July 22, 2020

A unique note from the BND about European SIGINT alliances

(Updated: July 31, 2020)

Last April, an academic article by the Dutch professor for computer security Bart Jacobs revealed the existence of Maximator, a hitherto unknown SIGINT-sharing alliance of five European countries.

On July 1, the German newspaper Frankfurter Rundschau (FR) also published an article about the Maximator alliance, which includes a handwritten note by an employee of the German foreign intelligence service BND.

This note appeared to be rather spectacular, as it provides some details about two different European SIGINT alliances. Such international cooperation is among the most sensitive and secretive aspects of the intelligence business.




The handwritten note about SIGINT cooperation between BND and DGSE
(click to enlarge)



Transcript and translation

According to the Frankfurter Rundschau, the note was written in 1986 by a manager from the BND who was responsible for the Maximator alliance.

Unfortunately, his handwriting is very difficult to read, but with some puzzling and guessing it was possible to clarify most of the text (please leave a comment if you think you can correct something or fill in some of the remaining gaps).

Below is the original text of the note in German on the left side (with the abbreviations written in full) and a translation in English on the right side (updated with some good suggestions):


Title:

Tech[nische] Zusammenarbeit BND/Wicke
Technical cooperation BND/France


First column:

Mil[itärisch]
---------------
- .. 50 (Richtfunk VHF/UHF)
- RohMat[erial]
aust[ausch]
- 5er Club
(Wicke, Begon[ie]
Kresse-H, Pfingst-
rose)
- Bilaterale
Bespr[echungen] 2x jährlich
zusammen mit
UW
Military
-----------
- .. 50 (Microwave VHF/UHF)
- Raw data
exchange
- Club of Five
(France, Denmark
Netherlands-Army, Bel-
gium)
- Bilateral
talks twice a year
together with
UW


Second column:

Pol[itisch]
--------------
- Col
- RohMat[erial]
aust[ausch]
- Maximator
(Wicke (seit 1 jahr), Mohn
Begon[ie], Kresse-Mar
- Aust[ausch] Klar[text]
mat[erial] wird
abgeklärt
(Wortbanken)
einziger PD
- Bilaterale
Bespr[echungen]
Political
------------
- ...
- Raw data
exchange
- Maximator
(France (since 1 year), Sweden
Denmark, Netherlands-Navy
- Exchange of plain text
material will be
clarified
(Dictionaries)
only PD
- Bilateral
Talks


Third column:

Elint
------------
Austausch
Radar-Sign[ale]
Bilateral
(Wicke schwach)
CREM
Elint
--------
Exchange
Radar signals
Bilateral
(France weak)
CREM


Fourth column:

Krypto
------------
Col.
Crypto
-----------
...



Transcription of the handwritten note about cooperation between BND and DGSE
(click to enlarge)



Discussion of the content

The title of the note is hardly legible, but the Frankfurter Rundschau says it reads "Technische Zusammenarbeit" or technical cooperation between the German Bundesnachrichtendienst (BND) and the French foreign intelligence service Direction Générale de la Sécurité Extérieure (DGSE).

Then there are four columns for the subsets of Signals Intelligence (SIGINT) involved in this cooperation: first Communications Intelligence (COMINT) related to military issues as well as to political issues, then Electronic Intelligence (ELINT), and finally Crypto or cryptography which is needed to decipher communications that are encrypted.


Crypto

Regarding the cryptologic cooperation between BND and DGSE, the note only has the mysterious abbreviation "Col.", which reminds of terms like "collection" and "collaboration" but these doesn't seem to fit, given that the rest of the text is in German, which has very few words that start with "col".

According to the article by professor Jacobs, the members of the Maximator alliance (see below) exchanged algorithms used in various (deliberately weakened) encryption devices used by target countries. It was then up to the individual partners to find out how to exploit these weaknesses.


Electronic Intelligence

The note also doesn't provide much information about the cooperation between France and Germany in the field of Electronic Intelligence (ELINT), which is the collection and analysis of signals that do not contain human communications.

ELINT aims at the electronic parts of an enemies' defense network, like radars, surface-to-air missile systems and aircraft systems, so ships, aircraft and missiles can be detected by their radar and other electromagnetic radiation.

According to the note, BND and DGSE exchanged data about radar transmissions on a bilateral basis, but it also seems to say that the French capabilities were rather weak.

There are also the letters CREM or CIREM, which is probably the abbreviation of Centre d’Information sur les Rayonnements ÉlectroMagnétiques, or Center for Information on Electromagnetic Radiations, which is the old name for the French center for military SIGINT CFEEE.


Political Communications Intelligence / Maximator

The second column of the note is about Communications Intelligence about political issues. Here we see the mysterious abbreviation "Col." again, which is also in the Crypto column.

On this topic, BND and DGSE exchanged raw communication intercepts which were also shared multilaterally within the Maximator alliance. According to Jacobs, the focus of this group was on intercepting and decrypting diplomatic communications, both from HF radio transmissions and SHF satellite links.


The Maximator alliance has its own cover names for each of its partners, but in the BND note the members are listed by the regular cover names that the BND used for its foreign partners, which are names of flowers and plants:
Wicke - France (with the additional remark: "since 1 year")
Mohn - Sweden
Begonie - Denmark
Kresse-Mar - Netherlands, naval intelligence


From professor Jacobs' article we now that France requested to join the Maximator alliance in 1983. This was supported especially by Germany and as a result France was invited in 1984 and joined in 1985. So when the BND note says "since 1 year", it means the (undated) document was written somewhere in 1986.

For the Netherlands it was the Technisch Informatieverwerkings Centrum (TIVC) that participated in the Maximator group. The TIVC was the cryptanalysis centre of the Dutch Navy, which is indicated by the abbreviation "Mar" for Marine behind the cover name for the Netherlands.



The participants in the Maximator alliance and their internal cover names
(click to enlarge)


After listing the members of the Maximator alliance, the BND note probably says that the exchange of plain text intercepts will be clarified. An interesting term is Wortbanken, which may be similar to the "dictionaries" containing the selectors used to filter content of interest out of the intercepted data streams, a method well known from the Five Eyes agencies. There also seem to be some "PD" which may stand for "Points of Discussion".

For the coordination of the exchange of political intelligence there were bilateral talks, but it's not clear whether that's just between BND and DGSE or that it also applies to the Maximator alliance. The latter would contradict Jacobs' article, which says that signals interception issues were discussed in multilateral meetings attended by all members.


Military Communications Intelligence / Club of Five

Finally, the first column of the note is about Communications Intelligence related to military issues. It starts with some letters or numbers (maybe 50?), followed by the remark that the cooperation is apparently about intercepting microwave (Richtfunk) and possibly other VHF and UHF radio transmissions.

Since the 1950s, microwave radio relay links were widely used for long-range point-to-point communications, both for civilian and military purposes. During the Cold War, the United States had the unique capability to intercept Soviet microwave traffic using satellites such as the Rhyolite/Aquacade, which could pick up the beam of a microwave link that passes the receiving antenna and radiates towards the horizon and then into space:


Interception of microwave signals by spy satellites
(image: Decora/Wikimedia Commons)


Germany and France, nor other European countries had such satellites to intercept microwave signals, so collaboration and sharing their own intercepts could have strengtened their own position compared to the capabilities of the Americans.

Just like political intelligence was shared within the Maximator group, this military intelligence was also exchanged multilaterally, but in a different group which was called "5er Club" or "Club of Five". The note also lists the members of this group, again using the regular BND cover names:
Wicke - France
Begonie - Denmark
Kresse-H - Netherlands, army intelligence
Pfingstrose - Belgium



Note that the membership of the Club of Five is slightly different from the Maximator alliance: it has Belgium instead of Sweden as a member. For the Netherlands, it was the 898th signal battalion of the Dutch army that participated in the Club of Five, probably supported by the TIVC for the cryptanalysis.

Through several listening stations along its borders as well as mobile SIGINT units, the BND itself was able to intercept microwave and radio transmissions from inside the German Democratic Republic (DDR). The signals intelligence units of the French military have similar capabilities, probably also aboard dedicated spy ships.

This Club of Five was also mentioned in professor Jacobs' piece, who referred to a book by Richard Aldrich which says that since the early 1980's there was a "mini-UKUSA-alliance called "The Ring of Five", consisting of the sigint agencies of Germany, the Netherlands, France, Belgium and Denmark". In a note, Jacobs also suggests that this group may also "have been called Fünfgruppe".

According to the BND note, the exchange of military intelligence was also discussed during bilateral meetings, in this case twice a year and together with "UW", but it is unknown what that stands for.



The scan of the note

The Frankfurter Rundschau did not only publish the written part of the note about the cooperation between BND and DGSE, but the whole sheet of notebook paper as it was scanned, including another sheet of paper that was used as a background:



The full scan of the note about cooperation between BND and DGSE
(click to enlarge)


A close look at the bottom of the scan reveals some text that bleeds through from the back side of the larger sheet of paper. Rotating, mirroring and enhancing the image shows that it's part of a bill from the German cell phone provider Smartmobil for mobile data usage for the month of May 2019:



The back side of the sheet of paper behind the BND note
(click to enlarge)


This shows that the BND note wasn't scanned before May 2019 and maybe it could even provide a lead to the person who leaked the note to the press. Therefore, it's quite sloppy that Frankfurter Rundschau didn't cut off this part to make sure that there's no trace to the source.



Thanks to Le cueilleur and Zone d'Intérêt for providing some useful information for this blog post.


Links & sources
- Zone Militaire: Cinq pays européens, dont la France, s’échangent des renseignements au sein de la discrète alliance « Maximator » (July 2020)
- Le Monde: Une petite note manuscrite du renseignement extérieur allemand brise un très vieux secret (July 2020)
- Frankfurter Rundschau: Exklusiv-Recherche: BND spionierte jahrzehntelang am Parlament vorbei (July 2020)
- Bart Jacobs: Maximator: European signals intelligence cooperation, from a Dutch perspective (April 2020)
- German website: Fernmelde- und Elektronische Aufklärung - Funk- und Funktechnische Aufklärung
- Dutch websites: 898 Verbindingsbataljon - WKC/TIVC/SVIC
- Matthew M. Aid & Cees Wiebes, "Secrets of Signals Intelligence during the Cold War and Beyond", London, 2001.


June 23, 2020

NSA documents and cover names from the book Dark Mirror


On May 20, yet another book about the Snowden-revelations was published: Dark Mirror, Edward Snowden and the American Surveillance State. It's written by Barton Gellman, who was in direct contact with Snowden and reported on the NSA's spying activities for The Washington Post.

Here, you'll find the original documents from Dark Mirror, to complement the existing collections of Snowden documents, as well as a listing of all the NSA cover names, because most of them are not included in the index of the book. A review of Dark Mirror will follow in due course.

(Similarily, the NSA documents and codenames from Glenn Greenwald's book No Place to Hide from 2014 can be found on the website IC Off The Record)





Documents

The book contains five (parts of) documents that haven't been published before, as well as six slides from NSA presentations which were released as part of earlier press reports. There are also three photos of Edward Snowden in Dark Mirror which are not reproduced here.

(Collections of all the documents from the Snowden revelations can be found at the website IC Off the Record and in the Snowden Surveillance Archive)


Presentation about the PRISM program:


Front slide of the NSA's PRISM presentation from April 2013.
Published earlier by The Washington Post on June 6, 2013.
(Dark Mirror, p. 109 - click to enlarge)



Part of slide 40 from the NSA's PRISM presentation from April 2013.
Published earlier by The Washington Post on June 29, 2013,
but without the two-row table with the Section 702 FAA certifications.
(Dark Mirror, p. 113 - click to enlarge)

> See for all the PRISM slides that have been released: What is known about NSA's PRISM program


Presentation from the Large Access Exploitation Group:


Detail from a slide from an NSA presentation titled "Is it the End of the
SIGINT World as We Have Come to Know It?" prepared by a member of
the Large-Access Exploitation Group and dated May 10, 2012.
(Dark Mirror, p. 169 - click to enlarge)



Detail from a slide from a briefing titled "Is it the End of the SIGINT
World as We Have Come to Know It?" prepared by a member of the
Large-Access Exploitation Group and dated May 10, 2012.
(Dark Mirror, p. 174 - click to enlarge)

Probably from the same presentation are two slides that were published by The Washington Post on December 4, 2013 and one partial slide published with Greenwald's book No Place to Hide in May 2014.

> More about the MAINWAY system: Section 215 bulk telephone records and the MAINWAY database


Presentations about SSO Collection Optimization:


Meme from the NSA presentation "SSO Collection Optimization"
from January 7, 2013, referring to collection systems that
scooped up more data than they could process
(Dark Mirror, p. 192 - click to enlarge)



Slide from the NSA presentation "SSO Collection Optimization" from 2013
about intercepting Google's cloud, better known as the MUSCULAR program.
Published earlier by The Washington Post on October 30, 2013.
(Dark Mirror, p. 284 - click to enlarge)

Also from presentations about SSO Collection Optimization are:
- seven slides published by The Washington Post on October 14, 2013,
- six slides published by The Washington Post on November 4, 2013.


Slides from other NSA presentations:


Detail from a slide from the NSA presentation from
"FAIRVIEW Data Flow Diagrams" from April 2012.
The full presentation was published by
The Intercept in November 2016.
(Dark Mirror, p. 171 - click to enlarge)

> More about the FAIRVIEW program: FAIRVIEW: Collecting foreign intelligence inside the US



Slide from the NSA presentation "NSA/CSS Mission: PROVIDE AND
PROTECT VITAL INFORMATION FOR THE NATION" from October 24, 2001.
Published earlier by The Washington Post on December 23, 2013.
(Dark Mirror, p. 184 - click to enlarge)



Explanation of "traffic shaping" to redirect a target's communications
traffic in such a way that it passes an NSA access point.
Published earlier by The Intercept.
(Dark Mirror, p. 201 - click to enlarge)


Miscellaneous documents:


Example of an e-mail exchange between senior White House, Justice
Department and DNI officials, released upon a FOIA request about
the FIRSTFRUITS media leaks program
(Dark Mirror, p. 226 - click to enlarge)



Confirmation of the flight reservations for Edward Snowden
and Sarah Harrison, June 24, 2013.
(Dark Mirror, p. 307 - click to enlarge)



Cover names

Dark Mirror contains 28 cover names that haven't been published before. However, not all of them are explained in the book, some are just mentioned to reflect the NSA's internal culture and the way these code names are composed.

There are also 63 cover names which were already known from press reports and/or documents from the Snowden trove. This means that for many of them there's additional information available - click the asterisk for sources.

(All these cover names are also included in the extensive listings of NSA Nicknames and Codewords and NSA's TAO Division Codewords on this weblog)


Newly revealed cover names:

BADASS - (unexplained compartment) (p. 206)
BADGIRL - ? (p. 204)
BATCAVE - Digital hideout for NSA hackers who emerge to steal another country's software code (p. 209)
BLACKAXE - Exceptionally Controlled Information (ECI) compartment (p. 70)
BLADERUNNER - ? (p. 209)
CAPTAINCRUNCH - FBI owned and monitored network servers to attract foreign hackers (p. 86)
COOKIEDOUGH - ? (p. 210)
CROWNROYAL - ? (p. 209)
DEPUTYDAWG - ? (p. 209)
DEVILFISH - ECI compartment (p. 70)
DEVILHOUND - ? (p. 207)
EPICFAIL - ? (p. 207)
EXPLETIVEDELETED - Cover name for al-Qaeda's favorite encryption software (p. 212)
EXUBERANTCORPSE - Cover name for al-Qaeda's favorite encryption software (p. 212)
FLYLEAF - ECI compartment (p. 70)
Graph-in-Memory - Database holding maps of contacts in support of contact-chaining (p. 174, 177, 180)
HYSSOP - ECI compartment (p. 70)
KESSELRUN - ECI compartment (p. 70)
KOBAYASHIMARU - NSA contract with General Dynamics to help break into another country's surveillance equipment (p. 210)
LIGHTNINGTHIEF - ECI compartment (p. 70)
MISS MONEYPENNY - Support unit providing cover identities for undercover CNE operations abroad (p. 202)
PANT_SPARTY - Injection of an NSA software tool into a backdoor in the target's defenses (p. 204)
POISONIVY - Remote-access trojan used by Chinese government spies (p. 209)
QUIDDITCH - Exploit used by the Special Collection Service (SCS) (p. 209)
STRAWHORSE - Modification to Apple's software installer Xcode to insert a remote-controlled backdoor into each app it compiled (p. 188, 216-220)
VIXEN - ? (p. 204)
VULCANMINDMELD - ? (p. 210)
ZOMBIEARMY - ? (p. 207)


Cover names published earlier:

ALTEREDCARBON - An IRATEMONK implant for Seagate drives * (p. 209)
AMBULANT (AMB) - ECI compartment related to the BULLRUN program (p. 70)
BLACKBELT - Access point under the FAIRVIEW program * (p. 207)
BLARNEY - Collection of foreign phone and internet communications within the US under FISA authority (since 1978) * (p. 199)
BLINDDATE - Searching for vulnerable machines on a local Wi-Fi network * * * (p. 203, 206)
BORGERKING - Something related to Linux exploits (p. 210)
BOUNDLESSINFORMANT - NSA's collection visualization tool based on internet and telephone metadata (p. 10, 206)
BYZANTINE HADES (BH) - Chinese computer network exploitation (CNE) against the US * probably renamed to the LEGION-series * (p. 68, 85, 206)
CAPTIVATEDAUDIENCE - Software tool that listens in on conversation by switching on the microphone of a target's mobile handset (p. 208)
CO-TRAVELER - Set of tools for finding unknown associates of intelligence targets by tracking movements based upon cell phone locations * (p. 318)
CRUMPET - Covert network with printer, server and desktop nodes, or ECI compartment (p. 70)
EGOTISTICALGIRAFFE (EGGI) - TOR Browser Bundle (TBB) exploit (p. 80)
EPICSHELTER - Data backup system to recover information from particular NSA sites, designed by Edward Snowden * (p. 59-61, 63, 75)
ERRONEOUSINGENUITY (ERIN) - Tool for exploiting the TOR network (p. 207)
FAIRVIEW - Domestic cable tapping program in cooperation with AT&T (since 1985) * (p. 311)
FALLOUT - Internet metadata ingest processor/database (p. 169/image)
FASCIA - Telephony metadata ingest processor/database * (p. 169)
FASCIA II - Telephony metadata ingest processor and primary source of telephone metadata for target development. It formerly contained internet metadata which are now in MARINA.* (p. 172)
FELONYCROWBAR - System used to configure the UNITEDRAKE framework (p. 207)
FIRSTFRUITS - Counterintelligence database to track unauthorized disclosures to the press, set up in 2001 * * (p. 225, 271-274, 277)
GROK - Key logger that records every character a target types (p. 209)
HAPPYHOUR - Getting access to vulnerable machines on a local Wi-Fi network (p. 203)
Heartbeat - Apparently a data handler system, designed by Edward Snowden * and/or successor of EPICSHELTER, or an index of surveillance systems * (p. 36, 74-78)
IRONAVENGER - NSA hacking operation against an ally and an adversary (2010) * (p. 209)
KRISPYKREME - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers * (p. 210)
LADYLOVE - The NSA satellite intercept station at Misawa in Japan (since 1982) (p. 204)
LIFESAVER - Technique which images the hard drive of computers * (p. 210)
MAILORDER - FTP-based file transport system used to move data between various collection, processing and selection management systems. Originally developed in 1990, ultimately to be replaced by JDTS * (p. 171)
MAINWAY (MW) - NSA's main contact chaining system for foreign and domestic telephone and internet metadata from multiple sources; performs data quality, preparation and sorting functions, summarizes contacts and stores the resulting one-hop contact chains * (p. 168-176, 178-180)
MAKERSMARK - Major cyber threat category countered by the TUTELAGE system * identified in 2007 * (p. 209)
MARINA - NSA database for internet metadata; maybe succeeded by CLOUDRUNNER in 2013 * (p. 169/image)
MJOLNIR - Tool to break the anonymity of the Tor network * (p. 209)
MUSCULAR - Joint NSA-GCHQ operation to tap the cables linking Google and Yahoo data clouds to the internet * (p. 299-300, 311, 315)
NIGHTSTAND - Delivering malware to a vulnerable machines on a local Wi-Fi network (p. 203, 206)
NIGHTTRAIN - Part of a program to spy on a close US ally during operations alongside the ally against a common foe * (p. 209)
OAKSTAR - Umbrella program for 9 accesses at 7 corporate partners (since 2004)* * (p. 311)
ODDJOB – HTTP command and control implant for installation on compromised Windows hosts, published by the Shadow Brokers (p. 201)
PINWALE - Primary storage, search, and retrieval system for SIGINT text intercepts. Target data is filtered through a Packet Raptor at the collection site and is subsequently processed by a WEALTHYCLUSTER 2, followed by an XKEYSCORE for selection at NSA headquarters.* (p. 176)
PITIEDFOOL - Suite of computer network attack (CNA) tools to attack the Windows operating system, overwrites data to the point it is irrecoverable (p. 206)
POLITERAIN - Offensive computer network attack (CNA) team from the Access Technologies & Operations (ATO) unit of the NSA's hacking division TAO * (p. 220)
PRISM - Collection of internet data from specific foreign targets at major US internet companies (since 2007) (p. 84, 99, 106-113, 117-121, 123-133, 137, 139-148, 226, 285, 300)
QUANTUM - Secret servers placed by NSA at key places on the internet backbone; part of the TURMOIL program * (p. 199)
RAGTIME (RGT) - ECI compartment for call and e-mail content collected under FISA authority * Encompasses both NSA and FBI FISA data since 2002 * (p. 122)
SCISSORS - Data scanning, formatting and distribution system * or processing system that slices up data for sorting (p. 206)
SECONDDATE - Exploitation of vulnerable machines on a local Wi-Fi network (p. 203)
SEEDSPHERE - Chinese "intrusion set" against US computer networks, identified in 2007 * (p. 68)
SORTINGHAT - RT10 application * or Traffic control system for information exchanged with GCHQ (p. 209)
STARBURST - Temporary cover term for what would become the STELLARWIND compartment (October 2001) (p. 70, 170)
STELLARWIND (STLW) - Cover term for the President's Surveillance Program (PSP), which encompassed bulk collection of domestic metadata and targeted interception at backbone facilities inside the US in order to track down foreign terrorists and their previously unknown conspirators (2001-2007) (p. 26, 70, 71, 169-170, 175)
TRANSGRESSION - TAO/CES unit providing cryptanalytic support for various missions * (p. 206)
TURMOIL (TML) - Passive SIGINT sensors: filtering and selection (at the packet level) of internet traffic on high-speed satellite, microwave and cable links, part of the TURBULENCE program * * * (p. 299)
TURTLEPOWER - System to process VoIP communications data * and/or automated decryption of enciphered data (p. 209)
UNPACMAN - Processing system on TAONet, part of DEEPFRIEDPIG * (p. 210)
Upstream - Targeted collection of telephone and internet communications of foreign targets at backbone cables and switches inside the US (p. 84)
VOYEUR - Compartment shared with GCHQ for spying on another country's spies as they spy on someone else (4th party collection) * (p. 206)
VULCANDEATHGRIP - Repository for data collected from vPCS shaping under the STEELFLAUTA program * or tool that seizes encryption keys during the handshake of two devices as they establish a secure link (p. 210)
WALKERBLACK - Related to the MAKERSMARK intrusion set * (p. 209)
WESTERNSTAR - Contact-chaining program * (p. 174/image)
WHARPDRIVE - Joint venture between the German BND and another country with access for NSA (2013)* * (p. 210)
WHIPGENIE (WPG) - ECI compartment for details about the STELLARWIND program * (p. 70, 122)
XKEYSCORE (XKS) - Computer system that combines high-speed filtering of data traffic from different sources with techniques for discovering targets who use the internet anonymously * (p. 86-87, 330-331)




Extra:

Cover names from Edward Snowden's book Permanent Record:

EGOTISTICALGIRAFFE - (p. 168)
EPICSHELTER - (p. 168-169, 189, 220)
FOXACID - (p. 168)
Heartbeat - (p. 221-222, 256-257)
MIDNIGHTRIDER - (p. 256)
OPTICNERVE - (p. 256)
PHOTONTORPEDO - (p. 256)
PRISM - (p. 223-224, 291)
QUANTUM - (p. 225)
STELLARWIND - (p. 175, 177, 245, 250)
TRAFFICTHIEF - (p. 168)
TRAILBLAZER - (p. 250-251)
TURBINE - (p. 225)
TURBULENCE - (p. 225)
TURMOIL - (p. 225)
Upstream - (p. 224)
XKEYSCORE - (p. 276-279, 281, 325)
ZBSMACKTALK/1 - (Fictitious CIA cryptonym) (p. 133-134)


June 5, 2020

Bulk interception by Germany's BND and what the Constitutional Court said about it



On May 19, the German Constitutional Court presented its decision in a case about the untargeted interception of foreign communications by the German foreign intelligence service BND.

Unlike suggestive headlines, the Court didn't forbid this kind of collection, but ruled that more specific safeguards and more thorough oversight are needed to make it compliant with the German constitution.

The Court's decision and some recent press reports also provide interesting details about how the BND is conducting its bulk collection of data from internet cables, especially at the German internet exchange DE-CIX.




Interior of the BND data center in Pullach, near Munich in Bavaria
(screenshot from ARD television - click to enlarge)



The BND's untargeted cable tapping

It's assumed that the BND's first experience with large-scale cable tapping started with operation Eikonal, under which the Germans cooperated with the NSA for access to some fiber-optic cables at a switching center of Deutsche Telekom in Frankfurt. Operation Eikonal was part of the NSA umbrella program RAMPART-A, which aimed at gathering intelligence about targets from Russia, the Middle East and North-Africa.

Operation Eikonal started in March 2004 with intercepting telephone and fax messages and shifted to e-mail and VoIP communications in 2006. However, this resulted in only a few hundred reports a year (each consisting of one intercepted e-mail, fax message or phone call). For the NSA this was a big disappointment and the BND realized that it was impossible to fully separate foreign and domestic communications. Therefore, the operation was terminated in June 2008.

Earlier blog postings about operation Eikonal:
- Unnoticed leak answers and raises questions about operation Eikonal
- New details about the joint NSA-BND operation Eikonal
- The German operation Eikonal as part of NSA's RAMPART-A program


Overview of the joint NSA-BND operation Eikonal (2004-2008)
(click to enlarge)


(Between 2004 and 2013, BND and NSA also cooperated in satellite interception at Bad Aibling Station. Years of neglicence over there resulted in what is known as the "Selector Affair")

Detailed insights into operation Eikonal emerged from the hearings of the German parliamentary investigation commission (#NSAUA) between March 2014 and February 2017. This inquiry was set up to investigate the NSA spying activities, but soon turned its focus on the Signals Intelligence (SIGINT) operations of Germany's own foreign intelligence service.


Cable tapping at DE-CIX

While operation Eikonal itself wasn't very successful, it did provide the BND with the knowledge and the experience for conducting cable tapping on its own: in 2009 they started intercepting cables from 25 (out of over 300) internet service providers, this time at the DE-CIX internet exchange in Frankfurt am Main.

Among these 25 providers were foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

It appears that this interception took place in cooperation with the DE-CIX Management and that the various providers themselves didn't knew that this was happening. A smart move, as this provides BND with just one single point-of-contact, while the individual providers could honestly deny that their cables were being intercepted.


Current practice

More information about the BND's current efforts to intercept data streams from internet exchanges like DE-CIX were provided recently by reports from the German magazine Der Spiegel en the Bavarian broadcaster Bayerischer Rundfunk (BR) in anticipation of the decision of the Constitutional Court. Additional details can be found in the full text of the Court's decision.

Both press reports were based on several internal documents from the German government and the BND, including its 72-page SIGINT Policy Manual (German: Dienstvorschrift Sigint), which provides detailed regulations for what's allowed and what's prohibited when conducting untargeted interception of communications between foreigners abroad (Ausland-Ausland Fernmeldeaufklärung).

(Intercepting one-end foreign communications is regulated by the G10 Law with the G10 Commission for approval and oversight. This commission is also responsible for interception by the domestic federal security service BfV)


Intelligence priorities

Like many other intelligence agencies, the BND is not only trying to prevent terrorism, but also provides the German government with information to support its foreign policy, as well as to prevent the proliferation of weapons of mass destructing and cyber attacks. The government arranges these goals in a document similar to the National Intelligence Priority Framework (NIPF) in the United States.

The German version of this Top Secret document is called Auftragsprofil der Bundesregierung (APB) and ranges from Priority 1 for topics that require a complete coverage (umfassender Informationsbedarf) to Priority 4 for issues with a low information need (niedriger Informationsbedarf).

According to these information needs, the BND considers whether it's necessary to intercept internet communications. In Germany, this can happen at 23 internet exchanges, with DE-CIX in Frankfurt as one of the biggest in the world, but the BND also has satellite intercept stations in Schöningen, Rheinhausen and Bad Aibling.


Access directives

Once the BND has determined where they need access, the federal chancellery (Bundeskanzleramt) issues a directive granting that access based upon the BND Law. Currently, there are 17 network access directives (Netzanordnungen): 3 of them for internet exchanges inside Germany, the other 14 mainly for satellite networks.* In practice, the BND copies about 10% of the capacity of a network that it's allowed to tap.*

Based upon these network access directives, the BND provides the network providers with an extraction directive (Ausleitungsanordnung), which usually identifies multiple networks of interest. The specific parts of these networks or transmission links which the BND is interested in are specified in separate tables (Statustabellen).*


Splitting off data streams at DE-CIX

In October 2019, DE-CIX provided the Constitutional Court with an assessment saying that it handled an average number of 47,5 trillion IP connections (IP-Verkehrsverbindungen) a day and that the BND would technically be able to copy 1,2 trillion of those IP-connections, which is 2,5% of the total traffic.

However, in the Court's decision it's said that the BND's technical installations at DE-CIX have the capacity of capturing and processing 5% of its data traffic.* The management of the exchange has no insight in how many data the BND actually extracts.

Usually traffic at internet exchanges is measured in bits per second: in October 2019, the average traffic at DE-CIX was 5 terabit per second (Tb/s). If the BND copies between 2,5 and 5% of that, that would make between 125 and 250 gigabits per second (Gb/s).

For comparison: from the Snowden revelations we know that in 2011, GCHQ had access to more than 200 communications channels ("bearers") of 10 Gb/s each - out of the around 1600 channels within all the commercial cables transiting the UK. However, GCHQ could process data from only 46 of them at a time (or 460 Gb/s).


The DAFIS filtering system

Once data streams of interest are copied, the BND leads them to a multi-stage filter system called DAFIS. First, different types of data are identified in order to discard irrelevant ones, like video streams.* The first stage of DAFIS then deletes all communications that involve German citizens or residents.

According to government documents, this filter has a 96% to 98% accuracy, but with over a trillion connections a day, that would still leave 2 to 4 billion connections with an incorrect attribution. Therefore, the BND implements additional algorithms to prevent the collection of German communications.

Second stage

The second stage of DAFIS uses selectors (Suchbegriffe) to filter both metadata (Verkehrsdaten) and content (Inhaltsdaten). According to BR and Der Spiegel, The BND uses more than 100.000 selectors, not only telephone numbers and e-mail addresses, but also the names of chemical components of weapons of mass destruction.

In the decision of the Constitutional Court it's said that between 50 and 60%(!) of these selectors are provided by foreign partner agencies, but the BND only uses them when their type and purpose can be verified.*

Before feeding these selectors into the filtering system, BND checks whether they comply with the law, which says that it is not allowed to intercept the communications of German citizens and residents. Telephone numbers are automatically excluded by filtering out the country code 0049 for example. Also, no selectors may be tasked to monitor children under 14, except when it's about child soldiers and suicide attackers.

In the government documents it's acknowledged that no filter system can provide 100% protection, like when a German citizen living or working in Syria makes a call from a syrian number. Only by listening in to such a conversation it can be determined that it's actually protected under the German constitution and has to be deleted (and the selector marked accordingly).


Third stage

During the parliamentary investigation, a third stage of the filter system was mentioned, which was aimed at protecting "German interests". During the hearings it became clear that it filters out German companies and foreign companies with German participation (like EADS and Eurocopter) as well as the names of German politicians, among others.

Like it was the case under operation Eikonal, the DAFIS filter system is probably located in a highly secured room at the internet exchange. That saves bandwidth as only the data that remain after the final stage of the filter have to be forwarded to the BND's Signals Intelligence Center (Zentrum Technische Aufklärung), which is still located at the old headquarters compound in Pullach, where a new data center was built in 2012:



Exterior of the BND data center in Pullach, near Munich in Bavaria
(screenshot from ARD television - click to enlarge)


Content

After applying the selectors, the BND's untargeted collection results in some 270.000 pieces of communications content each day, like e-mails, phone calls and chat messages. Approximately 60% comes from collection inside Germany, 40% is collected abroad. A small percentage is received from foreign partner agencies.*

After manually sorting and analyzing these intercepts, analysts produce an average of 260 intelligence reports a day (out of a total of 720 reports from all sources).* But despite all the precautions, there are still about 30 incorrect intercepts a month, like an e-mail message or a telephone call in which a German citizen is involved.*

According to press reports, the BND's SIGINT Policy Manual says that analysts have to delete any intercepts which include sexual content or are about a romantic or sexual relationship, but when there's "sexual bragging" in a "lively public space" the analyst may continue to listen in. The same applies to cases when a target simply says things like "honey I love you".


Metadata

The metadata that remain after the DAFIS filter are stored in full, so they can be combined ("enriched") with other data sets and analyzed by computers.* A meanwhile well-known method used for analyzing telephone metadata is contact-chaining. The BND Law says that metadata may be stored for up to 6 months and can also be shared with foreign partners in an automated way, even when they are not yet evaluated.



Operations room at the former BND headquarters in Pullach
(photo: Martin Schlüter - click to enlarge)



The judgement of the Constitutional Court

Already during the parliamentary investigation of the relationship between the NSA and the BND, the German government came up with a substantial amendment of the law that regulates its foreign intelligence service (BND-Gesetz). This came into effect on December 31, 2016, half a year before the end report of the investigation commission was published.

In January 2018, Reporters sans frontières and seven foreign journalists filed a constitutional complaint at the Federal Constitional Court (Bundesverfassungsgericht). They argued that the law allows the BND to indiscriminately collect the communications of foreign journalists, which imposes a risk on their confidential sources, especially when those data are shared with intelligence or security services of countries where civil liberties and press freedom are at risk.

After oral hearings on January 14 and 15, the Constitutional Court presented its decision on May 19, 2020, with the judges seated at a proper distance of each other due to the threat of the corona virus:



The German Federal Constitutional Court presenting it's
decision on the BND's untargeted cable tapping
(screenshot from Phoenix television - click to enlarge)


The main point of the Court's decision is that the fundamental rights from the constitution also bind the German government when it's acting outside German borders.

The protection of specific rights domestically can be different from the protection offered abroad, but when it comes to untargeted interception, both the protection of the privacy of telecommunication (art. 10) and the protection of the freedom of the press (art. 5) also apply to foreigners in foreign countries.

This doesn't mean that bulk collection of communications is unconstitutional in itself. It may be used as an exceptional method by a government agency that has no operative powers and when it's justified by a specific mission.* Untargeted interception may not be conducted domestically.*


Restrictions

To be in accordance with the constitution, the Court says that for this kind of collection there have to be at least the following restrictions:*
- Separation of the communications of German citizens and residents by all means available, any remaining German communications have to be deleted upon recognition;
- Limitation of the (amount of) data that can be collected;
- Collection goals have to be specified;
- Collection efforts must be in accordance with procedures;
- Additional requirements for interception of personal data;
- Limitations for storing metadata;
- Framework for data processing and analysis;
- Safeguards to protect privileged communications of lawyers and journalists;
- Protection of an inner core of private life;
- Mandatory and accountable data deletion.

The Court also decided that Germans have to be protected when they are communicating as a representative of a foreign company or organization. Previously, the BND argued that German citizens could be legally monitored when in such a position, which was known as the Funktionsträgertheorie.


International cooperation

Sharing data related to individual people is generally allowed when the foreign partner will handle them according to human rights and principles of data protection. Data may not be shared when it can be expected that they will be used for human rights violations. This requires the BND to examine the foreign legal and human rights situation. When this isn't convincing at a general level, guarantees in a specific case may also be sufficient. All this has to be documented and accountable.*

When foreign partner agencies provide selectors to be used in BND collection systems, there has to be a careful examination not only of these selectors, but also their hits. This practice also requires that the goals of the foreign partner are in accordance with those of the BND and with the rule of law. Therefore, it's not allowed to let a foreign partner collect what is prohibted domestically ("Ringtausch").*

When data are shared in an automated way without prior evaluation, the foreign partner has to provide meaningful assurances that it will delete data related to German citizens and residents, its handling of privileged communications and other boundaries imposed by the BND. Given the inherent risks, this kind of sharing is only allowed in cases of specific and concrete threats and metadata related to Germans should be filtered out.*


Oversight

Untargeted interception and sharing its results with foreign partners can only be proportionate when there's independent and comprehensive legal oversight. This has to be in the form of a body similar to the judiciary which has to investigate the subsequent stages of the interception process, including taking random samples at its own initiative. This in order to allow a judgment on the lawfulness of the entire collection method.*

For this, the oversight body has to have its own budget, its own personnel and the right to set it own procedures. It has to be provided with everything that is necessary to conduct meaningful and effective oversight. This may also not be hindered by the so-called "Third Party Rule", which means that a secret service treats the oversight body as a third party that is not allowed access to documents or data from foreign partners agencies.


The Constitutional Court gave the German government until December 31, 2021 to change the BND Law in such a way that it will be compliant with the constitution.



Links & sources
- About:intel: Try harder, Bundestag! Germany has to rewrite its foreign intelligence reform (May 22, 2020)
- Der Spiegel: Sieg für Edward Snowden (May 19, 2020)
- Golem.de: Internetüberwachung des BND ist verfassungswidrig (May 19, 2020)
- Der Spiegel: So überwacht der BND das Internet (May 19, 2020)
- Bayerischer Rundfunk: So späht der Bundesnachrichtendienst das Internet aus (May 15, 2020)


May 18, 2020

Maximator and other European SIGINT alliances

(Updated: July 22, 2020)

One of the topics covered by this weblog is international cooperation among signals intelligence agencies. The Snowden-revelations already provided many details about the various multilateral groups formed by the NSA's partners, like the SIGINT Seniors Europe (SSEUR or 14-Eyes) and the Afghanistan SIGINT Coalition (AFSC or 9-Eyes).

None of the NSA documents gave a hint that a few European countries also have their own secret alliance for cooperation in the fields of signals intelligence and crypto analysis. This alliance, which already exists since 1976, is codenamed Maximator and was unexpectedly revealed on April 7 in an academic article.

(This overview isn't meant to be complete, other multilateral cooperations between European agencies may exist or have existed)




The countries participating in the Maximator alliance
(click to enlarge)


The Maximator alliance

An interesting aspect to start with is that the existence of the Maximator alliance was revealed in an article by prof. dr. Bart Jacobs in Intelligence and National Security, which is an academic journal about intelligence and national security. Usually, this kind of revelations are published by major newspapers, but they didn't even pick up this story. So far only a Dutch investigative radio program, a Dutch regional newspaper and a German tech website have reported about Maximator.
Update: Meanwhile, The Register and The Economist have also reported about Maximator.
Professor Bart Jacobs is one of the leading Dutch experts on computer security and teaches at Radboud University in Nijmegen. He is also a member of the knowledge network (Dutch: kenniskring) of the CTIVD, the oversight committee for the Dutch secret services, and a member of the independent commission that is currently conducting an evaluation of the new Dutch intelligence law. Both assignments require a security clearance, which makes this revelation even more remarkable.


The secret purchase of Crypto AG

The revelation of Maximator came forth from another big scoop: the fact that in 1970, the CIA and the German foreign intelligence service BND had secretly purchased the Swiss manufacturer of encryption equipment Crypto AG, which was codenamed operation RUBICON. This was revealed on February 11, 2020, as a result of a cooperation between The Washington Post, the German broadcaster ZDF, the Swiss broadcaster SRF and the Dutch radio program Argos.

The CIA and the BND didn't install rude "backdoors" in the Crypto AG equipment, but only manipulated the cryptographic algorithms which "streamlined the code-breaking process, at times reducing to seconds a task that might otherwise have taken months." This made it very difficult to detect the manipulation. In this way, Crypto AG produced secure encryption devices that would be sold to a select number of friendly governments, and weakened systems for the rest of the world (including some European countries like Spain, Italy and Greece):



The countries that bought and used manipulated Crypto AG devices
(graphic: The Washington Post - click to enlarge)


It appeared that not only American and German intelligence benefited from the manipulated crypto devices: a few other countries (France, Sweden, the Netherlands, Denmark, the United Kingdom, Israel among others) were also informed about the weaknesses. An internal BND report from November 2012 titled "Einführung: Die Operation THESAURUS/RUBICON" calls them the cognoscenti, the ones with inside knowledge.

One of the experts consulted for the reporting about Crypto AG was Bart Jacobs, who in February of this year studied the CIA and BND documents about operation RUBICON. After reading the references to the involvement of the Netherlands he started to investigate more closely. Jacobs asked people from the intelligence community who then told him about the Maximator alliance and even provided him with some documents.



The "cognoscenti" mentioned in a BND report as shown
on Dutch television on February 13, 2020
(click to enlarge)


Start and growth of the Maximator alliance

The Maximator alliance was established in 1976 at the initiative of Denmark and at that time included only Sweden and Germany. The Netherlands was invited to join in 1977 and did so in 1978. Between these four countries there were already various bilateral cooperations and they also benefited from information about the manipulated Crypto AG algorithms.

According to Jacobs, the idea behind the alliance was to combine forces and divide tasks in order to reduce costs, especially those of the investments required by the upcoming satellite interception. Exchanging methods and jointly working on technical challenges would also make the partners more effective.



The former Dutch satellite intercept station at Zoutkamp, operational since 1983.
In 2008 it was closed after a new facility had been built in nearby Burum.
(screenshot from regional television - click for the video)


The idea to cooperate might have came up from lower level SIGINT employees with close personal ties and a shared high level of technical and cryptanalytical skills. It's not known whether or since when the responsible ministers knew about the alliance; Jacobs estimates that in total only up to 100 people may have known about it.

In 1983, France requested to join the alliance, which was supported especially by Germany and as a result France was invited in 1984 and joined in 1985. Other countries, like Norway, Spain and Italy, also asked to join, but this was rejected. One of the main reasons was that "within the Maximator alliance they were considered as lacking relevant expertise and/or experience."

Belgium was not invited to join Maximator for the same reason, but this country was also not fully trusted when it came to discipline in communications security: at least once it compromised its own communications via a basic mistake in key management.


Codenames within the Maximator alliance

Initially, the alliance between the first three members, Denmark, Sweden and Germany, was codenamed Ostsee (German for Baltic See), which in 1977 was changed to Alpenjäger (Alpine hunter). In 1979 the group got its final designation: Maximator.

This name was derived from the Bavarian beer brand Maximator. After a meeting at the former BND headquarters in Pullach near the Bavarian capital Munich in the late Summer of 1979, representatives of the alliance members went for a drink at a nearby Biergarten where they where served this beer, the name of which they took as their new codename.


The Maximator beer from the Augustiner brewery in Munich
(click to enlarge)


Each of the participants in the Maximator alliance also had a codename, which seem to be chosen randomly:

DENMARK
Member since 1976
Codename: Concilium
Participating organization: Forsvarets Efterretningstjeneste (FE)

SWEDEN
Member since 1976
Codename: Thymian
Participating organization: Försvarets radioanstalt (FRA)

GERMANY
Member since 1976
Codename: Novalis
Participating organizations:
- for signals interception: Bundesnachrichtendienst (BND)
- for cryptanalysis (until 1991): Zentralstelle für das Chiffrierwesen (ZfCh)

The NETHERLANDS
Member since 1978
Codename: Edison
Participating organizations: Wiskundig Centrum (WKC), since 1982: Technisch InformatieVerwerkingsCentrum (TIVC), since 1996: Strategisch Verbindingsinlichtingen Centrum (SVIC), since 2014: Joint Sigint Cyber Unit (JSCU)

FRANCE
Member since 1985
Codename: Marathon
Participating organization: Direction Générale de la Sécurité Extérieure (DGSE)


The two components of the alliance

According to the article by professor Jacobs, the Maximator alliance was about cooperation in both signals analysis and crypto analysis:

- Signals analysis:

This was about coordinating interception mechanisms and efforts, as well as exchanging intercepted, but still encrypted messages. The focus was on intercepting and decrypting diplomatic communications, either from HF radio transmissions or SHF satellite links. These signals interception issues were discussed in multilateral meetings attended by representatives of all five Maximator members. Jacobs' article includes the covers of some of the booklets of these meetings:


Booklets from the meetings of the Maximator alliance
(source: Bart Jacobs, Maximator - click to enlarge)

- Cryptanalysis:

This involved the exchange of algorithms used in various (deliberately weakened) encryption devices used by target countries. However, it was left up to each of the individual participants to find out how to exploit the weaknesses in these algorithms and subsequently decrypt the messages. According to Jacobs, this is common practice in the intelligence community in order to prevent being fed cooked-up information. Succesful exploitations, also called "solutions", were not exchanged.

In the first few decades of the Maximator alliance, these cryptanalysis issues were discussed only bilaterally, but later on this also happened multilaterally. For this purpose, there were bilateral communication links between the Maximator partners which were secured by dedicated crypto systems as shown in this diagram from 1990 (a direct connection between the Netherlands (E) and France (M) was established later):


Sketch of the communication lines between the Maximator partners in 1990
(flags added for clarity). The triangles seem to indicate how information
(especially intercepts) can flow from one party to another.
(source: Bart Jacobs, Maximator - click to enlarge)



A parallel alliance: the Ring of Five

While the Maximator alliance was focused on diplomatic communications, there "seems to be (or, has been) a parallel alliance for intercepting (metadata of) military communications" according to Jacobs.

It's possible that this other alliance still exists, because in a report from May 2016, the Dutch oversight committee CTIVD says that the military intelligence service MIVD participates in five alliances in which unevaluated (meta)data are exchanged. Three of these alliances also include the civilian intelligence and security service AIVD.

Jacobs suggests that the parallel alliance may be identical with a group that was created in the early 1980s and was described in 2010 by Richard Aldrich as a "mini-UKUSA-alliance called "The Ring of Five", consisting of the sigint agencies of Germany, the Netherlands, France, Belgium and Denmark - although this did not prevent them from intercepting and reading each other's communications traffic".*

These groups are not identical but are easily confused because the military alliance partly used the communications network of the Maximator group (shown in the diagram from 1990). The latter includes Sweden but not Belgium, while the Ring of Five includes Belgium but not Sweden:



Update:
On July 1, 2020, the German newspaper Frankfurter Rundschau published a handwritten note from a BND employee which confirms the existence and the members of this Ring or Club of Five, see: A unique note from the BND about European SIGINT alliances.


Other alliances: NSA's European partners

Not mentioned in professor Jacobs' piece are some similar groups of European countries under guidance of the NSA. One of them was already mentioned in the contribution of Dutch intelligence historian Cees Wiebes to the book Secrets of Signals Intelligence during the Cold War and Beyond from 2001. Many new details emerged from the Snowden documents published from 2013 to 2019.

Since the 1950s, the members of both the Maximator alliance and the Ring of Five are so-called third party partners of the NSA, which means there's a formal bilateral relationship based upon a Memorandum of Understanding (MoU). Although this can lead to very close cooperation, it does not prevent spying on each other.


SIGINT Seniors Europe

The first multilateral group of European third party partners is that of the SIGINT Seniors Europe (SSEUR), which was founded in 1982 for sharing information on the Soviet Union's military. This group started with nine members and after 2001 grew to 14 nations, hence it is also known as the 14-Eyes. Besides the Five Eyes, the SSEUR now includes the (signals) intelligence agencies of nine European countries (see the map below).

The SSEUR is chaired by the director of the NSA and there's an SSEUR Executive Board (SSEB) that governs the day-to-day operations and oversees various subordinate groups. There's also an annual SSEUR Principals Conference in which the heads of the 14 agencies come together to discuss issues of common concern.

In 2013, GCHQ was encouraged to host a permanent joint SSEUR collaboration center where analysts from partner nations could be co-located (similar to the collaboration center of the Counter Terrorism Group (CTG) which is hosted by the Dutch AIVD).




SSEUR Counter Terrorism coalition

In December 2001, a subordinate group of the SSEUR was created called the SIGINT Seniors Europe Counter Terrorism coalition (SISECT), in which the domestic security services from the SSEUR member countries partcipate, except for those from Australia and New Zealand. This counter-terrorism group consists of many subgroups focusing on specific terrorist groups or technologies used by terrorists. SISECT also organizes a semi-annual conference and its communications facilities seem to be hosted by Norway.


Afghanistan SIGINT Coalition

In 2009, the Five Eyes plus Denmark, France, the Netherlands and Norway established the Afghanistan SIGINT Coalition (AFSC), which was initially known as the 9-Eyes. In 2010, this group was joined by Sweden and Germany and later on, Belgium, Italy and Spain also joined, after which it had the same 14 members as the SSEUR. Their military SIGINT units in Afghanistan collected GSM metadata which were fed into the NSA's Real Time Regional Gateway (RT-RG) data analysis platform. The AFSC seems to have been dissolved by the end of 2014.


SIGINT Support to Cyber Defense

The latest initiative involving the NSA's European third party partners is probably a working group of the SSEUR aimed at using signal intelligence as an early-warning against cyber attacks, a method known as SIGINT Support to Cyber Defense (SSCD). Except for Germany it's not known which the participating countries are. The earliest reference to this SSCD group is from July 2013 in a German document published by Wikileaks.


The SIGDASYS system

The SSEUR maintain a database and communications system called SIGDASYS (for Signals Intelligence Data System). It was proposed by the BND to push SIGINT to front-line NATO commanders and became operational in 1986.*

The system also acted as a back-up in case one of the countries lost its own SIGINT capacity. Later it was used for exchanging military SIGINT and other information on a quid pro quo basis. SIGDASYS helped to decrease the enormous overlap in targeting and played an important role during the 1990-1991 Gulf War (there was a seperate framework for the exchange of acoustic signals).*

Since 9/11, the system is also used for the exchange of data for SISECT's counter-terrorism mission, including call chaining diagrams, voice clips and textual materials for translation. In 2013, the NSA proposed to replace the "dated and functionally limited (but sovereign) SIGDASYS infrastructure" by an SSEUR Community of Interest (CoI) within the more advanced Global Collaboration Environment (GCE) hosted by the US.

In 2005, the SSEUR set up a dedicated tactical communications platform codenamed CENTER ICE to support the military operations of its members in Afghanistan.



Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019
(click to enlarge)


Some final thoughts

One final question is about why the existence of the Maximator alliance has been leaked. Already the fact that apparently people from inside the Dutch intelligence community were willing to talk is highly surprising, because signal intelligence and crypto analysis are seen as the most secret parts of this business, with international cooperation on these topics being even more sensitive.

Jacobs assumes that his sources may have talked about the alliance because it all happened long ago - in the United States there's automatic declassification, which means documents from the intelligence agencies have to be declassified after 25 years, unless a specific exemption applies. In the Netherlands there's no such rule, so classified information only becomes public through a specific request for information (which is rarely very successful) or by leaking.

The claim that it's long ago could be valid when the Maximator alliance was something from the past and had been dissolved without implications for current operations and relations (it's not done to unilaterally disclose things about international cooperations), but even then (former) intelligence employees would be very reluctant to provide information. And in this case Jacobs clearly says that the alliance is still functional today.

Another option is that over the years the purpose and/or the activities of the Maximator group have changed, similar to how the SIGINT Seniors Europe moved their focus from the Soviet Union to counter-terrorism. An indication could be that in 1993, Germany retreated from its involvement in Crypto AG because spying on its European partners didn't fell comfortable anymore. After this, the BND lost its ability to exploit the Crypto AG algorithms, but Sweden apparently not.

It's not clear whether the other Maximator members continued to benefit from the weaknesses in Crypto AG's hardware encryption devices, but if so, this knowledge became largely obsolete after the year 2000, when more and more target countries shifted to software-based encryption based on public standards. Crypto AG wasn't very useful anymore and so the CIA eventually sold the company in 2018.




Links & sources
- Crypto Museum: MAXIMATOR - European signals intelligence alliance
- Frankfurter Rundschau: Exklusiv-Recherche: BND spionierte jahrzehntelang am Parlament vorbei (July 2020)
- De Gelderlander: Het geheime afluistergenootschap van Maximator bleef vijftig jaar onder de radar (April 2020)
- Heise.de: Geheimdienst-Kooperation "Maximator": Die Five Eyes Europas? (April 2020)
- Argos: De afluistervrienden van Nederland (April 2020)
- Bart Jacobs: Maximator: European signals intelligence cooperation, from a Dutch perspective (April 2020)
- The Washington Post: ‘The intelligence coup of the century’ (February 2020)
- The Intercept: The powerful global spy alliance you never knew existed (March 2018)
- Marineschepen.nl: Waarom de Russen het Marineterrein in Amsterdam in de gaten hielden (January 2018)
- Cees Wiebes, "Dutch Sigint during the Cold War, 1945-94", in: Matthew M. Aid & Cees Wiebes, "Secrets of Signals Intelligence during the Cold War and Beyond", London, 2001, p. 276-277.