Comments

Jojo May 17, 2006 12:48 PM

But the Verfassungsschutz is for internal affairs, the MAD (Militärischer Abschirmdienst) is for the issues of the Bundeswehr (army) and we have the BND (Bundesnachrichtendienst) which is for foreign affairs.

Valentin May 17, 2006 1:00 PM

Comparing BSI and NSA is a bit far-fetched. BSI employs like 400 people ... and its role (at least officially) is only defensive, i.e. securing computer systems (especially those owned by the state), not spying on anyone.

Klaus May 17, 2006 1:31 PM

Even though it is also a government agency, the BSI is basically the opposite of the NSA, since one of its goals (in addition to improving general IT security) is providing Counter-Eavesdropping technologies for the administration but also the general public, e.g. IT companies (see their own web page: http://www.bsi.bund.de/english/department3.htm).

Nicholas Weaver May 17, 2006 1:48 PM

One thing people forget is that the NSA has two roles. There’s the “Spy on everyone else” role, and there is the “Keep our systems safe” role.

Jorge May 17, 2006 3:32 PM

What’s probably important to know for non-Germans is that the BSI, contrary to the NSA, has a good reputation, especially a reputation for suggesting sensible things and actually sponsoring security-enhancing projects (e.g., an own Debian-based Linux desktop distribution targeted at other government agencies). Part of their activities even entered official open source packages, like their S-MIME/OpenPGP efforts – see http://www.gnupg.org/aegypten/.

With all the insanity that happens in governments around the world (our own, too), it is refreshing to have some people who still use their brain.

Jonas May 17, 2006 4:37 PM

They are like the NSA only in the way that they have a lot of good people who seem to understand cryptography and computer security. They opposed the “Epassport”-initiative, they provide and support open-source cryptography software and they analyze security vulnerabilities.

They do not, in any way, spy on people. It’s simply not their role. In fact, spying on people in Germany is primarily the NSA’s job, who shares its results with the German government, but we also just had a huge scandal with the BND (= CIA equivalent) eavesdropping on journalists for almost a decade.

So your statement is certainly not entirely true.

Fuzzy May 17, 2006 9:12 PM

@Jorge

The NSA has also sponsored security-enhancing projects, like SELinux (Security-Enhanced Linux). http://www.nsa.gov/selinux/
The NSA has also published guides to help secure systems (Security Configuration Guides). http://www.nsa.gov/snac/
As Nicholas pointed out, the NSA is also charged with helping to protect computer systems.

RandomEvent May 18, 2006 1:41 AM

@Fuzzy
NSA and BSI are both sponsoring open source software but the BSI is definitely not the equivalent of the NSA. The BSI is just the appropriate authority of the German government for everything which has to do with information technology. The BSI is neither monitoring civilian telephone, fax and data traffic nor integrated in operations of the army.

Rochus May 18, 2006 4:11 AM

The closest equivalent to the BSI is the NCSC – with the difference, that the NCSC is part of the NSA, but the BSI is not part of any intelligence agency.

Clive Robinson May 18, 2006 11:02 AM

Bruce,

You have forgotten to mention that Germany, unlike most other countries, has quite good laws for protecting their citizens from unwarranted search. This also carries over to the electronic realm as well so they end up with some of the best privacy laws around.

This is due in the main to the problems caused by a certain little corporal who thought he could rule the world by any means he and his cronies deemed necessary…

Interestingly their security services make a lot lot less noise about “super criminals” using “hard crypto” etc…

Till May 18, 2006 7:46 PM

  • I agree that the BSI does a lot of good work and often makes sensible suggestions (the only exception I remember being their argument defending a small keyspace for e-passports).
  • The law establishing the BSI mentions support of law enforcement and the Constitution Protection Offices (http://en.wikipedia.org/wiki/Verfassungsschutz) as one of their jobs. However, the law also says that every such request for support has to be documented. Here’s a rough translation of the relevant paragraph

    “BSIG § 3 (1) The BSI has the following mission: […] 6. Support of a) the police and law enforcement agencies in the execution of their mission as defined by law, b) the Constitution Protection Offices in the analysis and evaluation of information gathered during the observation of terrorist activities or [of??] intelligence activities within the limits set by the state and federal laws concerning the Constitution Protection Offices. This support may be provided only in so far as it is necessary to prevent or investigate activities that are targeted against Information Security or make use of Information Security.”

Source: http://www.bsi.de/bsi/bsiges.pdf

  • The BSI used to be part of the crypto division (Zentralstelle für das Chiffrierwesen, ZfCh) of Germany’s equivalent of the CIA, the Bundesnachrichtendienst (BND). See the official history of the BSI (in English): http://www.bsi.de/english/history.htm .
  • Googling found this 1995 inquiry by German members of parliament (Green Party):

http://dip.bundestag.de/btd/13/033/1303313.pdf

They compare ZfCh to NSA and GCHQ and ask how BSI deals with the seemingly conflicting goals of helping the general public improve computer security and helping the BND (and MAD?) gather intelligence. Here’s the federal government’s reply:

http://dip.bundestag.de/btd/13/034/1303408.pdf

They deny that the BSI has conflicting goals. Most importantly, on p. 8, they deny that in 1991-1995 any support has been provided to the intelligence agencies BND, MAD, and the Constitution Protection Offices. This was more than 10 years ago, when the BSI didn’t even have a website, so who knows what they’re doing now. I also would like to know what checks and balances are in place.

This is not some twist by the Government, but included in Germany’s constitution under the umbrella of a “defensive democracy”. In three words, Hitler was elected.

falsepositive May 18, 2006 7:53 PM

Well, you’re basically right about the laws, Clive – but the laws aren’t worth too much when agencies like the BND ignore them frequently… and sadly, the current developments (data retention etc) aren’t too encouraging.

Thomas May 19, 2006 3:16 AM

Clive,
the protection of the privacy of European citizens will end soon when the European countries implement the European Data Retention Act into national law… 🙁

Till May 19, 2006 10:12 AM

I agree that the BSI does a lot of good work and often makes sensible
suggestions (the only exception I remember being their argument
defending a small keyspace for e-passports).

  • The law establishing the BSI mentions support of law enforcement and
    the Constitution Protection Offices
    (http://en.wikipedia.org/wiki/Verfassungsschutz) as one of their jobs.
    However, the law also says that every such request for support has to be
    documented. Here’s a rough translation of the relevant paragraph

    “BSIG § 3 (1) The BSI has the following mission: […] 6. Support of
    a) the police and law enforcement agencies in the execution of their
    mission as defined by law, b) the Constitution Protection Offices in the
    analysis and evaluation of information gathered during the observation
    of terrorist activities or [of??] intelligence activities within the
    limits set by the state and federal laws concerning the Constitution
    Protection Offices. This support may be provided only in so far as it is
    necessary to prevent or investigate activities that are targeted against
    Information Security or make use of Information Security.”

Source: http://www.bsi.de/bsi/bsiges.pdf

  • The BSI used to be part of the crypto division (Zentralstelle für das
    Chiffrierwesen, ZfCh) of Germany’s equivalent of the CIA, the
    Bundesnachrichtendienst (BND). See the official history of the BSI (in
    English): http://www.bsi.de/english/history.htm .

  • Googling found this 1995 inquiry by German members of parliament
    (Green Party):

http://dip.bundestag.de/btd/13/033/1303313.pdf

They compare ZfCh to NSA and GCHQ and ask how BSI deals with the
seemingly conflicting goals of helping the general public improve
computer security and helping the BND (and MAD?) gather intelligence.
Here’s the federal government’s reply:

http://dip.bundestag.de/btd/13/034/1303408.pdf

They deny that the BSI has conflicting goals. Most importantly, on p. 8,
they deny that in 1991-1995 any support has been provided to the
intelligence agencies BND, MAD, and the Constitution Protection Offices.
This was more than 10 years ago, when the BSI didn’t even have a
website, so who knows what they’re doing now. I also would like to know
what checks and balances are in place.

This is not some twist by the Government, but included in Germany’s
constitution under the umbrella of a “defensive democracy”. In three
words, Hitler was elected.

J. Asscroft May 21, 2006 3:46 PM

Jojo wrote:

But the Verfassungsschutz is for internal affairs, the
MAD (Militärischer Abschirmdienst) is for the issues of the Bundeswehr

But hey, the NSA is now for internal affairs as well, isn’t it?? ;->

Lasse Norson May 23, 2006 3:28 AM

The good reputation of BSI got some damage in the recent past. E.g., last year they excluded invited talker Andreas Pfitzmann, a German professor for privacy and IT-security, from BSI’s German IT-Security Conference, when they learned that his talk would criticize the use of biometrics. Also, some research results (especially regarding biometrics) are withheld from the public.
