TEMPEST: Why the Government Classified the Fact That Your Devices Talk

TEMPEST is the NSA’s code name for the investigation and mitigation of compromising electromagnetic emanations from electronic equipment. The program has existed since at least the 1950s. Its full scope remains classified. What is publicly known establishes a principle that TFRi considers foundational: every electronic device emits electromagnetic radiation as a byproduct of its operation, and that radiation contains readable information about what the device is doing. The government considers this fact serious enough to classify the countermeasures, build a multi-billion-dollar industry around shielded equipment, and require TEMPEST certification for facilities handling classified information. Your phone, laptop, and smart home devices emit the same type of emanations. The government does not consider your emanations worth protecting.

The Principle

Every electronic device — every processor, display, keyboard, cable, and circuit board — emits electromagnetic radiation as a consequence of the electrical currents flowing through its components. These emissions are not random. They correlate with the device’s internal operations: the image displayed on a monitor, the keys pressed on a keyboard, the data transmitted through a cable, the computations performed by a processor. The emissions are unintentional but not uninformative. They are, in signals intelligence terminology, “compromising emanations” — electromagnetic signals that compromise the security of the information being processed by leaking it into the ambient electromagnetic environment.

The principle was publicly demonstrated in 1985 by Dutch computer researcher Wim van Eck, who published a paper showing that the image displayed on a CRT computer monitor could be reconstructed at a distance using commercially available radio equipment. The technique — now called “van Eck phreaking” — required no physical access to the target computer, no network connection, no software exploit. It required only a radio receiver tuned to the frequency of the monitor’s electromagnetic emanations, positioned within range (van Eck demonstrated reception at distances of hundreds of meters).

Van Eck’s paper made the principle public. But the principle had been known to intelligence agencies for decades. The NSA’s TEMPEST program predates van Eck’s publication by at least thirty years. Declassified references to TEMPEST-related concerns appear in documents from the 1950s. The full history of the program — when the vulnerability was first identified, how it was exploited, what countermeasures were developed — remains classified.

The Countermeasures

TEMPEST countermeasures are, at their core, electromagnetic shielding applied at institutional scale. The approaches include:

Shielded enclosures: Rooms and buildings designed as Faraday cages — continuous metal enclosures that prevent electromagnetic emanations from escaping. Government facilities handling classified information (Sensitive Compartmented Information Facilities, or SCIFs) are required to meet TEMPEST shielding standards. The shielding is tested and certified to specific attenuation levels across defined frequency ranges.

Shielded equipment: Computers, monitors, printers, and other devices designed to minimize electromagnetic emanations through internal shielding, filtering, and design techniques that reduce the correlation between internal operations and external emissions. TEMPEST-certified equipment costs significantly more than commercial equivalents — the premium is the cost of the shielding.

Emanation security (EMSEC) protocols: Operational procedures governing the placement of equipment relative to facility boundaries, the separation of classified and unclassified systems, and the management of cables and connections to minimize emanation pathways.

The TEMPEST certification program — administered by the NSA — defines multiple protection levels (TEMPEST Levels I, II, and III, corresponding to different threat environments and required attenuation levels). The standards themselves (NSTISSAM TEMPEST/1-92 and related documents) are partially declassified, with the specific attenuation requirements and test procedures remaining classified.

The Asymmetry

TFRi’s interest in TEMPEST is not primarily technical. It is institutional. The TEMPEST program demonstrates, through the government’s own behavior, that electromagnetic emanations from electronic devices contain exploitable information and that electromagnetic shielding is the appropriate countermeasure. The government does not consider TEMPEST a theoretical concern — it spends billions of dollars on it. The shielding is real. The threat is real. The countermeasure works.

The asymmetry is this: the government shields its own devices, facilities, and personnel from electromagnetic emanations. It does not extend similar protection — or similar concern — to the general public. Your phone emits electromagnetic emanations that correlate with your activities, your communications, and your location. These emanations are readable by anyone with appropriate equipment — which, since van Eck’s 1985 paper, means anyone with commercially available radio hardware. No agency has proposed TEMPEST-equivalent protection for consumer devices. No standard requires that your phone minimize its compromising emanations. The government’s assessment — electromagnetic emanations are a serious security concern warranting billions in countermeasures — applies only to the government’s own information. Your information, apparently, is not worth protecting.