November 30, 2020

The NSA tried to spy on Danish and other European targets via cable tapping in Denmark

(Updated: December 2, 2020)

According to new revelations by the Danish broadcaster DR, the NSA tried to use its collaboration with the Danish military intelligence service FE to spy on targets in some other European countries and even on targets in Denmark itself.

Here, the new information about Denmark is compared with Germany, where similar accusations were raised in 2015 when it came out that the NSA provided the BND with thousands of selectors related to German and European targets.




New revelations from Denmark

The latest details about the cooperation between the NSA and the FE were published by the Danish broadcaster DR on November 15. This information comes from several independent sources with insight into internal reports from the FE.

In these reports, the FE management was warned about possible illegalities in the cable tapping operation that the Danish military intelligence service FE conducted in cooperation with the NSA.


An IT specialist from the FE, who blew the whistle on these issues and informed the Danish intelligence oversight board in November 2019, prepared or was involved in preparing at least two of these internal reports, according to DR News.

These two reports, one from 2012 and another one from 2015, contain an analysis of the phone numbers and e-mail addresses (also known as selectors) that the NSA sent to the FE in order to collect information from the cable tap.


Spying on Danish targets (2012)

According to DR News, the analysis of the selectors from 2012 revealed that the NSA used or had used the cooperation with the FE to spy on Danish targets, including the Ministry of Foreign Affairs and the Ministry of Finance, as well as the defense company Terma. This was discovered by an FE employee, who informed his bosses.

Sources of DR News said that the NSA entered keywords into the XKEYSCORE system that show they searched for e-mail addresses and phone numbers belonging to specific employees at Terma.

It's suspected that the Americans wanted information about Denmark's purchase of new fighter jets to replace the F-16. The Danish government eventually chose the American F-35 Joint Strike Fighter, for which Terma supplies components.


The factory of Terma Aerostructures in Grenaa where parts
for the F-35 fighter jets are produced (photo: Terma)


The revelation that the NSA was trying to spy on Danish targets is quite explosive, not only because it violates the agreement between the US and Denmark, which says that "the USA does not use the system against Danish citizens and companies", but also because it would be illegal for the FE to allow foreign espionage against Danish targets.


Protective filter system

Precisely to prevent that, the FE had installed a filter system to ensure that data from Danish citizens and companies is sorted out and not made searchable by XKEYSCORE, as DR News had reported on September 24.

A source of the Danish newspaper Berlingske explained that during the joint cable tapping operation, the NSA provided the FE with a series of selectors related to targets of their interest. These selectors were reviewed by the FE to make sure that they were not related to Danes and then entered into the system that filters the traffic from the backbone cable.

According to Berlingske, the searches on behalf of the NSA resulted in quite large data streams which were then, this time without further control by the FE, passed on to the Americans.

These press reports do not seem fully consistent with each other, though:

- The latest DR News report suggests that the NSA entered its selectors directly into XKEYSCORE (which is also able to perform the actual "front-end filtering") without mentioning the filter to protect Danes.

- The earlier press reports, however, say that the protective filter system either sorts out Danish data before they can be searched, or that it blocks selectors related to Danish targets before they become active in the actual collection system.

This is of some importance, because if the protective filter worked as described and intended, the NSA's selectors for Danish targets would not have resulted in actual intercepts - or just a very few, given that these kinds of filters are not 100% accurate.

As the NSA knew about this protective filter system, they may have simply relied on the FE to block anything that would not be in accordance with the Memorandum of Agreement, even though that does not seem to be the way it should have been.


The Sandagergård complex of the FE on the island of Amager,
where a data center was built specifically to store data
from the joint NSA-FE cable tapping operation.


Spying on European targets (2015)

In 2015, another internal FE analysis of selectors showed that the NSA at that time used the cable tapping system to spy on targets in some other European countries, including Denmark's closest neighbours: Sweden, Norway, the Netherlands, Germany and France, according to DR News.

Sources told the Danish broadcaster that the NSA apparently also searched for information about the pan-European Eurofighter and the Swedish fighter plane Saab Gripen. Both were in the race to become Denmark's new fighter aircraft, which was decided around the time that this spying happened.

Unlike the first report, the second one was prepared some two years after the start of the Snowden revelations and in the same year as the German "Selector Affair" (see below). Both events may have been an incentive for the FE to investigate whether the NSA was also using their collaboration to spy on other European countries.

We can assume that the FE has no filter system to prevent collection against other European countries, which means the NSA selectors related to European targets had likely been active in the collection system and may have resulted in an unknown number of intercepted communications.

Spying on foreign governments is usually considered fair game and this was probably also not prohibited by the agreement between the NSA and the FE. Nonetheless, it would be an embarrassment for Denmark if it turned out that the NSA used its partnership with the FE for spying on other European countries.





Comparison with Germany

The new information about the cooperation between the NSA and the Danish FE can be compared with the things we know about a similar cooperation between the NSA and the German foreign intelligence service BND, which included at least two joint operations:

- Eikonal: tapping cables of Deutsche Telekom in Frankfurt (2004-2008)
- Bad Aibling: satellite interception at the Bad Aibling Station (2004-2013)

For the cooperation at Bad Aibling, the NSA provided the BND with a total of roughly 690.000 phone numbers and 7,8 million internet identifiers, which is an average of about 165 phone numbers and 1900 internet identifiers each day (the actual number of targets is significantly lower because each e-mail address can have some 8 different permutations).

In 2015 this resulted in the "Selector Affair", when it came out that among the identifiers for numerous legitimate targets, the NSA had also sent thousands of selectors related to European and even German targets, which was in clear violation of the Memorandum of Agreement (MoA) with the BND.



The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)


Spying on European targets

Just like in Denmark, the Germans had found out that the NSA tried to spy on targets in other European countries. After severe political pressure, the German government agreed to let an independent investigator, Dr. Kurt Graulich, look at the suspicious selectors. In October 2015 he published his extensive, 250-page report about the issue.

Regarding the main list of almost 40.000 NSA selectors that the BND had rejected between 2005 and 2015, the investigator found that 62% belonged to government agencies of EU member states, 19% to Germans outside Europe, 7% to EU institutions, 6% to Germans, 4% to foreigners abroad, 1% to Germans in Europe and 1% to German embassies.


Spying on foreign governments and foreign defense companies does not violate German law, but investigator Graulich still considered it a clear violation of the Memorandum of Agreement, which allowed collection against European targets only for a very few specific topics.

Later in 2015 it was reported that the BND itself was also spying on for example the French foreign minister and the interior departments of EU member states like Poland, Austria, Denmark and Croatia, as well as on the FBI, the Voice of America and international organizations like the ICC, the WHO and UNICEF.

So, just as was the case at the BND, the FE might not have cared very much about the NSA selectors related to European targets, and just like the Germans, the Danes probably also spied on governments and certain companies from other EU countries themselves.



Spying on German targets

In 2015, the Germans had discovered that the NSA had apparently also tried to spy on German targets during their cooperation with the BND.

The examination of the NSA selectors by Dr. Graulich revealed that several hundred were related to German targets, mostly German companies, both inside and outside Germany. Selectors related to the German government were not found, which is an interesting difference to Denmark.

The reasons why the NSA was interested in these German companies could not be clarified by Dr. Graulich, mainly because the BND had no access to the NSA's motivations for each selector.

Just like in Denmark, it seems that the NSA sent their collaboration partner simply all the selectors they were interested in, with apparently little or no effort to pick out those that could be controversial.

Here too, the NSA seems to have relied on the foreign partner to block the selectors that would violate national law and the collaboration agreement. But even then this does not seem very smart, because it would potentially allow the partner to see what targets the NSA was interested in.


The DAFIS filter system

Just like the FE, the BND also has a filter system to prevent German data from being passed on to the Americans. From the German parliamentary investigation we know a lot more about this BND system, which is called DAFIS (for DAtenFIlterSystem) and checks not only the selectors that come in, but also the collection results that go out:



Overview of the dataflow for the NSA-BND cooperation at Bad Aibling


As can be seen in the diagram, all the selectors which the NSA wanted to be used for collecting (in this case) foreign satellite traffic first had to pass the DAFIS system, which checked them in an automated process of 3 stages:

Stage 1: A negative filter which blocks e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

Stage 2: A positive filter consisting of a list of foreign phone numbers and e-mail addresses used by German citizens, for example businessmen, journalists, but also jihadis when they are inside Germany.

Stage 3: A filter to sort out selectors that collide with "German interests", which mainly applies to European military contractors in which Germany participates (like EADS and Eurocopter, both part of Airbus now).

Selectors that were "approved" by the DAFIS system were entered into the tasking databases (Steuerungsdatenbanken) that fed the actual collection system. Communications that matched these selectors were picked out and were also sent through the DAFIS system for another check whether they might contain German data.

Only data that passed this double check were eventually transferred to the NSA. The selectors that were rejected by DAFIS were marked as "disapproved" to prevent them from being submitted again later on. The NSA knew and accepted that some of its selectors were blocked by the BND, according to the Graulich report.
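The three-stage selector check and the second check on outgoing results, sketched in Python as an added example (this is not BND code and not part of the original article). The list contents, the keyword matching used for stage 3 and the reuse of the same stages for outgoing data are assumptions, and all selectors are constructed.

```python
import ipaddress

# Constructed stand-ins: the real DAFIS lists and matching rules are not public.
GERMAN_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # documentation range
POSITIVE_LIST = {"h.mueller@example.com", "0033100000000"}  # foreign IDs used by Germans
INTEREST_TERMS = ("eads", "eurocopter")                     # assumed keyword match

def _in_german_net(s):
    try:
        addr = ipaddress.ip_address(s)
    except ValueError:          # not an IP address at all
        return False
    return any(addr in net for net in GERMAN_NETS)

def classify(identifier):
    """Return the stage that blocks this identifier, or None if no stage matches."""
    s = identifier.strip().lower()
    if s.endswith(".de") or s.startswith("0049") or _in_german_net(s):
        return "stage 1: negative filter"
    if s in POSITIVE_LIST:
        return "stage 2: positive filter"
    if any(term in s for term in INTEREST_TERMS):
        return "stage 3: German interests"
    return None

def screen_selector(selector, disapproved):
    """Inbound check: approve a selector for tasking or mark it disapproved."""
    s = selector.strip().lower()
    if s in disapproved:
        return ("disapproved", "previously rejected")
    reason = classify(s)
    if reason:
        disapproved.add(s)      # remembered so a resubmission is rejected at once
        return ("disapproved", reason)
    return ("approved", None)

def release_result(parties):
    """Outbound check: hand over an intercept only if no party is blocked."""
    return all(classify(p) is None for p in parties)
```

A foreign address that is missing from the positive list passes the inbound check, which is why such a filter cannot be fully accurate. The outbound check can still withhold an intercept when the other party to the communication is recognisably German.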

Most of the NSA selectors related to German targets had been blocked by the DAFIS filter. A smaller number of them had been active in the collection system for some period of time, but it is not known whether this resulted in the actual collection of communications (Erfassungen).



A European bazaar?

The way the NSA tried to spy on European targets through their collaboration with the BND and the FE is reminiscent of what Edward Snowden said in his written testimony for the European Parliament from March 2014:

"The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn't search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans.
Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.
Ultimately, each EU national government's spy services are independently hawking domestic accesses to the NSA, GCHQ, FRA, and the like without having any awareness of how their individual contribution is enabling the greater patchwork of mass surveillance against ordinary citizens as a whole."

This sounds like an accurate description, except that these joint operations with the NSA are not about "mass surveillance against ordinary citizens", as in both Germany and Denmark the NSA only provided selectors for specific targets like government agencies and companies in the defence industry, for example.

Nonetheless, spying on such targets in the partner country violates national law and the agreements between the NSA and their European counterparts, but for both the FE and the BND that didn't seem a very big concern, at least until the Snowden revelations.

One reason may lie in the fact that in general, these so-called Third Party relations with the NSA do not include a "no-spy" condition, so both parties are free to spy on each other, despite their otherwise close cooperation.

That may have kept the Danish and German intelligence agencies vigilant and let them install filter systems to make sure that no data from their country would be passed on to the Americans.

And the NSA, for their part, apparently assumed that their counterparts would do enough to protect their own data, so they didn't put much effort into sorting out the selectors to be used in these kinds of joint operations.



Links & sources

- Willy Van Damme: De F35 – Pleegde de Deense militaire veiligheidsdienst landverraad? (Nov. 23, 2020)
- DR News: Hemmelige rapporter: USA spionerede mod danske ministerier og forsvarsindustri (Nov. 15, 2020)
- DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
- Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
- The Register: The Viking Snowden: Denmark spy chief 'relieved of duty' after whistleblower reveals illegal snooping on citizens (August 25, 2020)
- The Graulich report: Nachrichtendienstliche Fernmeldeaufklärung mit Selektoren in einer transnationalen Kooperation (Oct. 23, 2015)


3 comments:

Cryptome said...

Can you identify the cable(s) that are tapped by reference to those listed on the Submarine Cable Map:

https://www.submarinecablemap.com/

P/K said...

@Cryptome:

The joint NSA-FE cable tapping operation in Copenhagen started in the mid-1990s, so it most likely involved a cable operated by the state-owned Tele Denmark, which was privatized between 1994 and 1998 and changed its name into TDC in the year 2000.

I have no information about the landline backbone cables in those days and submarine cables may also have been replaced, so I can't decisively point to the specific cable that was involved in this operation.

According to Submarinecablemap.com there are still two submarine cables nearby Copenhagen that predate the tapping operation:
- Denmark-Sweden 16, since 1991
- IP-Only Denmark-Sweden, since 1994

jmp0ut said...

Reminds me of when PIMS broke down, I fought by behest of PFP(partnership for peace) in the post cold war 1993 Asian nuclear crisis while NATO partners were busy with reforger, currently Finland are on a MAP projected to assist with actinide fallout activity in late summer across asia by mountain weight alone, good economics and sensible agricultural trade..

Soviet hq in India reminded me of why unicameral post-consumer technocrats wanted the earth to run on closed loop nucleating gases