National Security Agency, SID Today - MASTERSHAKE: Locating Terrorists at Internet Cafes , May 26, 2005. Top Secret.
National Security Archive
A declassified 2005 NSA memo shows how satellite‑modem data turned Iraqi internet cafés into pinpointable hunting grounds for insurgents.
Source: National Security Agency, SID Today - MASTERSHAKE: Locating Terrorists at Internet Cafes , May 26, 2005. Top Secret. Date: May 26, 2005 Archive: The Intercept Collection: Cyber Vault: DOD's Information Operations Condition Oct 4, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Satellite‑Modem Playbook for the Counter‑Insurgency
The declassified NSA brief titled MASTERSHAKE: Locating Terrorists at Internet Cafés is a snapshot of a very specific intelligence‑collection effort launched in the wake of the 2003 invasion of Iraq. Drafted on 26 May 2005, the document was circulated within the Signals Intelligence Directorate (SID) and its Network Analysis Center (N31SD) as a “SID today” briefing—a routine internal memo meant to inform analysts and field operators about emerging tools. Its immediate catalyst was a senior‑level meeting in Baghdad between SID leaders and the U.S. Embassy’s Chargé d’Affaires, who, according to the memo, repeatedly asked, “Where is Zarqawi?” The question reflects the pressure on Washington to track Abu Musab al‑Zarqawi, the al‑Qaeda‑in‑Iraq mastermind whose high‑profile attacks in 2004–2005 had made him a symbol of the insurgency’s lethality.
The broader cyber‑surveillance campaign
MASTERSHAKE belongs to a larger, often‑overlooked chapter of the Iraq war: the systematic exploitation of civilian internet infrastructure to pinpoint insurgent communications. By 2005, roughly three‑quarters of Iraqi public internet access was provided through satellite‑dish modems using Digital Video Broadcast‑Satellite (DVBS) technology. These devices required “rough” geolocation data for licensing, creating a breadcrumb trail that U.S. SIGINT analysts could follow. The memo describes how the NSA’s MASTERSHAKE database aggregated technical specifications, manufacturer records, and installation addresses for more than 9,000 satellite modems across the Middle East and Africa, cross‑referencing them with MAC‑address identifiers to achieve seat‑level precision in over 50 cafés.
The system did not operate in a vacuum. It fused feeds from X‑Keyscore, the NSA’s massive data‑mining platform, and linked them to the TRAFFICTHIEF alert system, which pushed near‑real‑time notifications to analysts and combat units. The document cites a concrete outcome: in December 2004 a high‑value target known only as “Hamzah” was traced to a Ramadi café; a subsequent TRAFFICTHIEF tip led to the arrest of two suspects a month later. According to the brief, MASTERSHAKE had already underpinned more than 80 SIGINT‑enabled operations, suggesting that the tool was not an experimental prototype but an operational workhorse.
What the brief reveals about mindset and methodology
The language of the memo is unapologetically pragmatic—“Zeroing in on terrorists who use public internet terminals” reads like a mission statement. It underscores a shift from traditional battlefield intelligence to a hyper‑granular, network‑centric approach that treats a coffee‑shop terminal as a tactical node. The emphasis on “seat‑level identification” hints at an ambition to move beyond city‑wide targeting to the exact chair a suspect occupies, a capability that would only be possible through the convergence of satellite‑modem metadata, MAC‑address tracking, and real‑time traffic analysis.
Equally telling is the bureaucratic framing: the brief is marked TOP SECRET//SI//TK and limited to the Five Eyes partners, reflecting how the United States leveraged its intelligence‑sharing alliances to expand the reach of MASTERSHAKE. The mention of “TRAFFICTHIEF” and “SIGINT‑enabled surveillance” indicates a tightly integrated workflow where raw data, analytical tools, and operational decision‑makers were linked in a feedback loop designed to produce rapid kinetic outcomes.
Legacy and contemporary relevance
Although the memo’s declassification date (8 March 2032) places it well beyond the official end of major combat operations in Iraq, the operational concepts it codifies endure. Modern counter‑terrorism and counter‑insurgency efforts continue to rely on geolocating digital footprints, now extended to mobile‑phone towers, Wi‑Fi hotspots, and even Bluetooth beacons. The MASTERSHAKE model—cataloguing hardware identifiers, fusing commercial‑supplier data, and delivering seat‑level alerts—presaged today’s “digital forensics at the edge” practices used in both military and law‑enforcement contexts.
Moreover, the brief raises enduring questions about privacy, sovereignty, and the militarization of civilian cyberspace. By turning ordinary internet cafés into surveillance nodes, the United States effectively weaponized a public utility, a tactic that would later surface in debates over “cell‑site simulators” and “metadata harvesting” in the post‑9/11 era. Understanding MASTERSHAKE helps trace the genealogy of these contested practices, reminding us that today’s debates over digital privacy are rooted in the tactical exigencies of early‑2000s counter‑terrorism.
In sum, the MASTERSHAKE briefing is a microcosm of the intelligence community’s rapid adaptation to a networked battlefield. It illustrates how a seemingly mundane piece of infrastructure—satellite‑modem‑equipped internet cafés—was transformed into a high‑value intelligence asset, and it foreshadows the data‑driven, hyper‑targeted surveillance that defines much of today’s security landscape.
DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL
SID today (TS//SI) MASTERSHAKE: Locating Terrorists at Internet Cafés FROM: [illegible] SIGDEV/Network Analysis Center (S31SD) Run Date: 05/26/2005
Zeroing in on terrorists who use public internet terminals. (TS//SI)
(S//SI) During a recent TDY to Iraq, a group of SID leaders met with the Charge D'Affairs at the embassy in Baghdad. As related by MG Quirk, the official "spent a lot of time with us, and was very forthcoming with his needs." The first three priorities on his list were "Where is Zarqawi?", "Where is Zarqawi?" and "Where is Zarqawi?" (See the article MGQ's Notes from the Field .)
(TS//SI) So what is SID doing to help locate terrorists in Iraq? One effort underway is a project called MASTERSHAKE. MASTERSHAKE maintains detailed technical information, as well as business-related information, for devices which provide connectivity to the public Internet. The vast majority of Iraqi Internet cafés are connected to the public Internet via satellite dishes and modems which use Digital Video Broadcast - Satellite (DVBS) technologies. As a product of the way these connections are made, providers who operate these hubs and their services require "rough" geolocation information for the installation of the modem. MASTERSHAKE targets the entire business chain, from manufacturer to Internet café installation, to ascertain any and all available data regarding this geolocation, the network connectivity of the modem, as well as the actual physical location of the installation.
(TS//SI) That's not the only source for that information, though! MASTERSHAKE also fuses a variety of data sources from across SID organizations and intelligence agencies to enrich its knowledge of each particular installation. Additionally, Network Analysis Center (NAC) analysts are using RAD's X-Keyscore system to develop more precise location information by studying the entirety of the network environment being served by each of these modems.
(TS//SI) MASTERSHAKE enriches and maintains all of this technical and geolocation information and uses a unique hardware identifier of the satellite modem, called the Media Access Control (MAC) address, to provide target offices with its best knowledge of the actual physical destination of each and every session in which they see identifiers relating to their target. In some cases, MASTERSHAKE can locate the target to a particular seat within an Internet café. Currently, MASTERSHAKE contains:
- Technical detail on over 9,000 satellite modems in the Middle East and Africa, many locatable to a particular city
- Precise location information on over 400 Internet cafés
- Seat-level identification for over 50 cafes
(TS//SI) The locational information is accessible locally, as well as provided to TRAFFICTHIEF, a system that provides near real-time alerts to analysts and war fighters on the ground telling them when and where high-value targets are active on the global net if detected via any SIGINT access such as SCS , TAO , RFO , SSO , etc. (See related article .) This information is used by local and regional analysts to inform forward deployed elements so that they can conduct surveillance and rendition operations.
(TS//SI) To date, MASTERSHAKE has been a part of over 80 SIGINT-enabled operations which have resulted in numerous arrests, and information from MASTERSHAKE contributes daily to operations in Iraq. Here's one example: In late December 2004, counterterrorism target "Hamzah" sent messages from a computer geolocated to a café in Ramadi, and the café was put under SIGINT-enabled surveillance. On 15 January 2005, two counterterrorism targets went to the internet café and began using "messenger" services. A TRAFFICTHIEF tipper -- incorporating MASTERSHAKE locational information -- was issued, and [illegible] the two men
were arrested. (U//FOUO) If you have questions about MASTERSHAKE, please contact of the Network Analysis Center at
"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL_sid_comms)."
DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu