November 30, 2020

Via a cable in Denmark, the NSA tried to spy on Danish and other European targets



According to new revelations by the Danish broadcaster DR, the NSA tried to use its collaboration with the Danish military intelligence service FE to spy on targets in some other European countries and even on targets in Denmark itself.

Here, the new information about Denmark is compared with Germany, where similar accusations were raised in 2015 when it came out the the NSA provided the BND with thousands of selectors related to German and European targets.




New revelations from Denmark

The latest details about the cooperation between the NSA and the FE were published by the Danish broadcaster DR on November 15. This information comes from several independent sources with insight into internal reports from the FE. In these reports, the FE management was warned about possible illegalities in the joint cable tapping operation.


An IT specialist from the FE, who blew the whistle on these issues and informed the Danish intelligence oversight board in November 2019, prepared or was involved in preparing at least two of these internal reports, according to DR News.

These two reports, one from 2012 and another one from 2015, contain an analysis of the phone numbers and e-mail addresses (also known as selectors) that the NSA sent to the FE in order to collect information from a cable access point in Copenhagen.


Spying on Danish targets (2012)

According to DR News, the analysis of the selectors from 2012 revealed that the NSA used or had used the cooperation with the FE to spy on Danish targets, including the Ministry of Foreign Affairs and the Ministry of Finance, as well as the defense company Terma. This was discovered by an FE employee, who informed his bosses, according to DR News.

Sources of DR News said that the NSA entered keywords into the XKEYSCORE system that show they searched for e-mail addresses and phone numbers belonging to specific employees at Terma.

It's suspected that the Americans wanted information about Denmark's purchase of new fighter jets to replace the F-16. The Danish government eventually choose the American F-35 Joint Strike Fighter, for which Terma supplies components.


The factory of Terma Aerostructures in Grenaa where parts
for the F-35 fighter jets are produced (photo: Terma)


The revelation that the NSA was apparently trying to spy on Danish targets is quite explosive, not only because it violates the agreement between the US and Denmark, which says that "the USA does not use the system against Danish citizens and companies", but also because it would be illegal for the FE to allow the NSA to spy on Danish targets.


Protective filter system

Precisely to prevent that, the FE had installed a filter system to ensure that data from Danish citizens and companies is sorted out and not made searchable by XKEYSCORE, as DR News had reported on September 24.

A source of the Danish newspaper Berlingske explained that during the joint cable tapping operation, the NSA provided the FE with a series of selectors related to targets of their interest. These selectors were reviewed by the FE to make sure that they were not related to Danes and then entered into the system that filters the traffic from the backbone cable.

According to Berlingske, the searches on behalf of the NSA resulted in quite large data streams which were then, this time without further control by the FE, passed on to the Americans.

These press reports seem not really in accordance with each other though:

- The latest DR News report suggests that the NSA entered its selectors directly into XKEYSCORE (which is also able to perform the actual "front-end filtering") without mentioning the filter to protect Danes.

- The earlier press reports, however, say that the protective filter system either sorts out Danish data before they can be searched, or that it blocks selectors related to Danish targets before they become active in the actual collection system.

This is of some importance, because if the protective filter worked as described and intented, the NSA's selectors for Danish targets would not have resulted in actual intercepts - or just a very few, given that these kind of filters have no 100% accuracy.

As the NSA knew about this protective filter system, they may have simply relied on the FE to block anything that would not be in accordance with the Memorandum of Agreement, even though that seems not the way it should have been.


Spying on European targets (2015)

In 2015, another internal FE analysis of selectors showed that the NSA at that time used the cable tapping system to spy on targets in some other European countries, including Denmark's closest neighbours: Sweden, Norway, the Netherlands, Germany and France, according to DR News.

Sources told the Danish broadcaster that the NSA apparently also searched for information about the pan-European Eurofighter and the Swedish fighter plane Saab Gripen. Both were in the race to become Denmark's new fighter aircraft, which was decided around the time that this spying happened.

Unlike the first report, the second one was prepared some two years after the start of the Snowden revelations and in the same year as the German "Selector Affair" (see below). Both events may have been an incentive for the FE to investigate whether the NSA was also using their collaboration to spy on other European countries.

We can assume that the FE has no filter system to prevent collection against European targets, which is usually considered fair game and was also not prohibited by the collaboration agreement. Nonetheless would it be an embarrassment for Denmark when it would turn out that the NSA used its partnership with the FE for spying on other European countries.



Comparison with Germany

The new information about the cooperation between the NSA and the Danish FE can be compared with the things we know about a similar cooperation between the NSA and the German foreign intelligence service BND, which included at least two joint operations:

- Eikonal: tapping cables of Deutsche Telekom in Frankfurt (2004-2008)
- Bad Aibling: satellite interception at the Bad Aibling Station (2004-2013)

For the cooperation at Bad Aibling, the NSA provided the BND with a total of roughly 690.000 phone numbers and 7,8 million internet identifiers, which is an average of about 165 phone numbers and 1900 internet identifiers each day (each e-mail address can have some 8 different permutations, which makes the number of targets significantly lower).

In 2015 this resulted in the "Selector Affair", when it came out that among the identifiers for numerous legitimate targets, the NSA had also sent thousands of selectors related to European and even German targets, which was in clear violation of the Memorandum of Agreement (MoA) with the BND.



The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images - Click to enlarge)


Spying on European targets

Just like in Denmark, the Germans had found out that the NSA tried to spy on targets in other European countries. After severe political pressure, the German government agreed to let an independent investigator, Dr. Kurt Graulich, look at the suspicious selectors. In October 2015 he published his extensive, 250-page report about the issue.

Regarding the main list of almost 40.000 NSA selectors that the BND had rejected between 2005 and 2015, the investigator found that 62% belonged to government agencies of EU member states, 19% to Germans outside Europe, 7% to EU institutions, 6% to Germans, 4% to foreigners abroad, 1% to Germans in Europe and 1% to German embassies.


Spying on foreign governments and foreign defense companies does not violate German law, but because these selectors had been active for a period of time, investigator Graulich still considered it a clear violation of the Memorandom of Agreement, which allowed collection against European targets only for a very few specific topics.

Later in 2015 it was reported that the BND itself was also spying on for example the French foreign minister and the interior departments of EU member states like Poland, Austria, Denmark and Croatia, as well as on the FBI, the Voice of America and international organizations like the ICC, the WHO and UNICEF.

So just like it was the case at the BND, the FE might not have cared very much about the NSA selectors related to European targets, and just like the Germans, the Danes probably also spied on governments and certain companies from other EU countries themselves.



Spying on German targets

In 2015, the Germans had also discovered that, during their partnership with the BND, the NSA had apparently tried to spy on German targets too.

The examination of the NSA selectors by Dr. Graulich revealed that several hundred were related to German targets, mostly German companies, both inside and outside Germany. The reasons why the NSA was interested in these companies could not been clarified.

Just like in Denmark, it seems that the NSA sent their collaboration partner simply all the selectors they were interested in, with apparently little or no effort to pick out those that could be controversial.

Here too, the NSA seems to have relied on the foreign partner to block the selectors that would violate national law and the collaboration agreement. But even then this seems not very smart, because it would potentially allow the partner to see what targets the NSA was interested in.


The DAFIS filter system

Just like the FE, the BND also has a filter system to prevent that German data are passed on to the Americans. From the German parliamentary investigation we know a lot more about this BND system, which is called DAFIS (for DAtenFIlterSystem) and checks not only the selectors that come in, but also the collection results that go out:



Overview of the dataflow for the NSA-BND cooperation at Bad Aibling
(Click to enlarge)


As can be seen in the diagram, all the selectors which the NSA wanted to be used for collecting (in this case) foreign satellite traffic first had to pass the DAFIS system, which checked them in an automated process of 3 stages:
Stage 1: A negative filter which blocks e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

Stage 2: A positive filter consisting of a list of foreign phone numbers and e-mail addresses used by German citizens, for example businessmen, journalists, but also jihadis when they are inside Germany.

Stage 3: A filter to sort out selectors that collide with "German interests", which mainly applies to European military contractors in which Germany participates (like EADS and Eurocopter)


Only "approved" selectors that passed the DAFIS check were entered into the tasking databases (Steuerungsdatenbanken) that fed the actual collection system. Communications that matched these selectors were picked out and were also sent through the DAFIS system for another check whether they might contain German data.

Only data that passed this double check were eventually transferred to the NSA. The selectors that were rejected by DAFIS were marked as "disapproved" in order to prevent that they were submitted again later on. The NSA knew and accepted that some of its selectors were blocked by the BND, according to the Graulich report.*

Most of the NSA selectors related to German targets had been blocked by the DAFIS filter. A smaller number of them had been active in the collection system for some period of time, but it is not known whether this resulted in the actual collection of communications (Erfassungen).



A European bazaar?

The way how the NSA tried to spy on European targets through their collaboration with the BND and the FE reminds of what Edward Snowden said in his written testimony for the European Parliament from March 2014:

"The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans.
Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.
Ultimately, each EU national government's spy services are independently hawking domestic accesses to the NSA, GCHQ, FRA, and the like without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole."

This sounds like an accurate description, except that these joint operations with the NSA are not about "mass surveillance against ordinary citizens", as in both Germany and Denmark the NSA only provided selectors for specific targets like government agencies and companies in the defence industry, for example.

Nonetheless, spying on such targets in the partner country violates national law and the agreements between the NSA and their European counterparts, but in both Denmark and Germany that didn't seem a very big concern, at least until the Snowden revelations.

One reason may lie in the fact that in general, these so-called Third Party relations with the NSA do not include a "no-spy" condition, so both parties are free spy on each other, despite their otherwise close cooperation.

That may have kept the Danish and German intelligence agencies vigilant and let them install filter systems to make sure that no data from their country would be passed on to the Americans.

And the NSA, for their part, apparently assumed that their counterparts would do enough to protect their own data so they didn't put much effort in sorting out the selectors to be used in these kind of joint operations.



Links & sources

- DR News: Hemmelige rapporter: USA spionerede mod danske ministerier og forsvarsindustri (Nov. 15, 2020)
- DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
- Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- The Graulich report: Nachrichtendienstliche Fernmeldeaufklärung mit Selektoren in einer transnationalen Kooperation (Oct. 23, 2015)


October 28, 2020

Danish military intelligence uses XKEYSCORE to tap cables in cooperation with the NSA


Last August, it came out that a whistleblower accused the Danish military and signals intelligence service (Forsvarets Efterretningstjeneste or FE) of unlawful activities and deliberately misleading the intelligence oversight board.

Meanwhile, the Danish press was able to paint a surprisingly comprehensive and detailed picture of how the FE cooperated with the NSA in cable tapping on Danish soil.

It was further revealed that the Americans provided Denmark with a sophisticated new spy system which includes the NSA's data processing system XKEYSCORE.

A Danish paper also disclosed that the accusation of unlawful collection came from a young FE employee who reminds of Edward Snowden. A newly established investigation commission now has to clarify whether he was driven by fears or by facts.


The Sandagergård complex of the FE on the island of Amager, where a new
data center was built for its deployment of the XKEYSCORE system



Cable tapping

In an extensive piece from September 13, the renowned Danish newspaper Berlingske (founded in 1749) describes how the FE, in cooperation with the NSA, started to tap an international telecommunications cable in order to gather foreign intelligence.

In the mid-1990s, the NSA had found out that somewhere under Copenhagen there was a backbone cable containing phone calls, e-mails and text messages from and to countries like China and Russia, which was of great interest for the Americans.

Tapping that cable, however, was almost impossible without the help of the Danes, so the NSA asked the FE for access to the cable, but this request was denied, according to Berlingske.


Agreement with the United States

The US government did not give up, and in a letter sent directly to the Danish prime minister Poul Nyrup Rasmussen, US president Clinton asked his Danish colleague to reconsider the decision. And Nyrup, who was a sworn supporter of a close relationship with the US, said yes.

The cooperation was laid down in a document, which, according to Berlingske, all Danish defense ministers had to sign "so that any new minister could see that his predecessor - and his predecessors before his predecessors - with their signatures had been part of this small, exclusive circle of people who knew one of the kingdom's biggest secrets."

The code name for this cooperation is not known, but it's most likely part of the NSA's umbrella program RAMPART-A. Under this program, which started in 1992, foreign partners provide access to high-capacity international fiber-optic cables, while the US provides the equipment for transport, processing and analysis:


Slide from an NSA presentation about RAMPART-A from October 2010


Agreement with a cable operator

To make sure that tapping the cable was as legal as possible, the government asked approval of the private Danish company that operated the cable. The company agreed, but only when it was approved at the highest level, and so the agreement was signed by prime minister Rasmussen, minister of defense Hækkerup and head of department Troldborg.

Because the cable contained international telecommunications it was considered to fall within the FE's foreign intelligence mandate. The agreement was prepared in only one copy, which was shown to the company and then locked in a safe at the FE's headquarters at the Kastellet fortress in Copenhagen, according to Berlingske.

This Danish agreement is very similar to the Transit Agreement between the German foreign intelligence service BND and Deutsche Telekom, in which the latter agreed to provide access to international transit cables at its switching center in Frankfurt am Main. The BND then tapped these cables with help from the NSA under operation Eikonal (2004-2008).


Processing at Sandagergård

Berlingske reported that the communications data that were extracted from the backbone cable in Copenhagen were sent from the Danish company's technical hub to the Sandagergård complex of the FE on the island of Amager. The US had paid for a cable between the two locations.

At Sandagergård, the "NSA made sure to install the technology that made it possible to enter keywords and translate the huge amount of information, so-called raw data from the cable tapping, into "readable" information."

The filter system was not only fed by keywords from the FE, but the NSA also provided "the FE with a series of keywords that are relevant to the United States. The FE then reviews them - and checks that there are basically no Danes among them - and then enters the keywords" according to sources cited by Berlingske.

Besides this filtering with keywords and selectors, the FE and the NSA will also have used the metadata for contact-chaining, which means reconstructing which phone numbers and e-mail addresses had been in contact with each other, in order to create social network graphs - something the sources apparently didn't want to disclose to Berlingske.


Map of the current backbone cables around the Danish capital Copenhagen
and the Sandagergård complex of the FE on the island of Amager
(source: Infrapedia - click to enlarge)


Trusted partners

Part of the agreement between the US and Denmark was that "the USA does not use the system against Danish citizens and companies. And the other way around". Similar words can be found in an NSA presentation from 2011: "No US collection by Partner and No Host Country collection by US" - although this is followed by "there ARE exceptions!"

The latter remark may have inspired Edward Snowden to accuse the NSA of abusing these cooperations with foreign partner agencies to spy on European citizens, but as a source told Berlingske:

"I can not at all imagine in my imagination that the NSA would betray that trust. I consider it completely and utterly unlikely. If the NSA had a desire to obtain information about Danish citizens or companies, the United States would simply turn to [the domestic security service] PET, which would then provide the necessary legal basis."

The source also said that "the NSA wanted to jump and run for Denmark. The agency did everything Denmark asked for, without discussion. The NSA continuously helped Denmark - because of this cable access. [...] Denmark was a very, very close and valued partner."

This close and successful cooperation was apparently one of the reasons for the visit of president Bill Clinton to Denmark in July 1997, according to Berlingske.


Danish prime minister Poul Nyrup Rasmussen and US president Bill Clinton
during his visit to Denmark in July 1997 (photo: Linda Kastrup)


A new spy system

In the wake of the FE scandal even more recent developments have been revealed: a report by the Danish broadcaster DR from September 24, 2020 provides interesting details about how the Americans provided Denmark with a sophisticated new "spy system".

After the FE got a new head of procurement in 2008, NSA employees frequently traveled to Denmark for quite some time to build the necessary hardware and install the required software for the new system, which DR News describes as extremely advanced. It also has a special internal code name, which the broadcaster decided not to publish. It's also this new system through which the alleged illegal collection of Danish data took place.

According to DR News, the NSA technicians were also involved in the construction of a new data center at the FE's Sandagergård complex on Amager that was specifically built to house the new spy system, which was taken into use somewhere between 2012 and 2014. The cooperation between the FE and the NSA on this specific system was based upon a Memorandum of Understanding (MoU) signed by then FE chief Thomas Ahrenkiel.


Filter systems

The DR News report also goes into more detail about the interception process. It says that first, the intelligence service identifies a data stream that may be interesting, after which they "mirror" the light that passes through the particular fiber-optic cables. In this way, they copy both metadata and content, like text messages, chat conversations, phone calls and e-mails, and send them to the FE's data center at Sandagergård.

According to DR News, the FE tried to develop a number of filters to ensure that data from Danish citizens and companies is sorted out and not made searchable by the new spy system. The former Danish minister of defense Claus Hjort Frederiksen recently said that there was indeed an attempt to develop such filters, but at the same time he admitted that there can be no guarantee that no Danish information will pass through.



XKEYSCORE

DR News also reported that the heart of the new spy system is formed by XKEYSCORE, which was developed by the NSA and the existence of which was first revealed by The Guardian in June 2013.

The NSA's British counterpart GCHQ incorporated XKEYSCORE in its own system for processing bulk internet data codenamed TEMPORA and it can be assumed that the other Second Party partners (also known as the Five Eyes) also use this system, whether or not under a different codename.




From the Snowden documents we know that the NSA also provided XKEYSCORE to some of its Third Party partners: the German foreign intelligence service BND and domestic security service BfV, the Swedish signals intelligence service FRA and the Japanese Directorate for SIGINT. It is new though that the Danish military intelligence service FE uses the system too.

Some press reports seem to suggest that these partner agencies "gain access to XKEYSCORE" as if it would allow them to connect to a huge global mass surveillance system. The latter may be the case for the NSA's Second Party partners, but the Third Party partners are using XKEYSCORE only to process and analyze data from their own tapping points and are not able to access data from Five Eyes collection platforms.

Likewise, NSA analysts using XKEYSCORE don't have direct access to, in this case, Danish collection systems, only to data that the Danes agreed to share with the US as "3rd party collection".


Slide from an NSA presentation about XKEYSCORE from August 2008


How XKEYSCORE works

Glenn Greenwald presented XKEYSCORE as the NSA's "widest-reaching" tool to collect "nearly everything a user does on the internet". This is misleading, because it's more about quality than about quantity: the system actually helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

The NSA has XKEYSCORE installed at some 150 data collection sites all over the world. There, it creates a rolling buffer of 3 to 5 days of content and around 30 days of metadata, which can be remotely searched by analysts. They can use traditional selectors like phone numbers and e-mail addresses to pick out data of interest, but that's the old way and how other agencies perform bulk collection.

Filtering phone numbers and e-mail addresses became less useful because targets know that this happens and shifted to anonymous ways to communicate over the internet. The novelty of XKEYSCORE is that it enables analysts to find exactly those anonymous communications. For that purpose it reassembles IP packets into their original format ("sessionizing"), like Word documents, spreadsheets, chat messages, etc.



Diagram showing the dataflow for the DeepDive version of XKEYSCORE


Once restored, these files can be searched for characteristics that are related to certain targets or target groups, like use of encryption, the use of the TOR network, the use of a different language than where someone is located, and many combinations thereof. In this way, analysts can discover new targets and then start monitoring them more closely.

XKEYSCORE was also mentioned in a classified file from the German BND, which contains a diagram that shows the difference between XKEYSCORE and traditional collection systems: in the traditional set-up, IP packets from a data stream were reassembled and then went through a filter to select only those of interest, which were forwarded for further analysis. XKEYSCORE could do all that at once:






Unlawful collection?

Now that the various disclosures by the Danish press provided quite some insight into the FE's cable tapping activities, how about the abuses it's accused of?

According to DR News, it was the newly installed spy system through which the alleged illegal collection of Danish data took place. In the first place we can assume that the filters were not able to block all the communications related to Danish citizens, residents or companies, but this is of a technical nature and not intentional.

Another option is that the FE itself, or the NSA fed the system with selectors (like phone numbers and e-mail addresses) that would result in the collection of Danish data. The NSA would not have been allowed to do that under the agreement with the Danes, while for the FE this would be against the law.

According to a source cited in the aforementioned Berlingske newspaper article, there was one case in which "the NSA sent a request to search for a company in a country in Asia, but when the FE checked the selector, it discovered that the company was Danish-owned, whereupon the request was rejected".

This shows that, just like it was the case in Germany, the NSA's interest was quite "broad", but that the FE did its best to protect Danish subjects and blocked such requests where possible.

A third option is that the illegal collection took place through the additional data search capabilities of the XKEYSCORE system, which is imaginable because here the search criteria are applied to characteristics of the content of the communications, instead of the people who are involved.

According to Berlingske, the whistleblower who informed the intelligence oversight board "feared that the management of the Defense Intelligence Service was doing US business by leaving its special system with technical vulnerabilities that allowed the National Security Agency to abuse it."


The whistleblower

Berlingske was also able to identify the whistleblower as a younger employee of the FE, working as an IT specialist - a striking similarity to Edward Snowden. The paper says that in 2013 he became increasingly concerned, but it's not clear whether this may have been caused by the Snowden revelations, which started in June of that year and included reports about XKEYSCORE, the system that had just been installed at the FE.

As the IT specialist insisted on his criticism, then head of the FE Thomas Ahrenkiel decided - without informing the Americans - to set up a technical working group to go through the system looking for vulnerabilities or signs of abuse by NSA. As reported by Berlingske, the IT specialist himself, with the aim of reassuring him, also participated in the working group, which in 2014 concluded that there were no signs of illegal intrusion.

For the FE the case was closed, but, as reported by Berlingske, the IT specialist was not satisfied and "he made a drastic decision and smuggled a recorder into his workplace, arranged meetings with colleagues and bosses for several months and recorded them in secret" - again a kind of persistance very similar to how Snowden operated. But unlike Snowden, the Danish whistleblower did not contact the press, but eventually informed the intelligence oversight board.


Danish defense minister Trine Bramsen (left) and her predecessor
Claus Hjort Frederiksen (photo: Linda Kastrup/Scanpix)


Investigations

Berlingske reported that the recordings provided "hours of covert footage with employees of the service, some of which [...] have expressed themselves in a way that confirms the suspicion that the FE may have acted illegally and not intervened adequately to prevent data on Danes from being disclosed." In November 2019 they were handed over to the intelligence oversight board, which in December informed defense minister Trine Bramsen.

Unlike her predecessor, Bramsen apparently took these kind of accusations very seriously and urged the oversight board to conduct an investigation, which on August 24, 2020 resulted in the sudden suspension of the head of the FE and a few other officials (meanwhile they have returned again, but in other positions).

On October 5, the Danish government decided to submit a bill to establish a special commission that has to carry out an independent and impartial investigation into the accusations against the FE, which has to present a report within a year.



Conclusion

In 2013, a young IT specialist at the FE became worried that this intelligence service could have illegally spied on Danish citizens. This was not only in accordance with Snowden's (unsubstantiated) narrative, but also a fear that had lived in Denmark since its domestic security service PET had been accused of monitoring ordinary Danes in 1998.

Meanwhile it has turned out that Snowden was driven more by fears than by facts - could that also have been the case with the FE whistleblower? Based on what has been published so far, he apparently tried to find evidence even after an internal investigation concluded that the NSA wasn't abusing the FE's collection system.

In recent years, the NSA and the German BND have also been accused of massive illegal domestic spying. Thorough investigations have shown that was not the case, although their employees were sometimes careless and it was technically not always possible to do what was legally required.

Was this also the situation at the Danish military intelligence service? The recently established investigation commission will show.



Links & sources

- Comments at Hacker News
- Berlingske: Særlig undersøgelseskommission skal kulegrave FE-sagen (Oct. 5, 2020)
- Politiken: Debat om kabelaflytning gav tårer i Sverige og folkeafstemning i Holland (Oct. 1, 2020)
- DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
- Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
- The Local: Danish intelligence scandal related data sharing with US agency, according to media (August 28, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- BBC: Danish military intelligence head Lars Findsen suspended (August 24, 2020)


September 14, 2020

About the legality and constitutionality of the Section 215 metadata program



It was one of the NSA's most controversial activities: the bulk collection of domestic telephone records under the Section 215 program. On September 2, a court of appeal ruled that this violated the Foreign Intelligence Surveillance Act (FISA) and suggested that it may have been unconstitutional under the Fourth Amendment.

Here, I will provide a summary of this court case, United States v. Moalin, summarize the initial legal authority for the Section 215 program and explain on what grounds the court of appeal has now found that it was in violation of the law.

That's followed by a more extensive discussion about whether telephone metadata are protected under the Fourth Amendment of the US Constitution, which shows that the court didn't recognize the difference between extensive data mining and the much more restricted method of contact-chaining as conducted by the NSA.



Slide about the NSA's Section 215 domestic telephone records program, from the keynote
by former NSA director Keith Alexander during the security conference Black Hat USA 2013


United States v. Moalin

The case in which the US Court of Appeals for the Ninth Circuit decided is about four Somali immigrants, Basaaly Saeed Moalin, Ahmed Nasir Taalil Mohamud, Mohamed Mohamud and Issa Doreh, who were found guilty by a San Diego jury in February 2013 on charges of sending money to al-Shabaab, a jihadist terrorist group based in East Africa.

The principal evidence against the four men consisted of a series of recorded calls between Moalin, his co-defendants, and individuals in Somalia, obtained through a wiretap of Moalin's phone. After Snowden revealed the Section 215 program in June 2013, several government officials tried to defend this program by claiming that it had provided information that led to reopening the investigation into Moalin.

Among them was then-FBI Deputy Director Sean Joyce who in a congressional hearing said that "the NSA provided us a telephone number only in San Diego that had indirect contact with an extremist outside the United States." This led to an identification of co-conspirators and enabled the FBI to disrupt their financial support to al-Shabaab.



Three of the four men convicted in 2013
(image: CBS News)


Subsequently, Moalin and his co-defendants argued that the metadata program violated both the Fourth Amendment and the law under which it was authorized. Therefore, the "fruits" of the government's acquisition of Moalin's phone records should therefore have been suppressed.

And indeed, the three-judge panel of the Court of Appeals unanimously found that the bulk collection of telephone records violated the Foreign Intelligence Surveillance Act (FISA) and was possibly unconstitutional under the Fourth Amendment (see below).


No benefit for Moalin

But after carefully reviewing the classified FISA applications and all related classified information, the court was also convinced that the telephone metadata, even if unconstitutional, did not taint the evidence presented by the government.

In other words: the court saw no evidence that Section 215 had provided a lead to reopen the investigation into Moalin and to wiretap him: "To the extent the public statements of government officials created a contrary impression, that impression is inconsistent with the contents of the classified record".

This means that Moalin, who received an 18-year sentence, and one of his co-defendants remain in prison; the two other co-defendants already completed their sentences. Any of them or the government can still seek review from a larger, 11-judge en banc court, but they can also bring the case before the Supreme Court.


Notice of intelligence information

While the Ninth Circuit's ruling on Section 215 has no consequences anymore, another part of the opinion still has: the government has to provide notice to criminal defendants when evidence was obtained from surveillance conducted under FISA and the FISA Amendment Act (FAA). This also applies to surveillance conducted under other foreign intelligence authorities, including Executive Order 12333.

In the Moalin case, the defendants were not notified about the use of intelligence information, but learned about it after the trial from the public statements that government officials made in the wake of the Snowden revelations. The court, however, considered that "information as to whether surveillance other than the metadata collection occurred would not have enabled defendants to assert a successful Fourth Amendment claim."



The Richard H. Chambers building in Pasadena, once a hotel, now one of
the courthouses of the US Court of Appeals for the Ninth Circuit
(photo: Levi Clancy/Wikimedia Commons)


Bulk collection under Section 215

The NSA started its collection of domestic telephone records in October 2001 as part of the President's Surveillance Program (PSP), better known under its classification codename STELLARWIND.

This program was based upon a very controversial legal opinion by Justice Department lawyer John Yoo, arguing that it was justified by the president's wartime powers according to Article Two of the US Constitution.*

After objections raised by Justice Department officials Jack Goldsmith and James Comey, a new legal basis for this collection of telephone metadata was found in Section 215 of the Patriot Act, which was approved in secret by the FISA Court on May 24, 2006.


Unlike the content of phone calls, the associated metadata were not considered constitutionally protected. This because in 1979, the US Supreme Court had ruled that telephone records that have been voluntarily provided to a telecom provider are not protected under the Fourth Amendment of the US Constitution (Smith v. Maryland, also known as the third-party doctrine).



Section from the classified STELLARWIND report, page 16


Violation of the law

Now let's take a closer look at why the Ninth Circuit Court of Appeals considered the Section 215 bulk collection program unlawful.

Section 215 of the Patriot Act amended 50 U.S. Code §1861 and authorized the government to apply to the FISA Court for an "order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities."

According to the PCLOB report the government didn't link its FISA Court applications to a single counter-terrorism investigation. Instead, the practice was to "list multiple terrorist organizations [...] and declare that the telephone records being sought are relevant to each of those investigations", which is "little different [...] from simply declaring that they are relevant to counter-terrorism in general."

With this practice the statutory requirement of relevance for "an investigation" became virtually meaningless and therefore the Ninth Circuit ruled that the telephony metadata collection program exceeded the scope of Congress's authorization and violated that particular section of the law.


The intelligence committees

While the NSA's collection of domestic telephone records was not according to how Section 215 was intended, the congressional intelligence committees were aware of it. They had been briefed multiple times about what was actually going on - a practice that (in secret) had also been approved by the FISA Court.*

According to an American legal doctrine, "Congress is presumed to be aware of judicial interpretations of the law". So when Congress reauthorized Section 215 in 2009 and 2011, the government argued that it had also "ratified" the FISA Court's secret interpretation that allowed the NSA's bulk collection.*

However, many members of the intelligence committees choose not to attend such classified briefings, preferring to stay comfortably ignorant not only about how their legislation turned out in practice, but also about how it was interpreted by the FISA Court.*

On May 7, 2015 the Court of Appeals for the Second Circuit had excused this by saying that details about the Section 215 program were actually so hard to access, even for members of the intelligence committees, that no meaningful debate had been possible.

Therefore, this court did not recognize the theory of the implicit ratification of the FISA Court's interpretation and ruled that the bulk collection exceeded the scope of what Congress had authorized under Section 215 of the Patriot Act - the same decision as that of the Ninth Circuit.



Hand-written copy of the proposed Bill of Rights from 1789, cropped to show
just the text that would later be ratified as the Fourth Amendment
(click to enlarge)


Protected under the Fourth Amendment?

Regarding the issue whether the telephone metadata collected under Section 215 were protected under the Fourth Amendment of the US Constitution, the Court of Appeals "stopped just short of saying that the snooping was definitely unconstitutional".*

Instead of a judgement, the court described a range of differences between the use of a simple pen register back in the days of Smith v. Maryland and the present-day capabilities of collecting and analyzing metadata in bulk:
- Nowadays, metadata reveal much more information, like the IMSI and IMEI number and the trunk identifier of a cell phone, telephone calling card numbers, and time and duration of a call.
- The amount of metadata created and collected has increased exponentially, along with the government's ability to analyze it.
- The duration of the collection in this case also vastly exceeds that in Smith v. Maryland: back then the pen register was used for a few days at most, while the NSA collected telephony metadata for years.
- Telephony metadata "as applied to individual telephone subscribers and when collected on an ongoing basis [...] permit something akin to [...] 24-hour surveillance."
- The extremely large number of people from whom the NSA collected telephony metadata enables the data to be aggregated and analyzed in bulk.

Regarding the latter, the court's opinion says:
"A couple of examples illustrate this point: A woman calls her sister at 2:00 a.m. and talks for an hour. The record of that call reveals some of the woman’s personal information, but more is revealed by access to the sister’s call records, which show that the sister called the woman’s husband immediately afterward. Or, a police officer calls his college roommate for the first time in years. Afterward, the roommate calls a suicide hotline.
These are simple examples; in fact, metadata can be combined and analyzed to reveal far more sophisticated information than one or two individuals’ phone records convey. As Amici explain, “it is relatively simple to superimpose our metadata trails onto the trails of everyone within our social group and those of everyone within our contacts’ social groups and quickly paint a picture that can be startlingly detailed"

This is a probably the most common argument against the bulk collection of metadata, but it ignores that there are actually different ways how intelligence agencies use large sets of metadata:

- Contact-chaining:
The full set of data is used in a "shallow" way by only looking which phone numbers (or other kinds of identifiers) are in contact with each other. This results in contact-chains and social network graphs:




- Pattern-of-life analysis:
Only parts of the data set are used to create a deeper insight into the daily life patterns of people of interest (after being identified through contact-chaining for example). Note that this kind of analysis is also conducted for individual people who are subject of targeted interception:





The examples cited by the Court of Appeals refer to the pattern-of-life analysis, while the data collected under Section 215 were only used for contact-chaining (and analyzing the results thereof).* The latter is also mentioned in the court's opinion, but without any further discussion:
"The government was also allowed to search phone numbers within three “hops” of that selector, i.e., the phone numbers directly in contact with a selector, the numbers that had been in contact with those numbers, and the numbers that had been in contact with those numbers."


The NSA's contact chaining method

The contact chaining started with a so-called "seed" - a phone number for which there was a Reasonable, Articulable Suspicion (RAS) that it was associated with a foreign terrorism organization.

This seed number was then entered into the MAINWAY contact chaining system to retrieve all the numbers that had been in contact with the seed - the first "hop". Then, analysts could also retrieve the numbers that had been in contact with the first hop numbers, which makes a second hop from the seed number:



Slide from a declassified NSA training about the Section 215 program
(click to enlarge)


Only for the numbers that showed up in such a two (and sometimes three hop) contact chain, analysts could use a separate tool to retrieve the associated call records which were stored in a different database.

These records included the originating and receiving phone number, the date, time and duration of the call (since 2008 also the IMEI and IMSI numbers of cell phones). The collection of location data was prohibited by the FISA Court, and subscriber information was also not acquired either.

In 2006, NSA analysts saw only one of every four million phone records as a result of the contact-chaining. In 2012, the NSA used 288 phone numbers as a seed for a contact-chaining query, resulting in 6000 phone numbers that analysts actually looked at.

Only such phone numbers of interest were "enriched" with additional information from other sources, like subscriber details, which would then reveal the associated names and things like family relations for example.

When this led to a suspicious American phone number, the NSA passed it on to the FBI for further investigation. There are no indications that the NSA conducted pattern-of-life analysis using the domestic telephone metadata collected under Section 215.



ACLU v. Clapper

The way Section 215 was operated was clearly less intrusive than the examples cited above, but the Ninth Circuit didn't mention this difference. It was discussed though by district judge William H. Pauley III, who summarized the actual practice in the case ACLU v. Clapper already in December 2013:
"First, without additional legal justification - subject to rigorous minimization procedures - the NSA cannot even query the telephony metadata database. Second, when it makes a query, it only learns the telephony metadata of the telephone numbers within three "hops" of the "seed." Third, without resort to additional techniques, the Government does not know who any of the telephone numbers belong to. In other words, all the Government sees is that telephone number A called telephone number B. It does not know who subscribes to telephone numbers A or B."

Accordingly, he ruled that the Section 215 program was lawful (this was overruled by the Court of Appeals for the Second Circuit because of violation of Section 215 of the Patriot Act (see above). For that reason the Second Circuit didn't want to "reach these weighty constitutional issues").


Contact chaining compared to pen register

In a report from last February, the Privacy and Civil Liberties Oversight Board (PCLOB) says that the first hop of the contact chaining process is not much different from what a pen register did: it lists the numbers with which a particular number had been in contact with.

Regarding the second hop, the PCLOB suggests that it's rather the nature than the number of call records that constitutes a Fourth Amendment protection.

Not discussed by district judge Pauley nor by the PCLOB is the subsequent analysis of the full call records associated with the numbers from the contact chains.



Telephone interception equipment that was used in the Netherlands from 1971 to 2003.
The brown device prints the metadata of the calls on a paper slip.
(photo: Wikimedia Commons - click to enlarge)


Apparently, the pen register in the Smith v. Maryland case only provided the phone numbers, but others may have recorded more call details. As of 1979 the Dutch police for example used a "telephone call analyzer" that recorded time and duration of a call, and the phone numbers of the calling and called parties - the same elements as the NSA collected under Section 215.

Therefore, one could argue that these call records are also not protected under the Fourth Amendment, especially when they are from landline phones.

This would be a bit more difficult with the final phase of the NSA's contact chaining process, when the numbers from the contact chains are enriched with information from other sources, including names and other subscriber details.

About the subscriber information one could still say that people provide that to their phone company voluntarily (in the past it was even published in phone books), but enrichment with other kinds of information will likely cross the line of what people see as private.

Based upon this more detailed analysis of the Section 215 program, the contact chaining and the call record analysis seem close enough to a pen register to fall outside the protections of the Fourth Amendment.

For the enrichment that could be different as it comes closer to a pattern-of-life analysis, even when it still doesn't reveal "a vibrant and constantly updating picture of the person’s life" as it was cited in the Ninth Circuit's opinion.


Bulk collection?

A final aspect that has to be taken into account is that protection under the Fourth Amendment also requires recognition by society. The Court of Appeals mentions "the public outcry following the revelation of the metadata collection program" to show that nowadays "several years' worth of telephony metadata collected on an ongoing, daily basis" are regarded as something private.

But the majority of the general public probably never understood that the Section 215 metadata were only used for contact chaining and not for analyzing the database as a whole, by pattern analysis or data mining for example.*

Therefore it's yet another, but still unaddressed question whether there's a reasonable expectation of privacy when metadata are collected in bulk but only an extremely small number of them are picked out for closer examination.


Replacement and termination

For the NSA's Section 215 program these legal questions have no practical impact anymore. In 2015, it was replaced by the USA FREEDOM Act, which ended the bulk collection. Henceforth the NSA had to request the metadata from telephone companies based upon specific and pre-approved selection terms.

Early 2019, the NSA suspended the program and subsequently deleted all the data collected under this authority, "after balancing the program’s relative intelligence value, associated costs, and compliance and data-integrity concerns caused by the unique complexities of using these provider-generated business records for intelligence purposes."




Links & sources
- Lawfare: NSA Bulk Phone Data Collection Unlawful, Appeals Court Rules
- Emptywheel: Basaaly Moalin Wins His Appeal — But Gets Nothing
- Politico: Court rules NSA phone snooping illegal — after 7-year delay
- Brennan Center for Justice: A Breakdown of Selected Government Surveillance Programs
- Privacy and Civil Liberties Oversight Board: Report on the Telephone Records Program Conducted under Section 215
- Emptywheel: The Era of Big Pen Register: The Flaw in Jeffrey Miller’s Moalin Decision


August 30, 2020

Head of Danish military intelligence suspended after misleading the oversight board



The Danish military intelligence service (Forsvarets Efterretningstjeneste or FE), which is also responsible for signals intelligence, has been accused of unlawful activities and deliberately misleading the intelligence oversight board.

After the oversight board (Tilsynet med Efterretningstjenesterne or TET) received information from a whistleblower, the head of the FE, Lars Findsen, and three other senior officials of the intelligence service were suspended.

Here, I will provide a translation of the press release of the oversight board, as well as details from its earlier reports, showing that there were problems at the FE for years. An overview of the international cooperation between the FE and foreign partner agencies provides a context for what likely went wrong at the Danish service.



Lars Findsen, head of the FE from 2015 to 2020 and the
FE's satellite intercept station in North Jutland



Press release of the Oversight Board

The affair came to light when on August 24, the Danish Ministry of Defense issued a short statement saying that the head of the FE and two other officials were suspended from duty until further notice. Svend Larsen, the chief of Central and West Zealand Police, was appointed as acting chief of the FE. Later, a third official was also suspended.

The same day, the Danish Intelligence Oversight Board published a press release with the unclassified results of its investigation into the issues that led to Findsen's suspension. Because the press release is only available in Danish, I made a preliminary translation using Google Translate with manual corrections to make it more readible:



PRESS RELEASE

The Intelligence Oversight Board completed a special investigation into the Defense Intelligence Service (FE) on the basis of material submitted by one or more whistleblowers.

In November 2019, one or more whistleblowers provided the Intelligence Oversight Board with a significant amount of material relating to the FE, which the Board has not hitherto been aware of or able to acquire. The material is of such a nature that the Board decided to focus its oversight of the FE in order to carry out an in-depth investigation of the present situation. With this announcement, the Board publishes the unclassified results of the investigation.

On the basis of the Board's investigation of the submitted material, the Board sent an analysis in four volumes to the Minister of Defense containing the Board's conclusions and recommendations on 21 August 2020.

Throughout the process of the special investigation of the FE, the Board has held the Minister of Defense informed. The Minister of Defense has regularly expressed support for the Board's in-depth examination of the material.

The Board's assessments and recommendations deal with matters that are fully or partially within its legal supervision authority according to the FE Act and the rules and conditions based on it, which the Minister, in the opinion of the Board, should have knowledge of, cf. § 16, stk. 2. of the FE Act.

Based on a source-critical examination of the submitted material, the Board assesses, among other things, the following:
- That since the establishment of the Board in 2014 and until the summer of 2020, the FE has, among other things, on several occasions during the Board's inspections and meetings with the head of the FE, withheld key and crucial information and provided the Board with incorrect information regarding the service's collection and disclosure of information.

The Board is of the opinion that the statutory duty to provide information is absolutely necessary for functional oversight and that it is based on trust by the legislator that the FE complies with this obligation in all respects. The result of these repeated breaches of the statutory duty to provide information is that the legality check that the Board is required to carry out under the FE Act, and which contributes to the legitimacy of the FE's work, does not work out as intended.

- That at central parts of the FE's collection capabilities there are risks that can lead to unlawful collection against Danish citizens.

- That the submitted material indicates that the FE's management has failed to follow up on, or further investigate indications of espionage within the Ministry of Defense.

- That there is a culture of insufficient legal awareness within the FE's management and parts of the service, which results in unlawful activities or inappropriate situations within the service to be shelved, including not informing the Oversight Board about matters relevant to its supervision.

- That the submitted material indicates that the FE, prior to the establishment of the Board in 2014, initiated operational activities in violation of the Danish law, including obtaining and passing on a significant amount of information about Danish citizens.

- That the FE has unlawfully processed information about an employee of the Oversight Board.

Against this background, the Board recommends that a political position be taken on the following:
- Whether there should be an investigation into whether the FE has carried out and is carrying out its task as a national security authority within ​​the Ministry of Defense in accordance with § 1, stk. 2 of the FE Act.

- The need to uncover whether the FE has adequately informed policy makers about all relevant issues concerning key parts of the service's collection capabilities.

Given the options of the FE Control Act, the Board does not have the possibilities to further uncover specific matters that emerge from the submitted material. Therefore, the Board generally recommends the following:
- That an early evaluation of the FE Act will be carried out to determine whether the Board has the necessary legal authorities and resources to carry out an effective legal oversight of the FE, including whether the Board must have the authority to conduct interrogations of the FE's employees as witnesses.

- That, based on of the circumstances of the Board's receipt of the submitted material, an external whistleblower scheme for the FE is established, which can best be placed under the auspices of the Board.

Such a scheme should improve the ability of current and former FE employees to comment on controversial issues without fear of retaliation, including employment or criminal consequences. Furthermore, such a scheme would allow classified information to be passed on in a secure environment. The scheme must also ensure that an external whistleblower body has the necessary resources and instruments to protect the persons who submit information according to this scheme.

The Board had thorough considerations regarding the publication of the conclusions and recommendations of the investigation. It is crucial for the oversight that the public has as much insight as possible. However, in the view of the extremely sensitive circumstances surrounding the submission of the material to the Board and its classified content, the Board may not provide further information to the public.

Facts about the Intelligence Oversight Board

The Intelligence Oversight Board is a special independent monitoring body that supervises that the PET processes information about natural and legal persons in accordance with the law, and that the FE processes information about natural and legal persons domiciled in Denmark in accordance with the law. The Board was established by the Act on the Police Intelligence Service (PET), which, like the Act on the Defense Intelligence Service (FE), entered into force on 1 January 2014.

Following the entry into force on 1 July 2014 of the Center for Cyber ​​Security (CFCS) Act, the Board has also monitored that CFCS processes information about natural persons in accordance with the legislation.

The Board consists of five members appointed by the Minister of Justice after consultation with the Minister of Defense. The chairman, who has to be a High Court judge, is appointed on the recommendation of the Presidents of the Danish Eastern and Western High Courts, while the other members are appointed after consultation with the Parliamentary Committee for the Intelligence Services.

The members are:

- Michael Kistrup, High Court Judge, High Court of Eastern Denmark (Chairman)
- Erik Jacobsen, Chairman of the Board of Directors, Roskilde University
- Pernille Christensen, Legal Chief, National Association of Local Authorities
- Professor Henrik Udsen, University of Copenhagen
- Professor Rebecca Adler-Nissen, University of Copenhagen

Read more about the audit at www.tet.dk




The Kastellet fortress in Copenhagen, the workplace of most of the FE's employees
(photo: Danish Air Force Photo Service)



Problems in earlier reports

The FE's unauthorized and illegal activities described in the press release of the Oversight Board may actually not have come as a complete surprise.

Already in several earlier reports, the Oversight Board noticed that the FE conducted quite a large number of unlawful "raw data searches", which is the term used for untargeted interception. This method enables the FE to "obtain very large amounts of information (several hundred million communications per year)" - according the Annual Report 2018.

In the English version of its Annual Report 2017, in which the FE is mentioned as the Danish Defense Intelligence Service or DDIS, the oversight board says:
"the checks showed that in four instances DDIS engaged in unlawful targeted procurement of information about persons resident in Denmark for a total of 20 days in 2014, eight months in 2014-2015, four days in 2016 and 17 months in 2016-2017. The checks further showed that in 20 percent of the samples drawn DDIS made unlawful searches in raw data.
In the Oversight Board’s opinion, the unlawful instances of procurement, including searches in raw data, were in the nature of negligent actions in all cases. Similarly, the Oversight Board notes that since the publication of the Oversight Board’s annual report for 2016 DDIS has taken a number of measures to reduce the number of errors. For one thing, DDIS has intensified its internal controls in the area and strengthened and targeted its staff training."

Regarding the issue of sharing data and information with the Danish domestic security service (Politiets Efterretningstjeneste, or PET) as well as with foreign partner agencies, the board noticed:
"that in a few instances DDIS was not in possession of documentation of the reason underlying the legal approval of a disclosure of information about persons resident in Denmark. The Oversight Board encouraged DDIS to ensure that documentation is obtained in all cases.
Furthermore, the check showed that DDIS did not carry out logging of a system sampled for disclosure of information. The Oversight Board encouraged DDIS to implement system logging, which was soon implemented by DDIS."



Lars Findsen in his office, with two Cisco 7900-series IP phones, apparently one for
secure and one for non-secure calls, as indicated by the colored labels
(photo: Ritzau/Jens Dresling)


Work station searches

Also interesting is that the Danish Intelligence Oversight Board checks individual computers of FE employees:
"Within two DDIS departments, the Oversight Board’s secretariat checked a number of randomly chosen work stations, including their drives, Outlook folders, external storage devices and documents in hard copy.
In connection with the check performed of the information held on each of the work stations, the secretariat asked questions to the individual staff members in question about their knowledge of the rules on processing, including erasure, of information about persons resident in Denmark.
When asked, a majority of the staff informed the secretariat that they had erased information from their work stations before the check."

As a result of this work station check in 2017, there appeared to be one case in which a "staff member processed information about persons resident in Denmark in violation of DDIS’s internal guidelines as the staff member in question retained information which he or she believed was no longer relevant to process there."


Backdoor searches

In its Annual Report 2018 the Oversight Board addressed an interesting aspect of the cooperation between the FE and the domestic security service PET. When the PET requests the FE to use its (untargeted) collection systems to obtain future communications of someone resident in Denmark, then the PET has to obtain a court order beforehand.

However, it was "an established practice" that no court order was required when the PET asked the FE to conduct a search in raw data that had already been obtained (note the similarity with the controversial "backdoor searches" which the NSA conducts on data that it has already lawfully collected).

After a critical opinion of the Oversight Board from June 2018, the PET agreed that in the future it will obtain a court order before requesting the FE to perform a raw data search concerning persons resident in Denmark. This because the PET "does not wish for a situation where it could be called into question whether it has the authority required for its activities".



The FE's satellite interception station near Hjørring in North Jutland



International cooperation

Although being just a small organization, the Danish FE was always part of various international signals intelligence alliances. Already in 1954, it became a third party partner of the NSA and, as such, a member of the multilateral SIGINT Seniors Europe (SSEUR) group that was established in 1982.

In 1976, the FE took the initiative to set up a purely European signals intelligence group codenamed Maximator, which includes Sweden, Germany, the Netherlands and France. The FE was also part of a parallel military intelligence alliance, which was created in the early 1980s and is known as the Club of Five.

The data and information that Denmark contributes to these multilateral exchange groups comes from the various collection systems operated by the FE. Most visible are its two satellite interception stations: one close to Sandagergård on Amager and one near Hjørring in North Jutland.

Additionally, the Danish military probably has mobile interception units to be used during operations abroad. In Afghanistan for example, Danish forces were part of the Afghanistan SIGINT Coalition (AFSC) and used DRT equipment to collect cell phone metadata that was fed into the NSA's Real Time-Regional Gateway (RT-RG) system.



The FE's satellite interception station on Amager, close to Sandagergård


Based on documents from the Snowden revelations, the Danish newspaper Information reported in June 2014, that Denmark is most likely cooperating with the Americans for access to fiber-optic cables under the NSA's umbrella program RAMPART-A. The NSA also provided the FE with collection and processing equipment.

Data "collected from cable taps in Denmark are filtered in order to eliminate Danish data before handing them over to NSA. The filters, however, do not remove all Danish data, since this is not technically feasible" - according to Information. This is similar to what happened to the data the German BND shared with the NSA under operation Eikonal, which was also part of RAMPART-A.




Denmark was also mentioned in Edward Snowden's written testimony for the European Parliament from March 2014, in which he came up with the following accusation:
The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans.
Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.
Ultimately, each EU national government's spy services are independently hawking domestic accesses to the NSA, GCHQ, FRA, and the like without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole.


It should be noted that this theory is not supported by original documents from the Snowden collection. Also, a thorough German investigation into the prohibited data the NSA was interested in during its cooperation with the BND for satellite interception revealed that the NSA mainly tried to target various European government agencies and German companies.

This was in violation of the Memorandum of Agreement (MoA) with the Germans, but in general, spying on foreign governments is considered fair game - and it turned out that the BND was doing exactly the same. There are no indications that these kind of cooperations were used for the surveillance of ordinary citizens.



Conclusion

Meanwhile, additional reporting by the Danish broadcaster DR says that the FE allegedly shared large amounts of raw data from a fiber-optic cable access with the NSA, "which could have included Danish citizens' private personal information and communications". DR couldn't clarify whether this cooperation with the NSA was legal or illegal.

This could be a confirmation of Information's reports from 2014 about a joint cable access operation, but it could also be that the FE shared (meta)data from its own cable access with the NSA. It's assumed that the FE can legally intercept cable traffic in bulk, but as a foreign intelligence service, it has to make sure that no data of Danish residents are collected.

We know that both the NSA and the BND had great difficulties with filtering out data of their citizens and residents, so the least that can be expected is that the FE has the same problem, apparently didn't care much about it and deliberately misled the Oversight Board about the extent of this issue.

The Danish prime minister, Mette Frederiksen, has announced an investigation into the unlawful activities of the FE.



Links & sources
- Information: Når man samarbejder med NSA om masseovervågning, er det langtfra risikofrit (Sept. 12, 2020)
- The Local: Danish intelligence scandal related data sharing with US agency, according to media (August 28, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- BBC: Danish military intelligence head Lars Findsen suspended (August 24, 2020)
- Information: German disclosure raises questions about Danish NSA-partnership (October 20, 2014)
- Information: NSA ‘third party’ partners tap the Internet backbone in global surveillance program (June 19, 2014)

- English homepage of the Danish Defence Intelligence Service (DDIS)