November 3, 2015

New details about the selectors NSA provided to BND

(Updated: December 7, 2020)

Since last Spring, the German parliamentary commission investigating NSA spying is trying to find out whether the Americans secretly tried to spy on German and European targets.

During the hearings it became clear that the German foreign intelligence service BND wasn't able to fully prevent that selectors, like e-mail addresses and phone numbers, provided by the NSA, were fed into the collection system.

A special investigator was allowed access to the lists of rejected selectors and he reported about his findings last week. Here follows the background of this affair and the most important and interesting details from the investigation report.

> Many more details pieced together from the commission hearings can be found here



The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)


Satellite interception

The origins of the selector affair go back to 2004, when the Americans turned their satellite intercept station Bad Aibling over to German intelligence. In return, BND had to share the results from its satellite collection with the NSA, for which the latter provided selectors, like e-mail addresses, phone numbers, etc. of the targets they were interested in.

Besides the satellite interception, Bad Aibling was also involved in cable tapping, but only under operation Eikonal (2004-2008), which was limited to cables from Deutsche Telekom in Frankfurt.

Until 2013, NSA is said to have provided some 690.000 phone numbers and 7,8 million internet identifiers. As a foreign intelligence service, BND is not allowed to collect German communications, let alone hand them over to NSA. In order to prevent that, BND tried to check all these selectors, initially by hand, but since 2008 by using a automated filter system called DAFIS.


Blocking German selectors

During a number of tough and lengthy hearings of the parliamentary commission that investigates NSA spying, BND employees had to admit that DAFIS was only able to defeat selectors that were clearly recognizable as belonging to Germans, like mail addresses ending with .de or phone numbers starting with (00)49.

There was hardly any effort to sort out selectors related to other European countries. Also the foreign e-mail addresses, like from Hotmail or Google, used by Germans were only blocked when someone at BND stumbled upon them. Although these kind of selectors could have been blocked more systematically, it's impossible to enter all relevant ones into the DAFIS filter.

This means, when NSA targeted such foreign addresses, the chances they were rejected by DAFIS are not very high and will therefore have been activated on the collection system. Such selectors went into the tasking database, without practicable or reliable means to identify and block them.


Rejected selectors

When the DAFIS system found recognizable German selectors, they were marked as disapproved and not entered into the collection system, so they could not lead to any results.

Initially it seemed that these rejected selectors were put into a separate repository (German: Ablehnungsdatei, also Ausschussliste), but actually they stayed in the tasking databases and were only extracted for the purpose of the parliamentary inquiry.

This resulted in a list of almost 40.000 rejected selectors. An investigation by BND employee Dr. T. in August 2013, revealed almost 2000 e-mail selectors that had been activated, but now seemed politically sensitive. A simultaneous investigation by W.O. resulted in over 10.000 e-mail selectors belonging to European government agencies.



Overview of the dataflow for the NSA-BND cooperation at Bad Aibling
(Click to enlarge)


Special investigator

Members of the parliamentary investigation commission were eager to see those selectors, but they are sensitive and classified, so the government denied them access. Finally, a compromise was made, under which an independent special investigator was allowed to examine the lists of rejected and suspicious selectors and report back to the commission, without disclosing individual targets.

The coalition parties agreed upon Dr. Kurt Graulich, a former judge at the Federal Administrative Court, for this job. During the past 4 months he examined the selector lists and finished his investigation on October 23 with a report, which was presented in three versions on October 29:
- A classified report for the federal government
- A classified report for the commission
- A public report (263 pages pdf)


Report by special investigator Dr. Kurt Graulich
(Click for the full report in .pdf)


Selector lists

Special investigator Graulich examined the following lists (German: Liste) of selectors that had been rejected by the DAFIS filter, or sorted out by hand because they were considered politically sensitive:

a. The Ablehnungsliste, containing 39.082 selectors (2.918 from the telephony and 36.164 from the internet tasking database) from 2005 till March 2015.

Including most parts of:
b. The 2000er-Liste, containing 1.826 e-mail selectors, which were found in August 2013 by Dr. T. and subsequently marked as disapproved.

c. The 2005er-Liste, containing 74 telephone selectors (52 belonging to EADS, 22 to Eurocopter), which were found by the end of 2005 and were marked as disapproved in January 2006.

d. The Nachfund 1, containing several lists with a total of 444 telephone selectors that were found by semi-manual checks in 2007 and were all marked as disapproved.

e. Not available anymore were between 10.000 and 12.000 e-mail selectors that were found by BND employee W.O. when he checked the tasking database for terms related to European government agencies. He found results for 18 EU member countries and these selectors were marked as disapproved.


Types of selectors

By examining the largest list of rejected selectors (Ablehnungsliste), Dr. Graulich found that it contains the following types of selectors:
For telephony:
- IMSI: Numbers of cell phone SIM cards
- IMEI: Numbers of cell phone devices
- SCREENNAMES: User names or numbers, mainly used for VoIP calls.
- EMAIL_ID: E-mail addresses, mainly used for VoIP calls
- PSTN: Phone and fax numbers

For internet:
- EMAIL_ID: E-mail addresses without permutations
- IMEI: Numbers of cell phone devices
- IMSI: Numbers of cell phone SIM cards
- IPV4: IP addresses
- PSTN: Phone numbers
- OTHER: For example user names, messenger or social network identifiers, cookies, login-data, phone numbers, hashes, etc.

In the tables that contain telephone selectors there's also a field for a description, like a text explaining the reason for targeting, a code or an abbreviation like CT for Counter-Terrorism.

For internet selectors, these descriptions were only visible for NSA personnel, but due to technical reasons not for BND and are therefore not available anymore. Because they lacked justifications, BND stopped using NSA provided internet selectors for the time being as of May 2015.

Keywords were also used as selectors, but according to the report, they are rarely used, because they have to be very specific. Generic words like "bomb" would produce way too many irrelevant results.

It's not clear whether PSTN only applies to traditional land line phone numbers, or also includes mobile phone numbers (known as MSISDN).


Telephone selectors

Together with experts from BND, special investigator Graulich examined all the selectors on these lists and tried to determine the reason for which they were originally rejected. Most important is the Ablehnungsliste, with the selectors that had been filtered out by the DAFIS system.

Most of the telephone selectors appeared to have been rejected because they belonged to German persons or companies and/or contained .de or (00)49. The e-mail addresses for VoIP calls were all blocked because they had no top-level domain - selectors that could not be attributed to a country were rejected.
Update:
On the website Netzpolitik.org it was noticed that for VoIP, one doesn't use e-mail addresses, but SIP addresses, which do have a similar format, like 3246697@voipprovider.com, but which are often under generic top-level domains. Also, blocking IMEI addresses containing "49" wouldn't be very effective, as there are other codes used for Germany, and phones may be sold throughout the European Union.

Some telephone selectors were also not activated because the description field contained terms like for example "German", "Germany" and "Europe".


Permutations

For one internet identifier, like for example an e-mail address, there are multiple permutations, each of which is counted as a separate selector. There can be up to 20 different permutations for one identifier, which explains the very high total number of internet selectors (7,8 million), compared to those for telephony (690.000).

Such a permutation is used to address the various encoding protocols used on the internet. The report gives the following examples:
mustermann@internet.org
mustermann%40internet%2Eorg (HTML-Hex)
mustermann\&\#37;2540internet.org (multiple encodings)
mustermann\\U0040internet.org (UTF-16)
Taken together, all permutations of an internet address are called a Telecommunications Identifier (German: TeleKommunikationsMerkmal or TKM). For telephony, the TKM equals the selector, in other words, there are no permutations for phone numbers.


Internet identifiers

Many internet selectors were rejected by the DAFIS filter system because they belonged to German persons or companies, contained German codes like .de and (00)49, or names of German companies. Also a number of IP addresses had been rejected, but it wasn't possible to determine why. They now belong to providers outside Europe.

The investigator could also not determine what the reasons had been for blocking the remaining internet identifiers, like user names, messenger or social network identifiers, cookies and login-data. NSA provided them combined with other selectors in a so-called equation, but BND separated these for DAFIS filtering, which makes it impossible now to relate them to identifiable selector types.


Numbers

Of the Telecommunications Identifiers (TKMs) found in the main Ablehnungsliste with the rejected selectors, 62% belong to government agencies of EU member states, 19% to Germans outside Europe, 7% to EU institutions, 6% to Germans, 4 to foreigners abroad, 1% to Germans in Europe and 1% to German embassies.

For all selector lists, the reasons why the selectors were apparently rejected can be found in this table:



Table with the reasons why BND rejected certain NSA selectors
(Table: Graulich report; Translation: Electrospaces.net; Click to enlarge)


German targets

The examination of the selector lists revealed that NSA provided several hundred selectors related to Germans, but most of them were blocked by the DAFIS filter. Around 250 had been active for a shorter or longer period of time, but it is not known whether this resulted in communications being collected.

As the 2002 Memorandum of Agreement (MoA), under which the cooperation at Bad Aibling was established, prohibits targeting Germans, the German selectors that had been activated are a violation of the agreement, and moreover also a violation of German law.

The rejected selectors are mainly about German companies, both inside Germany and outside Europe. Without knowing the reasons for targeting these companies, it cannot be said whether this would constitute economical espionage. Construction companies for example can be involved in both civilian and military projects (so-called dual-use).


WikiLeaks' lists

It is interesting to see that there are no rejected selectors that belong to German cabinet ministers. This means, NSA wasn't so stupid to send BND the list of selectors that contains the phone numbers of chancellor Merkel, several ministers and high-level federal government officials - a list that was published by WikiLeaks last July.

Even more interesting would be to know whether the rejected selectors contain the phone numbers of the French prime minister and his cabinet ministers, which were on a similar tasking database list that was published by Wikileaks in June. Special investigator Graulich wasn't able to determine this, because Wikileaks redacted the last four digits of the phone numbers.


European targets

The biggest number of rejected selectors are e-mail addresses (and some other internet identifiers) of European government agencies: 22.024 selectors, being the permutations of 2195 telecommunication identifiers (TKMs).

The overwhelming majority of them was only blocked after August 2013, when the public outrage over NSA spying began. First, selectors were disapproved after the investigations by Dr. T. and W.O., and in November, BND president Schindler ordered all e-mail addresses with a European Top-Level Domain (TLD) to be removed from the BND and NSA tasking database.

Before that new directive, the DAFIS filter wasn't configured to block these European selectors:
- Stage 1 of this system only blocked things like the German TLD .de, the telephone country code (00)49 and the IMSI country code 262;
- Stage 2 blocked foreign identifiers when BND noticed that they were used by German citizens or German companies;
- Stage 3 blocked an initially small number of foreign identifiers that should not be activated because that would be against "German interests".

This means that until the end of 2013, the e-mail addresses belonging to European governments had been active in the collection system: 12% of them for up to 100 days and 87% for an even longer period of time.


Violation

Foreigners and especially foreign government agencies, have no right to privacy under the German constitution, so the collection of their communications is not a violation of German law. But investigator Graulich does consider the targeting of European governments a violation of the Memorandum of Agreement, which allows collection against European targets only for a very few specific topics.

Although the reasons why NSA was interested in these subjects are not known, the investigator judges that the broad targeting of European governments (like e-mail addresses of all members of government staff bureaus) is far beyond what the memorandum allows, and therefore this constitutes a severe violation of the agreement.


Embarrassment

Graulich also says that NSA apparently misused the Bad Aibling satellite station to spy on other European countries - risking an embarrassment for Germany in its relationship with EU and NATO partners.

However, BND itself also targeted for example the British embassy in India and the French embassy in Mali, and eavesdropped on the US Defense and Foreign secretaries as well as senators, when they used non-secure phone lines while traveling.

When in November 2013, BND searched through its own tasking database (PersonenBezogene DatenBestände, or PBDB), it came out that it too contained some 2800 selectors belonging to friendly nations. They were subsequently deleted, but this was kept quiet for almost 2 years.
Updates:

On November 11, 2015, it was reported that a preliminary report by the investigation team of the parliamentary intelligence oversight committee says that among BND's own selectors, there were ones belonging to the FBI, the Voice of America, French foreign minister Fabius and the interior departments of EU member states like Poland, Austria, Denmark and Croatia. Also targeted were international organizations like the ICC, the WHO and UNICEF. The selectors also included e-mail addresses, phone and fax numbers of the diplomatic representations of the US, France, Great Britain, Sweden, Portugal, Greece, Spain, Italy, Austria, and Switzerland, as well as European and US companies like for example Lockheed.

On November 26, 2015, Albert Karl, an official from the federal Chancellery, testified that European governments are not among the official goals which the government set for BND's intelligence mission (German: AufgabenProfil der Bundesregierung or APB). It's of course possible that European citizens are targeted because they are involved in terrorism or weapon proliferation.

On December 16, 2015, German media reported that at least 3 BND-employees, including SIGINT-director Hartmut Pauland, will have to resign. This after the regular parliamentary intelligence oversight committee found that BND had some 3300 targets, including EU institutions and governments, that were not according to the goals set by the government and therefore illegal. In the future, politically sensitive selectors will have to be approved by the BND leadership.


Crisis regions

One last thing that should be mentioned is that at Bad Aibling, the collection effort is directed at (the downlinks of) satellite links from crisis regions like the Middle East, Afghanistan and Africa. This means, that if NSA deliberately provided BND all those selectors of European government officials, they should have known that they couldn't result in their day-to-day business communications.

This is also described in the Graulich report: selectors for targets in Europe will only result in the actual interception of communications when they come from one of the satellite links from those crisis regions. This provides only a small number of intercepts compared to tappping the backbone cables through which the communications for these selectors usually travel.*

The interception of the satellite links in Bad Aibling would probably only provide content when European government officials communicate with their counterparts or other people in the aforementioned crisis regions. And maybe it was just that what NSA was after - an option that was not considered in the report though.


Reactions

In a first reaction on the report, the German government said that there will be stricter guidelines for the cooperation between BND and NSA, and also that oversight by the federal Chancellery will be increased. Opposition party members of the commission aren't fully satisfied with the report and still want access to the rejected selectors, as well as an examination of all 8 million selectors that NSA provided to BND.


Hearings

On Thursday, November 5, special investigator Dr. Kurt Graulich was heard by the parliamentary investigation commission about his findings. This hearing didn't provide any significant new insights.

The other witness that day, BND lawyer Dr. Werner Ader, revealed that at Bad Aibling, there's highly sophisticated equipment, which allows the interception of satellites even under difficult circumstances, like coping with atmospheric disturbances and following non-geostationary satellites. The equipment "can follow what happens at the satellite".

Update
In the German magazine Der Spiegel from April 2, 2016, it was explained on page 33 that selectors used by BND have the following format: they start with an e-mail address, a phone number or a similar designator, followed by the intelligence topic, with WPR for Waffenproduktion, LAP for Landwirtschaftspolitik, TEF for Terrorfinanzierung and ISG for Islamistische Gefährder, then the country which is spied upon, designated by 3 letters, and finally a Sperrvermerk for those foreign intelligence agencies that should not see the results for this selector. They are designated with a 4-letter abbreviation of their codename, like HORT for HORTENSIE (United States) or BEGO for BEGONIE (Denmark).



Links and sources
- Yahoo News: Germany reins in spy service over NSA report
- Netzpolitik.org: Kein Ersatz für Selektorenliste: Abgeordnete Renner und von Notz über Graulich-Bericht
- Spiegel.de: Geheimdienstaffäre: Sonderermittler spricht von klarem Vertragsbruch der NSA

2 comments:

Elstel said...

Wanted to take this opportunity to let you know that I read your blog posts on a regular basis. Your writing style is impressive, keep it up! nsa spying

Anonymous said...

I am someone who has direct knowledge of what happened at Bad Aibling in the 80’s.

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties