16 May 2015

Study of BND Use of NSA Selectors for Spying on Europe

Peter Koop

Over the last couple of weeks, the German foreign intelligence agency Bundesnachrichtendienst (BND) was accused of helping the NSA by carelessly or even deliberately entering selectors used for spying on foreign targets in the German satellite interception system at Bad Aibling.

Here, recent outcomes of the German parliamentary inquiry will be combined with information from the various press reports, in order to provide a more integrated picture of what happened over the past years.

It becomes clear that BND did everything that seemed reasonable to prevent German data from being passed on to the Americans, but that they didn’t really care about whether NSA collected communications from other European countries.

It remains unclear to what extent BND is able to prevent German communications being collected from internet traffic.

This latest affair started on April 23, when the German magazine Der Spiegel reported that NSA apparently spied upon European and German targets for years, with the knowledge of the German foreign intelligence agency BND.

Other news reports inflated this to BND deliberately helping NSA in spying on these targets illegally, which led opposition leaders to accuse the German government of treason. This happened although by then there was no clear evidence, only sometimes confusing and not always very accurate press reports.

Committee hearings

Meanwhile there’s somewhat more clarity, also because last Thursday, May 7, the parliamentary committee investigating NSA spying and cooperation with BND (German: NSA UntersuchungsAusschuss, NSAUA) questioned three BND employees (designated R.U., D.B. and Dr. M.T.) who were involved in this issue.

The day before, May 6, the regular parliamentary intelligence oversight committee (Parlamentarisches KontrollGremium, PKGr) heard BND president Gerhard Schindler and Thomas de Maizière, currently the Interior Minister, but previously responsible for intelligence affairs at the Chancellery.

The cooperation between NSA and BND

The cooperation between NSA and BND which is at stake here, started with a Memorandum of Agreement (MoA) signed on April 28, 2002, in which both parties agree on joint espionage areas and targets, such as counter-terrorism, the battle against organized crime and against proliferation of weapons of mass destruction.

Two years later, NSA abandoned its Bad Aibling Station for satellite interception, which under the codename GARLICK was part of the ECHELON network. Most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to BND.

In return, BND had to share the results from its satellite collection with the NSA. For this cooperation the Joint SIGINT Activity (JSA) was set up, consisting of personnel from both NSA and BND. The Americans provided most of the equipment. The JSA was located at the nearby Mangfall Barracks and was closed in 2012.

Selectors

For the satellite interception in Bad Aibling, approximately 4 out of 5 selectors came from the Americans, the rest were German. According to the testimony of BND employee D.B., NSA started providing the Germans with phone numbers around 2005, followed in 2007 with selectors for IP communications. Most of them were related to Afghanistan.

According to Süddeutsche Zeitung, NSA provided BND with roughly 690.000 phone numbers and 7,8 million internet identifiers between 2002 and 2013. That is an average of something like 60.000 phone numbers and 700.000 internet identifiers a year, or 164 phone numbers and over 1900 internet identifiers each day.

Such selectors (German: Telekommunikationsmerkmale) include phone and IMEI numbers, e-mail, IP and MAC addresses of computers and tablets, but also other kinds of internet identifiers, like names, nicknames and chat handles. These are called “hard selectors”. It is not known whether “soft selectors” like keywords were also used.

How BND checks NSA selectors

The selectors provided by NSA were picked up by BND employees at Bad Aibling from an NSA server a few times a day. Initially their number was not very large. They were for example on Excel sheets which were checked manually at Bad Aibling.

Apparently talking about the Eikonal operation, witness D.B. explained to the committee that in the testing phase, one BND employee did this on his own, which led to a delay of one day. In 2007 NSA wasn’t satisfied with that and wanted the results in real-time.

3-stage filtering

Later, the number of selectors increased to a level that couldn’t be checked by hand anymore. A new procedure was set up, in which, at least since 2008, Bad Aibling personnel sent over the selectors to BND headquarters in Pullach once a week, without further inspection. At the headquarters, the selectors were checked in an automated process of 3 stages:

1. A negative filter which filters out e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

2. A positive filter consisting of a list of German citizens using foreign communication identifiers, for example businessmen, journalists, but also jihadis who have a foreign phone number. Numbers from this relatively large list of a few thousand numbers will also not be monitored.

3. A filter to sort out selectors that collide with German interests. Witnesses heard by the committee wouldn’t publicly explain how this works, but maybe in this stage selectors for European military contractors in which Germany participates (like EADS and Eurocopter, both now part of Airbus) are filtered out.

The only regular manual check is for false positives, because for example SIM cards can have an IMEI number that also starts with 49.

Although this filtering was considered 99,99% accurate, the witness R.U. admitted in the hearing on Thursday that this method is not always able to prevent German communications being intercepted, for example when a German citizen uses an Afghan phone number and/or is calling locally in Afghanistan. Such numbers would not be rejected for tasking, and there’s also no system that filters out spoken German language.
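An added example (not from the article, the inquiry or BND): a minimal Python model of the 3-stage check described above, showing which selectors are rejected and which pass because they carry no country marker. The lists, the stage-3 term match, the function names and all sample selectors are assumptions constructed for illustration.

```python
import ipaddress

# Constructed stand-ins; the real lists and stage-3 criteria are not public.
GERMAN_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # "IP ranges assigned to Germany"
GERMANS_ABROAD = {"0093700000001", "hans@example.org"}  # stage 2 list
INTEREST_TERMS = ("eads", "eurocopter")                 # stage 3, guessed from the article

def stage1_german_marker(kind, value):
    """Negative filter: identifiers that carry a German country marker."""
    if kind == "email":
        return value.lower().endswith(".de")
    if kind == "phone":
        return value.startswith("0049")
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in GERMAN_NETS)
    return False  # IMEI, MAC, nickname: nothing to match on

def check_selector(kind, value):
    """Return (decision, reason) for one selector."""
    if stage1_german_marker(kind, value):
        return ("rejected", "stage 1: German marker")
    if value.lower() in GERMANS_ABROAD:
        return ("rejected", "stage 2: listed German user")
    if any(term in value.lower() for term in INTEREST_TERMS):
        return ("rejected", "stage 3: German interests")
    if kind == "imei" and value.startswith("49"):
        # A leading 49 is not a country code here; route to the manual check.
        return ("manual", "possible false positive")
    return ("approved", "no filter matched")

# Constructed sample selectors.
SAMPLES = [
    ("email", "a.b@firma.de"),
    ("phone", "00491700000000"),
    ("ip", "192.0.2.10"),
    ("phone", "0093700000001"),        # Afghan number on the stage-2 list
    ("email", "export@eads.example"),
    ("imei", "490000000000000"),
    ("phone", "0093700000002"),        # Afghan number, user unknown: passes
    ("email", "someone@example.com"),  # generic domain: passes
]

def run(samples=SAMPLES):
    """Map each sample value to its (decision, reason)."""
    return {value: check_selector(kind, value) for kind, value in samples}

if __name__ == "__main__":
    for value, (decision, reason) in run().items():
        print(f"{value:24} {decision:9} {reason}")
```

The last two samples are the gap witness R.U. described: nothing in the identifier reveals who is using it, so the filter approves it.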

How to determine nationality?

During an earlier hearing, BND lawyer Stefan Burbaum said that in rare cases a conversation first had to be collected and listened to in order to determine whether the contents are under constitutional protection or not.

Likewise it is impossible to determine the nationality of the person using an e-mail address like for example “redgoose1432@hotmail.com” without further circumstantial information. Even the content isn’t always decisive.

We know that NSA analysts have to determine a “foreignness factor” for every selector, to rule out that it belongs to an American. For BND however it’s impossible to automatically check whether such a mail address could belong to a German. Witness R.U. reminded the committee that such cases are rather speculative, because generally selectors like phone numbers are only tasked when they have a connection to a known suspect or target.

How to check internet selectors?

During the hearing for the parliamentary inquiry, the witnesses mainly spoke about (selectors for) intercepting telephone calls, and they weren’t questioned about how internet communications are filtered.

This seems to be a missed opportunity, because for the latter it is much more difficult to sort out domestic communications. Phone numbers always start with a country code, but on the internet people use many kinds of identifiers that are not easily attributable to a specific country.

It would have been interesting to know how BND thinks they can prevent for example MAC addresses of devices used by Germans from being monitored, or to what extent it is possible to determine the nationality of people behind nicknames. This is important, not least because there are far more selectors for IP traffic than for telephony.

Positive filtering

It seems that BND tries to solve this issue with the positive filter, using a list of foreign identifiers used by German citizens. However, keeping such a list up-to-date would almost require an intelligence operation itself, but maybe they take a shortcut by requesting the phone numbers and e-mail addresses of Germans abroad from for example the foreign ministry, chambers of commerce and press organisations.

This seems doable for Germans, but it’s obvious that this is impossible for companies and citizens from other European countries. This explains why apparently some NSA selectors for European companies made it through BND’s selection system.

Economic espionage?

This doesn’t automatically mean NSA was conducting economic or industrial espionage. According to Süddeutsche Zeitung, there are only very few indications for that. The paper says NSA was mainly interested in certain companies because they were looking for illegal (arms) exports.

For example, the e-mail address of an Airbus employee who was probably targeted by NSA, reportedly belongs to someone who is responsible for applying for arms export licences, which shows that targeting commercial companies can very well have valid foreign intelligence reasons.

Discovery of suspicious selectors

Already in 2005, a BND employee discovered that among the selectors provided by NSA (at that time also used for the cable tapping under operation Eikonal), there were identifiers for the European defense contractors EADS and Eurocopter. These companies have no protection under the German constitution, but it was considered that such information shouldn’t be forwarded automatically. Selectors for French government officials were discovered somewhat later, according to witness D.B. last Thursday.

Then in 2008, a BND official informed the Chancellery saying that NSA was apparently going after its own interests in Europe too. At least by then, BND started sorting out suspicious NSA selectors and put them in a separate database.

Storing rejected selectors

This selection took place at BND headquarters, but after that, all selectors were sent back to Bad Aibling, where they were either entered into the collection system or stored in the rejected selectors repository (German: Ablehnungsdatei).

Although it could be interesting to know what NSA looks for but didn’t pass BND filters, witness D.B. said this database isn’t routinely looked at. He also said that NSA is informed about the selectors that have been rejected, which was apparently no problem for them.

Storing the rejected selectors was said to be useful because when NSA sends a suspicious selector again, it can be sorted out by checking against this list. Approved selectors are also sometimes marked as inactive, for example when a foreign extremist travels into Germany. Then BND monitoring has to stop, but when he leaves the country, the selector is activated again.

40.000 rejected selectors

Until 2013, the Ablehnungsdatei was filled with some 40.000 NSA selectors which therefore didn’t make it into the collection systems. Initially, Der Spiegel reported that these 40.000 were found through an investigation in the Fall of 2013, suggesting they had been active all the time and that thereby, BND enabled NSA to illegally spy on some 40.000 targets.

Given the criteria of BND’s 3-stage filter system, these 40.000 must include NSA selectors that either have a German country code, a foreign identifier used by a German citizen or entity, or a match with the mysterious “German interests” criteria.

We don’t know how many selectors were rejected for each of these stages, but we can assume that in a number of cases NSA did send identifiers for targets that were recognizable as German. For selectors rejected in the second stage, NSA may not have known that a particular identifier was used by a German, something that BND could probably find out more easily.

We also don’t know how these 40.000 are divided among phone and internet selectors, which can also make a big difference, as it is much easier to attribute phone selectors to a particular country than it is for internet identifiers. Opposition leaders are demanding that the parliamentary investigation committee can see the list, but the government said they are still negotiating with NSA about this.

Investigating active selectors

In early August 2013, just several months after the start of the Snowden revelations, BND Unterabteilungsleiter D.B. asked technical employee Dr. M.T. to take a look at the active NSA selectors to see what types of identifiers they contain and whether it could be determined what regions NSA was interested in (Interessensschwerpunkte).

For that, Dr. T. was provided with a copy of the database containing all selectors used in Bad Aibling. This database copy was stored on a separate computer, because ordinary work stations couldn’t process such a large dataset.

To his surprise, he found selectors that seemed politically sensitive. He put them in a separate database, of which a single copy was printed out. This investigation took about four weeks and resulted in some 2000 suspicious selectors. These were still active at that time, unlike the 40.000 which were prevented from being activated.

The database containing all selectors was deleted after the job was done. The one with the 2000 sorted out by Dr. T. could not be found again after he had returned the dedicated computer.

Suspicious selectors deactivated

Immediately after finding suspicious selectors, Dr. T. informed his superior Referatsleiter H.K., who reported this to Unterabteilungsleiter D.B. Around mid-August 2013, D.B. called the unit in Bad Aibling and ordered Dienststellenleiter R.U. to deactivate (although press reports call it “delete”) the suspicious selectors in the tasking database.

For this, D.B. sent him the printed list with the 2000 selectors by courier. Using some specific criteria (possibly like those mentioned below), it was then possible to remove the suspicious selectors. Strangely enough, D.B. did not think all this relevant enough to report to the Chancellery.

Der Spiegel reported that in the hearing behind closed doors on May 6, BND president Schindler said that the list of 2000 selectors almost exclusively contains e-mail addresses, not of companies, but mainly of European politicians, EU institutions and government agencies.

The reason for that is clear, because as we have seen, BND didn’t systematically filter out such selectors. But at least this seems to confirm that preventing German selectors from being monitored was successful, and that therefore there’s no evidence that BND helped NSA in spying on German citizens, corporations or government officials.

Another investigation?

According to a report by Der Spiegel, BND employee R.U. was instructed on August 14, 2013 to “delete” some 12.000 search terms. These were apparently the outcome of an investigation in which BND’s database with NSA selectors had been searched using terms like “gov”, “diplo” and “bundesamt” (initially in some press reports erroneously presented as search terms provided by NSA).

This search had resulted in 12.000 hits (which doesn’t necessarily mean an equal number of selectors). The tabloid paper Bild am Sonntag reported that e-mail addresses containing the term “bundesamt” were targeted against Austrian government agencies and appeared in over 10 NSA selectors.

However, during the parliamentary inquiry, witness Dr. T. said that the three search terms mentioned by Der Spiegel and the number of 12.000 had nothing to do with his investigation. It’s therefore unclear whether there was a second investigation, or whether the press has mixed things up.

BND takes measures

In November 2013, BND president Schindler issued a new internal regulation, saying that at least BND selectors may not include European targets anymore.

Reportedly e-mail addresses ending with .eu will now be blocked and the same has to happen for all European partners. We can assume this also applies to their telephone country codes.

However, this won’t help European citizens, companies and organisations who are for example using phone numbers from outside Europe or mail addresses with a generic top level domain like .com, .org or .net. The new regulation is therefore most effective for preventing communications of European government agencies from getting caught in the filter systems.

Recently, BND asked NSA to provide a justification for each of their selectors. For telephone numbers, this was already the practice, but the Americans said that for internet selectors they needed more time. This led BND to stop the collection of internet data for the time being as of early last week. Phone and fax data are still collected and forwarded.

According to Süddeutsche Zeitung, there are currently some 4,6 million active selectors, most of them for filtering internet communications.

Results of the collection

After the approved selectors have been entered into the collection systems, these will automatically pick out all data for which there’s a match with one or more selectors.

These results are then converted into a readable format and stored in a database: metadata went into VERAS and content into INBE. From there, analysts can see whether it is relevant for the foreign intelligence as required by the government. If not, the data are destroyed.

Many metadata collected in Bad Aibling were automatically forwarded to NSA, after passing a final filter to sort out those related to Germans. According to the newspaper Zeit, BND collects about 220 million metadata each day, which is 6,6 billion a month. Up to 1,3 billion of these metadata are shared with NSA, an example being the 552 million metadata seen in a chart from the NSA tool BOUNDLESSINFORMANT.

Shortages

Content collected through selectors provided by NSA was also automatically forwarded after a final filter, but here, BND personnel in Bad Aibling also took random samples to check whether it contained German data.

Because of shortages in personnel and technical capacity, BND employees were fully occupied with the results from their own selectors, and therefore had no time to take a closer look at what came out for NSA. They simply relied upon the initial selector check. Only when BND’s own selectors didn’t provide useful results, they would take a look at the results of the NSA selectors.

Selected communication links

One important fact that was largely overlooked in the reporting on this issue, but was pointed to by BND president Schindler and one of the witnesses, is that the Bad Aibling station only intercepts satellite links from crisis regions in the Middle East and Africa. BND selects which satellites and which communication channels from those satellite links are intercepted; NSA is said to have no influence on that.

Interception results therefore include for example phone calls between Afghanistan and Pakistan or communications from European companies and agencies with activities in the Middle East. This would also minimize the chance that German communications were being collected.

No records kept

According to Der Spiegel, BND president Schindler said that his agency has no technical means to reconstruct which data were passed on to NSA as no records or statistics were kept on this. Earlier, BND employees also testified that their agency doesn’t count the raw data that come in, only the end reports.

This means that the lists of selectors can only show what NSA was interested in, but that we will probably never know what exactly the results from that collection were.

> BND president Gerhard Schindler will be questioned by the parliamentary committee during a public hearing on Thursday, May 21.
