June 5, 2020

Bulk interception by Germany's BND and what the Constitutional Court said about it



On May 19, the German Constitutional Court presented its decision in a case about the untargeted interception of foreign communications by the German foreign intelligence service BND.

Unlike suggestive headlines, the Court didn't forbid this kind of collection, but ruled that more specific safeguards and more thorough oversight are needed to make it compliant with the German constitution.

The Court's decision and some recent press reports also provide interesting details about how the BND is conducting its bulk collection of data from internet cables, especially at the German internet exchange DE-CIX.




Interior of the BND data center in Pullach, near Munich in Bavaria
(screenshot from ARD television - click to enlarge)



The BND's untargeted cable tapping

It's assumed that the BND's first experience with large-scale cable tapping started with operation Eikonal, under which the Germans cooperated with the NSA for access to some fiber-optic cables at a switching center of Deutsche Telekom in Frankfurt. Operation Eikonal was part of the NSA umbrella program RAMPART-A, which aimed at gathering intelligence about targets from Russia, the Middle East and North-Africa.

Operation Eikonal started in March 2004 with intercepting telephone and fax messages and shifted to e-mail and VoIP communications in 2006. However, this resulted in only a few hundred reports a year (each consisting of one intercepted e-mail, fax message or phone call). For the NSA this was a big disappointment and the BND realized that it was impossible to fully separate foreign and domestic communications. Therefore, the operation was terminated in June 2008.

Earlier blog postings about operation Eikonal:
- Unnoticed leak answers and raises questions about operation Eikonal
- New details about the joint NSA-BND operation Eikonal
- The German operation Eikonal as part of NSA's RAMPART-A program


Overview of the joint NSA-BND operation Eikonal (2004-2008)
(click to enlarge)


(Between 2004 and 2013, BND and NSA also cooperated in satellite interception at Bad Aibling Station. Years of neglicence over there resulted in what is known as the "Selector Affair")

Detailed insights into operation Eikonal emerged from the hearings of the German parliamentary investigation commission (#NSAUA) between March 2014 and February 2017. This inquiry was set up to investigate the NSA spying activities, but soon turned its focus on the Signals Intelligence (SIGINT) operations of Germany's own foreign intelligence service.


Cable tapping at DE-CIX

While operation Eikonal itself wasn't very successful, it did provide the BND with the knowledge and the experience for conducting cable tapping on its own: in 2009 they started intercepting cables from 25 (out of over 300) internet service providers, this time at the DE-CIX internet exchange in Frankfurt am Main.

Among these 25 providers were foreign companies from Russia, Central Asia, the Middle East and North Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who almost exclusively handle domestic traffic.

It appears that this interception took place in cooperation with the DE-CIX Management and that the various providers themselves didn't knew that this was happening. A smart move, as this provides BND with just one single point-of-contact, while the individual providers could honestly deny that their cables were being intercepted.


Current practice

More information about the BND's current efforts to intercept data streams from internet exchanges like DE-CIX were provided recently by reports from the German magazine Der Spiegel en the Bavarian broadcaster Bayerischer Rundfunk (BR) in anticipation of the decision of the Constitutional Court. Additional details can be found in the full text of the Court's decision.

Both press reports were based on several internal documents from the German government and the BND, including its 72-page SIGINT Policy Manual (German: Dienstvorschrift Sigint), which provides detailed regulations for what's allowed and what's prohibited when conducting untargeted interception of communications between foreigners abroad (Ausland-Ausland Fernmeldeaufklärung).

(Intercepting one-end foreign communications is regulated by the G10 Law with the G10 Commission for approval and oversight. This commission is also responsible for interception by the domestic federal security service BfV)


Intelligence priorities

Like many other intelligence agencies, the BND is not only trying to prevent terrorism, but also provides the German government with information to support its foreign policy, as well as to prevent the proliferation of weapons of mass destructing and cyber attacks. The government arranges these goals in a document similar to the National Intelligence Priority Framework (NIPF) in the United States.

The German version of this Top Secret document is called Auftragsprofil der Bundesregierung (APB) and ranges from Priority 1 for topics that require a complete coverage (umfassender Informationsbedarf) to Priority 4 for issues with a low information need (niedriger Informationsbedarf).

According to these information needs, the BND considers whether it's necessary to intercept internet communications. In Germany, this can happen at 23 internet exchanges, with DE-CIX in Frankfurt as one of the biggest in the world, but the BND also has satellite intercept stations in Schöningen, Rheinhausen and Bad Aibling.


Access directives

Once the BND has determined where they need access, the federal chancellery (Bundeskanzleramt) issues a directive granting that access based upon the BND Law. Currently, there are 17 network access directives (Netzanordnungen): 3 of them for internet exchanges inside Germany, the other 14 mainly for satellite networks.* In practice, the BND copies about 10% of the capacity of a network that it's allowed to tap.*

Based upon these network access directives, the BND provides the network providers with an extraction directive (Ausleitungsanordnung), which usually identifies multiple networks of interest. The specific parts of these networks or transmission links which the BND is interested in are specified in separate tables (Statustabellen).*


Splitting off data streams at DE-CIX

In October 2019, DE-CIX provided the Constitutional Court with an assessment saying that it handled an average number of 47,5 trillion IP connections (IP-Verkehrsverbindungen) a day and that the BND would technically be able to copy 1,2 trillion of those IP-connections, which is 2,5% of the total traffic.

However, in the Court's decision it's said that the BND's technical installations at DE-CIX have the capacity of capturing and processing 5% of its data traffic.* The management of the exchange has no insight in how many data the BND actually extracts.

Usually traffic at internet exchanges is measured in bits per second: in October 2019, the average traffic at DE-CIX was 5 terabit per second (Tb/s). If the BND copies between 2,5 and 5% of that, that would make between 125 and 250 gigabits per second (Gb/s).

For comparison: from the Snowden revelations we know that in 2011, GCHQ had access to more than 200 communications channels ("bearers") of 10 Gb/s each - out of the around 1600 channels within all the commercial cables transiting the UK. However, GCHQ could process data from only 46 of them at a time (or 460 Gb/s).


The DAFIS filtering system

Once data streams of interest are copied, the BND leads them to a multi-stage filter system called DAFIS. First, different types of data are identified in order to discard irrelevant ones, like video streams.* The first stage of DAFIS then deletes all communications that involve German citizens or residents.

According to government documents, this filter has a 96% to 98% accuracy, but with over a trillion connections a day, that would still leave 2 to 4 billion connections with an incorrect attribution. Therefore, the BND implements additional algorithms to prevent the collection of German communications.

Second stage

The second stage of DAFIS uses selectors (Suchbegriffe) to filter both metadata (Verkehrsdaten) and content (Inhaltsdaten). According to BR and Der Spiegel, The BND uses more than 100.000 selectors, not only telephone numbers and e-mail addresses, but also the names of chemical components of weapons of mass destruction.

In the decision of the Constitutional Court it's said that between 50 and 60%(!) of these selectors are provided by foreign partner agencies, but the BND only uses them when their type and purpose can be verified.*

Before feeding these selectors into the filtering system, BND checks whether they comply with the law, which says that it is not allowed to intercept the communications of German citizens and residents. Telephone numbers are automatically excluded by filtering out the country code 0049 for example. Also, no selectors may be tasked to monitor children under 14, except when it's about child soldiers and suicide attackers.

In the government documents it's acknowledged that no filter system can provide 100% protection, like when a German citizen living or working in Syria makes a call from a syrian number. Only by listening in to such a conversation it can be determined that it's actually protected under the German constitution and has to be deleted (and the selector marked accordingly).


Third stage

During the parliamentary investigation, a third stage of the filter system was mentioned, which was aimed at protecting "German interests". During the hearings it became clear that it filters out German companies and foreign companies with German participation (like EADS and Eurocopter) as well as the names of German politicians, among others.

Like it was the case under operation Eikonal, the DAFIS filter system is probably located in a highly secured room at the internet exchange. That saves bandwidth as only the data that remain after the final stage of the filter have to be forwarded to the BND's Signals Intelligence Center (Zentrum Technische Aufklärung), which is still located at the old headquarters compound in Pullach, where a new data center was built in 2012:



Exterior of the BND data center in Pullach, near Munich in Bavaria
(screenshot from ARD television - click to enlarge)


Content

After applying the selectors, the BND's untargeted collection results in some 270.000 pieces of communications content each day, like e-mails, phone calls and chat messages. Approximately 60% comes from collection inside Germany, 40% is collected abroad. A small percentage is received from foreign partner agencies.*

After manually sorting and analyzing these intercepts, analysts produce an average of 260 intelligence reports a day (out of a total of 720 reports from all sources).* But despite all the precautions, there are still about 30 incorrect intercepts a month, like an e-mail message or a telephone call in which a German citizen is involved.*

According to press reports, the BND's SIGINT Policy Manual says that analysts have to delete any intercepts which include sexual content or are about a romantic or sexual relationship, but when there's "sexual bragging" in a "lively public space" the analyst may continue to listen in. The same applies to cases when a target simply says things like "honey I love you".


Metadata

The metadata that remain after the DAFIS filter are stored in full, so they can be combined ("enriched") with other data sets and analyzed by computers.* A meanwhile well-known method used for analyzing telephone metadata is contact-chaining. The BND Law says that metadata may be stored for up to 6 months and can also be shared with foreign partners in an automated way, even when they are not yet evaluated.



Operations room at the former BND headquarters in Pullach
(photo: Martin Schlüter - click to enlarge)



The judgement of the Constitutional Court

Already during the parliamentary investigation of the relationship between the NSA and the BND, the German government came up with a substantial amendment of the law that regulates its foreign intelligence service (BND-Gesetz). This came into effect on December 31, 2016, half a year before the end report of the investigation commission was published.

In January 2018, Reporters sans frontières and seven foreign journalists filed a constitutional complaint at the Federal Constitional Court (Bundesverfassungsgericht). They argued that the law allows the BND to indiscriminately collect the communications of foreign journalists, which imposes a risk on their confidential sources, especially when those data are shared with intelligence or security services of countries where civil liberties and press freedom are at risk.

After oral hearings on January 14 and 15, the Constitutional Court presented its decision on May 19, 2020, with the judges seated at a proper distance of each other due to the threat of the corona virus:



The German Federal Constitutional Court presenting it's
decision on the BND's untargeted cable tapping
(screenshot from Phoenix television - click to enlarge)


The main point of the Court's decision is that the fundamental rights from the constitution also bind the German government when it's acting outside German borders.

The protection of specific rights domestically can be different from the protection offered abroad, but when it comes to untargeted interception, both the protection of the privacy of telecommunication (art. 10) and the protection of the freedom of the press (art. 5) also apply to foreigners in foreign countries.

This doesn't mean that bulk collection of communications is unconstitutional in itself. It may be used as an exceptional method by a government agency that has no operative powers and when it's justified by a specific mission.* Untargeted interception may not be conducted domestically.*


Restrictions

To be in accordance with the constitution, the Court says that for this kind of collection there have to be at least the following restrictions:*
- Separation of the communications of German citizens and residents by all means available, any remaining German communications have to be deleted upon recognition;
- Limitation of the (amount of) data that can be collected;
- Collection goals have to be specified;
- Collection efforts must be in accordance with procedures;
- Additional requirements for interception of personal data;
- Limitations for storing metadata;
- Framework for data processing and analysis;
- Safeguards to protect privileged communications of lawyers and journalists;
- Protection of an inner core of private life;
- Mandatory and accountable data deletion.

The Court also decided that Germans have to be protected when they are communicating as a representative of a foreign company or organization. Previously, the BND argued that German citizens could be legally monitored when in such a position, which was known as the Funktionsträgertheorie.


International cooperation

Sharing data related to individual people is generally allowed when the foreign partner will handle them according to human rights and principles of data protection. Data may not be shared when it can be expected that they will be used for human rights violations. This requires the BND to examine the foreign legal and human rights situation. When this isn't convincing at a general level, guarantees in a specific case may also be sufficient. All this has to be documented and accountable.*

When foreign partner agencies provide selectors to be used in BND collection systems, there has to be a careful examination not only of these selectors, but also their hits. This practice also requires that the goals of the foreign partner are in accordance with those of the BND and with the rule of law. Therefore, it's not allowed to let a foreign partner collect what is prohibted domestically ("Ringtausch").*

When data are shared in an automated way without prior evaluation, the foreign partner has to provide meaningful assurances that it will delete data related to German citizens and residents, its handling of privileged communications and other boundaries imposed by the BND. Given the inherent risks, this kind of sharing is only allowed in cases of specific and concrete threats and metadata related to Germans should be filtered out.*


Oversight

Untargeted interception and sharing its results with foreign partners can only be proportionate when there's independent and comprehensive legal oversight. This has to be in the form of a body similar to the judiciary which has to investigate the subsequent stages of the interception process, including taking random samples at its own initiative. This in order to allow a judgment on the lawfulness of the entire collection method.*

For this, the oversight body has to have its own budget, its own personnel and the right to set it own procedures. It has to be provided with everything that is necessary to conduct meaningful and effective oversight. This may also not be hindered by the so-called "Third Party Rule", which means that a secret service treats the oversight body as a third party that is not allowed access to documents or data from foreign partners agencies.


The Constitutional Court gave the German government until December 31, 2021 to change the BND Law in such a way that it will be compliant with the constitution.



Links & sources
- About:intel: Try harder, Bundestag! Germany has to rewrite its foreign intelligence reform (May 22, 2020)
- Der Spiegel: Sieg für Edward Snowden (May 19, 2020)
- Golem.de: Internetüberwachung des BND ist verfassungswidrig (May 19, 2020)
- Der Spiegel: So überwacht der BND das Internet (May 19, 2020)
- Bayerischer Rundfunk: So späht der Bundesnachrichtendienst das Internet aus (May 15, 2020)


No comments: