When a Canadian internet user communicates sensitive data with a secure Canadian server, it often passes through exchange points in the United States and is thus subject to Patriot Act incursions by U.S. authorities.
Why is it important?
See our Showcase Routes section on network sovereignty for more details.
What are NSA listening posts?
The U.S. National Security Agency (NSA) is strongly suspected of having installed ‘splitter rooms’ in 15-20 major internet exchange points.
View a summary of the evidence supporting our claims regarding NSA splitter locations.
Who are some of our principal sources of research related to the NSA?
What kinds of resources did we use on telecommunications infrastructures?
Although they are harder to find these days, we have located several AT&T fibre 'backbone maps'. These range in date from 2000 to 2008, covering the relevant time span with regard to the NSA.
See 1, 2, 3.
We also looked at several sources regarding the largest cable hubs in North America, such as this article. Finally, we looked at several sites that measure performance/latency, managed by Akamai and AT&T. We also mapped undersea cable sites.
How do we geolocate routers?
In order to map the generated traceroutes, we must ascertain the physical location of the routers that generate the IP addresses in the route. When a traceroute is run, our software assigns locations to the IP addresses using a commercial service called Maxmind. This is often sufficient to geolocate the router to within about 5 km of the target. However, Maxmind tends to work best when locating edge routers; its success rate when attempting to geolocate core routers drops to nearly zero. Therefore, we have adopted a layered strategy to manually assign physical locations to core routers. This document provides greater technical detail on the geolocation process we have employed. It outlines our attempt to geolocate IP addresses (and their corresponding routers) for the IXmaps database, details the logic and methods we have employed, and provides current information about parsing specific ISP hostnames. While the geolocation process provides more accurate longitude and latitude than is often provided by Maxmind, it generally remains reliable only at a city level; many corrections place routers at a generic city location instead of in a particular building. These locations are described as the city centre by Wikipedia's WGS84 reference.
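The layered strategy described above can be sketched as follows. This is an added example, not IXmaps code: the override table, the hostname city tokens, the coordinates, the `unknown` label and the sample route are all constructed assumptions, while the `building level`, `city level` and `Maxmind` labels are the geoprecision terms this page uses.

```python
import re

# Constructed lookup tables for illustration (assumptions, not IXmaps data).
BUILDING_OVERRIDES = {"192.0.2.10": (43.6447, -79.3841)}  # manually pinned router
CITY_TOKENS = {                      # hostname token -> approximate city centre
    "tor": (43.65, -79.38),          # Toronto
    "chi": (41.88, -87.63),          # Chicago
}

def geolocate(hop):
    """Return (lat, lon, geoprecision), trying the most precise layer first."""
    if hop["ip"] in BUILDING_OVERRIDES:
        return (*BUILDING_OVERRIDES[hop["ip"]], "building level")
    # Core routers: look for a city token in any hostname label, e.g. "chi01".
    for label in re.split(r"[.\-]", hop.get("hostname") or ""):
        token = label.rstrip("0123456789").lower()
        if token in CITY_TOKENS:
            return (*CITY_TOKENS[token], "city level")
    if hop.get("maxmind"):           # fall back to the commercial database
        return (*hop["maxmind"], "Maxmind")
    return (None, None, "unknown")   # "unknown" is this example's own label

def min_latency(hop):
    """Fastest probe reply in ms; None entries are probes that timed out."""
    rtts = [r for r in hop["rtts_ms"] if r is not None]
    return min(rtts) if rtts else None

def map_route(hops):
    """Attach a location, a geoprecision label and minimum latency to each hop."""
    out = []
    for hop in hops:
        lat, lon, precision = geolocate(hop)
        out.append({"ip": hop["ip"], "lat": lat, "lon": lon,
                    "geoprecision": precision, "min_ms": min_latency(hop)})
    return out

# Constructed traceroute (documentation IP ranges, example.net hostnames).
SAMPLE_ROUTE = [
    {"ip": "192.0.2.1", "hostname": None,
     "maxmind": (43.70, -79.40), "rtts_ms": [1.2, 0.9, 1.1]},
    {"ip": "192.0.2.10", "hostname": "gw1.example.net",
     "maxmind": (43.70, -79.40), "rtts_ms": [3.0, None, 2.7]},
    {"ip": "198.51.100.5", "hostname": "ae-1.core2.chi01.example.net",
     "maxmind": (38.0, -97.0), "rtts_ms": [14.8, 15.2, 14.1]},
    {"ip": "198.51.100.9", "hostname": None,
     "maxmind": None, "rtts_ms": [None, None, None]},
]

if __name__ == "__main__":
    for row in map_route(SAMPLE_ROUTE):
        print(row)
```

The third hop shows why the hostname layer matters: the database guess is a generic point far from the router, and the hostname token replaces it with a city-level location.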
A traceroute measures the route path and transit times of packets across an Internet Protocol (IP) network. For more information see
A common carrier is a company that offers its services to the general public under license or authority provided by a regulatory body. In the context of the telecommunications industry in the United States, telecommunications providers are regulated by the Federal Communications Commission. While internet service providers have successfully argued against being classified as common carriers, they are treated like common carriers in many respects. For more information see common carrier
A carrier hotel, also known as a colocation centre, is a datacentre that provides colocation services, enabling multiple customers to locate networking equipment under the same roof. For more information see colocation centre
Allows multiple customers to locate network, server, and storage gear, while connecting them to a variety of telecommunications and network service providers. For more information see colocation
A facility used to house computer systems and associated components, such as telecommunications and storage systems. Datacentres are classified according to a tier structure, with Tier 1 signifying the simplest configuration (basically a server room) and Tier 4 signifying the most complex operations (designed to host mission critical computer systems). For more information see data center
Internet Exchange Point
A physical infrastructure through which service providers exchange internet traffic between their networks, designed to enable service providers to reduce the portion of their traffic that must be delivered by upstream transit providers, reducing the average delivery cost of their services. For more information see internet exchange point
Refers to the principal data routes between large, strategically interconnected networks and core routers in the internet. These data routes are hosted by commercial, government, academic and other high-capacity network centers, internet exchange points and network access points, that interchange internet traffic between the countries, continents and across the oceans of the world. For more information see internet backbone
An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. IP addresses serve two key functions: host or network interface identification and location addressing. For more information see IP address
An Autonomous System Number (ASN) is the unique number of an Autonomous System (AS), which is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the internet. While there may be multiple Autonomous Systems supported by an ISP, the Internet only sees the routing policy of the ISP. That ISP must have an officially registered Autonomous System Number for use in BGP routing. ASNs are important because they uniquely identify each network on the Internet. For more information see autonomous system
A hostname is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication. Hostnames may be simple names consisting of a single word or phrase, or they may have appended the name of a Domain Name System (DNS) domain, separated from the host specific label by a full stop (dot). In the latter form, a hostname is also called a domain name. For more information see hostname
In computer networking, a packet is a formatted unit of data carried by a packet mode computer network. All communication on the internet involves packets. For example, every Web page that you receive comes as a series of packets, and every e-mail you send leaves as a series of packets. Networks that ship data around in small packets are called packet switched networks. For more information see network packet
A hop represents one portion of the path between a source and its destination. As data is transmitted along a path, passing through routers and other devices, each device causes data to hop from one point-to-point connection to another. For more information see hop
Refers to a range of delays incurred in the processing of networking data. A low latency connection features short delay times, while a high latency connection suffers from long delays. For more information see latency
Tracerouting programs often send multiple packets to the same IP address in an attempt to correct for random error. Minimum latency refers to the amount of time that the fastest packet took to reach a node. For more information see latency
Pinpointing the physical location of a router is difficult. When talking about a location, IXmaps uses the term geoprecision to describe the level of precision with which geolocation has been ascribed. For example, if geoprecision is to 'building level', we believe we can say with some confidence that the router is located within a specific building. More often, however, we are only confident that our geolocation is accurate at a 'city level'. Finally, a geoprecision of 'Maxmind' indicates that we are relying on their geolocation
CLLI codes are assigned and used by the North American telecom industry to designate location and type of hardware used at a particular location. Thus, a CLLI code can occasionally be used to geolocate a router. For more information see CLLI code
Spy Room (6th Floor)
Room 641A is an intercept facility operated by AT&T for the U.S. National Security Agency, beginning in 2003. Room 641A is located in a building at 611 Folsom Street, San Francisco, three floors of which were occupied by AT&T before SBC purchased AT&T. The room was referred to in internal AT&T documents as the SG3 [Study Group 3] Secure Room. It is fed by fiber optic lines from beam splitters installed in fiber optic trunks carrying internet backbone traffic and, therefore, presumably has access to all internet traffic that passes through the building. The existence of the room was revealed by former AT&T technician, Mark Klein, and was the subject of a 2006 class action lawsuit by the Electronic Frontier Foundation against AT&T. For more information see room 641A
Splitter Cabinet (7th Floor)
A fiber optic circuit can be split using splitting equipment to divide the light signal and to divert a portion of the signal into each of two fiber optic cables. While both signals will have a reduced signal strength, after the split both signals still contain the same information, effectively duplicating the communications that pass through the splitter. Starting in February 2003, the "splitter cabinet" split (and diverted to the SG3 Secure Room) the light signals that contained the communications in transit to and from AT&T's Peering Links with the following Internet networks and Internet exchange points: ConXion, Verio, XO, Genuity, Qwest, PAIX, Allegiance, Abovenet, Global Crossing, C&W, UUNET, Level 3, Sprint, Telia, PSINet, and MAE-WEST. MAE-WEST is an Internet nodal point and one of the largest "Internet exchange points" in the United States. PAIX, the Palo Alto Internet Exchange, is another significant Internet exchange point. Internet exchange points are facilities at which large numbers of major Internet service providers interconnect their equipment in order to facilitate the exchange of communications among their respective networks. Through the "splitter cabinet," the content of all the electronic voice and data communications going across the Peering Links [listed above] was transferred from the WorldNet Internet room's fiber optical circuits into the SG3 Secure Room. According to Mark Klein, such "splitter cabinets" were being installed in other cities, including Seattle, San Jose, Los Angeles, and San Diego. For more information see Mark Klein's description