process of searching for contacts and communications of the mexican president:

1. Selectors, like known e-mail adresses or phone numbers related to EPN (Enrique Peña Nieto) are used as seeds to start the process.

2. The initial seeds lead to 2-hop graphs, apparently based upon metadata which are in the databases mentioned below the graph: MAINWAY is the NSA's database of bulk phone metadata, CIMBRI is seen here for the first time, and could be another kind of metadata database. JEMA probably stands for Joint Enterprise Modeling and Analytics, which is a tool that allows analysts to create more complex analytic scenarios.

3. Next, addresses discovered by creating the contact graphs can act as selectors for collecting SMS messages. For this the MAINWAY database is used too, just like ASSOCIATION, which, according to the Fantástico website, filters text messages (SMS) to mobile phones.

4. Finally, these messages go to DISHFIRE, which is NSA's database for text messages and can be searched for certain keywords.


This slide shows two "interesting messages", proving that content of text messages was collected. In the two quoted passages, the Mexican presidential candidate Enrique Peña Nieto is in discussion with some of the designated ministers of his future government. Parts of the messages are blacked out by Brazilian media.


The Brazilian target

The second target of the operation were the Brazilian president Dilma Rousseff and her key advisers. The information was analysed by NSA unit S2C42 which is focussed on the Brazilian leadership. This unit is part of the NSA's S2C production line for International Security.


This slide shows the process of searching for contacts and communications of the Brazilian president. The intelligence gathering starts with a few DNI Selectors (like e-mail or IP addresses) which act as seeds growing into a 2-hop contact graph. This graph shows all the addresses which had 2-hop or 2-step contacts with the original seed addresses.

Below the graph is the word SCIMITAR, seen here for the first time, which could be a tool to create such contact graphs, or maybe a database containing metadata from which these contacts can be derived.


From the 2-hop contact graph NSA apparently discovered new selectors (e-mail or IP addresses) associated with the Brazilian president and her advisers. Another slide, which was not published, is said to show all the names associated with the colored dots in this graph.


The presentation concludes that there was a successful cooperation between the mysterious unit SATC and the Latin American units from the S2C International Security division. This led to a successful implementation of contact filtering by using graphs, resulting in the interception of communications of high-profile, security-savvy Brazilian and Mexican targets.


This presentation gives insight in a specific eavesdropping operation, but also gives a good idea of how NSA is collecting information from the internet in general, for example through PRISM and various other programs which gather data from internet backbone cables.

Allthough the presentation is clarifying, it could also have been published without mentioning the specific targets involved. Showing that this operation targeted the presidents of Mexico and Brazil did not serve a public interest, but unnecessarily damaged the relationship between the United States and both countries.

Glenn Greenwald seemed to justify the publication by saying that the presentation proved that NSA was also intercepting the content of phone calls and e-mail messages. After earlier disclosures, the US had said that they only collect bulk metadata from Brazil and no content. But of course this statement only applied to ordinary citizens, as eavesdropping on foreign political and military leaders is generally considered to be a legal activity of (signals) intelligence agencies.

Greenwald, who lives in Rio de Janeiro, also said that "most of the spying they [= the US] do does not have anything to do with national security, it is to obtain an unfair advantage over other nations in their industrial and commerce economic agreements". But with this motive he also acts more in the national interest of Brazil, or at least like an activist, than as a journalist working for the public interest.

(Updated by rearranging the slide order and some related minor corrections - see the comment below)


> See also: How NSA targeted the Venezuelan oil company PdVSA



Links and Sources
- Globo.com: Documentos revelam esquema de agência dos EUA para espionar Dilma
- Cryptome.org: Translation in English
- The slides with Portuguese description: Veja os documentos ultrassecretos que comprovam espionagem a Dilma
- Bloomberg.com: U.S. Spied on Presidents of Brazil and Mexico, Globo Reports