Monitoring Centres: Force Multipliers From The Surveillance Industry

News & Analysis
Monitoring Centres: Force multipliers from the surveillance industry

This year, an advanced surveillance system called the "Platform for Unified Monitoring and Analysis" will come online in Colombia. Frustrated with the the previous system, Esperanza, which only monitored telecommunications activity, the Colombian authorities turned to PUMA (Plataforma Única de Monitoreo y Análisis), a system that will allow them to monitor both telecommunications traffic and IP traffic in one source. The system, now based on Police property in Western Bogota, will now be able to "to cover 20,000 means of telecommunication." 

Similarly, India this year is due to roll out its own system across the country. The Indian "Central Monitoring System" will link together the regional monitoring capabilities into one centralised epicentre, empowering authorities with direct access to telecommunications data, content, as well as giving them the ability to monitor IP based services such as VoIP, emails, SMSs and any other online activity. The legislative authority for this derives from Section 5(2) of the Indian Telegraph Act, 1885.

Such monitoring centres lie at the heart of any surveillance infrastructure, with 93 companies catalogued by our Surveillance Industry Index selling this equipment. These technologies are the command and control centres of the surveillance world, connecting the intelligence analysts with the intelligence itself. The centralisation of surveillance does far more than simply representing disparate sources of data in one source; it increases exponentially its utility, and the possibilities for its abuse.


What are monitoring centres?

Interception, interface and retention are three of the central concepts being advertised by surveillance vendors in their monitoring centre solutions. What sets these vast monitoring centres apart from smaller-scale technologies, which may just focus on one communication network or means of communications, are their sheer scale of integration-- the multiplicity and centralisation of the connections, the processing power of the interface, and the size of retention capabilities. One company selling monitoring centres describe their monitoring centre as an all-in-one surveillance "turnkey solution".

To perform interception, monitoring centres use probes within different communication networks that copy communications as they travel to their intended destinations. ClearTrail's ComTrail mass monitoring centre displays the different probes deployed and networks tapped for mass surveillance. From mobile networks to packet-switched networks for internet monitoring, each of these need to be tapped to achieve the centralisation of surveillance that some states work towards.

Many companies advertise and focus on the interfacing and management of intercepted communications of their monitoring centres. Utimaco's Lawful Interception Management System acts as a management server for the intercepted communications. While it does not intercept communications, it instead provides a "central administration of intercepts and target assignments", "mediation of intercepted data from all network nodes" and can segregate up to 64 different networks/providers. The ability to perform mass segregation of networks and providers indicates a design for mass monitoring of communications from different sources.

Possibly the most dangerous facet of a monitoring centre is the ability to look back into history relying on vast retention capability. Retention of intercepted information on a mass scale creates a broad scope for abuse because of the permanence of the information retained. While data retention has been a policy pursued by law enforcement for years, including in Europe, the tide is slowly turning with key court ruling at the ECJ recently demolishing indiscriminate, blanket retention of communications data across Europe.


"No limit"

Advanced System's retention system, Cerebro DRS,  has the capacity to store two petabytes of data in one server rack- a space of around 2000 x  600 x 1000 mm, about the size of a small shelving unit you can purchase at IKEA. It then allows for communications to be indexed and archived, creating a "Google-like" approach to searching through communications. Such trawling is plainly incompatible with principles of necessity and proportionality.

The opportunity data retention poses for governments can be summarised by Advanced Systems themselves, by using Cerebro DRS, “there is no limit to the  scalability of the system in terms of storage duration”.  VASTech's Zebra Monitoring Centre is advertised on the basis of it's retention capabilities where the user of the system can: "Reach back in  time and discover new targets and networks of collaborators".

The use of  such great retention capabilities needs to  be underpinned by good  policy and regulation, something that is hard to  achieve when  surveillance is carried out at such a great scope. Technologically  speaking, data retention is one of the most worrying aspects of a surveillance system. To deal with the vast amount of data collected by  the NSA, the new Bluffdale centre in Utah has a storage capacity that has to be measured in Zettabytes. A Zettabyte is a thousand exabytes, one exabyte is a thousand petabytes.


Destinations of Monitoring Centres

Given their incredible capabilities, it's no wonder centralised monitoring centers are so sought after by repressive regimes.

Utimaco, which sells a management server along with a data retention system, sold what appears to be its management server to Nokia Siemens Networks. That kit was then used to connect monitoring centre's sold by Nokia Siemens Networks at the time to the tapped phone networks of Tunisia prior to the 2011 revolution. Utimaco technology has also been found in Syria and Iran. Furnishing these regimes with the ability to monitor communications on a massive scale within the country lead to the detention and torture of the activist Saleh Hamid in Iran.

VASTech, a South African company who sell the Zebra monitoring centre, were found to have sold phone monitoring technology to Libya during the Gaddafi regime. Zebra, which allows for the monitoring of all international calls going in and out of the country, focuses on the centralisation of surveillance. The technology was used to log roughly 30 to 40 milliion minutes of mobile and landline calls a month in Libya and store them for years. The interception and retention capablities of the technology are striking and should never have been sold to an actor such as Gaddafi because of the legitimate concerns around internal repression and human rights violation that existed within Libya throughout the reign of the Gaddafi family.

Other companies offering monitoring centre's with chilling testimonies to the power of mass surveillance include Nice Systems and NETI. Nice advertise their Nice Track 360 system for providing "Persistent Situation Awareness" and all under a "Single Unified Display" which assembles "all communication types, Internet events, OSINT data and Lawful Hacking information collected under a single platform". NETI's Bongo diagram returns to the aesthetic of centralising surveillance by tapping internet service providers, telecommunication service providers and what would appear to be targeting internet cafe's too.

Centralised monitoring solutions that can intercept and retain such a massive amount of communications data are force mulitpliers for regimes wanting to track down political opponents and democracy activists. Existing state practice of unlawful detention, torture, and even deaths can be exacerbated, if not enabled by such a dangerous surveillance technology.

Privacy International are campaigning for better regulation of this sector to put an end to the abuse of these systems. Monitoring centres and the surveillance they provide can have a legitimate use in democractic, rule of law respecting countries to protect national security. Critically legitimacy of the use is not derived purely from whether or not it is used in the interests of national security but whether it is used in a lawful framework of checks and balances, necessarily and proportionately.

System's sold by the likes of VASTech, Utimaco and Advanced Middle East Systems contain many features that are incompatible with fundamental rights and damaging to democracies. Their equipment should not be able to be exported to destinations where there is no clearly defined legal regime for their use, which allows for overreach and abuse of the system to the detriment of human rights and civil liberties. While a  mulitlateral agreement was reached to control the trade of some monitoring centres at the Wassenaar Arrangement last year, it is targeted at a very specific set of monitoring centres, and does nothing to ensure that human rights criteria are considered. It remains frightfully easy for human rights abusers to create systems of centralised surveillance the technological capacity of which are only set to grow and grow.