January 26, 2021

The phones in president Biden's Oval Office

(Updated: February 21, 2021)

On January 20, Joseph R. Biden Jr. was inaugurated as the 46th president of the United States. As such he has access to the presidential communications system, including secure and non-secure telephone lines.

Here, I will discuss a small and unnoticed change in the telephones on the desk of the new president, as well as what happened to the call device that became known as Trump's "Diet Coke Button".

President Joe Biden in the Oval Office, January 20, 2021.
(click to enlarge)

The telephones on Biden's desk

Already on his first day as president, Biden went to the Oval Office of the White House to sign a range of executive orders.

By then, this famous room had already been redecorated with new paintings, busts and photographs, while Trump's beige rug had been replaced by the deep blue one from Bill Clinton's Oval Office. The flags of the five branches of the US Armed Forces have also been removed.

A close look at the photos shows that there was also a small change in the telephone equipment. On Biden's presidential desk there are now two identical phone sets, which can be identified as the high-end Cisco IP 8851 Phone:

Both phones are not the standard commercially available model, however, as they have been modified by a small communications security company called Advanced Programs, Inc. (API). This can be recognized by the dark gray metal box at the back side of the phone's color display and an additional red button on the front panel of the phone:

The purpose of these modifications is to provide on-hook security for the handset and the speakerphone and probably also for TEMPEST protection - to make sure that the phone cannot, either accidentally or deliberately, pick up and transmit audio when the handset is on-hook.

Comparing the two phones on Biden's desk with the ones used by president Trump, we see that under Trump only one of the Cisco 8851 IP phones had the aforementioned modifications. The other phone was the standard model:

Former president Donald Trump in the Oval Office, December 3, 2020.
(photo: Doug Mills/The New York Times - click to enlarge)

Unclassified phone calls

The modified Cisco 8851 IP phone was placed on the president's desk by the end of 2016, replacing an old Avaya/Lucent 8520T of the internal White House telephone network which is used for all kinds of unclassified phone calls.

This telephone connects to the regular White House switchboard in the basement of the Eisenhower Executive Office Building, where operators can set up calls to whoever the president wants to speak with.

Classified phone calls

The standard, unmodified Cisco 8851 IP phone on Trump's desk was part of the highly secure Executive Voice over Secure IP-network connecting the president to all major decision makers, like the secretaries of State, Defense and Homeland Security, as well as the Director of National Intelligence and various intelligence agency headquarters and watch centers.

This telephone replaced an old Cisco 7975 IP phone in September 2017 and connects to the so-called Signal switchboard of the White House Communications Agency (WHCA). The WHCA is a joint military unit that provides the president with secure and non-secure communications in Washington as well as during presidential travels. The Signal board also connects to the White House Situation Room.

Despite being used for classified conversations, the Cisco 8851 IP phone for secure calls wasn't equipped with the additional security features like the non-secure telephone - probably because secure calls travel over a separate, encrypted network, which mitigates the risk that adversaries can abuse the phone's microphones for eavesdropping.

But now, under president Biden, the phone for secure calls also has the modifications for on-hook security. Maybe this was considered safer, or maybe it's just to make both phone sets look the same, so outsiders cannot see whether the president is making a classified or an unclassified phone call based upon which telephone he is using.

Usually, the phones for the secure top-level telephone network can be recognized by a bright yellow faceplate, as can be seen at the modified Cisco IP phone that is used when the president is outside the White House, for example.

Yellow is the color code for the highest classification category: Top Secret/SCI, but in the Oval Office this would probably stand out too much, so here this phone just has the presidential seal in the bottom left corner of the black display section:

Close-up of the presidential seal on a Cisco 8851 IP phone

Update #1:

Around the first of February 2021, there was another small change in the phone on Biden's desk in the Oval Office: as can be seen in the picture below, the Cisco IP phone on the left, probably the one for unclassified conversations, now has an Key Expansion Module attached to it, which provides 14 additional programmable direct line buttons.

President Biden's desk in the Oval Office. One of the Cisco 8851 IP phones
having an additional Key Expansion Module, February 2, 2021
(photo: AFP via Getty Images - click to enlarge)

Under Obama, the old Cisco 7975 IP Phone for secure calls had a similar expansion module, but under president Trump that module was removed. Apparently he saw no need for having the extra direct line buttons, probably because he could always make calls via the White House switchboard operator, but it also symbolized that there was only a very small group of people he was in contact with.

Update #2:

On February 18, 2021, the White House released a photo in which we see president Biden in the office of his secretary, just outside the Oval Office. On the desk in front of him are the same modified Cisco 8851 IP phone sets as on his own desk, although here, both have an additional Key Expansion Module.

In the Oval Office, the phones have brown network cables to blend in with the furniture, but in the secretary's office the cables are color-coded: green for the Unclassified network and yellow for the Top Secret/SCI telephone network:

President Biden watches the landing of NASA's Perseverance vehicle on Mars
(White House photo, February 18, 2021 - click to enlarge)

The president's call button

While the small change in phones wasn't noticed, there was quite some media attention for something that appeared missing on the desk of president Biden: the wooden box with the presidential seal and a red push-button, which became known as Trump's "Diet Coke Button".

The removal of this box was just temporarily though, because meanwhile it has been placed back on the president's desk, as can be seen in this photo from January 25:

President Joe Biden at his desk in the Oval Office, January 25, 2021
(click to enlarge)

Trump's "Diet Coke Button"

There are a lot of stories about how president Trump used the button. Former White House communications aide Cliff Sims, for example, wrote in his 2019 book Team of Vipers that Trump would prank visitors by hitting the button and suggesting it was related to the country’s nuclear weapons arsenal.

"Out of nowhere, he'd suddenly press the button," Sims wrote. "Not sure what to do, guests would look at one another with raised eyebrows" he added. "Moments later, a steward would enter the room carrying a glass filled with Diet Coke on a silver platter, and Trump would burst out laughing."

On Twitter, Times Radio political commentator Newton Dunn recalled a similar situation: "When Tim Shipman and I interviewed Donald Trump in 2019, we became fascinated by what the little red button did. Eventually Trump pressed it, and a butler swiftly brought in a Diet Coke on a silver platter."

Trump's glass of Diet Coke in front of the Cisco 8851 IP phone for secure calls
(photo: Jonathan Ernst/Reuters - click to enlarge)

Earlier usage of the call button

The box with the button is in the Oval Office already since the presidency of Bill Clinton and it's not only on the president's desk, but also on a side table in the seating area and in the small presidential dining room nearby the Oval Office.

The button has nothing to do with nuclear command and control, but can be used by the president to summon assistance. According to earlier sources, it was meant to alert the Secret Service, while others say that pushing the button makes an aide come in for whatever the president may need.

In his autobiography Finding My Virginity from 2017, billionaire Richard Branson recalled what president Obama once said during a lunch in the Oval Office: "As we stood up to leave I noticed the red buttons on his desk. Obama saw me looking at them," Branson wrote. "He said, 'They used to be there for emergencies, but now I use them for ordering tea for my guests.' "

President George W. Bush in the small dining room near the Oval Office
On the table is the wooden box with the call button
(click to enlarge)

Links & sources

- Homepage of the White House Communications Agency
- Politico: Trump hid his calls with Putin. Now, Biden has access to them. (2021)
- Secrecy News: Biden Issues National Security Directive 1 (2021)
- Reuters.com: Phone calls with Trump: more risky venture than diplomatic boon (2019)
- People.com: Richard Branson Reveals the Real Purpose for Barack Obama's Oval Office Red Button (2017)
- The Week: Who answers the White House phone, anyway? (2010)
- The New York Times: Whitehouse; A Switchboard That is Justly Fabled (1983)

December 30, 2020

The report of a Swiss investigation into the case of Crypto AG

Last month, the Swiss parliamentary intelligence oversight committee published a report about its investigation into the case of Crypto AG, the former Swiss manufacturer of encryption systems that was secretly owned by the CIA and the German BND.

The committee found that the Swiss foreign intelligence service knew about this covert ownership since 1993 and used its knowledge to decrypt foreign communications, but failed to inform the responsible minister about the case.

Here I will provide a translation of the summary of this report as well as some interesting additional details from the rest of the committee's report about Crypto AG in relation to the Swiss government.

Summary of the Crypto AG report

The Swiss parliamentary audit committee for national security and the intelligence services (German: Geschäftsprüfungsdelegation or GPDel) started its investigation on February 13, 2020 and published its 64-page report about the Crypto AG case on November 10, in a French (pdf) and a German (pdf) version.

Below is a translation of the summary of this report, made from the German version by using Google Translate with the necessary manual corrections. I added some links and additional details in square brackets, as well as subheadings in bold italics for easier navigation of the text.

The case of Crypto AG
Report of the audit committee of the Federal Assembly

from November 2, 2020

The essentials in brief

Since the Fall of 1993, the Strategic Intelligence Service (German: Strategischer Nachrichtendienst or SND) managed to get reliable information about Crypto AG. It learned that the company was owned by foreign intelligence agencies and exported "weak" devices, the encryption of which could be broken with a realistic effort.

In order to be able to break the encryption of such devices itself, the SND began to gather technical information about their encryption methods and customer lists. Later, when the SND had become a civilian office, it managed to get enduring access to this knowledge with the consent of the American intelligence agencies.

Legal situation

From a legal point of view, the parliamentary audit committee (GPDel) therefore sees it as an intelligence cooperation, like in the past it was provided in the military law and today in the Intelligence Service Act (Nachrichtendienstgesetz or NDG). From the fact that the SND and the American agencies acted by mutual agreement, it follows that the Swiss authorities share responsibility for the activities of Crypto AG.

It was legally allowed that the SND and a foreign intelligence agency used a company in Switzerland to gather information about foreign countries. Given the big political implications of this cooperation, however, the GPDel considers it wrong that except for the current head of the Federal Department of Defence, Civil Protection and Sport (VBS) none of her predecessors were informed about this operation.

The east wing of the Federal Palace (Bundeshaus) in Bern, Switzerland,
home of the Federal Department of Defence, Civil Protection and Sport (VBS)
(photo: Mike Lehmann/Wikimedia Commons - click to enlarge)

Police investigation

In addition, the SND's findings on Crypto AG during the Bühler affair, which was investigated by the federal police (Bundespolizei or BuPo) in 1994 and 1995, should not have been withheld from the political leadership. The head of the federal military department (EMD) at the time did not learn the truth about Crypo AG via other ways either, as he explained to the GPDel.

The GPDel also did not found any evidence that the government unduly influenced the investigations by the BuPo. Rather, the head of the Federal Department of Justice and Police (EJPD) made an effort to clarify the ownership of the company. Ultimately, however, the BuPo had to stop its investigations without being able to answer this question.

In 1994, the GPDel was informed repeatedly about the ongoing investigations of the BuPo. Just like the military and political superiors of the SND, the GPDel did not learn anything from the foreign intelligence service related to Crypto AG. The company was never subject of the information provided by the Defense Department (VBS) when the overall supervisor specifically dealt with the topic of cryptology in 2007 and 2009.

Storage and destruction of documents related to Crypto AG

Especially valuable for the inspection of the GPDel were the operational files of the SND and the BuPo, which the federal intelligence service (Nachrichtendienst des Bundes or NDB) stored in a converted K-Anlage [Kriegsanlage, a well-hidden former command bunker of the Swiss army near Bern]. Their archiving in accordance with the applicable regulations is still pending. Due to the archiving practice of the intelligence services, however, there is no guarantee that all important documents are still available.

The destruction of such records was in part allowed by law and regulations, but in some cases it contradicted them. Between 2011 and 2014, the NDB destroyed documents from their correspondence with foreign partner services, instead of storing them internally as prescribed. Its inspection showed the GPDel that the destruction of files by the intelligence service is not an effective method for source protection. Rather, there is a risk that former sources can be compromised when authorities don't have the proper information.

Foreign espionage under the guise of a Swiss company

Companies and organizations that operate on Swiss soil benefit from Switzerland's image as a neutral state. Accordingly, foreign intelligence services may have an interest to operate under the guise of a Swiss company to the detriment of other countries.

Under certain circumstances, such a company can be guilty of the criminal offense of forbidden intelligence service against foreign states. However, such an operation is permissible under applicable law when a foreign agency uses such a company together with the NDB to collect information about foreign countries (cf. Art. 34 Para. 2 NDG).

In the view of the GPDel, planning such an operation should include a political assessment of the possible consequences for Switzerland, as well as for any affected employees of the company. The Federal Council (Bundesrat) should therefore clarify in principle how much room for maneuver it wants to grant the Defense Department (VBS) in this regard.

Not enough attention for the supply of secure encryption devices

The case of Crypto AG shows that companies under the influence of foreign intelligence services can produce devices with “weak” encryption methods. However, the GPDel assumes that Crypto AG has never supplied the “weak” encryption equipment to the Swiss authorities. Important in this case was that the Swiss authorities were able to inspect the security of the purchased devices or even influence their design. However, this is only possible with suppliers who develop and manufacture their devices in Switzerland.

For security reasons, it is not responsible for the federal government to purchase encryption solutions from foreign suppliers. Right from the start, the Federal Council did not pay the necessary attention to the role that domestic suppliers play in ensuring the availability of secure encryption technology for the Swiss authorities. As the responsible department, the Defense Department (VBS) didn't analyze the risks for a reliable supply in time and informed the Federal Council about this matter.

Access to Crypto AG at the management of the intelligence services

The information access to the Crypto AG was a well-kept secret at the management level of the SND. But when the Federal Intelligence and Security Service (NDB) was created [in 2010], this knowledge remained hidden for its first director. When confronted with this a few years later, he refused to take his responsibility.

It was only in the summer of 2019 that the current director commissioned a position paper for this case, although he was not informed by his predecessor and it was still before the NDB learned from the research of the media about Crypto AG. However, he did not use this informational advantage to uncover the relations between Crypto AG, the NDB's predecessors and the American intelligence agencies. Instead of clarifying the legal situation and recognizing the political implications, the NDB downplayed the relevance of the Crypto AG case for the current organisation.

The Defense Department (VBS), which already informed the Federal Council and the GPDel in November 2019, did not succeed in identifying the need for political action. The interdepartmental working group, which the VBS also set up, was not able to support the political leadership because of the reluctance of the NDB to provide information for the looming intelligence affair.

In its application for the Federal Council meeting on December 20, 2019, the Defense Department asserted that the level of information was insufficient for a substantive discussion about the case of Crypto AG. After finding the files in the K-Anlage, about which the Defense Department had informed the Federal Council, this finding was no longer valid.

Since the NDB had not evaluated the extensive files before the Federal Council meeting, the Council decided to establish an external committee of experts to clarify the apparently purely historical questions. With this, the Federal Council gave the strategic leadership for dealing with the Crypto AG case of the hand from the start.

Ending the parallel investigation by judge Oberholzer

When the GPDel opened its inspection on February 13, 2020, former federal judge [Niklaus] Oberholzer had been active as an external expert on behalf of the Federal Council for a month, but without having access to the files from the K-Anlage. After the GPDel had requested all relevant files from the NDB, it recognized that the Crypto AG case went beyond pure history and was of current importance. This proved the approach of the defense department, to examine the historical and current aspects of the case separately, as not very effective.

Given the various parallel investigations, the GPDel considered it necessary to discuss the unresolved coordination issues with the head of the Defense Department before the work was continued. However, when the Defense Department expanded the scope of the Oberholzer investigation before to the meeting agreed with the GPDel, the GPDel revoked its authorization to the Federal Council to commission Mr Oberholzer on February 21, 2020. As an investigative officer for the GPDel, he then reported on the intelligence-related aspects of the Crypto AG case in a secret report for the GPDel.

On February 25, 2020, the GPDel discussed its revocation of the authorization with the head of the Defense Department. The subsequent written exchange with the Federal Council led to a meeting with the federal president and the head of the Defense Department on May 25, 2020, where the GPDel provided information about the most important facts about the role of the intelligence services in the case of Crypto AG. In a classified letter this information was also brought to the attention of the Federal Council.

Former headquarters of Crypto AG in Steinhausen, Switzerland
(photo: Keystone - click to enlarge)

Suspension of the export licenses for Crypto AG's successors

After the meeting of the Federal Council on December 20, 2019, the Federal Department of Economic Affairs, Education and Research (WBF) decided to suspend the general export licenses for the successor companies of Crypto AG [Crypto International AG and TCG Legacy AG]. The goal was apparently to avoid unfavorable media coverage for the WBF.

From the point of view of the GPDel, however, the suspension of these licenses was neither materially nor legally justified, just like the way the State Secretariat for Economic Affairs (SECO) delayed matters related to those companies. Individual export applications could still be submitted though.

There were also no legal arguments against their issuance, as the export control group rightly recognized on March 4, 2020. However, due to the position of the Federal Department of Foreign Affairs (EDA), it was decided in May 2020 to submit all applications to the Federal Council for decision.

Filing a criminal complaint against Crypto AG

On February 25, 2020, the SECO, with the support of the WBF, filed a criminal complaint at the federal prosecutor's office. Because of the first media coverage, the SECO suspected that by exporting "weaker" encryption technology before 2018, Crypto AG had violated individual declaration obligations from the export control law (Güterkontrollrecht).

Without further scrutiny, the WBF took over the argument of the SECO according to which there was a legal obligation to file a complaint. However, in an opinion at the request of the SECO, the federal prosecutor had advised against filing a criminal complaint; the SECO did not discussed the matter with other federal agencies.

From the point of view of the GPDel, the criminal complaint was based on an insufficient assessment of the facts and an inadequate legal reasoning. Since the complaint was apparently made for political reasons, it should have been submitted by the Department of Economic Affairs (WBF) instead of by the SECO.

Authorization to prosecute Crypto AG

On March 13, 2020, the federal prosecutor asked the Justice and Police Department (EJPD) for the authorization to prosecute the violations of the export control law as reported by he SECO. Three months later, the EJPD submitted the prosecutor's application for decision to the Federal Council. Before that, the EJPD had a discussion about it with the GPDel on May 25, 2020.

The WBF for its part, requested the Federal Council on June 10, 2020 to approve all pending export applications, this although it had supported SECO's criminal complaint. After the Federal Council had postponed the issue by a week, the WBF requested to suspend the decision until the prosecutor's investigation had been finished. The Federal Council followed this proposal on June 19, 2020 and on the same day it granted the authorization to the federal prosecutor.

Violation of good faith and of the separation of powers

The GPDel recognizes the coherence between the decisions of the Federal Council regarding the authorization application by the federal prosecutor and the individual export applications from the successor companies of Crypto AG. With their indefinite postponement, however, the Federal Council may have violated the principle of good faith, because in principle every Swiss company can expect an authorization of its exports, unless there are legal arguments against it.

The export control law was also not a suitable means of approaching the Crypto AG case, while the criminal complaint was obviously an attempt to get rid of political responsibility by letting the justice system tackle the Crypto AG case. With this, the Federal Council ultimately linked the criminal case with the ongoing investigation of the GPDel, which was problematic given the separation of powers.

The Swiss foreign intelligence service

Initially, the Swiss foreign intelligence service (German: Strategischer Nachrichtendienst or SND) was part of the Untergruppe Nachrichtendienst (UG ND), which reported to the general staff of the Swiss army. In 2001, it was removed from the military hierarchy and turned into a civilian office, but still under the responsibility of the head of the Defense Department.

On January 1, 2010, the SND was merged with the domestic security service (Dienst für Analyse und Prävention or DAP) into the current federal intelligence and security service (Nachrichtendienst des Bundes or NDB), which is also responsible for signals intelligence.

Known divisions of the NDB are:
- NDBA for Auswertung (Analysis)
- NDBB for Beschaffung (Acquisition)
   - NDBB-A for Beschaffung Ausland (Foreign Acquisition)
   - NDBB-I for Beschaffung Inland (Domestic Acquisition)
- NDBS for Steuerung und Lage (Coordination)
- NDBU for Unterstützung (Support)

Headquarters of the Nachrichtendienst des Bundes (NDB) in Bern, Switzerland
(photo: Samuel Schalch - click to enlarge)

More details from the Crypto AG report

Besides the general conclusions as translated above, the GPDel report about the Crypto AG case also contains some more detailed information that is worth to be translated:

The MIVERVA report

The NDB provided the parliamentary audit committee (GPDel) with a copy of the internal CIA report about Crypto AG. This report is titled "MINERVA - A History" and describes how since the 1950s, US intelligence agencies cooperated with the Swedish owner of Crypto AG and was taken over by CIA and BND in 1970. The report includes the withdrawel of the Germans from the operation in 1993 and ends in 1995. The MINERVA report was written after the year 2000 with input from representatives of the BND.

It seems that around 2005, the Germans were provided a copy of the report and prepared additional assessments. This version of the American report, together with German documents, came in the hands of the press, which in February 2020 published about certain sections of the report. The full MINERVA report of almost 100 pages has not yet been released.

The GPDel analyzed the MINERVA report and additional information from the NDB confirmed the authenticity of the document. Regarding the situation in Switzerland, the report is not always accurate and contains small mistakes. Apparently the American authors were not very familiar with Switzerland and its government. (p. 9-10)

Acquiring and using information about weakened algorithms

Since the autumn of 1993, the SND got informed about the fact that Crypto AG was owned by American and German intelligence services and that the company built encryption devices with weaker algorithms. The SND aimed at breaking the encryption of these weakened devices themselves and gathered technical information about the encryption methods of the exported Crypto AG devices. This knowledge could also be used to identify weak encryption methods used in devices bought by Swiss customers. (p. 20)

This search for information about the weak algorithms continued after the SND became a civilian office in 2001 and was only successful because American intelligence agreed that Switzerland got the necessary information but only as far as necessary. (p. 20)

It should be noted that the Swiss intelligence service was not a member of the secretive Maximator alliance, in which the signals intelligence agencies of Denmark, Sweden, Germany, the Netherlands and France cooperated since 1976. Part of this cooperation was breaking the codes of diplomatic communications, for which the alliance members exchanged the algorithms used in the deliberately weakened encryption devices made by Crypto AG.

In order to actually use its knowledge about the weakened encryption methods for national security interests, the SND also had to gain access to encrypted communications. Interception of radio communications was conducted by a unit of the Swiss army (Führungsunterstützungsbasis der Armee or FUB).

After modernizing systems to intercept short wave (high frequency) radio communications, Switzerland started to set up a system to intercept satellite links, which is codenamed Onyx and became fully operational in 2006. The decryption capabilities were integrated in the interception process managed by the SND. (p. 20)

The Onyx satellite intercept station in Leuk, Switzerland
(photo: Martin Steiger/Wikimedia Commons - click to enlarge)

Knowledge about Crypto AG at the SND and the NDB

At the SND the information about Crypto AG was a closely held secret. Only the head of the SND (Fred Schreier) and his successors (Hans Wegmüller and Paul Zinniker) and no more than two other employees of the SND knew about it. The director of the newly created NDB, Markus Seiler, was (orally) informed about the existence of weak Crypto AG devices when he assumed office in 2010. (p. 21)

Only during his last year in office, 2017, Seiler was also informed about what made his organization able to decrypt the weak algorithms, but he declined to accept a note about further options. Vice-director Paul Zinniker supported him in not taking further actions. The former heads of the Swiss Defense Department (VBS) were not informed about the fact that Crypto AG was under control of American intelligence and that Swiss intelligence was using its knowledge about the weak algorithms. (p. 21)

In the spring of 2019, the current director of the NDB, Jean-Philippe Gaudin, got basically the same information about Crypto AG as his predecessor two years earlier. But this time, Gaudin requested a detailed presentation and demanded a written position paper. On August 19, 2019, Gaudin also informed the head of the Defense Department (p. 21)

Mid-October 2019, the NDB was provided with a copy of the MINERVA report and its director was informed about its contents. As of the end of October there was an increase in the communications between the NDB, the American and other foreign intelligence services, also in order to anticipate the media coverage about the MINERVA report. (p. 22)

Awareness about weaknesses in encryption devices

In 2007, the GPDel was briefed about how the SND's decryption capabilities are integrated in the process of intercepting foreign communications. A fact sheet showed that many manufacturers of encryption devices built in weaknesses for some of their customers. Behind this practice were the intelligence agencies of the United States and some of its allies. However, other states with the proper capabilities, like Switzerland, could also benefit from this. (p. 23)

According to the GPDel, the knowledge about the weakened Crypto AG devices provided useful intelligence for Switzerland as it could be used to decrypt the communications from foreign targets and exchange information with foreign intelligence services, which also strengthed the position of Switzerland. However, it should also be noticed that encryption methods and access to relevant communications are changing continously and know-how can rapidly loose its value. (p. 27)

The GPDel found that it was possible to identify weaknesses in various types of encryption devices used by Swiss institutions and to repair the deficiencies. This shows how important it is to have good insights on domestic manufacturers and influence the quality of their products. (p. 27) The GPDel was assured that all inspections made clear that Crypto AG never provided weak encryption devices to Swiss government agencies - unlike another company. (p. 31)

A second Swiss company selling weakened encryption devices

From hand-written notes from the head of the Defense Department, the GPDel learned that the security of encryption devices used by federal agencies had regularly been a talking point between the director of the SND and the head of the Defense Department. Somewhere between 2002 and 2008 it became clear that a Swiss manufacturer (not being Crypto AG) had sold unsecure equipment to the federal government and two large corporations. After learning about this, the Defense Department took measures to close the hole. (p. 28)

In November 2020, the Swiss broadcaster SRF revealed that this other Swiss company was Omnisec AG, which was founded in 1987 and dissolved in 2018. According to SRF, Omnisec had sold less secure encryption devices from their 500-series to Swiss federal agencies and even to the secret services SND and DAP. These weakened devices were also sold to at least two private companies, including the UBS bank - around the time when the US pressed Swiss banks to lift their banking secrecy.

Former headquarters of Omnisec AG in Dällikon, Switzerland
(photo: ZVG - click to enlarge)

Links & sources

- Swissinfo.ch: Second Swiss firm allegedly sold encrypted spying devices (Nov. 26, 2020)
- Woz.ch: Professor Maurer und die NSA (Nov. 26, 2020)
- SRF.ch: Geheimdienstaffäre, Corona im Milieu, Boni trotz Pandemie (Nov. 25, 2020)
- Res Strehle, Operation Crypto. Die Schweiz im Dienst von CIA und BND, Echtzeit Verlag, Juli 2020.
- CryptoMuseum.com: Operation RUBICON - The secret purchase of Crypto AG by BND and CIA

November 30, 2020

The NSA tried to spy on Danish and other European targets via cable tapping in Denmark

(Updated: December 2, 2020)

According to new revelations by the Danish broadcaster DR, the NSA tried to use its collaboration with the Danish military intelligence service FE to spy on targets in some other European countries and even on targets in Denmark itself.

Here, the new information about Denmark is compared with Germany, where similar accusations were raised in 2015 when it came out the the NSA provided the BND with thousands of selectors related to German and European targets.

New revelations from Denmark

The latest details about the cooperation between the NSA and the FE were published by the Danish broadcaster DR on November 15. This information comes from several independent sources with insight into internal reports from the FE.

In these reports, the FE management was warned about possible illegalities in the cable tapping operation that the Danish military intelligence service FE conducted in cooperation with the NSA.

An IT specialist from the FE, who blew the whistle on these issues and informed the Danish intelligence oversight board in November 2019, prepared or was involved in preparing at least two of these internal reports, according to DR News.

These two reports, one from 2012 and another one from 2015, contain an analysis of the phone numbers and e-mail addresses (also known as selectors) that the NSA sent to the FE in order to collect information from the cable tap.

Spying on Danish targets (2012)

According to DR News, the analysis of the selectors from 2012 revealed that the NSA used or had used the cooperation with the FE to spy on Danish targets, including the Ministry of Foreign Affairs and the Ministry of Finance, as well as the defense company Terma. This was discovered by an FE employee, who informed his bosses.

Sources of DR News said that the NSA entered keywords into the XKEYSCORE system that show they searched for e-mail addresses and phone numbers belonging to specific employees at Terma.

It's suspected that the Americans wanted information about Denmark's purchase of new fighter jets to replace the F-16. The Danish government eventually choose the American F-35 Joint Strike Fighter, for which Terma supplies components.

The factory of Terma Aerostructures in Grenaa where parts
for the F-35 fighter jets are produced (photo: Terma)

The revelation that the NSA was trying to spy on Danish targets is quite explosive, not only because it violates the agreement between the US and Denmark, which says that "the USA does not use the system against Danish citizens and companies", but also because it would be illegal for the FE to allow foreign espionage against Danish targets.

Protective filter system

Precisely to prevent that, the FE had installed a filter system to ensure that data from Danish citizens and companies is sorted out and not made searchable by XKEYSCORE, as DR News had reported on September 24.

A source of the Danish newspaper Berlingske explained that during the joint cable tapping operation, the NSA provided the FE with a series of selectors related to targets of their interest. These selectors were reviewed by the FE to make sure that they were not related to Danes and then entered into the system that filters the traffic from the backbone cable.

According to Berlingske, the searches on behalf of the NSA resulted in quite large data streams which were then, this time without further control by the FE, passed on to the Americans.

These press reports seem not really in accordance with each other though:

- The latest DR News report suggests that the NSA entered its selectors directly into XKEYSCORE (which is also able to perform the actual "front-end filtering") without mentioning the filter to protect Danes.

- The earlier press reports, however, say that the protective filter system either sorts out Danish data before they can be searched, or that it blocks selectors related to Danish targets before they become active in the actual collection system.

This is of some importance, because if the protective filter worked as described and intented, the NSA's selectors for Danish targets would not have resulted in actual intercepts - or just a very few, given that these kind of filters have no 100% accuracy.

As the NSA knew about this protective filter system, they may have simply relied on the FE to block anything that would not be in accordance with the Memorandum of Agreement, even though that seems not the way it should have been.

The Sandagergård complex of the FE on the island of Amager,
where a data center was built specifically to store data
from the joint NSA-FE cable tapping operation.
(Click to enlarge)

Spying on European targets (2015)

In 2015, another internal FE analysis of selectors showed that the NSA at that time used the cable tapping system to spy on targets in some other European countries, including Denmark's closest neighbours: Sweden, Norway, the Netherlands, Germany and France, according to DR News.

Sources told the Danish broadcaster that the NSA apparently also searched for information about the pan-European Eurofighter and the Swedish fighter plane Saab Gripen. Both were in the race to become Denmark's new fighter aircraft, which was decided around the time that this spying happened.

Unlike the first report, the second one was prepared some two years after the start of the Snowden revelations and in the same year as the German "Selector Affair" (see below). Both events may have been an incentive for the FE to investigate whether the NSA was also using their collaboration to spy on other European countries.

We can assume that the FE has no filter system to prevent collection against other European countries, which means the NSA selectors related to European targets had likely been active in the collection system and may have resulted in an unknown number of intercepted communications.

Spying on foreign governments is usually considered fair game and this was probably also not prohibited by the agreement between the NSA and the FE. Nonetheless would it be an embarrassment for Denmark when it would turn out that the NSA used its partnership with the FE for spying on other European countries.

Comparison with Germany

The new information about the cooperation between the NSA and the Danish FE can be compared with the things we know about a similar cooperation between the NSA and the German foreign intelligence service BND, which included at least two joint operations:

- Eikonal: tapping cables of Deutsche Telekom in Frankfurt (2004-2008)
- Bad Aibling: satellite interception at the Bad Aibling Station (2004-2013)

For the cooperation at Bad Aibling, the NSA provided the BND with a total of roughly 690.000 phone numbers and 7,8 million internet identifiers, which is an average of about 165 phone numbers and 1900 internet identifiers each day (the actual number of targets is significantly lower because each e-mail address can have some 8 different permutations).

In 2015 this resulted in the "Selector Affair", when it came out that among the identifiers for numerous legitimate targets, the NSA had also sent thousands of selectors related to European and even German targets, which was in clear violation of the Memorandum of Agreement (MoA) with the BND.

The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images - Click to enlarge)

Spying on European targets

Just like in Denmark, the Germans had found out that the NSA tried to spy on targets in other European countries. After severe political pressure, the German government agreed to let an independent investigator, Dr. Kurt Graulich, look at the suspicious selectors. In October 2015 he published his extensive, 250-page report about the issue.

Regarding the main list of almost 40.000 NSA selectors that the BND had rejected between 2005 and 2015, the investigator found that 62% belonged to government agencies of EU member states, 19% to Germans outside Europe, 7% to EU institutions, 6% to Germans, 4% to foreigners abroad, 1% to Germans in Europe and 1% to German embassies.

Spying on foreign governments and foreign defense companies does not violate German law, but investigator Graulich still considered it a clear violation of the Memorandom of Agreement, which allowed collection against European targets only for a very few specific topics.

Later in 2015 it was reported that the BND itself was also spying on for example the French foreign minister and the interior departments of EU member states like Poland, Austria, Denmark and Croatia, as well as on the FBI, the Voice of America and international organizations like the ICC, the WHO and UNICEF.

So just like it was the case at the BND, the FE might not have cared very much about the NSA selectors related to European targets, and just like the Germans, the Danes probably also spied on governments and certain companies from other EU countries themselves.

Spying on German targets

In 2015, the Germans had discovered that the NSA had apparently also tried to spy on German targets during their cooperation with the BND.

The examination of the NSA selectors by Dr. Graulich revealed that several hundred were related to German targets, mostly German companies, both inside and outside Germany. Selectors related to the German government were not found, which is an interesting difference to Denmark.

The reasons why the NSA was interested in these German companies could not been clarified by Dr. Graulich, mainly because the BND had no access to the NSA's motivations for each selector.

Just like in Denmark, it seems that the NSA sent their collaboration partner simply all the selectors they were interested in, with apparently little or no effort to pick out those that could be controversial.

Here too, the NSA seems to have relied on the foreign partner to block the selectors that would violate national law and the collaboration agreement. But even then this seems not very smart, because it would potentially allow the partner to see what targets the NSA was interested in.

The DAFIS filter system

Just like the FE, the BND also has a filter system to prevent that German data are passed on to the Americans. From the German parliamentary investigation we know a lot more about this BND system, which is called DAFIS (for DAtenFIlterSystem) and checks not only the selectors that come in, but also the collection results that go out:

Overview of the dataflow for the NSA-BND cooperation at Bad Aibling
(Click to enlarge)

As can be seen in the diagram, all the selectors which the NSA wanted to be used for collecting (in this case) foreign satellite traffic first had to pass the DAFIS system, which checked them in an automated process of 3 stages:
Stage 1: A negative filter which blocks e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

Stage 2: A positive filter consisting of a list of foreign phone numbers and e-mail addresses used by German citizens, for example businessmen, journalists, but also jihadis when they are inside Germany.

Stage 3: A filter to sort out selectors that collide with "German interests", which mainly applies to European military contractors in which Germany participates (like EADS and Eurocopter, both part of Airbus now)

Selectors that were "approved" by the DAFIS system were entered into the tasking databases (Steuerungsdatenbanken) that fed the actual collection system. Communications that matched these selectors were picked out and were also sent through the DAFIS system for another check whether they might contain German data.

Only data that passed this double check were eventually transferred to the NSA. The selectors that were rejected by DAFIS were marked as "disapproved" in order to prevent that they were submitted again later on. The NSA knew and accepted that some of its selectors were blocked by the BND, according to the Graulich report.*

Most of the NSA selectors related to German targets had been blocked by the DAFIS filter. A smaller number of them had been active in the collection system for some period of time, but it is not known whether this resulted in the actual collection of communications (Erfassungen).

A European bazaar?

The way how the NSA tried to spy on European targets through their collaboration with the BND and the FE reminds of what Edward Snowden said in his written testimony for the European Parliament from March 2014:

"The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans.
Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.
Ultimately, each EU national government's spy services are independently hawking domestic accesses to the NSA, GCHQ, FRA, and the like without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole."

This sounds like an accurate description, except that these joint operations with the NSA are not about "mass surveillance against ordinary citizens", as in both Germany and Denmark the NSA only provided selectors for specific targets like government agencies and companies in the defence industry, for example.

Nonetheless, spying on such targets in the partner country violates national law and the agreements between the NSA and their European counterparts, but for both the FE and the BND that didn't seem a very big concern, at least until the Snowden revelations.

One reason may lie in the fact that in general, these so-called Third Party relations with the NSA do not include a "no-spy" condition, so both parties are free spy on each other, despite their otherwise close cooperation.

That may have kept the Danish and German intelligence agencies vigilant and let them install filter systems to make sure that no data from their country would be passed on to the Americans.

And the NSA, for their part, apparently assumed that their counterparts would do enough to protect their own data so they didn't put much effort in sorting out the selectors to be used in these kind of joint operations.

Links & sources

- Willy Van Damme: De F35 – Pleegde de Deense militaire veiligheidsdienst landverraad? (Nov. 23, 2020)
- DR News: Hemmelige rapporter: USA spionerede mod danske ministerier og forsvarsindustri (Nov. 15, 2020)
- DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
- Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- The Graulich report: Nachrichtendienstliche Fernmeldeaufklärung mit Selektoren in einer transnationalen Kooperation (Oct. 23, 2015)

October 28, 2020

Danish military intelligence uses XKEYSCORE to tap cables in cooperation with the NSA

Last August, it came out that a whistleblower accused the Danish military and signals intelligence service (Forsvarets Efterretningstjeneste or FE) of unlawful activities and deliberately misleading the intelligence oversight board.

Meanwhile, the Danish press was able to paint a surprisingly comprehensive and detailed picture of how the FE cooperated with the NSA in cable tapping on Danish soil.

It was further revealed that the Americans provided Denmark with a sophisticated new spy system which includes the NSA's data processing system XKEYSCORE.

A Danish paper also disclosed that the accusation of unlawful collection came from a young FE employee who reminds of Edward Snowden. A newly established investigation commission now has to clarify whether he was driven by fears or by facts.

The Sandagergård complex of the FE on the island of Amager, where a new
data center was built for its deployment of the XKEYSCORE system

Cable tapping

In an extensive piece from September 13, the renowned Danish newspaper Berlingske (founded in 1749) describes how the FE, in cooperation with the NSA, started to tap an international telecommunications cable in order to gather foreign intelligence.

In the mid-1990s, the NSA had found out that somewhere under Copenhagen there was a backbone cable containing phone calls, e-mails and text messages from and to countries like China and Russia, which was of great interest for the Americans.

Tapping that cable, however, was almost impossible without the help of the Danes, so the NSA asked the FE for access to the cable, but this request was denied, according to Berlingske.

Agreement with the United States

The US government did not give up, and in a letter sent directly to the Danish prime minister Poul Nyrup Rasmussen, US president Clinton asked his Danish colleague to reconsider the decision. And Nyrup, who was a sworn supporter of a close relationship with the US, said yes.

The cooperation was laid down in a document, which, according to Berlingske, all Danish defense ministers had to sign "so that any new minister could see that his predecessor - and his predecessors before his predecessors - with their signatures had been part of this small, exclusive circle of people who knew one of the kingdom's biggest secrets."

The code name for this cooperation is not known, but it's most likely part of the NSA's umbrella program RAMPART-A. Under this program, which started in 1992, foreign partners provide access to high-capacity international fiber-optic cables, while the US provides the equipment for transport, processing and analysis:

Slide from an NSA presentation about RAMPART-A from October 2010

Agreement with a cable operator

To make sure that tapping the cable was as legal as possible, the government asked approval of the private Danish company that operated the cable. The company agreed, but only when it was approved at the highest level, and so the agreement was signed by prime minister Rasmussen, minister of defense Hækkerup and head of department Troldborg.

Because the cable contained international telecommunications it was considered to fall within the FE's foreign intelligence mandate. The agreement was prepared in only one copy, which was shown to the company and then locked in a safe at the FE's headquarters at the Kastellet fortress in Copenhagen, according to Berlingske.

This Danish agreement is very similar to the Transit Agreement between the German foreign intelligence service BND and Deutsche Telekom, in which the latter agreed to provide access to international transit cables at its switching center in Frankfurt am Main. The BND then tapped these cables with help from the NSA under operation Eikonal (2004-2008).

Processing at Sandagergård

Berlingske reported that the communications data that were extracted from the backbone cable in Copenhagen were sent from the Danish company's technical hub to the Sandagergård complex of the FE on the island of Amager. The US had paid for a cable between the two locations.

At Sandagergård, the "NSA made sure to install the technology that made it possible to enter keywords and translate the huge amount of information, so-called raw data from the cable tapping, into "readable" information."

The filter system was not only fed by keywords from the FE, but the NSA also provided "the FE with a series of keywords that are relevant to the United States. The FE then reviews them - and checks that there are basically no Danes among them - and then enters the keywords" according to sources cited by Berlingske.

Besides this filtering with keywords and selectors, the FE and the NSA will also have used the metadata for contact-chaining, which means reconstructing which phone numbers and e-mail addresses had been in contact with each other, in order to create social network graphs - something the sources apparently didn't want to disclose to Berlingske.

Map of the current backbone cables around the Danish capital Copenhagen
and the Sandagergård complex of the FE on the island of Amager
(source: Infrapedia - click to enlarge)

Trusted partners

Part of the agreement between the US and Denmark was that "the USA does not use the system against Danish citizens and companies. And the other way around". Similar words can be found in an NSA presentation from 2011: "No US collection by Partner and No Host Country collection by US" - although this is followed by "there ARE exceptions!"

The latter remark may have inspired Edward Snowden to accuse the NSA of abusing these cooperations with foreign partner agencies to spy on European citizens, but as a source told Berlingske:

"I can not at all imagine in my imagination that the NSA would betray that trust. I consider it completely and utterly unlikely. If the NSA had a desire to obtain information about Danish citizens or companies, the United States would simply turn to [the domestic security service] PET, which would then provide the necessary legal basis."

The source also said that "the NSA wanted to jump and run for Denmark. The agency did everything Denmark asked for, without discussion. The NSA continuously helped Denmark - because of this cable access. [...] Denmark was a very, very close and valued partner."

This close and successful cooperation was apparently one of the reasons for the visit of president Bill Clinton to Denmark in July 1997, according to Berlingske.

Danish prime minister Poul Nyrup Rasmussen and US president Bill Clinton
during his visit to Denmark in July 1997 (photo: Linda Kastrup)

A new spy system

In the wake of the FE scandal even more recent developments have been revealed: a report by the Danish broadcaster DR from September 24, 2020 provides interesting details about how the Americans provided Denmark with a sophisticated new "spy system".

After the FE got a new head of procurement in 2008, NSA employees frequently traveled to Denmark for quite some time to build the necessary hardware and install the required software for the new system, which DR News describes as extremely advanced. It also has a special internal code name, which the broadcaster decided not to publish. It's also this new system through which the alleged illegal collection of Danish data took place.

According to DR News, the NSA technicians were also involved in the construction of a new data center at the FE's Sandagergård complex on Amager that was specifically built to house the new spy system, which was taken into use somewhere between 2012 and 2014. The cooperation between the FE and the NSA on this specific system was based upon a Memorandum of Understanding (MoU) signed by then FE chief Thomas Ahrenkiel.

Filter systems

The DR News report also goes into more detail about the interception process. It says that first, the intelligence service identifies a data stream that may be interesting, after which they "mirror" the light that passes through the particular fiber-optic cables. In this way, they copy both metadata and content, like text messages, chat conversations, phone calls and e-mails, and send them to the FE's data center at Sandagergård.

According to DR News, the FE tried to develop a number of filters to ensure that data from Danish citizens and companies is sorted out and not made searchable by the new spy system. The former Danish minister of defense Claus Hjort Frederiksen recently said that there was indeed an attempt to develop such filters, but at the same time he admitted that there can be no guarantee that no Danish information will pass through.


DR News also reported that the heart of the new spy system is formed by XKEYSCORE, which was developed by the NSA and the existence of which was first revealed by The Guardian in June 2013.

The NSA's British counterpart GCHQ incorporated XKEYSCORE in its own system for processing bulk internet data codenamed TEMPORA and it can be assumed that the other Second Party partners (also known as the Five Eyes) also use this system, whether or not under a different codename.

From the Snowden documents we know that the NSA also provided XKEYSCORE to some of its Third Party partners: the German foreign intelligence service BND and domestic security service BfV, the Swedish signals intelligence service FRA and the Japanese Directorate for SIGINT. It is new though that the Danish military intelligence service FE uses the system too.

Some press reports seem to suggest that these partner agencies "gain access to XKEYSCORE" as if it would allow them to connect to a huge global mass surveillance system. The latter may be the case for the NSA's Second Party partners, but the Third Party partners are using XKEYSCORE only to process and analyze data from their own tapping points and are not able to access data from Five Eyes collection platforms.

Likewise, NSA analysts using XKEYSCORE don't have direct access to, in this case, Danish collection systems, only to data that the Danes agreed to share with the US as "3rd party collection".

Slide from an NSA presentation about XKEYSCORE from August 2008


Glenn Greenwald presented XKEYSCORE as the NSA's "widest-reaching" tool to collect "nearly everything a user does on the internet". This is misleading, because it's more about quality than about quantity: the system actually helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

The NSA has XKEYSCORE installed at some 150 data collection sites all over the world. There, it creates a rolling buffer of 3 to 5 days of content and around 30 days of metadata, which can be remotely searched by analysts. They can use traditional selectors like phone numbers and e-mail addresses to pick out data of interest, but that's the old way and how other agencies perform bulk collection.

Filtering phone numbers and e-mail addresses became less useful because targets know that this happens and shifted to anonymous ways to communicate over the internet. The novelty of XKEYSCORE is that it enables analysts to find exactly those anonymous communications. For that purpose it reassembles IP packets into their original format ("sessionizing"), like Word documents, spreadsheets, chat messages, etc.

Diagram showing the dataflow for the DeepDive version of XKEYSCORE

Once restored, these files can be searched for characteristics that are related to certain targets or target groups, like use of encryption, the use of the TOR network, the use of a different language than where someone is located, and many combinations thereof. In this way, analysts can discover new targets and then start monitoring them more closely.

XKEYSCORE was also mentioned in a classified file from the German BND, which contains a diagram that shows the difference between XKEYSCORE and traditional collection systems: in the traditional set-up, IP packets from a data stream were reassembled and then went through a filter to select only those of interest, which were forwarded for further analysis. XKEYSCORE could do all that at once:

Unlawful collection?

Now that the various disclosures by the Danish press provided quite some insight into the FE's cable tapping activities, how about the abuses it's accused of?

According to DR News, it was the newly installed spy system through which the alleged illegal collection of Danish data took place. In the first place we can assume that the filters were not able to block all the communications related to Danish citizens, residents or companies, but this is of a technical nature and not intentional.

Another option is that the FE itself, or the NSA fed the system with selectors (like phone numbers and e-mail addresses) that would result in the collection of Danish data. The NSA would not have been allowed to do that under the agreement with the Danes, while for the FE this would be against the law.

According to a source cited in the aforementioned Berlingske newspaper article, there was one case in which "the NSA sent a request to search for a company in a country in Asia, but when the FE checked the selector, it discovered that the company was Danish-owned, whereupon the request was rejected".

This shows that, just like it was the case in Germany, the NSA's interest was quite "broad", but that the FE did its best to protect Danish subjects and blocked such requests where possible.

A third option is that the illegal collection took place through the additional data search capabilities of the XKEYSCORE system, which is imaginable because here the search criteria are applied to characteristics of the content of the communications, instead of the people who are involved.

According to Berlingske, the whistleblower who informed the intelligence oversight board "feared that the management of the Defense Intelligence Service was doing US business by leaving its special system with technical vulnerabilities that allowed the National Security Agency to abuse it."

The whistleblower

Berlingske was also able to identify the whistleblower as a younger employee of the FE, working as an IT specialist - a striking similarity to Edward Snowden. The paper says that in 2013 he became increasingly concerned, but it's not clear whether this may have been caused by the Snowden revelations, which started in June of that year and included reports about XKEYSCORE, the system that had just been installed at the FE.

As the IT specialist insisted on his criticism, then head of the FE Thomas Ahrenkiel decided - without informing the Americans - to set up a technical working group to go through the system looking for vulnerabilities or signs of abuse by NSA. As reported by Berlingske, the IT specialist himself, with the aim of reassuring him, also participated in the working group, which in 2014 concluded that there were no signs of illegal intrusion.

For the FE the case was closed, but, as reported by Berlingske, the IT specialist was not satisfied and "he made a drastic decision and smuggled a recorder into his workplace, arranged meetings with colleagues and bosses for several months and recorded them in secret" - again a kind of persistance very similar to how Snowden operated. But unlike Snowden, the Danish whistleblower did not contact the press, but eventually informed the intelligence oversight board.

Danish defense minister Trine Bramsen (left) and her predecessor
Claus Hjort Frederiksen (photo: Linda Kastrup/Scanpix)


Berlingske reported that the recordings provided "hours of covert footage with employees of the service, some of which [...] have expressed themselves in a way that confirms the suspicion that the FE may have acted illegally and not intervened adequately to prevent data on Danes from being disclosed." In November 2019 they were handed over to the intelligence oversight board, which in December informed defense minister Trine Bramsen.

Unlike her predecessor, Bramsen apparently took these kind of accusations very seriously and urged the oversight board to conduct an investigation, which on August 24, 2020 resulted in the sudden suspension of the head of the FE and a few other officials (meanwhile they have returned again, but in other positions).

On October 5, the Danish government decided to submit a bill to establish a special commission that has to carry out an independent and impartial investigation into the accusations against the FE, which has to present a report within a year.


In 2013, a young IT specialist at the FE became worried that this intelligence service could have illegally spied on Danish citizens. This was not only in accordance with Snowden's (unsubstantiated) narrative, but also a fear that had lived in Denmark since its domestic security service PET had been accused of monitoring ordinary Danes in 1998.

Meanwhile it has turned out that Snowden was driven more by fears than by facts - could that also have been the case with the FE whistleblower? Based on what has been published so far, he apparently tried to find evidence even after an internal investigation concluded that the NSA wasn't abusing the FE's collection system.

In recent years, the NSA and the German BND have also been accused of massive illegal domestic spying. Thorough investigations have shown that was not the case, although their employees were sometimes careless and it was technically not always possible to do what was legally required.

Was this also the situation at the Danish military intelligence service? The recently established investigation commission will show.

Links & sources

- Comments at Hacker News
- Berlingske: Særlig undersøgelseskommission skal kulegrave FE-sagen (Oct. 5, 2020)
- Politiken: Debat om kabelaflytning gav tårer i Sverige og folkeafstemning i Holland (Oct. 1, 2020)
- DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
- Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
- The Local: Danish intelligence scandal related data sharing with US agency, according to media (August 28, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- BBC: Danish military intelligence head Lars Findsen suspended (August 24, 2020)