October 28, 2020

Danish military intelligence uses XKEYSCORE to tap cables in cooperation with the NSA


Last August, it came out that a whistleblower accused the Danish military and signals intelligence service (Forsvarets Efterretningstjeneste or FE) of unlawful activities and deliberately misleading the intelligence oversight board.

Meanwhile, the Danish press was able to paint a surprisingly comprehensive and detailed picture of how the FE cooperated with the NSA in cable tapping on Danish soil.

It was further revealed that the Americans provided Denmark with a sophisticated new spy system which includes the NSA's data processing system XKEYSCORE.

A Danish paper also disclosed that the accusation of unlawful collection came from a young FE employee who is reminiscent of Edward Snowden. A newly established investigation commission now has to clarify whether he was driven by fears or by facts.


The Sandagergård complex of the FE on the island of Amager, where a new
data center was built for its deployment of the XKEYSCORE system



Cable tapping

In an extensive piece from September 13, the renowned Danish newspaper Berlingske (founded in 1749) describes how the FE, in cooperation with the NSA, started to tap an international telecommunications cable in order to gather foreign intelligence.

In the mid-1990s, the NSA had found out that somewhere under Copenhagen there was a backbone cable containing phone calls, e-mails and text messages from and to countries like China and Russia, which was of great interest to the Americans.

Tapping that cable, however, was almost impossible without the help of the Danes, so the NSA asked the FE for access to the cable, but this request was denied, according to Berlingske.


Agreement with the United States

The US government did not give up, and in a letter sent directly to the Danish prime minister Poul Nyrup Rasmussen, US president Clinton asked his Danish colleague to reconsider the decision. And Nyrup, who was a sworn supporter of a close relationship with the US, said yes.

The cooperation was laid down in a document, which, according to Berlingske, all Danish defense ministers had to sign "so that any new minister could see that his predecessor - and his predecessors before his predecessors - with their signatures had been part of this small, exclusive circle of people who knew one of the kingdom's biggest secrets."

The code name for this cooperation is not known, but it's most likely part of the NSA's umbrella program RAMPART-A. Under this program, which started in 1992, foreign partners provide access to high-capacity international fiber-optic cables, while the US provides the equipment for transport, processing and analysis:


Slide from an NSA presentation about RAMPART-A from October 2010


Agreement with a cable operator

To make sure that tapping the cable was as legal as possible, the government asked for the approval of the private Danish company that operated the cable. The company agreed, but only if it was approved at the highest level, and so the agreement was signed by prime minister Rasmussen, minister of defense Hækkerup and head of department Troldborg.

Because the cable contained international telecommunications it was considered to fall within the FE's foreign intelligence mandate. The agreement was prepared in only one copy, which was shown to the company and then locked in a safe at the FE's headquarters at the Kastellet fortress in Copenhagen, according to Berlingske.

This Danish agreement is very similar to the Transit Agreement between the German foreign intelligence service BND and Deutsche Telekom, in which the latter agreed to provide access to international transit cables at its switching center in Frankfurt am Main. The BND then tapped these cables with help from the NSA under operation Eikonal (2004-2008).


Processing at Sandagergård

Berlingske reported that the communications data that were extracted from the backbone cable in Copenhagen were sent from the Danish company's technical hub to the Sandagergård complex of the FE on the island of Amager. The US had paid for a cable between the two locations.

At Sandagergård, the "NSA made sure to install the technology that made it possible to enter keywords and translate the huge amount of information, so-called raw data from the cable tapping, into 'readable' information."

The filter system was not only fed by keywords from the FE, but the NSA also provided "the FE with a series of keywords that are relevant to the United States. The FE then reviews them - and checks that there are basically no Danes among them - and then enters the keywords" according to sources cited by Berlingske.

Besides this filtering with keywords and selectors, the FE and the NSA will also have used the metadata for contact-chaining, which means reconstructing which phone numbers and e-mail addresses had been in contact with each other, in order to create social network graphs - something the sources apparently didn't want to disclose to Berlingske.


Map of the current backbone cables around the Danish capital Copenhagen
and the Sandagergård complex of the FE on the island of Amager
(source: Infrapedia)


Trusted partners

Part of the agreement between the US and Denmark was that "the USA does not use the system against Danish citizens and companies. And the other way around". Similar words can be found in an NSA presentation from 2011: "No US collection by Partner and No Host Country collection by US" - although this is followed by "there ARE exceptions!"

The latter remark may have inspired Edward Snowden to accuse the NSA of abusing these cooperations with foreign partner agencies to spy on European citizens, but as a source told Berlingske:

"I can not at all imagine in my imagination that the NSA would betray that trust. I consider it completely and utterly unlikely. If the NSA had a desire to obtain information about Danish citizens or companies, the United States would simply turn to [the domestic security service] PET, which would then provide the necessary legal basis."

The source also said that "the NSA wanted to jump and run for Denmark. The agency did everything Denmark asked for, without discussion. The NSA continuously helped Denmark - because of this cable access. [...] Denmark was a very, very close and valued partner."

This close and successful cooperation was apparently one of the reasons for the visit of president Bill Clinton to Denmark in July 1997, according to Berlingske.


Danish prime minister Poul Nyrup Rasmussen and US president Bill Clinton
during his visit to Denmark in July 1997 (photo: Linda Kastrup)


A new spy system

In the wake of the FE scandal even more recent developments have been revealed: a report by the Danish broadcaster DR from September 24, 2020 provides interesting details about how the Americans provided Denmark with a sophisticated new "spy system".

After the FE got a new head of procurement in 2008, NSA employees frequently traveled to Denmark for quite some time to build the necessary hardware and install the required software for the new system, which DR News describes as extremely advanced. It also has a special internal code name, which the broadcaster decided not to publish. It's also this new system through which the alleged illegal collection of Danish data took place.

According to DR News, the NSA technicians were also involved in the construction of a new data center at the FE's Sandagergård complex on Amager that was specifically built to house the new spy system, which was taken into use sometime between 2012 and 2014. The cooperation between the FE and the NSA on this specific system was based upon a Memorandum of Understanding (MoU) signed by then FE chief Thomas Ahrenkiel.


Filter systems

The DR News report also goes into more detail about the interception process. It says that first, the intelligence service identifies a data stream that may be interesting, after which they "mirror" the light that passes through the particular fiber-optic cables. In this way, they copy both metadata and content, like text messages, chat conversations, phone calls and e-mails, and send them to the FE's data center at Sandagergård.

According to DR News, the FE tried to develop a number of filters to ensure that data from Danish citizens and companies is sorted out and not made searchable by the new spy system. The former Danish minister of defense Claus Hjort Frederiksen recently said that there was indeed an attempt to develop such filters, but at the same time he admitted that there can be no guarantee that no Danish information will pass through.



XKEYSCORE

DR News also reported that the heart of the new spy system is formed by XKEYSCORE, which was developed by the NSA and the existence of which was first revealed by The Guardian in June 2013.

The NSA's British counterpart GCHQ incorporated XKEYSCORE in its own system for processing bulk internet data codenamed TEMPORA and it can be assumed that the other Second Party partners (also known as the Five Eyes) also use this system, whether or not under a different codename.




From the Snowden documents we know that the NSA also provided XKEYSCORE to some of its Third Party partners: the German foreign intelligence service BND and domestic security service BfV, the Swedish signals intelligence service FRA and the Japanese Directorate for SIGINT. It is new though that the Danish military intelligence service FE uses the system too.

Some press reports seem to suggest that these partner agencies "gain access to XKEYSCORE" as if it would allow them to connect to a huge global mass surveillance system. The latter may be the case for the NSA's Second Party partners, but the Third Party partners are using XKEYSCORE only to process and analyze data from their own tapping points and are not able to access data from Five Eyes collection platforms.

Likewise, NSA analysts using XKEYSCORE don't have direct access to, in this case, Danish collection systems, only to data that the Danes agreed to share with the US as "3rd party collection".


Slide from an NSA presentation about XKEYSCORE from August 2008


How XKEYSCORE works

Glenn Greenwald presented XKEYSCORE as the NSA's "widest-reaching" tool to collect "nearly everything a user does on the internet". This is misleading, because it's more about quality than about quantity: the system actually helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

The NSA has XKEYSCORE installed at some 150 data collection sites all over the world. There, it creates a rolling buffer of 3 to 5 days of content and around 30 days of metadata, which can be remotely searched by analysts. They can use traditional selectors like phone numbers and e-mail addresses to pick out data of interest, but that's the old way and how other agencies perform bulk collection.

Filtering on phone numbers and e-mail addresses became less useful because targets know that this happens and have shifted to anonymous ways of communicating over the internet. The novelty of XKEYSCORE is that it enables analysts to find exactly those anonymous communications. For that purpose it reassembles IP packets into their original format ("sessionizing"), like Word documents, spreadsheets, chat messages, etc.



Diagram showing the dataflow for the DeepDive version of XKEYSCORE


Once restored, these files can be searched for characteristics that are related to certain targets or target groups, like the use of encryption, the use of the TOR network, the use of a language different from that of the place where someone is located, and many combinations thereof. In this way, analysts can discover new targets and then start monitoring them more closely.

XKEYSCORE was also mentioned in a classified file from the German BND, which contains a diagram that shows the difference between XKEYSCORE and traditional collection systems: in the traditional set-up, IP packets from a data stream were reassembled and then went through a filter to select only those of interest, which were forwarded for further analysis. XKEYSCORE could do all that at once.






Unlawful collection?

Now that the various disclosures by the Danish press provided quite some insight into the FE's cable tapping activities, how about the abuses it's accused of?

According to DR News, it was the newly installed spy system through which the alleged illegal collection of Danish data took place. In the first place we can assume that the filters were not able to block all the communications related to Danish citizens, residents or companies, but this is of a technical nature and not intentional.

Another option is that the FE itself, or the NSA, fed the system with selectors (like phone numbers and e-mail addresses) that would result in the collection of Danish data. The NSA would not have been allowed to do that under the agreement with the Danes, while for the FE this would be against the law.

According to a source cited in the aforementioned Berlingske newspaper article, there was one case in which "the NSA sent a request to search for a company in a country in Asia, but when the FE checked the selector, it discovered that the company was Danish-owned, whereupon the request was rejected".

This shows that, just as was the case in Germany, the NSA's interest was quite "broad", but that the FE did its best to protect Danish subjects and blocked such requests where possible.

A third option is that the illegal collection took place through the additional data search capabilities of the XKEYSCORE system, which is imaginable because here the search criteria are applied to characteristics of the content of the communications, instead of the people who are involved.

According to Berlingske, the whistleblower who informed the intelligence oversight board "feared that the management of the Defense Intelligence Service was doing US business by leaving its special system with technical vulnerabilities that allowed the National Security Agency to abuse it."


The whistleblower

Berlingske was also able to identify the whistleblower as a younger employee of the FE, working as an IT specialist - a striking similarity to Edward Snowden. The paper says that in 2013 he became increasingly concerned, but it's not clear whether this may have been caused by the Snowden revelations, which started in June of that year and included reports about XKEYSCORE, the system that had just been installed at the FE.

As the IT specialist insisted on his criticism, then head of the FE Thomas Ahrenkiel decided - without informing the Americans - to set up a technical working group to go through the system looking for vulnerabilities or signs of abuse by the NSA. As reported by Berlingske, the IT specialist himself also participated in the working group, with the aim of reassuring him. In 2014 the group concluded that there were no signs of illegal intrusion.

For the FE the case was closed, but, as reported by Berlingske, the IT specialist was not satisfied and "he made a drastic decision and smuggled a recorder into his workplace, arranged meetings with colleagues and bosses for several months and recorded them in secret" - again a kind of persistence very similar to how Snowden operated. But unlike Snowden, the Danish whistleblower did not contact the press, but eventually informed the intelligence oversight board.


Danish defense minister Trine Bramsen (left) and her predecessor
Claus Hjort Frederiksen (photo: Linda Kastrup/Scanpix)


Investigations

Berlingske reported that the recordings provided "hours of covert footage with employees of the service, some of which [...] have expressed themselves in a way that confirms the suspicion that the FE may have acted illegally and not intervened adequately to prevent data on Danes from being disclosed." In November 2019 they were handed over to the intelligence oversight board, which in December informed defense minister Trine Bramsen.

Unlike her predecessor, Bramsen apparently took these kinds of accusations very seriously and urged the oversight board to conduct an investigation, which on August 24, 2020 resulted in the sudden suspension of the head of the FE and a few other officials (meanwhile they have returned again, but in other positions).

On October 5, the Danish government decided to submit a bill to establish a special commission that has to carry out an independent and impartial investigation into the accusations against the FE, which has to present a report within a year.



Conclusion

In 2013, a young IT specialist at the FE became worried that this intelligence service could have illegally spied on Danish citizens. This was not only in accordance with Snowden's (unsubstantiated) narrative, but also a fear that had lived in Denmark since its domestic security service PET had been accused of monitoring ordinary Danes in 1998.

Meanwhile it has turned out that Snowden was driven more by fears than by facts - could that also have been the case with the FE whistleblower? Based on what has been published so far, he apparently tried to find evidence even after an internal investigation concluded that the NSA wasn't abusing the FE's collection system.

In recent years, the NSA and the German BND have also been accused of massive illegal domestic spying. Thorough investigations have shown that was not the case, although their employees were sometimes careless and it was technically not always possible to do what was legally required.

Was this also the situation at the Danish military intelligence service? The recently established investigation commission will show.



Links & sources

- Comments at Hacker News
- Berlingske: Særlig undersøgelseskommission skal kulegrave FE-sagen (Oct. 5, 2020)
- Politiken: Debat om kabelaflytning gav tårer i Sverige og folkeafstemning i Holland (Oct. 1, 2020)
- DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
- Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
- The Local: Danish intelligence scandal related data sharing with US agency, according to media (August 28, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- BBC: Danish military intelligence head Lars Findsen suspended (August 24, 2020)


5 comments:

Anonymous said...

"In recent years, the NSA and the German BND have also been accused of massive illegal domestic spying. Thorough investigations have shown that was not the case, although their employees were sometimes careless and it was technically not always possible to do what was legally required."
Either you are above the law or you are not.

"Meanwhile it has turned out that Snowden was driven more by fears than by facts - could that also have been the case with the FE whistleblower?"
A state or collection of powerful states where the Government has total control over the citizenry is a Police State. That fear is 100% justified. Power corrupts - anyone self-deluding that human beings have evolved beyond that, instantly precludes their right to be taken seriously in such a debate.
Or to put it another way: You do not avoid Totalitarianism by implementing the tools of Totalitarianism and praying they will not be misused.
Evidence? History is full of precedents for power corrupting and dictatorships acting first by stealthy infiltration.
Learn.

P/K said...

@Anonymous:
Here it's about the NSA and the Danish FE, which are military and signals intelligence agencies, collecting information about foreign targets. Sometimes that requires access to data streams on domestic soil and there are problems with separating foreign and domestic communications, but that has little to do with totalitarianism.

Totalitarianism is about control over your own population - for that we have to look to law enforcement and domestic security services, like the FBI. In western countries and even in the US their powers are much more restricted and controlled than those of most foreign intelligence agencies.

I agree that there are worrying developments, like the militarization of the police and their use of predictive intelligence methods. We can learn from the foreign intelligence agencies how powerful those tools can be, but when it comes to the dangers, the legal and practical framework is different.

Ivan Bobev said...

> Part of the agreement between the US and Denmark was that "the USA does not use the system against Danish citizens and companies. And the other way around". Similar words can be found in an NSA presentation from 2011: "No US collection by Partner and No Host Country collection by US"

At first glance, it sounds OK, but what if the US has similar agreements with some neighboring countries (and as mentioned in the article it has) and uses the data collected via them against Danish citizens and companies and vice versa? Everything will be perfectly legal, but in practice, no one is safe and the creators of the system who have agreements with many countries have a huge advantage over their so-called "partners" because they are aggregating the big picture, but "the partners" have some guarantees only about the data which is transferred via them and have no guarantees even about it when it leaves their country.

Anonymous said...

Ivan:
Very good point.

Anonymous said...

The tools of totalitarianism, wonder what those are?

https://xkeys.com/software/developer.html

Andrey Mirtchovski - @ lanl.gov

And his subsequent obituary..

https://www.dignitymemorial.com/en-ca/obituaries/calgary-ab/andrey-mirtchovski-9382591

Who would have thought the "People's Liberation Front" were employed gainfully at the Los Alamos Nuclear Science Laboratory.. Oh so that's how the Lord Marshal got the nuke...

Right under their own nose... Way to go NSA!