German BfV - NSA Cooperation

The German newspaper Zeit is reporting that the BfV, Germany's national intelligence agency, (probably) illegally traded data about Germans to the NSA in exchange for access to XKeyscore. From Ars Technica:

Unlike Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), the domestic-oriented BfV does not employ bulk surveillance of the kind also deployed on a vast scale by the NSA and GCHQ. Instead, it is only allowed to monitor individual suspects in Germany and, even to do that, must obtain the approval of a special parliamentary commission. Because of this targeted approach, BfV surveillance is mainly intended to gather the content of specific conversations, whether in the form of e-mails, telephone exchanges, or even faxes, if anyone still uses them. Inevitably, though, metadata is also gathered, but as Die Zeit explains, "whether the collection of this [meta]data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts."

The BfV had no problems convincing itself that it was consistent with Germany's laws to collect metadata, but rarely bothered since -- remarkably -- all analysis was done by hand before 2013, even though metadata by its very nature lends itself to large-scale automated processing. This explains the eagerness of the BfV to obtain the NSA's XKeyscore software after German agents had seen its powerful metadata analysis capabilities in demonstrations.

It may also explain the massive expansion of the BfV that the leaked document published by Netzpolitik had revealed earlier this year. As Die Zeit notes, the classified budget plans "included the information that the BfV intended to create 75 new positions for the 'mass data analysis of Internet content.' Seventy-five new positions is a significant amount for any government agency."

Note that the documents this story is based on seem to have not been provided by Snowden.

Posted on August 28, 2015 at 9:23 AM • 17 Comments

Comments

Retired Old Fart • August 28, 2015 9:51 AM

Note that the documents that this story is based on seem to have not been provided by Snowden.

Hmm... and what is the significance of this?

Bob S. • August 28, 2015 9:56 AM

Negation of the right to privacy, free speech, free association and other fundamental human rights is rampant worldwide when it comes to electronic communication.

I tend to think the current generation of targets, suspects, unarrested criminals, terrorists, enemies of the state and potential customers formerly known as the citizenry is lost and has been sacrificed to the all seeing eye of big brother.

The key to turning it around is the children. They must be taught to be suspicious of corporate-military-police strangers and how to protect their communications.

I know a lot of very smart people who, in my opinion, have been brainwashed into thinking the wonderment and convenience of the internet is well worth the price of their liberty, freedom and property. They are wrong and will without a doubt regret their mistake, sooner or later. But for them, the glaze on their eyes when you talk about electronic security is impenetrable.

Anyway, teach the children to be safe. It can be done. It is a worthy mission.

sam • August 28, 2015 10:15 AM

@Retired Old Fart

> what is the significance of [not been provided by Snowden]

Let me badly paraphrase Alice's Restaurant:

If one person does it, they may think he's really sick (insane)
And if three people do it - they may think it's an Organization!
And can you imagine fifty people? Friends, they may think it's a MOVEMENT.

The theme is: Snowden isn't (or wasn't) the only person inside the industry who thinks it's 1/ wrong 2/ publicly notable.

deLaBoetie • August 28, 2015 10:48 AM

Seems to me there are three important issues to this, even granted that the BfV are actually doing the "right" thing with targeted surveillance and not using mass surveillance.

a) secret (and convenient) interpretations of the law with no independent oversight, or oversight by those clearly responsible for such - keeping this in the dark.
b) secret treaties, untroubled by democratic niceties or oversight
c) handing over data without local laws applying to its use

It would be to the point if lawyers' professional bodies around the world, specifically their ethics committees became more proactive with giving guidance to members that secret interpretations of law, unscrutinised by independent bodies is NOT justice, is unethical and against the rule of law that they should be upholding. And that they will be struck off if they collude in it, and do not report such attempts to their professional line of command and democratic oversight.

The current situation has strong analogies with the behavior of the American Psychological Association (APA), and their collusion with unethical torture.

Enoch Bouchet • August 28, 2015 12:34 PM

Not unlike the proliferation of nuclear weapons (which, funnily enough, was another gift from Uncle Sam to the world). Thank you for keeping us safe, guys...

rgaff • August 28, 2015 1:08 PM

@deLaBoetie

You forgot something:

a) BfV gives NSA all data about all Germans in exchange for access to XKeyscore.
b) NSA enters that German data into XKeyscore
c) BfV now no longer needs any "approval of a special parliamentary commission" of any kind to do anything they please with any German data whatsoever. They can just look it all up in XKeyscore. You might as well just disband all such commissions.

This is equivalent to the "end run" around the US Constitution that we do over here in the USA, by exporting all our data to friendly foreign nations, then re-importing it so we can do whatever we want domestically with no limitations whatsoever.

rgaff • August 28, 2015 1:25 PM

@z

I thought you said "collide" for a second... I guess I have a traffic accident on my mind :)

Grauhut • August 28, 2015 2:06 PM

The author is a real killer!

After reading his "Zeit" article about xkeyscore I had to clean my display, keyboard, workspace and change shirt. Sprayed some coffee... :)


"What exactly is XKeyscore?

Xkeyscore is a database system. It contains a collection of functions to sort and analyze data. It is based on the operating system Red Hat Enterprise Linux 5.7. This is totally out of date, current version is 7.1, but it is considered a mature, stable operating system. The NSA has removed all functions that normally serve to talk with other systems and programs. As if you were welding a car's doors in order to lock it and remove the windows and seats because you presume anyway only the engine is used and nobody drives with you therein. The database used for the analysis uses the common MySQL format.

All this is run by the Verfassungsschutz in Berlin on a computer that is not connected to the Internet or to other networks. Only the computer analysts are connected to it. The analysts access data via their Firefox browser connecting to the database.

NSA and BND use xkeyscore in order to search the Internet for clues and suspects. For them it is a kind of super-Google, they use it to find, for example, vulnerabilities in third-party servers. The Verfassungsschutz is not allowed to do so by the law. Xkeyscore as run by them, therefore, works as a completely closed system. ...

Xkeyscore recognizes and understands even the most exotic and app information contained in (internet data). All data is shown byte by byte in hexadecimal and analyzed on this lowest level of the data processing in a so-called hex editor.

The Verfassungsschutz therefore refers to xkeyscore as a "sorting tool". This analysis is very fast and large amounts of data, gigabytes are available, are no problem for the software."

http://www.zeit.de/digital/datenschutz/2015-08/bfv-verfassungsschutz-was-kann-xkeyscore

Alien Jerky • August 28, 2015 2:31 PM

On a semi-related note

http://www.cbsnews.com/news/appeals-court-reverses-ruling-that-found-nsa-program-illegal/

A federal appeals court on Friday ruled in favor of the Obama administration in a dispute over the National Security Agency's bulk collection of telephone data on hundreds of millions of Americans.

The U.S. Court of Appeals for the District of Columbia Circuit reversed a lower court ruling that said the program likely violates the Constitution's ban on unreasonable searches.


deLaBoetie • August 29, 2015 5:48 AM

@rgaff - I very much had the dangers of the outflanking manoeuvres you mention in my point c). In my opinion it's treasonable and trashing the rule of law for them to have done this, and the only circumstances they should be able to do the data sharing is under the same protection as provided by their local laws.

But that's very much not happening, and in fact, bulk data sets are being shared amongst the x-eyes, like shipping around radioactive toxic waste.

A Thought • August 30, 2015 4:44 PM

This whole "news" rests on the assumption that there is even a country called "Germany". After WWII, Germany as a country was dismantled and the German people underwent an extensive program of cultural manipulation and "re-education" with the only goal to cripple German culture and substitute it with a more "americanized" version. Acting as a puppet for NATO and American economy politic, Germany is nothing more than an administrative unit, slowly being cleansed from old remains.

Only if you accept this as historic fact, you can then understand why politicians and this nation's intelligence agency can sell out their own people to foreign countries while reporting it openly on television and in newspapers and no one really cares. No riots, calls for re-election - nothing.

Same applies for other countries within the European Union and NATO, which have crippled the sovereignty of member states to the extent of becoming nothing more than megaphones for the USA.

That's why there is never an uproar or real consequences as in the case of Snowden's release, cases of blatant corruption or simply lies being told and not even disguised as such. People can't do anything or simply are busy being consumer drones.


ifyouthought • August 31, 2015 11:55 AM

If you thought Deutschland had secret treaties and understandings with NATO and the USA, you should see, errr or not see, the secret documents relating to Nippon.

The approach to a white people run NAZI military state vs a fanatical our emperor is a God non-white people state was and *still is* quite different.

David • September 2, 2015 3:17 AM

All of the new immigrants and refugees from Syria, Afghanistan, and Libya will keep them busy. Meanwhile, the real terrorists will make sure to stay off the radar since everyone in the world knows about metadata and surveillance. We still have a while, one hopes, before Germany goes back to NS-Zeit and STASI status. Let's hope that does not really happen, but even a first step in that direction is reason enough to cause nausea. Those immigrants and refugees know they are targets, and they are not going to like it. Keep that in mind. And who would like a foreign country getting handed one's personal information? Nobody. Be ready for the headline, "Angry Refugees Feel Alienated and Betrayed in Germany."

Dirk Praet • September 2, 2015 1:54 PM

@ David

Be ready for the headline, "Angry Refugees Feel Alienated and Betrayed in Germany."

Reality check: Germany and Sweden are among the most hospitable countries in Europe when it comes to taking in refugees. Merkel has stated in public that asylum seekers can apply in Germany, even if they have entered the EU somewhere else.

And this in sharp contrast to most Eastern European and Baltic countries that are actively opposing European quota for equally spreading refugees over the entire EU, to the point that Germany is now threatening to revise the Schengen agreements. It's really outrageous that countries like Poland, the Czech Republic, Slovakia, Bulgaria, Romania and the like almost refuse to take refugees and are doing nothing for them while millions of their own citizens over the past decades have migrated to the West. The Icelandic government is doing a great job too: they generously offered to take in no less than 50 (fifty) Syrians.

As to the US, the prime culprit for the rise of Da'esh (IS) and the collapse of the entire Iraq-Syria region, they have recently made a major contribution to solving the problem by some stupid agreement with Turkey that is now waging full war on the Kurds, their Peshmerga being the only force on the ground that was actively succeeding in pushing Da'esh back. Pure genius, only to be topped by David Petraeus's recent suggestions to actively support AQ affiliate Al-Nusra in their fight against the Islamic Caliphate.

Is it any wonder that every person with even half a brain is trying to get away there? Millions of refugees have flooded into Turkey, Lebanon and Jordan. Hundreds of thousands of others are trying to make their way into Europe. Make no mistake about it: the entire continent over here is blaming batsh*t insane US foreign policy and their esteemed allies in the region for this human catastrophe.

Dirk Praet • September 2, 2015 7:19 PM

Correction to my previous post: Replace Bulgaria with Hungary. Bulgaria is in fact the only Eastern European country doing anything. For detailed statistics, see here (The Economist).

Máté Wierdl • September 23, 2015 9:09 AM

While this refugee/migrant crisis is off topic, I really would like to hear Mr Schneier's opinion on this. After all, the problem has two components: security of a country and the possible humanitarian care of the refugees.

It's one thing to have somebody knock on your door, and ask for shelter. It's another thing, when 100 people break your door down, refuse to tell you who they are, and try to dictate what you are supposed to do for them as they move through your home.

I remark that in evaluating what a given country could or should do for migrants, comparing population numbers is not enough to make an educated decision. For example, the average salary in Hungary is $10K, which is significantly below the US or German poverty levels. Consider also that Germany does have a need for workers, while Hungary has a significant unemployment rate and has no need for workers at all.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.