August 30, 2020

Head of Danish military intelligence suspended after misleading the oversight board



The Danish military intelligence service (Forsvarets Efterretningstjeneste or FE), which is also responsible for signals intelligence, has been accused of unlawful activities and deliberately misleading the intelligence oversight board.

After the oversight board (Tilsynet med Efterretningstjenesterne or TET) received information from a whistleblower, the head of the FE, Lars Findsen, and three other senior officials of the intelligence service were suspended.

Here, I will provide a translation of the press release of the oversight board, as well as details from its earlier reports, showing that there were problems at the FE for years. An overview of the international cooperation between the FE and foreign partner agencies provides a context for what likely went wrong at the Danish service.



Lars Findsen, head of the FE from 2015 to 2020 and the
FE's satellite intercept station in North Jutland



Press release of the Oversight Board

The affair came to light when on August 24, the Danish Ministry of Defense issued a short statement saying that the head of the FE and two other officials were suspended from duty until further notice. Svend Larsen, the chief of Central and West Zealand Police, was appointed as acting chief of the FE. Later, a third official was also suspended.

The same day, the Danish Intelligence Oversight Board published a press release with the unclassified results of its investigation into the issues that led to Findsen's suspension. Because the press release is only available in Danish, I made a preliminary translation using Google Translate with manual corrections to make it more readible:



PRESS RELEASE

The Intelligence Oversight Board completed a special investigation into the Defense Intelligence Service (FE) on the basis of material submitted by one or more whistleblowers.

In November 2019, one or more whistleblowers provided the Intelligence Oversight Board with a significant amount of material relating to the FE, which the Board has not hitherto been aware of or able to acquire. The material is of such a nature that the Board decided to focus its oversight of the FE in order to carry out an in-depth investigation of the present situation. With this announcement, the Board publishes the unclassified results of the investigation.

On the basis of the Board's investigation of the submitted material, the Board sent an analysis in four volumes to the Minister of Defense containing the Board's conclusions and recommendations on 21 August 2020.

Throughout the process of the special investigation of the FE, the Board has held the Minister of Defense informed. The Minister of Defense has regularly expressed support for the Board's in-depth examination of the material.

The Board's assessments and recommendations deal with matters that are fully or partially within its legal supervision authority according to the FE Act and the rules and conditions based on it, which the Minister, in the opinion of the Board, should have knowledge of, cf. § 16, stk. 2. of the FE Act.

Based on a source-critical examination of the submitted material, the Board assesses, among other things, the following:
- That since the establishment of the Board in 2014 and until the summer of 2020, the FE has, among other things, on several occasions during the Board's inspections and meetings with the head of the FE, withheld key and crucial information and provided the Board with incorrect information regarding the service's collection and disclosure of information.

The Board is of the opinion that the statutory duty to provide information is absolutely necessary for functional oversight and that it is based on trust by the legislator that the FE complies with this obligation in all respects. The result of these repeated breaches of the statutory duty to provide information is that the legality check that the Board is required to carry out under the FE Act, and which contributes to the legitimacy of the FE's work, does not work out as intended.

- That at central parts of the FE's collection capabilities there are risks that can lead to unlawful collection against Danish citizens.

- That the submitted material indicates that the FE's management has failed to follow up on, or further investigate indications of espionage within the Ministry of Defense.

- That there is a culture of insufficient legal awareness within the FE's management and parts of the service, which results in unlawful activities or inappropriate situations within the service to be shelved, including not informing the Oversight Board about matters relevant to its supervision.

- That the submitted material indicates that the FE, prior to the establishment of the Board in 2014, initiated operational activities in violation of the Danish law, including obtaining and passing on a significant amount of information about Danish citizens.

- That the FE has unlawfully processed information about an employee of the Oversight Board.

Against this background, the Board recommends that a political position be taken on the following:
- Whether there should be an investigation into whether the FE has carried out and is carrying out its task as a national security authority within ​​the Ministry of Defense in accordance with § 1, stk. 2 of the FE Act.

- The need to uncover whether the FE has adequately informed policy makers about all relevant issues concerning key parts of the service's collection capabilities.

Given the options of the FE Control Act, the Board does not have the possibilities to further uncover specific matters that emerge from the submitted material. Therefore, the Board generally recommends the following:
- That an early evaluation of the FE Act will be carried out to determine whether the Board has the necessary legal authorities and resources to carry out an effective legal oversight of the FE, including whether the Board must have the authority to conduct interrogations of the FE's employees as witnesses.

- That, based on of the circumstances of the Board's receipt of the submitted material, an external whistleblower scheme for the FE is established, which can best be placed under the auspices of the Board.

Such a scheme should improve the ability of current and former FE employees to comment on controversial issues without fear of retaliation, including employment or criminal consequences. Furthermore, such a scheme would allow classified information to be passed on in a secure environment. The scheme must also ensure that an external whistleblower body has the necessary resources and instruments to protect the persons who submit information according to this scheme.

The Board had thorough considerations regarding the publication of the conclusions and recommendations of the investigation. It is crucial for the oversight that the public has as much insight as possible. However, in the view of the extremely sensitive circumstances surrounding the submission of the material to the Board and its classified content, the Board may not provide further information to the public.

Facts about the Intelligence Oversight Board

The Intelligence Oversight Board is a special independent monitoring body that supervises that the PET processes information about natural and legal persons in accordance with the law, and that the FE processes information about natural and legal persons domiciled in Denmark in accordance with the law. The Board was established by the Act on the Police Intelligence Service (PET), which, like the Act on the Defense Intelligence Service (FE), entered into force on 1 January 2014.

Following the entry into force on 1 July 2014 of the Center for Cyber ​​Security (CFCS) Act, the Board has also monitored that CFCS processes information about natural persons in accordance with the legislation.

The Board consists of five members appointed by the Minister of Justice after consultation with the Minister of Defense. The chairman, who has to be a High Court judge, is appointed on the recommendation of the Presidents of the Danish Eastern and Western High Courts, while the other members are appointed after consultation with the Parliamentary Committee for the Intelligence Services.

The members are:

- Michael Kistrup, High Court Judge, High Court of Eastern Denmark (Chairman)
- Erik Jacobsen, Chairman of the Board of Directors, Roskilde University
- Pernille Christensen, Legal Chief, National Association of Local Authorities
- Professor Henrik Udsen, University of Copenhagen
- Professor Rebecca Adler-Nissen, University of Copenhagen

Read more about the audit at www.tet.dk




The Kastellet fortress in Copenhagen, the workplace of most of the FE's employees
(photo: Danish Air Force Photo Service)



Problems in earlier reports

The FE's unauthorized and illegal activities described in the press release of the Oversight Board may actually not have come as a complete surprise.

Already in several earlier reports, the Oversight Board noticed that the FE conducted quite a large number of unlawful "raw data searches", which is the term used for untargeted interception. This method enables the FE to "obtain very large amounts of information (several hundred million communications per year)" - according the Annual Report 2018.

In the English version of its Annual Report 2017, in which the FE is mentioned as the Danish Defense Intelligence Service or DDIS, the oversight board says:
"the checks showed that in four instances DDIS engaged in unlawful targeted procurement of information about persons resident in Denmark for a total of 20 days in 2014, eight months in 2014-2015, four days in 2016 and 17 months in 2016-2017. The checks further showed that in 20 percent of the samples drawn DDIS made unlawful searches in raw data.
In the Oversight Board’s opinion, the unlawful instances of procurement, including searches in raw data, were in the nature of negligent actions in all cases. Similarly, the Oversight Board notes that since the publication of the Oversight Board’s annual report for 2016 DDIS has taken a number of measures to reduce the number of errors. For one thing, DDIS has intensified its internal controls in the area and strengthened and targeted its staff training."

Regarding the issue of sharing data and information with the Danish domestic security service (Politiets Efterretningstjeneste, or PET) as well as with foreign partner agencies, the board noticed:
"that in a few instances DDIS was not in possession of documentation of the reason underlying the legal approval of a disclosure of information about persons resident in Denmark. The Oversight Board encouraged DDIS to ensure that documentation is obtained in all cases.
Furthermore, the check showed that DDIS did not carry out logging of a system sampled for disclosure of information. The Oversight Board encouraged DDIS to implement system logging, which was soon implemented by DDIS."



Lars Findsen in his office, with two Cisco 7900-series IP phones, apparently one for
secure and one for non-secure calls, as indicated by the colored labels
(photo: Ritzau/Jens Dresling)


Work station searches

Also interesting is that the Danish Intelligence Oversight Board checks individual computers of FE employees:
"Within two DDIS departments, the Oversight Board’s secretariat checked a number of randomly chosen work stations, including their drives, Outlook folders, external storage devices and documents in hard copy.
In connection with the check performed of the information held on each of the work stations, the secretariat asked questions to the individual staff members in question about their knowledge of the rules on processing, including erasure, of information about persons resident in Denmark.
When asked, a majority of the staff informed the secretariat that they had erased information from their work stations before the check."

As a result of this work station check in 2017, there appeared to be one case in which a "staff member processed information about persons resident in Denmark in violation of DDIS’s internal guidelines as the staff member in question retained information which he or she believed was no longer relevant to process there."


Backdoor searches

In its Annual Report 2018 the Oversight Board addressed an interesting aspect of the cooperation between the FE and the domestic security service PET. When the PET requests the FE to use its (untargeted) collection systems to obtain future communications of someone resident in Denmark, then the PET has to obtain a court order beforehand.

However, it was "an established practice" that no court order was required when the PET asked the FE to conduct a search in raw data that had already been obtained (note the similarity with the controversial "backdoor searches" which the NSA conducts on data that it has already lawfully collected).

After a critical opinion of the Oversight Board from June 2018, the PET agreed that in the future it will obtain a court order before requesting the FE to perform a raw data search concerning persons resident in Denmark. This because the PET "does not wish for a situation where it could be called into question whether it has the authority required for its activities".



The FE's satellite interception station near Hjørring in North Jutland



International cooperation

Although being just a small organization, the Danish FE was always part of various international signals intelligence alliances. Already in 1954, it became a third party partner of the NSA and, as such, a member of the multilateral SIGINT Seniors Europe (SSEUR) group that was established in 1982.

In 1976, the FE took the initiative to set up a purely European signals intelligence group codenamed Maximator, which includes Sweden, Germany, the Netherlands and France. The FE was also part of a parallel military intelligence alliance, which was created in the early 1980s and is known as the Club of Five.

The data and information that Denmark contributes to these multilateral exchange groups comes from the various collection systems operated by the FE. Most visible are its two satellite interception stations: one close to Sandagergård on Amager and one near Hjørring in North Jutland.

Additionally, the Danish military probably has mobile interception units to be used during operations abroad. In Afghanistan for example, Danish forces were part of the Afghanistan SIGINT Coalition (AFSC) and used DRT equipment to collect cell phone metadata that was fed into the NSA's Real Time-Regional Gateway (RT-RG) system.



The FE's satellite interception station on Amager, close to Sandagergård


Based on documents from the Snowden revelations, the Danish newspaper Information reported in June 2014, that Denmark is most likely cooperating with the Americans for access to fiber-optic cables under the NSA's umbrella program RAMPART-A. The NSA also provided the FE with collection and processing equipment.

Data "collected from cable taps in Denmark are filtered in order to eliminate Danish data before handing them over to NSA. The filters, however, do not remove all Danish data, since this is not technically feasible" - according to Information. This is similar to what happened to the data the German BND shared with the NSA under operation Eikonal, which was also part of RAMPART-A.




Denmark was also mentioned in Edward Snowden's written testimony for the European Parliament from March 2014, in which he came up with the following accusation:
The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans.
Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.
Ultimately, each EU national government's spy services are independently hawking domestic accesses to the NSA, GCHQ, FRA, and the like without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole.


It should be noted that this theory is not supported by original documents from the Snowden collection. Also, a thorough German investigation into the prohibited data the NSA was interested in during its cooperation with the BND for satellite interception revealed that the NSA mainly tried to target various European government agencies and German companies.

This was in violation of the Memorandum of Agreement (MoA) with the Germans, but in general, spying on foreign governments is considered fair game - and it turned out that the BND was doing exactly the same. There are no indications that these kind of cooperations were used for the surveillance of ordinary citizens.



Conclusion

Meanwhile, additional reporting by the Danish broadcaster DR says that the FE allegedly shared large amounts of raw data from a fiber-optic cable access with the NSA, "which could have included Danish citizens' private personal information and communications". DR couldn't clarify whether this cooperation with the NSA was legal or illegal.

This could be a confirmation of Information's reports from 2014 about a joint cable access operation, but it could also be that the FE shared (meta)data from its own cable access with the NSA. It's assumed that the FE can legally intercept cable traffic in bulk, but as a foreign intelligence service, it has to make sure that no data of Danish residents are collected.

We know that both the NSA and the BND had great difficulties with filtering out data of their citizens and residents, so the least that can be expected is that the FE has the same problem, apparently didn't care much about it and deliberately misled the Oversight Board about the extent of this issue.

The Danish prime minister, Mette Frederiksen, has announced an investigation into the unlawful activities of the FE.



Links & sources
- Information: Når man samarbejder med NSA om masseovervågning, er det langtfra risikofrit (Sept. 12, 2020)
- The Local: Danish intelligence scandal related data sharing with US agency, according to media (August 28, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- BBC: Danish military intelligence head Lars Findsen suspended (August 24, 2020)
- Information: German disclosure raises questions about Danish NSA-partnership (October 20, 2014)
- Information: NSA ‘third party’ partners tap the Internet backbone in global surveillance program (June 19, 2014)

- English homepage of the Danish Defence Intelligence Service (DDIS)


In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties