May 12, 2015

German BND didn't care much about foreign NSA selectors

(UPDATED: January 2, 2017)

Over the last couple of weeks, the German foreign intelligence agency Bundesnachrichtendienst (BND) was accused of helping the NSA by carelessly or even deliberately entering selectors used for spying on foreign targets in the German satellite interception system at Bad Aibling.

Here, recent outcomes of the German parliamentary inquiry will be combined with information from the various press reportings, in order to provide a more integrated picture of what happened over the past years.

It becomes clear that BND did everything that seemed reasonable to prevent that German data were passed on to the Americans, but that they didn't really care about whether NSA collected communications from other European countries.

We also learned more about the selectors that are used for filtering communications traffic and it became clear that it is often difficult to determine the nationality of many types of internet identifiers.

Information from the parliamentary inquiry hearings is derived from the live blog provided by the German digital rights website Netzpolitik.org.



> See for the latest: New details about the selectors NSA provided to BND



The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images - Click to enlarge)


 
The context

The selectors affair started on April 23, when the German magazine Der Spiegel reported that NSA apparently spied upon European and German targets for years, with the knowledge of the German foreign intelligence agency BND.

Other news reports inflated this to BND deliberately helping NSA in spying on these targets illegally, which even led opposition leaders accusing the German government of treason. This although by then there was no clear evidence, only sometimes confusing and not always very accurate press reports.


Committee hearings

Meanwhile there's somewhat more clarity, also because on Thursday, May 7, the parliamentary committee investigating NSA spying and cooperation with BND (German: NSA UntersuchungsAusschuss, NSAUA) questioned the BND employees R.U., D.B. and Dr. M.T. (initials not of their real names, but of cover names!) who were involved in this issue.

The day before, May 6, the regular parliamentary intelligence oversight committee (Parlamentarisches KontrollGremium, PKGr) in a classified meeting heard BND president Gerhard Schindler and Thomas de Maizière, currently the Interior Ministor, but previously responsible for intelligence affairs at the Chancellery.

 
Update #2:

On May 20, 2015, the parliamentary investigation committee heard BND employees W.O., W.K. and D.B. about the issue of the selectors and the internal BND inquiries. New details from this hearing have been added to the relevant sections of this article. They are marked "Update #2".

In general, the witnesses from BND gave the impression that they don't look much further than the requirements and the responsibilities of their job. They just follow orders and that's it.

Update #3:

On May 21, 2015, the parliamentary investigation committee heard Hartmut Pauland, the former head of BND's SIGINT directorate, and BND president Gerhard Schindler. Details from this hearing have also been added and are marked "Update #3".

President Schindler admitted that the automated filtering of selectors was a mistake and that there were serious deficiencies in how this was handled internally. But he was also convinced that spying on European countries ("friends") isn't illegal, explicitly contradicting the opinion of three constitutional experts from the very first committee hearing.

Former SIGINT director Pauland said that with every newly disclosed Snowden-document, his people considered whether they were also capable of doing those things. In many things, NSA appeared to be way ahead of BND. Nowadays, signals intelligence is metadata-centric: from the metadata it's decided which communications are worth and useful to pick out for analysing their content.

Update #4:

After the Summer break, the commission started hearings about this subject again, and on September 10, 2015, BND employee W.O. testified for the second, and T.B. for the third time. Relevant details from this hearing have again been added to this article and are marked "Update #4".

Update #5:

On September 24, 2015, the commission heard three witnesses. For this topic there were relatively clarifying testimonies from BND employees D.B. and K.M., both having been questioned earlier. Since the late 1980s, K.M. worked in the Wortbankgruppe, which consists of 4 people who are responsible for checking the selectors before they are activated. Relevant details from this hearing are marked "Update #5".

Update #6:

On December 3, 2015, the commission heard BND employee H.K., who was head of several units in the Technical Division. He provided some additional details related to the selector affair. H.K. was heard for the second time on December 17, 2015, which didn't provide much new insights.

Update #7:

On January 28, 2016, BND employee D.B. testified for the fourth time. Some details he told are added and marked "Update #7".




BND president Gerhard Schindler just before he testified before
the parliamentary investigation committee on May 21, 2015
(Click to enlarge)



The cooperation between NSA and BND

The cooperation between NSA and BND which is at stake here, started with a Memorandum of Agreement (MoA) signed on April 28, 2002, in which both parties agree on joint espionage areas and targets, such as counter-terrorism, the battle against organized crime and against proliferation of weapons of mass destruction.
Update #3: This Memorandum, classified as Top Secret, is an extensive document, with 5 annexes, describing in detail the regions that should and should not be monitored. For reasons unknown, and also unknown to current BND president Schindler, these guidelines were never converted into internal regulations for the personnel that had to work on this.

Two years later, in 2004, the NSA abandoned its Bad Aibling Station (BAS) for satellite interception, that under the codename GARLICK was part of the ECHELON network. Most of the facilities, including nine of the large satellite dishes hidden under white radomes, were handed over to BND, which gave the facility the internal designation 3D30.
Update: During the hearing from October 2, 2015, former BND president August Hanning said that Bad Aibling station was not run by NSA, but by the US Army. Germany said the station was a violation of its sovereignty, but the US didn't want to give up this important facility easily. Then the following compromise was made.

Update: A BND document published by Wikileaks in December 2016 explained that originally, Bad Aibling Station (BAS) was a collection facility of NSA, but was transferred to the US Army in August 1994. NSA however kept a big role in tasking the satellite collection, which was mostly about Russian satellite communications and support for US troops in former Yugoslavia. In those days, BAS had some 650 employees.
The antennas were also used by BND for its own collection of Russian military satellite communications. From spring 1998 until June 30, 2011, the Joint Analysis Center (JAC) provided useful technical analysis of Russian satellite signals to both the Germans and the Americans.

In return for the station, BND had to share the results from its satellite collection with the NSA. For this cooperation the Joint SIGINT Activity (JSA) was set up, consisting of personnel from both NSA and BND. The Americans provided most of the equipment. For analysing the results there was the Joint Analysis Center (JAC).

The JAC and JSA were located at the nearby Mangfall Barracks and were closed in 2011 and 2012 respectively. According to BND vice-president Müller, his agency took over the software and hardware that NSA left behind in 2013, and checked it for backdoors.

Besides the satellite interception, Bad Aibling was also involved in cable tapping, but only under operation Eikonal (2004-2008), which was limited to cables from Deutsche Telekom in Frankfurt.



Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".

NSA Selectors

For the satellite interception in Bad Aibling, initially some 4 out of 5 selectors came from the Americans, the rest were German (currently still 4:1). NSA started providing the Germans with telephony selectors in April 2005, followed in 2007 with selectors for IP communications. They are classified as Secret* and most of them were related to Afghanistan.

According to Süddeutsche Zeitung, NSA provided BND with roughly 690.000 phone numbers and 7,8 million internet identifiers between 2002 and 2013. That is an average of something like 60.000 phone numbers and 700.000 internet identifiers a year, or 164 phone numbers and over 1900 internet identifiers each day.
 
Update #1: In the newspaper Die Zeit from May 19, 2015, the Left party member of parliament Martina Renner says that in August 2013, there were between 8 and 9 million active selectors. Other sources say 8,2 million.

Earlier, Süddeutsche Zeitung reported that currently there are some 4,6 million active selectors, most of them for filtering internet communications and related to 1,267 million people and corporations. If these numbers are correct, they would show a huge decrease of active selectors between 2013 and 2015.

Update #5: During the hearing of September 24, 2015, chairman Sensburg said that until 2013 some 8 million selectors were entered into the filter system, of which 4 million were activated. Since 2008, NSA provided 4 million selectors, of which 3 million were activated.

Selector databases

Not alle these selectors are still available as the so-called tasking databases (Steuerungsdatenbanken) have been restructured. Just recently, BND found two additional selector databases in the legal division of its SIGINT directorate: one containing some 400.000 selectors from early 2005, including some related to European governments, but it couldn't be determined whether selectors were rejected.

A second database contains 59.000 selectors from September 2006 till early 2008. 400 were marked as disapproved. Both lists contain phone and fax numbers as well as e-mail addresses, but no IP addresses. They don't include German companies or phone numbers starting with the German country code 0049.
Update #2: Already in 2005, there were separate databases for phone and internet selectors, which were newly set up in 2001. All selectors were first put in the database, and after they were checked, the ones that were rejected, were marked as inactive. So with all the old selectors staying in, and more and more new selectors came in, the database expanded rapidly.

Update #4: The selectors were entered into the database as "undefined". Once a week, the new NSA selectors were pulled out, checked at Pullach headquarters, and returned (often the same day) to the database as "approved" or "disapproved". BND selectors seem to have been activated immediately.

When the database was recreated in 2011, the number of selectors had risen to apparently some 14 million because no selectors were deleted and new ones came in continously.

Actually there were two databases: one for IP selectors (from NSA only), and one for telephone selectors (from both NSA and BND). Not involved in this inquiry is a separate database for IP selectors from BND only.
Each agency had access to its own IP database; the phone database was managed jointly, but BND could only approve or disapprove NSA selectors, and NSA could only do that with those from BND.

Types of selectors

Selectors generally include phone and IMEI numbers, e-mail, IP and MAC addresses of computers and tablets, but also other kinds of internet identifiers, like names, nicknames, chat handles and hashes. These are called "hard selectors". It is not known whether also "soft selectors" like keywords or maybe even cookies and malicious code signatures were also used in this cooperation.
Update #2: To the surprise of the commitee, witness W.O. testified that the category "IP selectors" does not include IP addresses, but denotes e-mail addresses and other internet communication identifiers, for example for messaging.

In general, for one target there are multiple selectors (German: Telekommunikationsmerkmale (TKM) but also Datenbegriffe or Suchbegriffe) like phone numbers or e-mail addresses. For the latter there can be multiple permutations, like using "%20" instead of a dot. The witness never saw the use of wildcards, like *@example.com.
 
Until 2012, the NSA sent the selectors in the form of a so-called "equation", which appears to be a record containing name(s), phone number(s) and e-mail address(es). An equation can contain up to one hundred selectors used by or related to a particular target. Besides phone numbers and e-mail addresses, an equation also contains the different ways of spelling and technical permutations thereof.

Because of this, when BND rejected say a phone number, BND employees in Bad Aibling had to ask NSA to remove that number from the equation, or else the other selectors in that equation were rejected too. It's always the full selector profile that has to be activated for collection. Until 2011 NSA saw all the selectors that were rejected by BND because of this.

As of 2011 these equations were split up and phone and internet selectors were each put in separate databases. This made it possible to reject individual selectors. Then the computer system combines these parts to their proper equations, which can now have for example a rejected phone number alongside an approved e-mail address. But if one part is disapproved, such an equation will not be forwarded to the collection system.

Update #3: According to president Schindler, e-mails can have up to 20 permutations, each of which is a separate selector, which explains the large numbers. He gave the example of gerhardschindler, gerhard.schindler, etc. However this seems a simplification, as such variations can of course belong to different persons with the same name.

Update #4: According to W.O. the equation format used by NSA only applied to internet selectors, although later on he says that an equation contains one phone number with wildcards and blanks.
Update #5: Witness D.B. confirmed that equations were only used for internet selectors.
 

How BND checks NSA selectors

The selectors provided by NSA were picked up by BND employees at Bad Aibling from an NSA server a few times a day. Initially their number was not very large. They were for example on Excell sheets which were checked manually at Bad Aibling.
Update #2: This check was only for the so-called G10-compliance, which means that selectors related to German citizens and corporations were taken out. Somewhere in 2005, BND also began to check for German interests, the meaning of that was determined by unit T2AB, which conducts these selectors checks.

Apparently talking about the Eikonal operation, witness D.B. explained the committee that in the testing phase, one BND employee did this on his own, which led to a delay of one day. In 2007 NSA wasn't satisfied by that and wanted the results in real-time.

 
3-stage filtering: DAFIS

Later, the number of selectors increased to a level that couldn't be checked by hand anymore. A new procedure was set up, in which, since June or August 2008, Bad Aibling personnel sent over the selectors to unit T2AB at the BND headquarters in Pullach once a week, without further inspection (until 2011 there was also a rarely used manual Emergency Approval).

At the headquarters, the selectors are checked in an automated process of 3 stages called DAFIS (probably the abbreviation of DatenFilterSystem):

Stage 1. A negative filter which filters out e-mail addresses ending with .de and phone numbers starting with 0049, but most likely also ranges of IP addresses assigned to Germany.

Stage 2. A positive filter consisting of a list of foreign phone numbers and e-mail addresses used by German citizens, for example businessmen, journalists, but also jihadis. Therefore, this relatively large list contains a few thousand numbers that will also not be monitored.

Stage 3. A filter to sort out selectors that collide with German interests. Witnesses heard by the committee wouldn't publicly explain how this works, but maybe in this stage selectors for European military contractors in which Germany participates (like EADS and Eurocopter) are filtered out.

The only regular manual check is for false positives, because for example SIM cards can have an IMEI number that also starts with 49.
Update #3: Former SIGINT director Pauland confirmed that stage 3 includes names of companies (also from other European countries when there's a German participation), but also names of German politicians (although not the names of the chancellor, members of parliament and EU commissioners), and newly added top level domains and country codes are blocked here too.

These names were not added systematically, but only after they stumbled upon them. The DAFIS filter system is used for all collection facilities. For metadata this filter is applied after they have been collected from specific links.
Update #5: Witness K.M. said that the criteria of stage 2 are checked daily. Regarding the keywords used as selectors, there are hardly any in Arabic or Cyrillic, and they once entered "bomb", which resulted in lots of garbage as "sexbomb" was also catched.

For DAFIS stage 2 there was a database of about 30.000 terms, and for stage 3 a list of no more than 500 terms (but heavily increased after the Snowden-revelations), against which new selectors are ran. Only few of these terms are IP-related.

For example when an analyst notices that a German calls using a foreign phone number, he informs the selector checkers, who add that number to the stage 2 criteria. Only since 2015 there's someone who is proactively searching to expand the positive list for stage 2. Before that, there was no effort to populate that list with all known Germans abroad from for example the foreign office or major German companies.

For the stage 2 database there are Sperrvermerke, saying that particular ones may not be forwarded to certain units or not collected at certain facilities to protect them against foreign agencies.

Initially, the whole selector database was checked quarterly, which took a day, and new selectors weekly; nowadays the whole set is checked every week. Reason for checking the entire set, is that new defeat criteria could have been added. Still not all selectors can be checked, partly due to personnel shortage.

Previously the selectors came ase equations, but nowadays, there's a new system that can also handle new media, but the witness was not allowed to provide further details.

Although the DAFIS filter was considered 99,99% accurate, witness R.U. admitted in the hearing on May 6 that this method is not always able to prevent German communications being intercepted, for example when a German citizen uses an Afghan phone number and/or is calling locally in Afghanistan. Such numbers would not be rejected for tasking, and there's also no system that filters out spoken German language.

BND also prevented that communications of American citizens would be collected, but the witnesses didn't explained how that was done.


How to determine nationality?

During an earlier hearing, BND lawyer Stefan Burbaum said that in rare cases a conversation first had to be collected and listened to in order to determine whether the contents are under constitutional protection or not.

Likewise it is impossible to determine the nationality of the person using an e-mail address like for example "redgoose1432@hotmail.com" without further circumstancial information. Even the content isn't always decisive.
Update: During the latest hearings, the e-mail address of the German EU commissioner Günther Oettinger, guenther.oettinger@ec.europa.eu, was taken as a real-life example. BND employees had to admit that (at least until 2013) an address like this wouldn't be blocked by stages 1 and 2 and probably also not by stage 3 of the DAFIS filter, so when it would result in hits, these would probably be forwarded to NSA.

We know that NSA analysts have to determine a "foreignness factor" for every selector, to exclude that it belongs to an American. For BND however it's impossible to automatically check whether such a mail address could belong to a German.

Witness R.U. reminded that such cases are rather speculative, because generally selectors like phone numbers are only tasked when they have a connection to a known suspect or target.
Update #1: As reported by Die Zeit on May 19, 2015, the Left party member of parliament Martina Renner said she found out that BND didn't check all these selectors for whether they contained suspicious ones, because there are more than 20 different kinds of selectors, and for 40% of the selectors (which would be over 3 million) it wasn't possible to attribute them to a particular country.

Update #3: Former SIGINT director Pauland said that selectors can be attributed to a particular country by for example a telephone country code, the extension of an e-mail address, a mobile phone cell-ID, or the IP address which is contained in metadata of certain messenger services.
He also explained that metadata include all data that are not content: not only an address, but also technical data that are generated automatically, and they can also include browser-specific features like the language.

Update #4: Witness W.O. testified that each cell phone selector has a label denoting the user, which can say that he or she is European. When a number is assigned to someone else, this can be detected by listening in and then the conversation is deleted.
W.O.'s superior T.B. said that German data are not only filtered out using the top-level domain .de, but that there are also other filters, the workings of which are classified.


How to check internet selectors?

During most of the hearings for the parliamentary inquiry, the witnesses mainly spoke about (selectors for) intercepting telephone calls, and they weren't questioned about how internet communications are filtered.

This seems to be a missed opportunity, because for the latter it is much more difficult to sort out domestic communications. Phone numbers always start with a country code, but on the internet people use many kinds of identifiers that are not easily attributable to a specific country.

It would have been interesting to know how BND thinks they can prevent for example MAC addresses of devices used by Germans being monitored, or to what extent it is possible to determine the nationality of people behind nicknames. This is important, not at least because there are far more selectors for IP traffic than for telephony.
Update #2: The way this is done became more clear during the hearings of May 20 and 21, when we learned that (internet) selectors come in "packets" (equations) that seem to include all known selectors for a particular target. Witness W.K. for example explained that for each target, there are multiple selectors, so when at least one selector can be attributed to a specific country, that also applies to the other selectors.


Positive filtering

It seems that BND tries to solve this issue with the positive filter, using a list of foreign identifiers used by German citizens. However, keeping such a list up-to-date would almost require an intelligence operation itself, but maybe they take a shortcut by requesting the phone numbers and e-mail addresses of Germans abroad from for example the foreign ministry, chambers of commerce and press organisations.

This seems doable for Germans, but it's obvious that this is impossible for companies and citizens from other European countries. This explains why apparently some NSA selectors for European companies made it through BND's selection system.


Economical espionage?

The sloppyness in checking foreign selectors doesn't automatically means NSA was (trying to) conducting economical or industrial espionage. According to Süddeutsche Zeitung, there are only very few indications for that. The paper says NSA was mainly interested in certain companies because they were looking for illegal (arms) exports.

For example, the e-mail address of an Airbus employee who was probably targeted by NSA, reportedly belongs to someone who is responsible for applying for arms export licences, which shows that targeting commercial companies can very well have valid foreign intelligence reasons.

On May 13, the head of Germany's domestic security service BfV, Hans-Georg Maassen, said that he has no evidence that the United States carried out industrial espionage in his country. The same was said by BND president Schindler, when he testified before the parliamentry commission on May 21, 2015.



An operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter - Click to enlarge)

 

Discovery of suspicious selectors

Already in 2005, BND employee W.O. discovered that among the selectors provided by NSA (at that time also used for the cable tapping under operation Eikonal), there were indentifiers for the European defense contractors EADS and Eurocopter (both now part of Airbus Group).

These companies have no protection under the German constitution, but it was considered that such information was too politically sensitive to be forwarded to NSA automatically. Selectors for French government officials were discovered somewhat later, according to witness D.B. on May 7.
Update #4: W.O.'s superior T.B. testified on September 10, 2015, that the selectors for EADS and Eurocopter had the status "pending" when they were discovered by W.O. Subsequently they were marked as "disapproved".

Then in 2008, a BND official informed the Chancellery saying that NSA was apparently going after its own interests in Europe too. At least by then, BND started sorting out suspicious NSA selectors and put them in a separate database. Only in 2010 and 2011 three suspect things from 2005, 2006 and 2007/2008 were reported to the BND top management.
Update: During the hearing of June 12, 2015, former BND president Ernst Urhlau said that after it was discovered that NSA was apparently interested in some European targets too, the Americans were asked what that was about, and they apologized for that and said that it wouldn't happen again.


Storing rejected selectors

The check on the selectors took place at BND headquarters, and after being checked they were sent back to Bad Aibling, where they were either entered into the collection system or stored in the rejected selectors repository (German: Ablehnungsdatei, sometimes also Ausschussliste).
Update #3: Actually there are two separate tasking systems: the main system is for BND's own selectors, and another, unique one, is for the selectors from NSA. The latter is only used in Bad Aibling, the main system is used at all BND collection facilities, so in Bad Aibling there were two separate tasking systems.

Although it could be interesting to know what NSA looks for but didn't pass BND filters, witness D.B. said this database isn't routinely looked at. He also said that NSA is informed about the selectors that have been rejected, which was apparently no problem for them.

Storing the rejected selectors was said to be useful because when NSA sends a suspicious selector again, it can be sorted out by checking against this list. Approved selectors are also sometimes marked as inactive, for example when a foreign extremist travels into Germany. Then BND monitoring has to stop, but when he leaves the country, the selector is activated again.



Overview of the dataflow for the NSA-BND cooperation at Bad Aibling
(Click to enlarge)


40.000 rejected selectors

Until 2013, the Ablehnungsdatei was filled with up to 38.000 NSA selectors which therefore didn't make it into the collection systems. With the 2000 selectors sorted out by Dr. T. (see below) this makes number of 40.000 selectors the press reported about, which is about 0,47% of the total number of selectors provided by the Americans.

Initially, Der Spiegel reported that these 40.000 were found through an investigation in the Fall of 2013, suggesting they had been active all the time and that thereby, BND enabled NSA to illegally spy on some 40.000 targets.

Given the criteria of BND's 3-stage filter system, these 40.000 must include NSA selectors that either have a German country code, a foreign identifier used by a German citizen or entity, or a match with the mysterious "German interests" criteria.

We don't know how many selectors were rejected for each of these stages, but we can assume that in a number of cases NSA did sent identifiers for targets that were recognizable as German. For selectors rejected in the second stage, NSA may not have known that a particular identifier was used by a German, something that BND could probably find out easier.

We also don't know how these 40.000 are divided among phone and internet selectors, which can also make a big difference, as it is much easier to attribute phone selectors to a particular country than it is for internet identifiers. Opposition leaders are demanding that the parliamentary investigation committee can see the list, but the government said they are still negotiating with NSA about this.
Update: Meanwhile it came out that the US government left the decision about access to the rejected selectors to the German government, who kept this decision secret for some time. Ultimately it was decided that an independent investigator (former federal judge Kurt Graulich) will get access to the selector list, and that he will report to the investigation commission about the contents in general.

> See for the results of this investigation: New details about the selectors NSA provided to BND



Office room in the former BND headquarters in Pullach, used by
an employee who cleary is a hardcore fan of Elvis Presley
(Photo: Martin Schlüter - Click to enlarge)


Investigating active selectors

Early August 2013, just a few months after the start of the Snowden revelations, BND Unterabteilungsleiter D.B. asked technical employee Dr. M.T. to take a look at the active NSA internet selectors. This in order to see what types of identifiers they contain and whether it could be determined what regions (Interessensschwerpunkte) NSA was interested in. This was the first systematic check since 2005(!).

For that, Dr. T. was provided with a copy of the database containing all selectors used in Bad Abling. This database copy was stored on a separate computer, because ordinary work stations couldn't process such a large dataset.

To his surprise, he found selectors that seemed politically sensitive. This investigation took about four weeks and resulted in some 2000 suspicious selectors. Dr. T. put them in a separate database, of which a single copy was printed out. These selectors were still active at that time, unlike the 38.000 which had been disapproved.

Dr. T.'s copy of the database containing all selectors was deleted after the job was done. The dataset of the 2000 he sorted out wasn't found back after he had returned the dedicated computer, just like the list that had been printed out.
Update #3: Apparently, 40% of the selectors investigated by Dr. T. could not be attributed to a specific country.



Overview of the BND employees involved in the affair of the NSA selectors
(Click to enlarge)


Suspicous selectors deactivated

Immediately after finding suspicious selectors, Dr. T. informed his superior Referatsleiter H.K., who reported this to Unterabteilungsleiter D.B. Around mid-August 2013, D.B. called the unit in Bad Aibling and ordered Dienststellenleiter R.U. to deactivate (although press reports call it "delete") the suspicious selectors in the phone and internet tasking databases and put them in the Ablehnungsdatei.

Meanwhile, D.B. had received the printed list with the 2000 selectors, consisting of a large number of sheets of paper, from Dr. T., and he sent this list to R.U. through a regular courier. Using some specific criteria, it was then possible to remove the suspicious selectors. Strangely enough, D.B. thought all this not to be relevant enough to report to the BND president or to the Chancellery.

Der Spiegel reported that in the hearing behind closed doors on May 6, BND president Schindler said that the list of 2000 selectors almost exclusively contains e-mail addresses, not of companies, but mainly of European politicians, EU institutions and government agencies.

The reason for this result is clear now: e-mail addresses because Dr. T. only investigated internet selectors, and of European governments because BND didn't filter those out - according to BND president Schindler because they expected that NSA would comply with the Memorandum of Agreement, that prohibits selectors for European targets.

At least the fact that the list contains no German addresses seems to confirm that preventing German selectors from being monitored was successful, and that therefore there's no evidence that BND helped NSA in spying on German citizens, corporations or government officials.


Another investigation?

According to a report by Der Spiegel, BND employee R.U. was instructed on August 14, 2013 to "delete" some 12.000 search terms. These were apparently the outcome of an investigation in which BND's database with NSA selectors had been searched using terms like "gov", "diplo" and "bundesamt" (initially in some press reports erroneously presented as search terms provided by NSA).

This search had resulted in 12.000 hits (which doesn't necessarily means an equal number of selectors). The tabloid paper Bild am Sonntag reported that e-mail addresses containing the term "bundesamt" were targeted against Austrian government agencies and appeared in over 10 NSA selectors.

However, during the parliamentary inquiry, witness Dr. T. said that the three search terms mentioned by Der Spiegel and the number of 12.000 had nothing to do with his investigation. It's therefore unclear whether there was a second investigation, or that the press has mixed things up.

Update #2: During the committee hearing of May 20, it was confirmed that there was indeed a second investigation: mid-August 2013, R.U., head of the BND unit at Bad Aibling, ordered W.O. to check the NSA selectors for whether they were related to European governments.

He only looked at e-mail addresses, because for other selector types it is too difficult to do such a check. W.O. also did research on the internet for his investigation, maybe for finding out the elements used in foreign government e-mail addresses.

Already after one day he found some, which were then deactivated ("deleted"). After that the search was continued for three weeks, adding additional search criteria. In the end this resulted in a few ten thousand selectors that were marked as rejected and then being deactivated.

W.O. only reported this to his immediate superior R.U., but at the Pullach headquarters, D.B. only heard of this second investigation and the subsequent deactivations in March 2015. SIGINT director Pauland wasn't even aware of both investigations before March 13, 2015. Then, a working group, led by BND lawyer Ms. F. was formed to investigate these issues.

Additional updates:
On May 15, 2015, Der Spiegel reported that it seems some 25.000 of the 40.000 rejected selectors had actually been active.
Maybe these 25.000 are the ones that were deactivated after the second investigation conducted by W.O. If that's the case, then the 40.000 would consist of 2.000 found by Dr. T., 25.000 found by W.O., leaving 13.000 selectors that were sorted out before and/or after both investigations.

According to Klaus Dieter Fritsche, former official in the federal Chancellary responsible for BND, there are two printed versions of the list of the 40.000 selectors: one at BND and one in a safe in the Chancellery. However, this seems not to include the 2000 selectors sorted out by Dr. T.

Update #5: According to D.B., the list at the Chancellery contains all disapproved selectors from the whole period, both those found by Dr. T. and those found by W.O.


BND takes measures

In November 2013, BND president Schindler issued a new internal regulation, saying that BND's own selectors may not include NATO and European targets anymore (no reason was seen to apply this to NSA selectors too). Reportedly e-mail addresses ending with .eu will now be blocked and the same has to happen for all European partners. We can assume this also applies to their telephone country codes.
Update #2: This regulation was apparently issued after chancellor Merkel came with her famous statement that it is not done to spy upon friends ("Ausspähen unter Freunden geht gar nicht") on October 24, 2013, following revelations that her mobile phone was targeted by NSA.
For blocking selectors related to European governments, there's a profile containing the e-mail extensions for all foreign government agencies.

Updates: On October 15, 2015, the newspaper Süddeutsche Zeitung (SZ) revealed that at the same time (November 2013), BND president Schindler ordered (only orally!) that also BND's own tasking database had to be searched for selectors related to friendly nations.
Some 2800 of those were found and subsequently deleted. The Chancellery was informed about this, but the action was kept secret until October 14, 2015, when the government informed the regular parliamentary intelligence oversight committee (PKGr).
Update #7: This was confirmed by witness D.B. who said that by the end of October 2013, BND president Schindler called him and ordered all BND selectors related to EU and NATO partner countries to be deactivated. In November, these selectors were then moved to a separate part of the PBDB tasking system so they were not active anymore. But as not all BND field stations were yet connected to the PBDB, these selectors had to be deactived separately over there.

Update #8: During a hearing in September 2016, witness D.B. told the commission that after president Schindler's order from October 2013, up to 100 BND employees could have been involved in deactivating illegal selectors. These selectors were moved to a sub-file (Gruppenliste) of the tasking database from where they could not be tasked anymore. This involved some 3300 targets.

SZ further reported that according to former BND employees, there were hundreds of cases in which the Germans eavesdropped on the US Defense and Foreign secretary and senators, when they traveled and used non-secure phone lines. Also French embassies were targeted because the French knew a lot about Afghanistan. The commission will send a task force to BND headquarters to investigate this issue.

On November 11, 2015, it was reported that a preliminary report by the task force says that among BND's own selectors, there were ones belonging to the FBI, the Voice of America, French foreign minister Fabius and the interior departments of EU member states like Poland, Austria, Denmark and Croatia. Also targeted were international organizations like the ICC, the WHO and UNICEF. The selectors also included e-mail addresses, phone and fax numbers of the diplomatic representations of the US, France, Great Britain, Sweden, Portugal, Greece, Spain, Italy, Austria, and Switzerland, as well as European and US companies like Lockheed.

However, the new instruction won't help European citizens, companies and organisations who are for example using phone numbers from outside Europe or mail addresses with a generic top level domain like .com, .org or .net. The new rules will therefore most effective for preventing that communications of European government agencies will get caught in the filter systems.

Recently, BND asked NSA to provide a justification for every of their selectors. For telephone numbers, this was already practice,* but the Americans said that for internet selectors they needed more time. This led BND to stop the collection of internet data for the time being as of early May 2015. Phone and fax data are still collected and forwarded.
Update: The collection of satellite communications based upon internet selectors provided by the NSA was resumed somewhere around November 2015. As required by BND, NSA now provides a justification for all 4,5 million internet selectors, which are related to 1,2 million people or organizations. This gives the Americans access again to the internet communications collected by the Bad Aibling satellite station, which is primarily focused at countries like Afghanistan, Syria, Irak and Libia.



BND president Schindler standing inside one of the huge golfball-like
radomes at the satellite intercept station Bad Aibling
(Photo: Reuters - Click to enlarge)
 

Results of the collection

After the approved selectors have been entered into the collection systems, all data for which there's a match with one or more selectors will automatically be picked out. These results are then converted into a readable format.

Matches for BND's own selectors are stored in a database: metadata went into VERAS and content into INBE. From there, analysts can see whether it is relevant for the foreign intelligence as required by the government. If not, the data are destroyed.

Many metadata collected in Bad Aibling were automatically forwarded to NSA, after passing the DAFIS filter system to sort out those related to Germans. According to the newspaper Die Zeit, BND collects about 220 million metadata each day, which is 6,6 billion a month. Up to 1,3 billion of these metadata are shared with NSA, an example being the 552 million metadata seen in a chart from the NSA tool BOUNDLESSINFORMANT.

Update #2: After the chart with the 552 million metadata was first published on July 29, 2013, the BND unit at Bad Aibling was in shock. They worked day and night and over the weekend to find out what had happened, and provide explanations of the technical circumstances in weekly reports, like for the regular parliamentary oversight committee.
After a week, BND was then able to issue a statement that these 552 million metadata were not collected by NSA, but by them, from crisis regions abroad.


Screenshot from BOUNDLESSINFORMANT, showing some 552 million telephone and internet
metadata that were shared with NSA between December 10, 2012 and January 8, 2013
(Click to enlarge)


Shortages

Content collected through selectors provided by NSA was also automatically forwarded after a final check by the DAFIS filter system, but here, BND personnel in Bad Aibling also took random samples to check whether it contained German data.

Because of shortages in personnel and technical capacity, BND employees were fully occupied with the results from their own selectors, and therefore had no time to take a closer look at what came out for NSA. They simply relied upon the initial selector check. Only when BND's own selectors didn't provide useful results, they would take a look at the results of the NSA selectors.
Update #4: According to W.O., results from NSA selectors went to NSA, with a copy for BND. Results from BND selectors went to BND only - NSA wasn't interested in those.

Update #5: D.B. testified that sometimes a German analyst in Bad Aibling found results from NSA selectors also relevant for BND's mission, in which case he recommended the NSA selector to be entered into BND's own tasking database too. These selectors, which sometimes also came from, for example French intelligence, were only checked against the G10 positive list. In November 2013, also a number of these BND selectors were deleted after an extensive comparison (großer Abgleich) with the NSA selectors.


Selected communication links

One important fact that was largely overlooked in the reporting on this issue, but was pointed to by BND president Schindler and one of the witnesses, is that the Bad Aibling station only intercepts satellite links from crisis regions in the Middle East and Africa.
Update #3: During the hearing on May 21, Schindler specified this and said Bad Aibling collects data from all the countries where German forces are deployed and one other country he would not name. SIGINT director Pauland said BND is currently watching various crises around the world: Ukraine, IS, Boko Haram, Bundeswehr deployments, kidnappings, and Ebola; they are not spying on their own citizens.

Interception results therefore include for example phone calls between Afghanistan and Pakistan or communications from European companies and agencies with activities in the Middle East. This would also minimize the chance that German communications were being collected. BND selects which satellites and which communication channels from those satellite links are intercepted; NSA is said to have no influence on that.

Update #4: According to witness T.B., the Bad Aibling station could intercept 200 satellites and during his time, each satellite relayed about 500 channels, making a total of 100.000 channels. It seems he said that only 50 were actually targeted, which is 0,5 promille. Results are returned only when this small number of satellite channels contains communications that match the selectors. This can happen though when for example a European commissioner visits Afghanistan and uses his EU e-mail address from over there. Some channels result in just a few communications that are still worthwhile, while others yield hundreds or even thousands, but cannot be used because of a lack of translators.
Update #5: Witness D.B. told the commission that for example phone calls are only collected when there's a match for an approved phone number on a selected satellite link. If this phone call is unencrypted, it is made available to the analysis unit in Bad Aibling, consisting of about 20 people. An intercepted phone call comes as a sound file with metadata. Analysts listen to it, to determine whether it is relevant for the mission, and whether it is useful to prepare a report about it. Then the file can be deleted or left in storage.


No records kept

According to Der Spiegel, BND president Schindler said that his agency has no technical means to reconstruct which data were passed on to NSA as no records or statistics were kept on this. Earlier, BND employees also testified that their agency doesn't count the raw data that come in, only the end reports.

This means, that the lists of selectors can only show what NSA was interested in, but that we will probably never know what exactly the results from that collection were.




Links and sources
- Offical page of the committee: 1. Untersuchungsausschuss ("NSA")
- Sueddeutsche.de: Der Geist von Bad Aibling
- SPD proposal for new legislation: Rechtsstaat wahren – Sicherheit gewährleisten! (pdf)
- Zeit.de: BND-Chef Schindler will nichts gewusst haben
- Netzpolitik.org: Interne Kommunikation: Wie der BND die „Weitergabe von Rohdaten in großem Umfang“ an die NSA verheimlicht (May 2015)
- Welt.de: Gezielter Angriff (May 2015)
- Zeit.de: BND liefert NSA 1,3 Milliarden Metadaten – jeden Monat (May 2015)
- Golem.de: Der Mann, der die brisanten NSA-Selektoren fand (May 2015)
- Netzpolitik.org: Untersuchungsausschuss: „Ich habe Weisung von oben empfangen und vollzogen“ (May 2015)
- Spiegel.de: Spionageaffäre: BND kann Daten-Weitergabe an NSA nicht rekonstruieren (May 2015)
- Sueddeutsche.de: BND half NSA beim Ausspähen von Frankreich und EU-Kommission (April 2015)
- FAZ.net: BND-Spionage-Vorwürfe: Spionieren und spionieren lassen (April 2015)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA (June 2014)
- NSA-document about NSA counter-terrorism cooperation with BND and BfV (pdf) (2013)

3 comments:

kemal said...

Great job, keep going!

Anonymous said...

Beste Zusammenfassung, die ich bisher lass!
Danke.
Kommt zu den Lesezeichen ;-)

Jordan said...

Very in-depth look at the issue here. I'm just glad that other places are being held under a little scrutiny for their action or lack of action when it comes to their peoples' data. Thanks for sharing your insight here!

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties