February 2, 2022

Head of Danish military intelligence arrested but independent inquiry finds no wrongdoing

(Updated: November 13, 2023)

Unprecedented developments in Denmark: a former defense minister as well as the head of the military intelligence service FE have been charged for disclosing highly classified information, for which the latter has even been imprisoned.

Here I will provide more details about the arrest of FE head Lars Findsen and the charges against defense minister Claus Hjort Frederiksen, followed by a summary of how the crisis has developed, the recent conclusions of an independent investigation and finally the similarities to the Snowden case.


FE head Lars Findsen (left) and former defense minister Claus Hjort Frederiksen
(photos: Liselotte Sabroe/EPA-EFE & Johannes Jansson/Norden)



FE head Lars Findsen arrested and imprisoned

On January 10, the Danish broadcaster DR reported that Lars Findsen had been arrested on Copenhagen Airport on December 8, 2021, after he had been under surveillance by the Danish police intelligence service (Politiets EfterretningsTjeneste or PET).

It's a wry turn of fate as Findsen himself had been the head of the PET from 2002 to 2007. Since 2015 he led the Danish military intelligence service (Forsvarets Efterretningstjeneste or FE), before he was suspended in August 2020.

Update:
On April 4, 2022, DR reported that the PET had apparently bugged Findsen's house in order to find out whether he revealed classified information to family members, which is a very intrusive method that is only used in the most serious cases.

According to DR, the PET set up a special investigation after on September 30, 2020 the Danish newspaper Berlingske published a long piece with unprecedented details about the cooperation between the FE and the NSA. The investigation intensified when in May 2021 news media from several European countries provided additional details based upon nine sources with access to classified information (see below).

On the same day as Lars Findsen, the PET arrested three other current and former employees of the FE and the PET. Just like Findsen, they are accused of the unauthorized disclosure of highly classified information in violation of section 109(1) of the Danish criminal code, which is punishable with up to 12 years in prison.

This came quite unexpected because section 109 was only used once before, as it is meant for cases of treason and espionage, comparable to the American Espionage Act of 1917. In Denmark, leaks by government employees were usually charged under a much less strict law which can lead to imprisonment for only up to two years.


The headquarters of the Danish police intelligence service PET


The exact charges against Findsen haven't been made public, but according to DR News it's about leaking information to the press. Just before a hearing behind closed doors at Copenhagen magistrate's court on January 10, Findsen exclaimed to the press: "I want the charges brought forward and I plead not guilty. This is completely insane". Findsen has to stay in prison at least until February 4, the other three have been released on bail.
Updates:

On February 4, the court gathered behind closed doors again and decided that Findsen has to stay in custody for another four weeks. Highly unusual was the fact that it took some 8 hours to reach that decision. Findsen appeared in court carrying the 2017 war novel All the Light We Cannot See by Anthony Doerr.

On February 17, an appeals court ordered that Findsen had to be released from prison because although there's "a well-founded suspicion" that he violated Danish law by disclosing intelligence information, the court "didn’t find that the conditions for a pre-trial detention are met."

Already in December 2021, the head of the PET and the acting head of the FE visited the main Danish media outlets and warned that their editors could also be charged under section 109. On January 4, eight journalists from six media were summoned for questioning as part of the police investigation into the leaks about the FE.

A possible explanation for this intimidation could be that the Danish government wants to demonstrate that they will punish leakers severely and do everything to prevent any further leaks in an attempt to comfort the FE's foreign partners, especially the Americans, who are likely highly disturbed by the recent developments.

This could risk the continuation of the intelligence cooperation, for which mutual trust is the most important factor: intelligence agencies will only be willing to share their secret information when they are convinced that the other side will keep the information just as secret and will not misuse it in any way.



Lars Findsen in his office as head of the FE, with two Cisco 7900-series IP phones,
apparently one for secure and one for non-secure calls
(photo: Ritzau/Jens Dresling - click to enlarge)


Charges against former Defense minister Frederiksen

The current crisis didn't stop at the imprisonment of Lars Findsen though: on January 14, it was reported that Claus Hjort Frederiksen, who was defense minister from November 2016 to June 2019, is also charged under section 109. This was made public in a brief press release which the Liberal or Venstre Party sent to Danish media.

As a member of parliament, Frederiksen has immunity, but the Liberal Alliance party doesn't want to lift it unless the Danish parliament gets full insight into a possible criminal case against him. In the press release he said that he never had the intention to harm Denmark or Danish interests.
Update:
On February 4, 2022, Frederiksen issued a statement on Facebook in which he said that the day before he got insight into the charges against him and that they are only based on newspaper articles and public debates.

During two interviews in December 2021 (with the television programs Deadline and Lippert), Frederiksen had been remarkably talkative about the FE's cooperation with the NSA, but he was also angry about how his successor as defense minister, Trine Bramsen, handled the case by suspending Findsen and some other officials, including a general responsible for the relations with the Americans.

Just recently it was revealed that on February 28, 2019, Frederiksen had arranged a meeting with the Oversight Board to convince them to drop their investigation into the FE in order to not endanger the cooperation with the NSA - a controversial move given the independent position of the Oversight Board, which accordingly continued its investigation that eventually sparked the current intelligence crisis.


Current Danish defense minister Trine Bramsen (left) and her predecessor
Claus Hjort Frederiksen (photo: Linda Kastrup/Scanpix)


After the revelations in the media, Frederiksen apparently felt free to explain and stress that the FE did nothing wrong: that spying on European countries is common practice and that to protect Danish citizens (i.e. to keep within the law) the FE had installed filter systems.

He was especially concerned about the relationship with the NSA, because in recent years, Denmark had reached almost the same level as the Five Eyes partnership, an achievement that his successor had put at risk now, according to Frederiksen.

There are actually several countries that claim a position very close to the Five Eyes, but fact is that Denmark is a so-called Third Party partner of the NSA already since 1954 and, as such, a member of the SIGINT Seniors Europe (SSEUR) and, between 2009 and 2014, of the Afghanistan SIGINT Coalition (AFSC).



Development of the intelligence crisis

The Danish intelligence crisis started on August 24, 2020, when the ministry of Defense issued a short statement saying that Lars Findsen and two other officials of the military intelligence service had been suspended from duty until further notice.

The same day, the Intelligence Oversight Board (Tilsynet med EfterretningsTjenesterne or TET) issued a press release with the unclassified results of an investigation that had been initiated by information provided by one or more whistleblowers. The main accusations were:
- The FE withheld key and crucial information and provided the Oversight Board with incorrect information;
- There were risks that the FE's collection activities led to unlawful collection against Danish citizens;
- The FE failed to investigate indications of espionage within the Ministry of Defense;
- There's a culture of insufficient legal awareness within the FE's management;
- There were activities in violation of the Danish law, including obtaining and sharing information about Danish citizens;
- The FE has unlawfully processed information about an employee of the Oversight Board.

On December 21, 2020 the Danish justice minister established the FE Commission (FE-kommissionen) to further investigate the allegations against the FE and to present a report within a year.




The Kastellet fortress in Copenhagen, the workplace of most of the FE's employees
(photo: Danish Air Force Photo Service)


The FE uses XKEYSCORE to process data from the cable tap

Meanwhile, Danish media came with unprecedented disclosures: on September 13, the newspaper Berlingske revealed how in the mid-1990s the FE, in cooperation with the NSA, started to tap a backbone cable containing communications from countries like China and Russia - very similar to Operation Eikonal (2004-2008) in which the NSA cooperated with the German foreign intelligence servce BND.

According to Berlingske, the communications of interest were extracted from the cable in Copenhagen and were then sent to the Sandagergård complex of the FE on the island of Amager. Part of the agreement between the US and Denmark was that "the USA does not use the system against Danish citizens and companies. And the other way around".

On September 24, 2020, the Danish broadcaster DR reported that after 2008, NSA employees traveled to Denmark to build a data center for a new system to process the data from the cable tap. The heart of this system is formed by XKEYSCORE, the sophisticated processing and filtering system for internet data used by the NSA and GCHQ.


The Sandagergård complex of the FE on the island of Amager,
where a data center was built specifically to store data
from the joint NSA-FE cable tapping operation.
(Click to enlarge)


According to DR News, the FE tried to develop a number of filters to ensure that data from Danish citizens and companies is sorted out and not available for searches. Former defense minister Frederiksen confirmed the existence of such filters, but also admitted that there can be no 100% guarantee that no Danish information will pass through.

Berlingske had also identified the whistleblower as a young IT specialist of the FE, who in 2013 became increasingly concerned, after which then head of the FE Thomas Ahrenkiel ordered an internal investigation, which found no signs of abuse by the NSA. The IT specialist, however, was not satisfied with this result and informed the intelligence oversight board somewhere in 2018 and provided them with new information in November 2019.



The NSA tried to spy on Danish and other European targets

On November 15, 2020, the Danish broadcaster DR published a story about two internal assessments from the FE, one from 2012 and another one from 2015 (or 2014?), which contain an analysis of the phone numbers and e-mail addresses (also known as selectors) which the NSA sent to the FE for collecting information from the cable tap.
- According to the analysis from 2012, the NSA submitted selectors for Danish targets, including the ministry of Foreign Affairs and the ministry of Finance, as well as the Danish defense company Terma.

- The 2015 analysis of selectors showed that the NSA also used the cable tapping cooperation to spy on targets in European countries like Sweden, Norway, the Netherlands, Germany and France, according to DR News.
On May 30, 2021, joint reporting by DR, SVT, NRK, Süddeutsche Zeitung, NDR, WDR and Le Monde revealed that the internal investigation which FE boss Ahrenkiel initiated in 2014 was codenamed Operation Dunhammer and concluded in May 2015 that the NSA had provided telephone selectors for Norwegian, Swedish, German, Dutch and French politicians and officials, including former German chancellor Angela Merkel and then foreign minister Frank-Walter Steinmeier.


This outcome is actually not very surprising, because from the German parliamentary investigation (2014-2017) into the cooperation between the NSA and the BND it also became clear that, among hundreds of thousands of identifiers for legitimate targets, the NSA had provided the BND with thousands of selectors related to European and even German targets, which in 2015 resulted in the "Selector Affair".




The FE Commission finds no wrongdoing

On December 13, 2021, the independent FE Commission finally presented its report about the accusations against the FE. Surprisingly, the commission found no evidence of wrongdoing by the FE and also found no basis to hold the former and current head of the FE, Ahrenkiel and Findsen, accountable.

The report from the FE Commission is classified, but its conclusion have been published on the commission's website. Because they are only available in Danish, I made a preliminary translation using Google Translate with some manual corrections, which can be found here.

Focusing on the most important accusations, the commission found no evidence that the FE provided incorrect information to the subsequent defense ministers nor to the Intelligence Oversight Board. The commission also found no basis for assuming that the FE has generally obtained and passed on information about Danish citizens in violation of the law.

Given everything that emerged from the various revelations by Danish media this conclusion came as a surprise, but it can probably be explained by the fact that spying on other European governments is not prohibited by Danish law, how embarrassing it may be when it becomes public.

And if the FE has a similar filter system as used by the German BND, then the Danish selectors which the NSA provided to the FE would have been blocked before they were entered into the actual collection system (see diagram below). This means no Danish data were selected and so there was also no violation of the law.




It's unclear whether the commission found any minor deficiencies at the FE. As we have seen during the German parliamentary investigation, employees of the BND's signals intelligence units often had little feeling with political sensitivities, while government officials didn't know about the complexities and limitations of the collection systems. Similar issues may have been the case at the FE.



Similarities to the Snowden case

Most recently, Edward Snowden also commented on the Danish intelligence crisis in an interview with the newspaper Politiken from January 22, 2022. In the interview, however, Snowden acted as if the cooperation between the NSA and the FE is a mass surveillance program that "violates the rights of hundreds of thousands, if not millions, of people every single day" while it's actually about selectors for individual and generally legitimate targets.

Snowden also seems convinced that "Danish communication will be intercepted in these programs. No country possesses the capabilities to filter out all the information of its citizens", but according to previous press reports, the controversial selectors were telephone numbers and those are quite easy to filter, because they include a country code. For internet communications this is much more difficult.

In the interview, Snowden said, again with maximum exaggeration, that he is impressed by the young IT specialist at the FE who started the current crisis: "it is hard not to be inspired by this person's courage and ability to do so. The person has investigated the investigators and caught them in breaking the law and the rights of everyone in Denmark and the whole world."

Edward Snowden during the interview with the
Danish newspaper Politiken, January 22, 2022


Unlike Snowden, the FE's IT specialist didn't go straight to the press when he became concerned about certain things at his work place, but initially followed the proper channels and addressed his concerns to the FE management. However, an internal investigation found no abuse of the cable tapping operation by the NSA.

Then the IT specialist acted very similar to Snowden: because he was not satisfied with this result he secretly started to gather internal information on his own: he "smuggled a recorder into his workplace, arranged meetings with colleagues and bosses for several months and recorded them in secret". In November 2019 he provided this to the intelligence oversight board, which also started an investigation.

Then defense minister Claus Hjort Frederiksen (now 74 and liberal conservative) tried to keep this behind closed doors in order not to endanger the longstanding cooperation with the NSA - which is the common way governments handle such intelligence issues.


What made the Danish case different is that his successor Trine Bramsen (40 and social democrat) followed the concerns of the oversight board and suspended FE chief Findsen. At that moment it seemed the IT specialist was right and that things were wrong at the FE.

But Frederiksen and maybe Findsen and other FE officials fought back by telling the press about the joint cable tapping operation in an apparent attempt to convince the public of the importance of the cooperation with the NSA.

Several months later it was revealed that the NSA had tried to spy on European and even on some Danish targets - highly classified information that may have been leaked by insiders hat shared the concerns of the IT specialist.

This fight through press leaks seriously threathened Denmark's intelligence position and therefore the government apparently saw only one option left, that of unprecedented tough measures against leakers, even when they defended the cooperation with the NSA.



Conclusion

Ultimately, the whole issue in Denmark boils down to the same positions we saw earlier in other countries that were affected by the Snowden revelations:
- People close to the intelligence agencies claim that their interception operations are strictly within the law, particularly by using filter systems to protect the communications of their own citizens.

- Outsiders usually think that bulk cable tapping is wrong anyway and that spying on governments and companies of friendly countries is also wrong, even when that's not prohibited by law.

Despite being seen as a former insider, Snowden represents the outsider position by claiming that cable tapping automatically means bulk collection and mass surveillance. In reality, bulk collection is usually limited to metadata, which are not used to monitor as many people as possible, but to find targets that were not yet known. Selectors for individual targets are then used to pick their communications from the cable just as targeted as a traditional wiretap.

It's likely that the NSA also acquired metadata from the cable tap in Copenhagen, but the Danish press reports didn't provide further information on this. During the similar operation Eikonal in Germany, the BND made sure the NSA only got 'technical metadata' and no 'personal metadata' like phone numbers and e-mail addresses (see diagram below).

All this shows once more that in order to make a good judgment about signals intelligence operations it's often necessary to look at even the smallest details of the technical systems that are involved.



Overview of the joint NSA-BND operation Eikonal (2004-2008)
(Click to enlarge)


UPDATE:

On November 1, 2023, the Danish prosecution service dropped its cases against the head of the FE Lars Findsen (59), former defense minister Claus Hjort Frederiksen (76) and a former employee of the police security service PET.

After the Danish Supreme Court had ruled that both cases should take place in public and sessions were only to be closed off whenever sensitive information was presented, the public prosecutor said that this would lead to the disclosure of highly classified information and was therfore not in the interest of national security.

In a reaction, the head of the PET Finn Borch Andersen noted that this is an unsustainable legal situation because it prevents the prosecution of cases in which state secrets are part of the evidence. He therefore called for new legislation for cases that include classified information.



Links and sources

- The Guardian: Scandinavian spy drama: the intelligence chief who came under state surveillance (Oct. 2, 2023)
- Politiken: Edward Snowden: Det, der foregår i Danmark lige nu, er en demokratisk skandale (Jan. 22, 2022)
- Peter Kofod: FindsenGate 1½ | Anbefaling & forbehold (Jan. 21, 2022)
- DR: Claus Hjort ville beskytte spionsamarbejde: Forsøgte at bremse kulegravning af Forsvarets Efterretningstjeneste (Jan. 21, 2022)
- Politiken: Eksperter: Claus Hjort afslørede meget dårligt bevarede statshemmeligheder (Jan. 19, 2022)
- De Volkskrant: Staat de veiligheid en geloofwaardigheid van Denemarken op het spel nu de inlichtingenchef in de cel zit? (Jan. 18, 2021)
- BBC: Danish spy scandal: Ex-minister accused of state secrets leak (Jan. 15, 2022)
- Intel News: Ex-director of Danish spy agency charged with treason in ‘unprecedented’ case (Jan. 12, 2022)
- DR: Hemmelig PET-taskforce aflyttede spionchef Lars Findsen i månedsvis for at afsløre læk til medierne (Jan. 10, 2022)
- DW: Danish spy chief detained over 'highly sensitive' leak (Jan. 10, 2022)
- Politiken: Kommission afviser alle anklager mod spiontjeneste og hjemsendte chefer (Dec. 13, 2021)
- DR: Forsvarets Efterretningstjeneste lod USA spionere mod Angela Merkel, franske, norske og svenske toppolitikere gennem danske internetkabler (May 31, 2021 - including timeline)

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties