December 16, 2014

German investigation of the cooperation between NSA and BND (II)

This is part II about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

Here we provide summaries of the hearings of a number of BND employees, who provided some interesting details about satellite interception at the Bad Aibling station, the subsequent processing and storage of data and also about the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of those of the cover names they are using when at work(!).

The room where the hearings of the parliamentary committee take place
(photo: DPA)

14th Meeting, September 25, 2014 (Transcript)

- Hearing of the witness Mr. R. U. (BND, head of the site in Bad Aibling):

The BND site in Bad Aibling is for satellite interception. In Bad Aibling there's no interception of point-to-point microwave transmissions, which is done by putting an antenna in between the two microwave antennas that transmit the signals that have to be intercepted.

(This BND satellite station is part of the former NSA Bad Aibling Station that was codenamed GARLICK, from which BND took over most of the facilities in 2004, including nine of the large satellite dishes hidden under white radomes)

When the Bad Aibling site was led by the witness, it had 120 personnel and was divided into three sections:
- Management
- Technical (operation of the antennas, network security, script programming, installation of computers)
- Analysis (analysing the collected data, language translating capabilities)

An important goal was protection of German troops deployed in countries like Afghanistan. BND was also able to prevent attacks on ISAF forces. Other goals for the satellite interception were anti-terrorism and rescuing people who have been kidnapped.

Satellite interception

In remote countries, domestic communications also use satellite links, which can also be intercepted from inside Germany. This collection is restricted by technical limits, which make that there's access to only a small number of satellites, and from them, only part of the communications can be intercepted. Also, not everything can be analysed, because much of it is in local languages. Therefore, there's no mass surveillance. BND only collects promilles of what would be theoretically possible.

Nonetheless, the amount of satellite traffic from Afghanistan that can be intercepted from Bad Aibling is rather high. Asked about media reports quoting former NSA and CIA director Michael Hayden "We kill people based on metadata", the witness replied that metadata are not specific enough for pinpointing drone attacks on specific people. Metadata like cell-IDs define areas of 50-60 square kilometers, which is not precise enough for bombarding a house.

(Hayden's "we kill people based on metadata" was followed by "but that's not what we do with this metadata", referring to the 215 (domestic metadata) database. How Hayden meant the first part of this statement isn't clear. There was also a report by The Intercept, in which a former JSOC drone operator said that some targets were tracked by metadata and then killed based upon the SIM card they use.)

The former NSA satellite intercept station in Bad Aibling,
parts of which are now used by the BND
(Click to enlarge)

The Joint SIGINT Activity (JSA)

Since 2004, NSA and BND cooperated in the Joint SIGINT Activity (JSA), which was located at the Mangfall Barracks, also in Bad Aibling. The JSA consisted of both German and American personnel. Most of the equipment was provided by NSA. Management was in the hands of BND, and in turn, NSA got access to the German satellite collection.

For this satellite interception, NSA provided BND with selectors, like phone numbers and e-mail addresses, most of them belonging to targets in Afghanistan. These selectors are on an American server, from which BND personnel can pick them up 2, 3 or 4 times a day. Then these selectors were checked at the headquarters in Pullach for whether they included German citizens or companies. These were taken out, just like the ones that contradicted German national interests.

The cooperation between NSA and BND declined since 2004. Since the JSA was closed in 2012, there's only an NSA liaison office and some technical support left in Bad Aibling. Both are located in a building that is nicknamed Tin Can (Blechdose), because of its windowless exterior of black-painted metal. Here, BND personnel has to ring a door bell when they want in, and there's a similar procedure for when US personnel wants to visit BND buildings.

Header of a newsletter from the Joint SIGINT Activity (JSA)
(Click for a JSA newsletter (pdf) from 2007)

Tools and databases used by BND

After selectors have been cleared and entered into the collection system, it results in for example a phone call that appears in the dataprocessing tool of an analyst. This is not a random phone call, but one that has been filtered out based upon the selector. The analyst can then listen to this phone call, maybe has to translate it, and decides whether it is relevant or not. If not, it is deleted, otherwise he writes a report (Meldung), which is sent back to headquarters.

XKeyscore is an analysis tool that is used to look whether internet data that have been collected contain relevant information. BND uses XKeyscore on their own computers and servers. NSA only provides (software) updates and has no access to BND networks through XKeyscore. For sharing data, there was only one-way traffic from BND to NSA through highly secured firewalls.

Collected internet content is stored for only a few days, other (meta)data for a few days up to a few weeks. When there's a match, the selected data are stored for 1 or 2 years at most, not in Bad Aibling, but at the BND headquarters. In Bad Aibling there was no real-time collection. Quasi real-time means many many minutes, and until something shows up on the monitor it takes hours.

Besides XKeyscore, BND uses, among others, the programs MIRA4 und VERAS, which are classified analysis tools. The first one is used to listen in to phone calls, the latter one for visualising metadata and showing who has called who. Metadata are data that contain no content. When for example a website like is viewed from a computer, this creates more than 100 pieces of metadata.

- Hearing of the witness Mr. J. Z. (BND official, since 2008 head of the technical unit of the JSA, which uses XKeyscore). This hearing was entirely behind closed doors.

- . - . - . - . -

16th Meeting, October 9, 2014 (Transcript)

- Hearing of the witness Ms. H. F. (BND, legal counsel for data protection):

This witness is responsible for data protection regulations, but not for the implementation of the so-called G-10 Act, which protects the communications privacy of German citizens and corporations under article 10 of the constitution (Grundgesetz).

The witness has set up educational programs for BND employees and is regularly auditing the various systems and databases used by BND, especially in the SIGINT division, where not all databases have formal data protection procedures (like for access control) yet. All BND databases, regardless of where their data come from, fall under the German Data Protection Act (BundesDatenSchutzGesetz).

The witness audited many databases, like for example:
- INBE (INhaltliche BEarbeitung)
- VERAS (VERkehrsAnalyseSystem)
- PBDB (PersonenBezogene DatenBestände)
In total, there are about 25 databases (Auftragsdatenbanken) which serve the SIGINT collection process. Besides these databases, BND uses about 20 programs provided by NSA, most of them are technical tools, like for language translation.

In Bad Aibling, only satellite communications are intercepted. After German communications have been filtered out, they are stored in databases according to their type: metadata go to VERAS and content goes to INBE. The latter database succeeded MIRA4 in 2010 and currently contains several hundred thousand data sets, including data from German citizens. Both VERAS and INBE were developed by BND.

The witness couldn't estimate how many data are in VERAS (which was set up in 2002), which contains mainly metadata from telephone communications, with the purpose of call chaining for creating contact graphs. BND uses this tool for connecting phone numbers as far as 4 or 5 hops from a known target. This doesn't mean that it always goes that far, because the further away from the initial known target, the more difficult it is to discover the connections.

In several cases, like for example with INBE and VERAS, BND failed to comply with the formal requirement from the Data Protection Act for a so-called "Dateianordnungsverfahren", even for several years. After the witness recognized this, she forced to fulfill these legal requirements, although it was more a bureaucratic formality than a big shortcoming.

There's still discussion at BND about whether metadata are always personal data. Metadata like German telephone numbers are considered to be personal data, because it is easy to look up to whom such a number belongs. In foreign countries, like Afghanistan and Pakistan, that's not so easy. Phone numbers are also used by a whole clan for example.

The president of the BND has decided that collection in Bad Aibling is not subject to the provisions of the BND Act (BND-Gesetz), because only foreign satellite communications are intercepted. The witness disagrees, but was overruled by the president.

- The planned hearing of the witness A. F. (also a BND employee) was postponed to November 13.

- . - . - . - . -

18th Meeting, October 16, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, at Bad Aibling from 2002-2007):

The witness explained that one phone call creates between 20 and 30 pieces of metadata. Not all of them are usefull for targeting because they are not specific enough, like for example a mobile phone cell-ID. Metadata include the number that was called, the cell-ID, the provider, the duration of the call, etc.

Raw data are signals (like radio frequencies) that have been processed. Raw data on their turn can be processed into metadata and content. These are then automatically filtered and selected, and when finally a human takes a look at them, this can result in a report (Meldung).

Raw data were not counted by BND, only the reports, of which only a handful were produced at Bad Aibling. This low number was also due to the fact that only a small part of the collected communications was actually translated.

XKeyscore was first used by BND in 2007, but back then this tool wasn't by far as sophisticated as in 2013.

- After just a short while, this hearing was ended after it became clear that the witness had read internal BND documents that had not yet been fully handed over to the committee.

Links and Sources
- Offical page of the committee: 1. Untersuchungsausschuss ("NSA")
- Internal NSA presentation: Structure of the BND (pdf)
- Spying Together: Germany's Deep Cooperation with the NSA

> See also: BND Codewords and Abbreviations

December 13, 2014

Update on tapping German chancellor Merkel's phone

(Updated: June 28, 2016)

Over the last days, there were some new developments regarding the eavesdropping on the mobile phone of the German chancellor Angela Merkel, which was revealed in October last year. It was clarified that the record from an NSA database that was presented as evidence for this tapping, wasn't actually an original NSA document, but just a transcription.

Also, this database record wasn't among the Snowden-documents. This means the information about monitoring Merkel's phone was not provided by Edward Snowden, but by another leaker, something that many people may not have been aware of.

German chancellor Angela Merkel holding a secure BlackBerry Z10 in 2013
(photo: Nicki Demarco/The Fold/The Washington Post)

Criminal investigation

In June of this year, the highest German public prosecutor (Generalbundesanwalt) started a criminal investigation against NSA regarding the alleged eavesdropping on chancellor Merkel. Last month it was reported that this case had been closed as no sufficient evidence had been found, but this was not fully correct.

In his annual press conference on December 11, prosecutor Harald Range said that the investigation of the eavesdropping on chancellor Merkel is still going on:

Annual press conference of the federal public prosecutor Harald Range
(information about the Merkel eavesdropping starts at 23:20)

Regarding the eavesdropping case, prosecutor Range said the following things:

- The phone number which is at stake is not registered by the German Chancellery, but it's a number that has been used since 1999 by the headquarters of Merkel's party CDU. Therefore the number wasn't used by Gerhard Schröder (chancellor from the SPD party from 1998-2005).

- The document (see below) that was publicly presented as a proof of this eavesdropping is not an authentic NSA interception order, nor is it from an NSA database. Actually, it was made by a reporter of Der Spiegel, based upon an NSA document he had seen.

- The prosecutor asked the editors of Der Spiegel to hand over the original document or to be questioned about it, but this was refused pointing to the journalist's privilege to protect their sources. NSA was asked for a statement through the BND, but also refused to comment.

- This makes that under these circumstances, a serious evaluation of the authenticity of the document is not possible.

- Through his German lawyer, Edward Snowden was also given the opportunity to provide a written statement, but until now there was no reaction.

- Presently, there is no sufficient evidence that could lead to an indictment, but the case is not yet closed. The investigation continues, and this will also include the results of the parliamentary committee that is currently investigating NSA spying activities.

- Based upon the Snowden revelations and other media reports it can be assumed that in general, foreign intelligence agencies are trying to spy on German targets by electronic means. But according to German law, that is not enough to open a criminal case, because that would be investigating without reasonable suspicion, which the public prosecutor isn't allowed to do under the rule of law. Where neccessary, such investigations are the responsibility of the security services.


Parts of what prosecutor Range said was misinterpreted by a number of foreign news websites, like Business Insider UK and, which said that the NSA document might not be authentic or even faked by Der Spiegel.

It seems these media only took the first part of Range's statement that the document "was made by a reporter of Der Spiegel, based upon an NSA document he had seen" and overlooked/left out the last part.

Although the German public prosecutor's office couldn't find any concrete evidence for the eavesdropping by NSA, Der Spiegel stresses that neither NSA nor the US government has denied that phone calls of chancellor Merkel had been monitored.

A second leaker

After the public prosecutor's press conference, Der Spiegel provided a statement saying that prior to their reporting about the eavesdropping on chancellor Merkel, they had access to information from an NSA database, which it copied.

This sounds like Der Spiegel got access to the content of an NSA database from which it selected and copied the information related to chancellor Merkel. But in the book "Der NSA Komplex" written by Spiegel reporters Marcel Rosenbach and Holger Stark, it is said that early October 2013, "we received the excerpt from an NSA database about Merkel's cell phone".*

That phrase suggests that someone from outside, and also someone not being Edward Snowden, provided Der Spiegel with just that one particular record which includes Merkel's phone number. How and in what form is not said. Greenwald confirms that this information didn't came from Snowden, and earlier on, also Bruce Schneier was convinced that this came from a second leaker.

Just a transcription

After having obtained the database record, Der Spiegel presented it to the Chancellery, so they could verify it. According to their statement, Der Spiegel made it very clear that this information was not an original document, but just a transcription. Apparently for this reason, the magazine never published the database record, but only reported about its contents.

However, some other German newspapers somehow managed to get a copy of the letter that was sent to the Chancellery and published it in their print editions. One of them was the tabloid paper BILD, from which this scan was made:

So what we see here is a printed copy of a copy (either by xerox, a scanner or a (mobile phone) camera, which explains the fuzzyness) of the print on a DIN A4-sheet of paper that was sent to Merkel's Chancellary.

Maybe this was a xerox copy of the excerpt which the mysterious source handed over to Der Spiegel, but more likely (else it could be used to trace the source) is that a reporter copied the original text by hand. Probably he used an Apple computer, as the result is in the Ayuthaya font, which comes with Apple's OS X.

For a detailed explanation of the record: How NSA targeted chancellor Merkel's mobile phone

Right after this "document" was first published, some people wondered why it looks like a piece of paper, whereas all other leaked NSA documents are digital files (with a few similar exceptions though). This has now been cleared, but again we see that it can take some time and some pressure before such questions are answered.

From which database?

Initially, Der Spiegel reported that the record that mentions Merkel's phone number comes from an NSA database in which the agency records its targets.* My suggestion was that this could have been a database codenamed OCTAVE, which was used for tasking telephony targets, but which reportedly was replaced by the Unified Targeting Tool (UTT) in 2011.

But a more recent Spiegel article from early June 2014, seems to say that it's an entry from the NYMROD database. A slide in which Merkel was listed among 122 other heads of state in the NYMROD database was published by Der Spiegel on March 29, 2014. This slide was from an NSA presentation about content extraction analytics that was fully published in June.

However, in another NSA document it is explained that NYMROD is a name-matching system that is used for finding "garbled or misspelled names" of targets. It contains names taken from CREST (a translating database) and from intelligence reports from NSA, CIA and DoD databases.

If we compare that function with the data in the record that was published, it seems not very likely that the entry is from NYMROD. A tasking database still seems the best option.

On June 12, 2015, the highest German public prosecutor, Harald Range, said the investigation into the eavesdropping on chancellor Merkel was closed, and no court case would be filed. This because there was no sufficient hard evidence: no original documents were provided, and also Edward Snowden seemed not to have any personal insights in this matter.

During a hearing of the German parliamentary investigation commission on June 23, 2016, it came out that the German information assurance agency BSI offered to investigate chancellor Merkel's cell phone, but this offer wasn't accepted by the chancellery and therefore it wasn't possible to for example check the phone for any kind of malware implants.

Links and Sources
- When Germany's federal prosecutor appeared to discredit SPIEGEL
- Spiegel soll NSA-Dokument zu Merkel-Handy hergestellt haben
- Did a German Prosecutor Really Claim That Der Spiegel’s NSA Document Was a Fake?

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties