June 23, 2020

NSA documents and cover names from the book Dark Mirror


On May 20, yet another book about the Snowden-revelations was published: Dark Mirror, Edward Snowden and the American Surveillance State. It's written by Barton Gellman, who was in direct contact with Snowden and reported on the NSA's spying activities for The Washington Post.

Here, you'll find the original documents from Dark Mirror, to complement the existing collections of Snowden documents, as well as a listing of all the NSA cover names, because most of them are not included in the index of the book. A review of Dark Mirror will follow in due course.

(Similarily, the NSA documents and codenames from Glenn Greenwald's book No Place to Hide from 2014 can be found on the website IC Off The Record)





Documents

The book contains five (parts of) documents that haven't been published before, as well as six slides from NSA presentations which were released as part of earlier press reports. There are also three photos of Edward Snowden in Dark Mirror which are not reproduced here.

(Collections of all the documents from the Snowden revelations can be found at the website IC Off the Record and in the Snowden Surveillance Archive)


Presentation about the PRISM program:


Front slide of the NSA's PRISM presentation from April 2013.
Published earlier by The Washington Post on June 6, 2013.
(Dark Mirror, p. 109 - click to enlarge)



Part of slide 40 from the NSA's PRISM presentation from April 2013.
Published earlier by The Washington Post on June 29, 2013,
but without the two-row table with the Section 702 FAA certifications.
(Dark Mirror, p. 113 - click to enlarge)

> See for all the PRISM slides that have been released: What is known about NSA's PRISM program


Presentation from the Large Access Exploitation Group:


Detail from a slide from an NSA presentation titled "Is it the End of the
SIGINT World as We Have Come to Know It?" prepared by a member of
the Large-Access Exploitation Group and dated May 10, 2012.
(Dark Mirror, p. 169 - click to enlarge)



Detail from a slide from a briefing titled "Is it the End of the SIGINT
World as We Have Come to Know It?" prepared by a member of the
Large-Access Exploitation Group and dated May 10, 2012.
(Dark Mirror, p. 174 - click to enlarge)

Probably from the same presentation are two slides that were published by The Washington Post on December 4, 2013 and one partial slide published with Greenwald's book No Place to Hide in May 2014.

> More about the MAINWAY system: Section 215 bulk telephone records and the MAINWAY database


Presentations about SSO Collection Optimization:


Meme from the NSA presentation "SSO Collection Optimization"
from January 7, 2013, referring to collection systems that
scooped up more data than they could process
(Dark Mirror, p. 192 - click to enlarge)



Slide from the NSA presentation "SSO Collection Optimization" from 2013
about intercepting Google's cloud, better known as the MUSCULAR program.
Published earlier by The Washington Post on October 30, 2013.
(Dark Mirror, p. 284 - click to enlarge)

Also from presentations about SSO Collection Optimization are:
- seven slides published by The Washington Post on October 14, 2013,
- six slides published by The Washington Post on November 4, 2013.


Slides from other NSA presentations:


Detail from a slide from the NSA presentation from
"FAIRVIEW Data Flow Diagrams" from April 2012.
The full presentation was published by
The Intercept in November 2016.
(Dark Mirror, p. 171 - click to enlarge)

> More about the FAIRVIEW program: FAIRVIEW: Collecting foreign intelligence inside the US



Slide from the NSA presentation "NSA/CSS Mission: PROVIDE AND
PROTECT VITAL INFORMATION FOR THE NATION" from October 24, 2001.
Published earlier by The Washington Post on December 23, 2013.
(Dark Mirror, p. 184 - click to enlarge)



Explanation of "traffic shaping" to redirect a target's communications
traffic in such a way that it passes an NSA access point.
Published earlier by The Intercept.
(Dark Mirror, p. 201 - click to enlarge)


Miscellaneous documents:


Example of an e-mail exchange between senior White House, Justice
Department and DNI officials, released upon a FOIA request about
the FIRSTFRUITS media leaks program
(Dark Mirror, p. 226 - click to enlarge)



Confirmation of the flight reservations for Edward Snowden
and Sarah Harrison, June 24, 2013.
(Dark Mirror, p. 307 - click to enlarge)



Cover names

Dark Mirror contains 28 cover names that haven't been published before. However, not all of them are explained in the book, some are just mentioned to reflect the NSA's internal culture and the way these code names are composed.

There are also 63 cover names which were already known from press reports and/or documents from the Snowden trove. This means that for many of them there's additional information available - click the asterisk for sources.

(All these cover names are also included in the extensive listings of NSA Nicknames and Codewords and NSA's TAO Division Codewords on this weblog)


Newly revealed cover names:

BADASS - (unexplained compartment) (p. 206)
BADGIRL - ? (p. 204)
BATCAVE - Digital hideout for NSA hackers who emerge to steal another country's software code (p. 209)
BLACKAXE - Exceptionally Controlled Information (ECI) compartment (p. 70)
BLADERUNNER - ? (p. 209)
CAPTAINCRUNCH - FBI owned and monitored network servers to attract foreign hackers (p. 86)
COOKIEDOUGH - ? (p. 210)
CROWNROYAL - ? (p. 209)
DEPUTYDAWG - ? (p. 209)
DEVILFISH - ECI compartment (p. 70)
DEVILHOUND - ? (p. 207)
EPICFAIL - ? (p. 207)
EXPLETIVEDELETED - Cover name for al-Qaeda's favorite encryption software (p. 212)
EXUBERANTCORPSE - Cover name for al-Qaeda's favorite encryption software (p. 212)
FLYLEAF - ECI compartment (p. 70)
Graph-in-Memory - Database holding maps of contacts in support of contact-chaining (p. 174, 177, 180)
HYSSOP - ECI compartment (p. 70)
KESSELRUN - ECI compartment (p. 70)
KOBAYASHIMARU - NSA contract with General Dynamics to help break into another country's surveillance equipment (p. 210)
LIGHTNINGTHIEF - ECI compartment (p. 70)
MISS MONEYPENNY - Support unit providing cover identities for undercover CNE operations abroad (p. 202)
PANT_SPARTY - Injection of an NSA software tool into a backdoor in the target's defenses (p. 204)
POISONIVY - Remote-access trojan used by Chinese government spies (p. 209)
QUIDDITCH - Exploit used by the Special Collection Service (SCS) (p. 209)
STRAWHORSE - Modification to Apple's software installer Xcode to insert a remote-controlled backdoor into each app it compiled (p. 188, 216-220)
VIXEN - ? (p. 204)
VULCANMINDMELD - ? (p. 210)
ZOMBIEARMY - ? (p. 207)


Cover names published earlier:

ALTEREDCARBON - An IRATEMONK implant for Seagate drives * (p. 209)
AMBULANT (AMB) - ECI compartment related to the BULLRUN program (p. 70)
BLACKBELT - Access point under the FAIRVIEW program * (p. 207)
BLARNEY - Collection of foreign phone and internet communications within the US under FISA authority (since 1978) * (p. 199)
BLINDDATE - Searching for vulnerable machines on a local Wi-Fi network * * * (p. 203, 206)
BORGERKING - Something related to Linux exploits (p. 210)
BOUNDLESSINFORMANT - NSA's collection visualization tool based on internet and telephone metadata (p. 10, 206)
BYZANTINE HADES (BH) - Chinese computer network exploitation (CNE) against the US * probably renamed to the LEGION-series * (p. 68, 85, 206)
CAPTIVATEDAUDIENCE - Software tool that listens in on conversation by switching on the microphone of a target's mobile handset (p. 208)
CO-TRAVELER - Set of tools for finding unknown associates of intelligence targets by tracking movements based upon cell phone locations * (p. 318)
CRUMPET - Covert network with printer, server and desktop nodes, or ECI compartment (p. 70)
EGOTISTICALGIRAFFE (EGGI) - TOR Browser Bundle (TBB) exploit (p. 80)
EPICSHELTER - Data backup system to recover information from particular NSA sites, designed by Edward Snowden * (p. 59-61, 63, 75)
ERRONEOUSINGENUITY (ERIN) - Tool for exploiting the TOR network (p. 207)
FAIRVIEW - Domestic cable tapping program in cooperation with AT&T (since 1985) * (p. 311)
FALLOUT - Internet metadata ingest processor/database (p. 169/image)
FASCIA - Telephony metadata ingest processor/database * (p. 169)
FASCIA II - Telephony metadata ingest processor and primary source of telephone metadata for target development. It formerly contained internet metadata which are now in MARINA.* (p. 172)
FELONYCROWBAR - System used to configure the UNITEDRAKE framework (p. 207)
FIRSTFRUITS - Counterintelligence database to track unauthorized disclosures to the press, set up in 2001 * * (p. 225, 271-274, 277)
GROK - Key logger that records every character a target types (p. 209)
HAPPYHOUR - Getting access to vulnerable machines on a local Wi-Fi network (p. 203)
Heartbeat - Apparently a data handler system, designed by Edward Snowden * and/or successor of EPICSHELTER, or an index of surveillance systems * (p. 36, 74-78)
IRONAVENGER - NSA hacking operation against an ally and an adversary (2010) * (p. 209)
KRISPYKREME - Implant module related to the UNITEDRAKE framework, as revealed by the Shadow Brokers * (p. 210)
LADYLOVE - The NSA satellite intercept station at Misawa in Japan (since 1982) (p. 204)
LIFESAVER - Technique which images the hard drive of computers * (p. 210)
MAILORDER - FTP-based file transport system used to move data between various collection, processing and selection management systems. Originally developed in 1990, ultimately to be replaced by JDTS * (p. 171)
MAINWAY (MW) - NSA's main contact chaining system for foreign and domestic telephone and internet metadata from multiple sources; performs data quality, preparation and sorting functions, summarizes contacts and stores the resulting one-hop contact chains * (p. 168-176, 178-180)
MAKERSMARK - Major cyber threat category countered by the TUTELAGE system * identified in 2007 * (p. 209)
MARINA - NSA database for internet metadata; maybe succeeded by CLOUDRUNNER in 2013 * (p. 169/image)
MJOLNIR - Tool to break the anonymity of the Tor network * (p. 209)
MUSCULAR - Joint NSA-GCHQ operation to tap the cables linking Google and Yahoo data clouds to the internet * (p. 284, 299-300, 311, 315)
NIGHTSTAND - Delivering malware to a vulnerable machines on a local Wi-Fi network (p. 203, 206)
NIGHTTRAIN - Part of a program to spy on a close US ally during operations alongside the ally against a common foe * (p. 209)
OAKSTAR - Umbrella program for 9 accesses at 7 corporate partners (since 2004)* * (p. 311)
ODDJOB – HTTP command and control implant for installation on compromised Windows hosts, published by the Shadow Brokers (p. 201)
PINWALE - Primary storage, search, and retrieval system for SIGINT text intercepts. Target data is filtered through a Packet Raptor at the collection site and is subsequently processed by a WEALTHYCLUSTER 2, followed by an XKEYSCORE for selection at NSA headquarters.* (p. 176)
PITIEDFOOL - Suite of computer network attack (CNA) tools to attack the Windows operating system, overwrites data to the point it is irrecoverable (p. 206)
POLITERAIN - Offensive computer network attack (CNA) team from the Access Technologies & Operations (ATO) unit of the NSA's hacking division TAO * (p. 220)
PRISM - Collection of internet data from specific foreign targets at major US internet companies (since 2007) (p. 84, 99, 106-113, 117-121, 123-133, 137, 139-148, 226, 285, 300)
QUANTUM - Secret servers placed by NSA at key places on the internet backbone; part of the TURMOIL program * (p. 199)
RAGTIME (RGT) - ECI compartment for call and e-mail content collected under FISA authority * Encompasses both NSA and FBI FISA data since 2002 * (p. 122)
SCISSORS - Data scanning, formatting and distribution system * or processing system that slices up data for sorting (p. 206)
SECONDDATE - Method to influence real-time communications between client and server in order to redirect web-browsers to FOXACID malware servers (p. 203)
SEEDSPHERE - Chinese "intrusion set" against US computer networks, identified in 2007 * (p. 68)
SORTINGHAT - RT10 application * or Traffic control system for information exchanged with GCHQ (p. 209)
STARBURST - Temporary cover term for what would become the STELLARWIND compartment (October 2001) (p. 70, 170)
STELLARWIND (STLW) - Cover term for the President's Surveillance Program (PSP), which encompassed bulk collection of domestic metadata and targeted interception at backbone facilities inside the US in order to track down foreign terrorists and their previously unknown conspirators (2001-2007) (p. 26, 70, 71, 169-170, 175)
TRANSGRESSION - TAO/CES unit providing cryptanalytic support for various missions * (p. 206)
TURMOIL (TML) - Passive SIGINT sensors: filtering and selection (at the packet level) of internet traffic on high-speed satellite, microwave and cable links, part of the TURBULENCE program * * * (p. 299)
TURTLEPOWER - System to process VoIP communications data * and/or automated decryption of enciphered data (p. 209)
UNPACMAN - Processing system on TAONet, part of DEEPFRIEDPIG * (p. 210)
Upstream - Targeted collection of telephone and internet communications of foreign targets at backbone cables and switches inside the US (p. 84)
VOYEUR - Compartment shared with GCHQ for spying on another country's spies as they spy on someone else (4th party collection) * (p. 206)
VULCANDEATHGRIP - Repository for data collected from vPCS shaping under the STEELFLAUTA program * or tool that seizes encryption keys during the handshake of two devices as they establish a secure link (p. 210)
WALKERBLACK - Related to the MAKERSMARK intrusion set * (p. 209)
WESTERNSTAR - Contact-chaining program * (p. 174/image)
WHARPDRIVE - Joint venture between the German BND and another country with access for NSA (2013)* * (p. 210)
WHIPGENIE (WPG) - ECI compartment for details about the STELLARWIND program * (p. 70, 122)
XKEYSCORE (XKS) - Computer system that combines high-speed filtering of data traffic from different sources with techniques for discovering targets who use the internet anonymously * (p. 86-87, 330-331)




Extra:

Cover names from Edward Snowden's book Permanent Record:

EGOTISTICALGIRAFFE - (p. 168)
EPICSHELTER - (p. 168-169, 189, 220)
FOXACID - (p. 168)
Heartbeat - (p. 221-222, 256-257)
MIDNIGHTRIDER - (p. 256)
OPTICNERVE - (p. 256)
PHOTONTORPEDO - (p. 256)
PRISM - (p. 223-224, 291)
QUANTUM - (p. 225)
STELLARWIND - (p. 175, 177, 245, 250)
TRAFFICTHIEF - (p. 168)
TRAILBLAZER - (p. 250-251)
TURBINE - (p. 225)
TURBULENCE - (p. 225)
TURMOIL - (p. 225)
Upstream - (p. 224)
XKEYSCORE - (p. 276-279, 281, 325)
ZBSMACKTALK/1 - (Fictitious CIA cryptonym) (p. 133-134)


June 5, 2020

Bulk interception by Germany's BND and what the Constitutional Court said about it

(Updated: November 2, 2020)

On May 19, the German Constitutional Court presented its decision in a case about the untargeted interception of foreign communications by the German foreign intelligence service BND.

Unlike suggestive headlines, the Court didn't forbid this kind of collection, but ruled that more specific safeguards and more thorough oversight are needed to make it compliant with the German constitution.

The Court's decision and some recent press reports also provide interesting details about how the BND is conducting its bulk collection of data from internet cables, especially at the German internet exchange DE-CIX.




Interior of the BND data center in Pullach, near Munich in Bavaria
(screenshot from ARD television - click to enlarge)



The BND's untargeted cable tapping

It's assumed that the BND's first experience with large-scale cable tapping started with operation Eikonal, under which the Germans cooperated with the NSA for access to some fiber-optic cables at a switching center of Deutsche Telekom in Frankfurt. Operation Eikonal was part of the NSA umbrella program RAMPART-A, which aimed at gathering intelligence about targets from Russia, the Middle East and North-Africa.

Operation Eikonal started in March 2004 with intercepting telephone and fax messages and shifted to e-mail and VoIP communications in 2006. However, this resulted in only a few hundred reports a year (each consisting of one intercepted e-mail, fax message or phone call). For the NSA this was a big disappointment and the BND realized that it was impossible to fully separate foreign and domestic communications. Therefore, the operation was terminated in June 2008.

Earlier blog postings about operation Eikonal:
- Unnoticed leak answers and raises questions about operation Eikonal
- New details about the joint NSA-BND operation Eikonal
- The German operation Eikonal as part of NSA's RAMPART-A program


Overview of the joint NSA-BND operation Eikonal (2004-2008)
(click to enlarge)


(Between 2004 and 2013, BND and NSA also cooperated in satellite interception at Bad Aibling Station. Years of neglicence over there resulted in what is known as the "Selector Affair")

Detailed insights into operation Eikonal emerged from the hearings of the German parliamentary investigation commission (#NSAUA) between March 2014 and February 2017. This inquiry was set up to investigate the NSA spying activities, but soon turned its focus on the Signals Intelligence (SIGINT) operations of Germany's own foreign intelligence service.


Cable tapping at DE-CIX

While operation Eikonal itself wasn't very successful, it did provide the BND with the knowledge and the experience for conducting cable tapping on its own: in 2009 they started intercepting cables from 25 (out of over 300) internet service providers, this time at the DE-CIX internet exchange in Frankfurt am Main.

Among these 25 providers were foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

It appears that this interception took place in cooperation with the DE-CIX Management and that the various providers themselves didn't knew that this was happening. A smart move, as this provides BND with just one single point-of-contact, while the individual providers could honestly deny that their cables were being intercepted.


Current practice

More information about the BND's current efforts to intercept data streams from internet exchanges like DE-CIX were provided recently by reports from the German magazine Der Spiegel en the Bavarian broadcaster Bayerischer Rundfunk (BR) in anticipation of the decision of the Constitutional Court. Additional details can be found in the full text of the Court's decision.

Both press reports were based on several internal documents from the German government and the BND, including its 72-page SIGINT Policy Manual (German: Dienstvorschrift Sigint), which provides detailed regulations for what's allowed and what's prohibited when conducting untargeted interception of communications between foreigners abroad (Ausland-Ausland Fernmeldeaufklärung).

(Intercepting one-end foreign communications is regulated by the G10 Law with the G10 Commission for approval and oversight. This commission is also responsible for interception by the domestic federal security service BfV)


Intelligence priorities

Like many other intelligence agencies, the BND is not only trying to prevent terrorism, but also provides the German government with information to support its foreign policy, as well as to prevent the proliferation of weapons of mass destructing and cyber attacks. The government arranges these goals in a document similar to the National Intelligence Priority Framework (NIPF) in the United States.

The German version of this Top Secret document is called Auftragsprofil der Bundesregierung (APB) and ranges from Priority 1 for topics that require a complete coverage (umfassender Informationsbedarf) to Priority 4 for issues with a low information need (niedriger Informationsbedarf).

According to these information needs, the BND considers whether it's necessary to intercept internet communications. In Germany, this can happen at 23 internet exchanges, with DE-CIX in Frankfurt as one of the biggest in the world, but the BND also has satellite intercept stations in Schöningen, Rheinhausen and Bad Aibling.


Access directives

Once the BND has determined where they need access, the federal chancellery (Bundeskanzleramt) issues a directive granting that access based upon the BND Law. Currently, there are 17 network access directives (Netzanordnungen): 3 of them for internet exchanges inside Germany, the other 14 mainly for satellite networks.* In practice, the BND copies about 10% of the capacity of a network that it's allowed to tap.*

Based upon these network access directives, the BND provides the network providers with an extraction directive (Ausleitungsanordnung), which usually identifies multiple networks of interest. The specific parts of these networks or transmission links which the BND is interested in are specified in separate tables (Statustabellen).*


Splitting off data streams at DE-CIX

In October 2019, DE-CIX provided the Constitutional Court with an assessment saying that it handled an average number of 47,5 trillion IP connections (IP-Verkehrsverbindungen) a day and that the BND would technically be able to copy 1,2 trillion of those IP-connections, which is 2,5% of the total traffic.

However, in the Court's decision it's said that the BND's technical installations at DE-CIX have the capacity of capturing and processing 5% of its data traffic.* The management of the exchange has no insight in how many data the BND actually extracts.

Usually traffic at internet exchanges is measured in bits per second: in October 2019, the average traffic at DE-CIX was 5 terabit per second (Tb/s). If the BND copies between 2,5 and 5% of that, that would make between 125 and 250 gigabits per second (Gb/s).

For comparison: from the Snowden revelations we know that in 2011, GCHQ had access to more than 200 communications channels ("bearers") of 10 Gb/s each - out of the around 1600 channels within all the commercial cables transiting the UK. However, GCHQ could process data from only 46 of them at a time (or 460 Gb/s).


Update:
Already in July 2013, the German television magazine FAKT reported that the BND may have acquired Narus filtering devices, which the NSA allegedly used for its Upstream collection, through a small firm called GTS (for Gesellschaft für technische Sonderlösungen) from Frankfurt am Main. From 2007 to 2010, GTS was the exclusive reseller of Narus equipment in Germany.


The DAFIS filtering system

Once data streams of interest are copied, the BND leads them to a multi-stage filter system called DAFIS. First, different types of data are identified in order to discard irrelevant ones, like video streams.* The first stage of DAFIS then deletes all communications that involve German citizens or residents.

According to government documents, this filter has a 96% to 98% accuracy, but with over a trillion connections a day, that would still leave 2 to 4 billion connections with an incorrect attribution. Therefore, the BND implements additional algorithms to prevent the collection of German communications.

Second stage

The second stage of DAFIS uses selectors (Suchbegriffe) to filter both metadata (Verkehrsdaten) and content (Inhaltsdaten). According to BR and Der Spiegel, The BND uses more than 100.000 selectors, not only telephone numbers and e-mail addresses, but also the names of chemical components of weapons of mass destruction.

In the decision of the Constitutional Court it's said that between 50 and 60%(!) of these selectors are provided by foreign partner agencies, but the BND only uses them when their type and purpose can be verified.*

Before feeding these selectors into the filtering system, BND checks whether they comply with the law, which says that it is not allowed to intercept the communications of German citizens and residents. Telephone numbers are automatically excluded by filtering out the country code 0049 for example. Also, no selectors may be tasked to monitor children under 14, except when it's about child soldiers and suicide attackers.

In the government documents it's acknowledged that no filter system can provide 100% protection, like when a German citizen living or working in Syria makes a call from a syrian number. Only by listening in to such a conversation it can be determined that it's actually protected under the German constitution and has to be deleted (and the selector marked accordingly).


Third stage

During the parliamentary investigation, a third stage of the filter system was mentioned, which was aimed at protecting "German interests". During the hearings it became clear that it filters out German companies and foreign companies with German participation (like EADS and Eurocopter) as well as the names of German politicians, among others.

Like it was the case under operation Eikonal, the DAFIS filter system is probably located in a highly secured room at the internet exchange. That saves bandwidth as only the data that remain after the final stage of the filter have to be forwarded to the BND's Signals Intelligence Center (Zentrum Technische Aufklärung), which is still located at the old headquarters compound in Pullach, where a new data center was built in 2012:



Exterior of the BND data center in Pullach, near Munich in Bavaria
(screenshot from ARD television - click to enlarge)


Content

After applying the selectors, the BND's untargeted collection results in some 270.000 pieces of communications content each day, like e-mails, phone calls and chat messages. Approximately 60% comes from collection inside Germany, 40% is collected abroad. A small percentage is received from foreign partner agencies.*

After manually sorting and analyzing these intercepts, analysts produce an average of 260 intelligence reports a day (out of a total of 720 reports from all sources).* But despite all the precautions, there are still about 30 incorrect intercepts a month, like an e-mail message or a telephone call in which a German citizen is involved.*

According to press reports, the BND's SIGINT Policy Manual says that analysts have to delete any intercepts which include sexual content or are about a romantic or sexual relationship, but when there's "sexual bragging" in a "lively public space" the analyst may continue to listen in. The same applies to cases when a target simply says things like "honey I love you".


Metadata

The metadata that remain after the DAFIS filter are stored in full, so they can be combined ("enriched") with other data sets and analyzed by computers.* A meanwhile well-known method used for analyzing telephone metadata is contact-chaining. The BND Law says that metadata may be stored for up to 6 months and can also be shared with foreign partners in an automated way, even when they are not yet evaluated.



Operations room at the former BND headquarters in Pullach
(photo: Martin Schlüter - click to enlarge)



The judgement of the Constitutional Court

Already during the parliamentary investigation of the relationship between the NSA and the BND, the German government came up with a substantial amendment of the law that regulates its foreign intelligence service (BND-Gesetz). This came into effect on December 31, 2016, half a year before the end report of the investigation commission was published.

In January 2018, Reporters sans frontières and seven foreign journalists filed a constitutional complaint at the Federal Constitional Court (Bundesverfassungsgericht). They argued that the law allows the BND to indiscriminately collect the communications of foreign journalists, which imposes a risk on their confidential sources, especially when those data are shared with intelligence or security services of countries where civil liberties and press freedom are at risk.

After oral hearings on January 14 and 15, the Constitutional Court presented its decision on May 19, 2020, with the judges seated at a proper distance of each other due to the threat of the corona virus:



The German Federal Constitutional Court presenting it's
decision on the BND's untargeted cable tapping
(screenshot from Phoenix television - click to enlarge)


The main point of the Court's decision is that the fundamental rights from the constitution also bind the German government when it's acting outside German borders.

The protection of specific rights domestically can be different from the protection offered abroad, but when it comes to untargeted interception, both the protection of the privacy of telecommunication (art. 10) and the protection of the freedom of the press (art. 5) also apply to foreigners in foreign countries.

This doesn't mean that bulk collection of communications is unconstitutional in itself. It may be used as an exceptional method by a government agency that has no operative powers and when it's justified by a specific mission.* Untargeted interception may not be conducted domestically.*


Restrictions

To be in accordance with the constitution, the Court says that for this kind of collection there have to be at least the following restrictions:*
- Separation of the communications of German citizens and residents by all means available, any remaining German communications have to be deleted upon recognition;
- Limitation of the (amount of) data that can be collected;
- Collection goals have to be specified;
- Collection efforts must be in accordance with procedures;
- Additional requirements for interception of personal data;
- Limitations for storing metadata;
- Framework for data processing and analysis;
- Safeguards to protect privileged communications of lawyers and journalists;
- Protection of an inner core of private life;
- Mandatory and accountable data deletion.

The Court also decided that Germans have to be protected when they are communicating as a representative of a foreign company or organization. Previously, the BND argued that German citizens could be legally monitored when in such a position, which was known as the Funktionsträgertheorie.


International cooperation

Sharing data related to individual people is generally allowed when the foreign partner will handle them according to human rights and principles of data protection. Data may not be shared when it can be expected that they will be used for human rights violations. This requires the BND to examine the foreign legal and human rights situation. When this isn't convincing at a general level, guarantees in a specific case may also be sufficient. All this has to be documented and accountable.*

When foreign partner agencies provide selectors to be used in BND collection systems, there has to be a careful examination not only of these selectors, but also their hits. This practice also requires that the goals of the foreign partner are in accordance with those of the BND and with the rule of law. Therefore, it's not allowed to let a foreign partner collect what is prohibted domestically ("Ringtausch").*

When data are shared in an automated way without prior evaluation, the foreign partner has to provide meaningful assurances that it will delete data related to German citizens and residents, its handling of privileged communications and other boundaries imposed by the BND. Given the inherent risks, this kind of sharing is only allowed in cases of specific and concrete threats and metadata related to Germans should be filtered out.*


Oversight

Untargeted interception and sharing its results with foreign partners can only be proportionate when there's independent and comprehensive legal oversight. This has to be in the form of a body similar to the judiciary which has to investigate the subsequent stages of the interception process, including taking random samples at its own initiative. This in order to allow a judgment on the lawfulness of the entire collection method.*

For this, the oversight body has to have its own budget, its own personnel and the right to set it own procedures. It has to be provided with everything that is necessary to conduct meaningful and effective oversight. This may also not be hindered by the so-called "Third Party Rule", which means that a secret service treats the oversight body as a third party that is not allowed access to documents or data from foreign partners agencies.


The Constitutional Court gave the German government until December 31, 2021 to change the BND Law in such a way that it will be compliant with the constitution.



Links & sources
- About:intel: Try harder, Bundestag! Germany has to rewrite its foreign intelligence reform (May 22, 2020)
- Der Spiegel: Sieg für Edward Snowden (May 19, 2020)
- Golem.de: Internetüberwachung des BND ist verfassungswidrig (May 19, 2020)
- Der Spiegel: So überwacht der BND das Internet (May 19, 2020)
- Bayerischer Rundfunk: So späht der Bundesnachrichtendienst das Internet aus (May 15, 2020)


In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties