26 May 2006

As reported by CNET News today, an ATT reply memorandum filed with the Court on May 24, 2006 had redactions which could be easily lifted. Below are the redacted sections of the original memorandum with redactions restored.

26 May 2006

This presents a combined document to show probable redactions in the Mark Klein declaration released on May 25, 2006, in the Hepting v. ATT/NSA suit filed by EFF.

Black text is the redacted (shown by xxxxx) declaration by Mark Klein published in court records on May 25, 2006:

Text in green from Mark Klein statement published in Wired, May 22, 2006:

Text in red from Mark Klein statement issued on April 6, 2006 by his attorney:

ELECTRONIC FRONTIER FOUNDATION
CINDY COHN (145997) cindy@efforg
LEE TIEN (148216) tien@efforg
KURT OPSAHL (191303) kurt@efforg
KEVIN S. BANKSTON (217026) bankston@efforg
CORYNNE MCSHERRY (221504) corynne@efforg
JAMES S. TYRE (083117) jstyre@efforg
454 Shotwell Street
San Francisco, CA 94110
Telephone: 415/436-9333
415/436-9993 (fax)

TRABER & VOORHEES
BERT VOORHEES (137623) bv@tvlega1.com
THERESA M. TRABER (116305) tmt@tvlega1.com
128 North Fair Oaks Avenue, Suite 204
Pasadena, CA 91103
Telephone: 626/585-9611
626/577-7079 (fax)

Attorneys for Plaintiffs
[Additional counsel appear following the signature page.]

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

TASH HEPTING, GREGORY HICKS, CAROLYN JEWEL and ERIK KNUTZEN on Behalf of Themselves and All Others Similarly Situated, Plaintiffs,
vs.
AT&T CORP., AT&T INC. and DOES 1-20, inclusive, Defendants.

No. C-06-0672-VRW
CLASS ACTION
DECLARATION OF MARK KLEIN IN SUPPORT OF PLAINTIFFS' MOTION FOR PRELIMINARY INJUNCTION
Date: June 8, 2006
Time: 2:00 p.m.
Court: Courtroom 6, 17th Floor
Judge: The Hon. Vaughn R. Walker, Chief United States District Judge

[REDACTED]

DECLARATION OF MARK KLEIN C-06-0672-VRW -1-

I, Mark Klein, declare under penalty of perjury that the following is true and correct:

1. I am submitting this Declaration in support of Plaintiffs' Motion for a Preliminary Injunction. I have personal knowledge of the facts stated herein, unless stated on information and belief, and if called upon to testify to those facts I could and would competently do so.

2. For over 22 years I worked as a technician for AT&T Corporation ("AT&T"), first in New York and then in California. I started working for AT&T in November 1981 as a Communications Technician.

3. From January 1998 to October 2003, I worked as a Computer Network Associate III at an AT&T facility on xxxxx Street in xxxxxxxxxx.

4. From October 2003 to May 2004 I worked as a Communications Technician at an AT&T facility xxxxxxxxxxxxxxxxxxxxxxxxx (the "xxxxxxxxxxx Facility").

5. Previously, I worked as an AT&T Communications Technician from November 1981 to January 1998. I was assigned to AT&T facilities in New York, New York (November 1981 to December 1990), White Plains, NY (December 1990 to March 1991), Pleasanton, CA (March 1991 to May 1993 and March 1994 to January 1998) and Point Reyes, CA (June 1993 to March 1994).

6. I retired from AT&T in May 2004.

7. AT&T Corp. (now a subsidiary of AT&T Inc.) maintains domestic telecommunications facilities over which millions of Americans' telephone and Internet communications pass every day. These facilities allow for the transmission of interstate or foreign electronic voice and data communications by the aid of wire, fiber optic cable, or other like connection between the point of origin and the point of reception.

8. Between 1998 and 2003 I worked in an AT&T office located on xxxxxx in xxxxxxxx as one of xx Computer Network Associates in the office. The site manager was a management-level technician with the title of xxxxxxxxxxxxxxxxxxxxx (hereinafter referred to as FSS #1). Two other FSS people (FSS #2 and FSS #3) also operated from this office.

9. During my service at the xxxxxxxx facility, the office provided WorldNet Internet service, international and domestic Voice Over IP (voice communications transmitted over the Internet), and data transport service to the Asia/Pacific region.

In October 2003, the company transferred me to the San Francisco building to oversee the Worldnet Internet room, which included large routers, racks of modems for customers' dial-in services, and other equipment. I was responsible for troubleshooting problems on the fiber optic circuits and installing new circuits.

10. While I worked in the xxxxxxxx facility in 2002, FSS #1 told me to expect a visit from a National Security Agency ("NSA") agent. I and other technicians also received an email from higher management xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxx. FSS #1 told me the NSA agent was to interview FSS #2 for a special job. The NSA agent came and met with FSS #2. FSS #1 later confirmed to me that FSS #2 was working on the special job, and that it was at the xxxxxxxx Facility.

In 2002, when I was working in an AT&T office in San Francisco, the site manager told me to expect a visit from a National Security Agency agent, who was to interview a management-level technician for a special job. The agent came, and by chance I met him and directed him to the appropriate people.

11. In January 2003, I, along with others, toured the xxxxxxxx Facility. The xxxxxxxx Facility consists of xxx floors of a building that was then operated by SBC Communications, Inc. (now known as AT&T Inc.).

In January 2003, I, along with others, toured the AT&T central office on Folsom Street in San Francisco -- actually three floors of an SBC building. There I saw a new room being built adjacent to the 4ESS switch room where the public's phone calls are routed. I learned that the person whom the NSA interviewed for the secret job was the person working to install equipment in this room. The regular technician work force was not allowed in the room.

12. While on the January 2003 tour, I saw a new room being built xxxxxxxx xxxxxxxx room. The new room was near completion. I saw a workman apparently working on the door lock for the room. I later learned that this new room being built was referred to in AT&T documents as the "xxxxxxxx Room" (hereinafter the "xxxxxxxx Room"). The xxxxxxxx Room was room number xxx, and measures approximately xx xxxxxx.

In San Francisco the secret room is Room 641A at 611 Folsom Street, the site of a large SBC phone building, three floors of which are occupied by AT&T. High speed fiber optic circuits come in on the 8th floor and run down to the 7th floor where they connect to routers for AT&T's WorldNet service, part of the latter's vital Common Backbone. In order to snoop on these circuits, a special cabinet was installed and cabled to the secret room on the 6th floor to monitor the information going through the circuits. (The location code of the cabinet is 070177.04, which denotes the 7th floor, aisle 177 and bay 04.) The secret room itself is roughly 24-by-48 feet, containing perhaps a dozen cabinets including such equipment as Sun servers and two Juniper routers, plus an industrial-size air conditioner. Plans for the secret room were fully drawn up by December 2002, curiously only four months after DARPA started awarding contracts for TIA.

Photos from Klein statement

While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet circuits by splitting off a portion of the light signal. I saw this in a design document available to me, entitled "Study Group 3, LGX/Splitter Wiring, San Francisco" dated Dec. 10, 2002. I also saw design documents dated Jan. 13, 2004 and Jan. 24, 2003, which instructed technicians on connecting some of the already in-service circuits to the "splitter" cabinet, which diverts some of the light signal to the secret room. The circuits listed were the Peering Links, which connect Worldnet with other networks and hence the whole country, as well as the rest of the world.

13. The 4ESS switch room is a room that contains a 4ESS switch, a type of electronic switching system that is used to direct long-distance telephone communications. AT&T uses the 4ESS switch in this room to route the public's telephone calls that transit through the xxxxxxxx Facility.

14. FSS #2, the management-level technician whom the NSA cleared and approved for the special job referenced above, was the person working to install equipment in the xxxxxxxx Room.

15. In October 2003, the company transferred me to the AT&T xxxxxxxx Facility to oversee the xxxxxxxx Room, as a Communications Technician.

16. In the Fall of 2003, FSS #1 told me that another NSA agent would again visit our office at xxxxxxxx to talk to FSS #1 in order to get the latter's evaluation of FSS #3's suitability to perform the special job that FSS #2 had been doing. The NSA agent did come and speak to FSS #1. By January 2004, FSS #3 had taken over the special job as FSS #2 was forced to leave the company in a downsizing.

The normal workforce of unionized technicians in the office are forbidden to enter the secret room, which has a special combination lock on the main door. The telltale sign of an illicit government spy operation is the fact that only people with security clearance from the National Security Agency can enter this room. In practice this has meant that only one management-level technician works in there. Ironically, the one who set up the room was laid off in late 2003 in one of the company's endless downsizings, but he was quickly replaced by another.

17. The regular AT&T technician workforce was not allowed in the xxxxxxxx Room. To my knowledge, only employees cleared by the NSA were permitted to enter the xxxxxxxx Room. To gain entry to the xxxxxxxx Room required both xxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxx. To my knowledge, only FSS #2, and later FSS #3, had both the xxxxxxx xxxxxxxxxxxxxx. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. We were not given either xxxxx xxxxxxxxxxxxxx for the xxxxxxxxx Room. On one occasion, when FSS #3 was retrieving a circuit card for me from the xxxxxxxx Room, he invited me into the room with him for a couple of minutes while he retrieved the circuit card from a storage cabinet and showed me some poorly installed cable.

18. The extremely limited access to the xxxxxxxx Room was highlighted by one incident in 2003. FSS #1 told me that the large industrial air conditioner in the xxxxxxxx Room was leaking water through the floor and onto xxxx equipment downstairs, but FSS #2 was not immediately available to provide servicing, and the regular technicians had no access, so the semi-emergency continued for some days until FSS #2 arrived.

19. AT&T provides dial-up and DSL Internet services to its customers through its WorldNet service. The xxxxxxxxxx room included large routers, racks of modems for AT&T customers' WorldNet dial-in services, and other telecommunications equipment. The equipment in the xxxxxxxxxx room was used to direct emails, web browsing requests and other electronic communications sent to or from the customers of AT&T's WorldNet Internet service.

20. In the course of my employment, I was responsible for troubleshooting problems on the fiber optic circuits and installing new fiber optic circuits.

21. The fiber optic cables used by AT&T typically consist of up to xx optical fibers, which are flexible thin glass fibers capable of transmitting communications through light signals.

22. Within the xxxxxxxxxx room, high speed fiber optic circuits connect to routers for AT&T's WorldNet Internet service and are part of the AT&T WorldNet's "Common Backbone" (CBB). The CBB comprises a number of major hub facilities, such as the xxxxxxxx Facility, connected by a mesh of high-speed (OC3, OC12, OC48 and some even higher speed) optical circuits.

23. Unlike traditional copper wire circuits, which emit electromagnetic fields that can be tapped into without disturbing the circuits, fiber optic circuits do not "leak" their light signals. In order to monitor such communications, one has to physically cut into the fiber and divert a portion of the light signal to access the information.

24. A fiber optic circuit can be split using splitting equipment to divide the light signal and to divert a portion of the signal into each of two fiber optic cables. While both signals will have a reduced signal strength, after the split both signals still contain the same information, effectively duplicating the communications that pass through the splitter.

25. In the course of my employment, I reviewed two "xxxxxxxxxxxxxxxxxxxxx" documents dated xxxxxxxxxxxxxxxxxxxxxxxxxxxx, which instructed technicians on how to connect the already in-service circuits to a xxxxxxxxxxxxxxxxxxxxxxxxx xxxx from the WorldNet Internet service's fiber optical circuits to the xxxxxxxx Room.

26. A true and correct copy of the "xxxxxxxxxxxxxxxxxxxxx" documents are attached hereto as Exhibits A and B. Exhibit A is the xxxxxxxxxx document, and Exhibit B is the xxxxxxxxxxxxx document.

One of the documents listed the equipment installed in the secret room, and this list included a Narus STA 6400, which is a "Semantic Traffic Analyzer". The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets. The company's advertising boasts that its technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) provides complete visibility for all internet applications."

One 60-page document, identified as coming from AT&T Labs Connectivity & Net Services and authored by the labs' consultant Mathew F. Casamassima, is titled Study Group 3, LGX/Splitter Wiring, San Francisco and dated 12/10/02. (See sample pdf 1-4.) This document addresses the special problem of trying to spy on fiber optic circuits. Unlike copper wire circuits which emit electromagnetic fields that can be tapped into without disturbing the circuits, fiber optic circuits do not leak their light signals. In order to monitor such communications, one has to physically cut into the fiber somehow and divert a portion of the light signal to see the information.

Exhibit A Images from Klein statement

This problem is solved with splitters which literally split off a percentage

of the light signal so it can be examined. This is the purpose of the special cabinet

referred to above: circuits are connected into it, the light signal is split into two signals,

one of which is diverted to the secret room. The cabinet is totally unnecessary for the

circuit to perform-- in fact it introduces problems since the signal level is reduced by the

splitterits only purpose is to enable a third party to examine the data flowing between

sender and recipient on the Internet.

The above-referenced document includes a diagram (pdf 3) showing the splitting of the light signal, a portion of which is diverted to SG3 Secure Room, i.e., the so-called Study Group spy room. Another page headlined Cabinet Naming (pdf 2) lists not only the splitter cabinet but also the equipment installed in the SG3 room, including various Sun devices, and Juniper M40e and M160 backbone routers. Pdf file 4 shows one of many tables detailing the connections between the splitter cabinet on the 7th floor (location 070177.04) and a cabinet in the secret room on the 6th floor (location 060903.01). Since the San Francisco secret room is numbered 3, the implication is that there are at least several more in other cities (Seattle, San Jose, Los Angeles and San Diego are some of the rumored locations), which likely are spread across the U.S.

One of the devices in the Cabinet Naming list is particularly revealing as

to the purpose of the secret room: a Narus STA 6400. Narus is a 7-year-old company

which, because of its particular niche, appeals not only to businessmen (it is backed by

AT&T, JP Morgan and Intel, among others) but also to police, military and intelligence

officials. Last November 13-14, for instance, Narus was the Lead Sponsor for a

technical conference held in McLean, Virginia, titled Intelligence Support Systems for

Lawful Interception and Internet Surveillance.* Police officials, FBI and DEA agents,

and major telecommunications companies eager to cash in on the war on terror had

gathered in the hometown of the CIA to discuss their special problems. Among the

attendees were AT&T, BellSouth, MCI, Sprint and Verizon. Narus founder, Dr. Ori

Cohen, gave a keynote speech. So what does the Narus STA 6400 do?

To implement this scheme, WorldNet's highspeed data circuits already in service had to be re-routed to go through the special splitter cabinet. This was addressed in another document of 44 pages from AT&T Labs, titled SIMS, Splitter Cut-In and Test Procedure, dated 01/13/03 (pdf 5-6). SIMS is an unexplained reference to the secret room. Part of this reads as follows:

A WMS [work] Ticket will be issued by the AT&T Bridgeton Network Operation Center (NOC) to charge time for performing the work described in this procedure document....

This procedure covers the steps required to insert optical splitters into select live Common Backbone (CBB) OC3, OC12 and OC48 optical circuits.

The NOC referred to is in Bridgeton, Missouri, and controls WorldNet operations. (As a sign that government spying goes hand-in-hand with union-busting, the entire CWA Local 6377 which had jurisdiction over the Bridgeton NOC was wiped out in early 2002 when AT&T fired the union workforce and later re-hired them as non-union management employees.) The cut-in work was performed in 2003, and since then new circuits are connected through the splitter cabinet.

Another Cut-In and Test Procedure document dated January 24, 2003,

provides diagrams of how AT&T Core Network circuits were to be run through the

splitter cabinet (pdf 7). One page lists the circuit IDs of key Peering Links which were

cut-in in February 2003 (pdf 8), including ConXion, Verio, XO, Genuity, Qwest,

PAIX, Allegiance, Abovenet, Global Crossing, C&W, UUNET, Level 3, Sprint, Telia,

PSINet, and Mae West. By the way, Mae West is one of two key Internet nodal points in

the United States (the other, Mae East, is in Vienna, Virginia). It's not just WorldNet

customers who are being spied onit's the entire Internet.

Exhibit B Images from Klein statement

My job required me to connect new circuits to the "splitter" cabinet and get them up and running. While working on a particularly difficult one with a technician back East, I learned that other such "splitter" cabinets were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego.

CERTIFICATE OF SERVICE

May 26, 2006

An ATT reply memorandum filed with the Court on May 24, 2006 (Docket No. 141) had redactions which could be easily lifted by highlighting the redaction strips, copying and pasting to reveal the underlying text. After being contacted by CNET News, ATT asked the Court to block access to the original memorandum and filed a replacement that cannot be manipulated (Docket No. 150). Here are the redacted sections of the original memorandum with redactions restored shown in red.

[Beginning at the bottom of page 12:]

Plaintiffs contend that the Klein Declaration is itself sufficient to make out a prima facie case on their statutory claims. But even if one focused only on the two claims as to which plaintiffs make any argument, the Court could not determine the validity of those claims without first evaluating information covered by the government's state secrets assertion. Plaintiffs' suggestion that they need only show that certain communications have been split off into a "secret room" strips multiple elements from the statutes on which their claims are based and glosses over numerous issues that would have to be explored if their claims were ever to be fully litigated.

AT&T cannot confirm or deny any of the facts on which plaintiffs' complaint is based. But it is certain that the Klein Declaration and its associated exhibits are insufficient to demonstrate any illegal conduct by AT&T. Plaintiffs offer no evidence regarding what, if anything, actually happens to any data once it allegedly enters the alleged "secret room." Plaintiffs' purported expert provides merely "suggestive" configurations between unknown equipment in an AT&T facility. See Declaration of J. Scott Marcus In Support of Motion for Preliminary Injunction (Dkt. 32) ¶ 74. His strongest opinion, explicitly based "in terms of media claims" is conditioned entirely on a supposition: "if the government is in fact in communication with this infrastructure." Id. ¶ 39. Plaintiff's purported expert, of course, has no knowledge whether this is true or not.

Even accepting their allegations as true, plaintiffs' declarations fail to establish their claims. Key factual issues that bear directly on the viability of their legal claims and AT&T's defenses are subject to the Government's state secrets assertion and are unavailable. Without either confirming or denying the plaintiffs' assertions, AT&T notes that the facts recited by plaintiffs are entirely consistent with any number of legitimate Internet monitoring systems, such as those used to detect viruses and stop hackers. Although the plaintiffs ominously refer to the equipment as the "Surveillance Configuration," the same physical equipment could be utilized exclusively for other surveillance in full compliance with the terms of FISA which even the plaintiffs themselves would not contend is unlawful. See id. ¶ 40 ("The SG3 Configurations could be used for a number of legitimate purposes."). The mere existence of these so-called configurations, even if plaintiffs' allegations were accurate, would not by itself be prima facie evidence of what if any information is intercepted or divulged or by whom. And it certainly is not prima facie evidence of any illegality. Plaintiffs fail to establish even a prima facie case that there has been an "interception" of "contents" within the meaning of 18 U.S.C. § 2510(4) & (8), whether there has been "electronic surveillance" within the meaning of 50 U.S.C. § 1801(f), and whether particular statutory exemptions do not apply, see, e.g., 18 U.S.C. § 2702(c). Certainly nothing compels the inference that the contents of communications of "millions of ordinary Americans," (Motion for Preliminary Injunction (Dkt. 30) at 11), have been divulged to the government, in contradiction of the government's statement that communications are intercepted only if the government has "a reasonable basis to conclude that one party to the communication is a member of al Qaeda," or otherwise affiliated with al Qaeda. Press Briefing by Attorney General Alberto Gonzales and General Michael Hayden, Plaintiffs' Request for Judicial Notice (Attachment 2) (Dkt. 20).

[Redactions end mid-page 14.]

Accordingly, without admitting or denying any factual assertions by the plaintiffs, it is clear they lack even prima facie evidence of any governmental interception or electronic surveillance of any communications much less any illegal activity. No such evidence could possibly be developed without delving deeply into matters covered by the government's existing state secrets assertion.
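The redaction failure described above (text still selectable beneath the redaction strips) can be caught before a document is filed. The following is an added example, not part of the original page or of any court filing: a simplified check that walks a PDF page content stream and reports text that is still present where a filled rectangle hides it. It assumes an uncompressed stream using only the `Td`, `Tj`, `Tf`, `rg`/`g`, `re` and fill operators; the two sample streams and all function names are constructed for illustration.

```python
import re

# Constructed, simplified page content streams (not taken from any court filing).
# OVERLAY: the second line is "redacted" only by a black bar painted on top of it.
OVERLAY_STREAM = rb"""
BT /F1 12 Tf 0 0 0 rg
72 700 Td (Plaintiffs contend that the declaration is sufficient.) Tj
0 -20 Td (CONSTRUCTED SENSITIVE SENTENCE) Tj
0 -20 Td (This line was never meant to be hidden.) Tj
ET
0 0 0 rg 70 676 300 16 re f
"""
# REMOVED: the sensitive text object was deleted before the bar was drawn.
REMOVED_STREAM = rb"""
BT /F1 12 Tf 0 0 0 rg
72 700 Td (Plaintiffs contend that the declaration is sufficient.) Tj
0 -40 Td (This line was never meant to be hidden.) Tj
ET
0 0 0 rg 70 676 300 16 re f
"""

# Tokens: literal string (no nested parentheses), name, number, operator.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|/[^\s()/\[\]<>]+|[-+]?\d*\.?\d+|[A-Za-z*]+")


def find_covered_text(stream: bytes) -> list:
    """Return text runs that remain in the stream but lie under a filled rectangle."""
    stack, path, fills, runs = [], [], [], []
    colour, x, y, size = (0.0, 0.0, 0.0), 0.0, 0.0, 0.0  # PDF default fill is black
    for order, match in enumerate(TOKEN.finditer(stream)):
        tok = match.group()
        if tok[:1] == b"(":
            stack.append(tok[1:-1].decode("latin-1"))
        elif tok[:1] == b"/":
            stack.append(tok.decode("latin-1"))
        elif tok[:1] in b"+-.0123456789":
            stack.append(float(tok))
        else:
            op = tok.decode("latin-1")
            if op == "rg":
                colour = tuple(stack[-3:])
            elif op == "g":
                colour = (stack[-1],) * 3
            elif op == "BT":
                x = y = 0.0
            elif op == "Tf":
                size = stack[-1]
            elif op == "Td":  # move relative to the start of the current line
                x, y = x + stack[-2], y + stack[-1]
            elif op == "Tj":
                runs.append((order, stack[-1], x, y, size, colour))
            elif op == "re":
                path.append(tuple(stack[-4:]))
            elif op in ("f", "F", "f*", "B", "B*"):
                fills += [(order, rect, colour) for rect in path]
                path = []
            elif op in ("n", "S", "s"):
                path = []
            stack = []  # operands are consumed by each operator

    findings = []
    for t_order, text, tx, ty, tsize, tcol in runs:
        for f_order, (rx, ry, rw, rh), fcol in fills:
            inside = rx <= tx <= rx + rw and ty < ry + rh and ty + tsize > ry
            # Hidden if the bar is painted later, or the text has the bar's colour.
            if inside and (f_order > t_order or fcol == tcol):
                findings.append(text)
                break
    return findings


if __name__ == "__main__":
    print("overlay only :", find_covered_text(OVERLAY_STREAM))
    print("text removed :", find_covered_text(REMOVED_STREAM))
```

A non-empty result means the page is covered rather than redacted; the fix is to delete the text objects themselves (or rasterize the page) before drawing the bar.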