February 23, 2015

NSA and GCHQ stealing SIM card keys: a few things you should know

(Updated: February 27, 2015)

Last Thursday, February 19, the website The Intercept broke a big story about how NSA and GCHQ hacked the security company Gemalto in order to acquire large numbers of keys used in the SIM cards of mobile phones.

The story has quite some background information about how these keys are used and how NSA and GCHQ conducted this operation. But as we have often seen with revelations based upon the Snowden-documents, media once again came with headlines like "Sim card database hack gave US and UK spies access to billions of cellphones", which is so exaggerated that it is almost a scandal in itself.

Instead, analysing The Intercept's article and the original documents leads to the conclusion that the goals of this operation were most likely limited to tactical military operations - something that was completely ignored in most press reports. Also there is no evidence that Gemalto was more involved in this than other SIM card suppliers.

To what extent was Gemalto involved?

According to The Intercept, NSA and GCHQ planned hacking several large SIM card manufacturers, but in the documents we find only one for which this was apparently successful: Gemalto. Other documents merely show that GCHQ wanted to "investigate Gemalto" "for access to Gemalto employees" "to get presence for when they would be needed".

An internal GCHQ wiki page from May 2011 lists Gemalto facilites in more than a dozen countries, like Germany, Maxico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore, but also without explicitly saying whether or not these were successfully hacked.

One report and a few slides from a presentation that was not fully disclosed mention large numbers of SIM card keys that had been collected, but this is not specifically linked to Gemalto. Although Gemalto is the largest manufacturer, it seems likely these data were also collected from other companies, like Bluefish, Giesecke & Devrient, and other smaller manufacturers too.

Therefore, we actually don't know to what extent NSA and GCHQ used the access they apparently had to Gemalto's network, and it is definitely not correct to say that all 2 billion SIM cards that Gemalto produces every year were compromised by this hack.

And given the fact that other SIM card suppliers were targeted and/or hacked too, one wonders why The Intercept didn't left out the name of Gemalto. Because now its competitors profit from not being named, while Gemalto shares already had a huge drop on the stock market.

On February 25, Gemalto came with a press release in which results of its investigation into the alleged hack were presented. Gemalto concluded that NSA and GCHQ probably "only breached its office networks and could not have resulted in a massive theft of SIM encryption keys". The report also says Gemalto never sold SIM cards to four of the twelve operators listed in the GCHQ documents, in particular to the Somali carrier, and that in 2010-2011, most operators in the targeted countries were using the vulnarable 2G networks, mostly with prepaid cards which have a very short life cycle, typically between 3 and 6 months.

The Netherlands

Gemalto is a digital security company providing software applications, secure smart cards and tokens and is also the world’s biggest manufacturer of SIM cards. It's essentially a French company, but it has some 12.000 employees in 44 countries all over the world.

The Gemalto headquarters are officially in Amsterdam in the Netherlands, which made Dutch media claiming that "NSA hacked a company in the Netherlands". This was rather premature, since the two Dutch locations of Gemalto seem not to be likely targets in this case.

The Amsterdam headquarters is very small, consisting of only some 30 people. The reason they are in Amsterdam is apparently mainly because the Dutch capital was already the seat of Axalto, one of Gemalto's predecessors, and because the company wanted access to the Amsterdam stock exchange.

Unnoticed by Dutch national media is the fact that Gemalto also has a plant in the city of Breda, where, according to an unrelated press report from last year, (only) bank cards are personalised. This plant also has a customer service team, but strangely enough Breda isn't in the list of locations on Gemalto's website.

The plant of Gemalto in the southern Dutch city Breda
(photo: Tom van der Put/MaRicMedia)

Also interesting is that last month, Gemalto acquired the US manufacturer of security products SafeNet. This company, founded in the late 1980s by former NSA officials, not only makes encryption devices used by commercial companies and banks all over the world, but also the KIV-7 network encryptor, which is used by the US Army, as well as the Enhanced Crypto Card (KSV-21), which provides the encryption functions for the US government's STE secure telephone.

How does the SIM card key work?

SIM cards, produced by companies like Gemalto, have a microchip which among other data includes a unique 128 bit Authentication Key, also known as "Ki". A copy of this key is given to the phone provider, so when a phone call is made, this key number can be used to make sure the handset connects to a valid provider, and the provider knows it connects to a handset that belongs to a known customer.

The Intercept's report suggests that this Ki number is also used as the encryption key to protect the subsequent communications, but in reality this is a bit more complex. Here's how it works for 3rd Generation (UMTS) networks:

1. After a handset connects to the base station, the latter sends the handset a 128 bit random number, a 48 bit sequence number and an authentication token.

2. The chip in the SIM card combines the Ki number with the random number and the sequence number to also calculate an authentication token and a response number, which are used to authenticate the network and the handset, respectively.

3. By combining the Ki number with the random number, the SIM card chip also calculates the:
- 128 bit Confidentiality Key (CK) for encrypting messages
- 128 bit Integrity Key (IK) for checking the integrity of messages
4. The actual (voice) data are then encrypted through the f8 algorithm (which is based upon the KASUMI block cipher) using the Confidentiality Key.

5. For additional security, both the Confidentiality Key and the Integrity Key have a limited lifetime. The expiration time is variable and send to the handset after establishing a connection.

Although for the actual encryption key CK, the Ki number from the SIM card is mixed with a random number, this provides no extra security: the base station sends this random number to the handset over the air unencrypted, so it can be intercepted easily by anyone.

Eavesdroppers would therefore only need the SIM card Ki to recreate the encryption key and use that to decrypt the conversation (see also this US Patent for a "Method of lawful interception for UMTS").

Why were these SIM card keys collected?

The press reports, speaking in general terms of "unfettered access to billions of cellphones around the globe", suggest that everyone's mobile phone could now be at risk of being intercepted by NSA or GCHQ.

One important thing they forgot, is that one only needs to steal SIM card keys when you are trying to intercept mobile phone traffic when it travels by radio between the handset and the cell tower. Only that path is encrypted.

Once the communications arrive at the provider's network, they are decrypted and sent over telephone backbone networks to the cell tower near the receiving end as plain text. It's then encrypted again for the radio transmission between the cell tower and the receiving handset.

As we know from previous Snowden-leaks, NSA and GCHQ have vast capabilities of filtering fiber-optic backbone cables that are likely to contain communications that are of interest for military or foreign intelligence purposes. The big advantage here is that on those backbone cables there's no encryption (although people can use end-to-end encryption methods themselves).

Therefore, the SIM card keys are only needed when NSA and GCHQ want to listen in or read traffic that is or has been intercepted from the wireless transmission between a handset and a cell tower. This narrows down the field where these keys can be useful substantially.

Tactical military operations

Intercepting the radio signal of mobile phones needs to be done from rather close proximity. To do this, the NSA uses StingRay and DRT devices, which are highly sophisticated boxes that in a passive mode are capable of detecting and intercepting the radio transmissions of multiple cell phones. In an active mode they can mimic a cell tower in order to catch individual phone calls and as such they are better known as IMSI-catchers.

These devices are widely used by the NSA and the US military in tactical ground operations, like in Afghanistan and previously in Iraq, as well as in other crisis regions. StingRays and DRT boxes can be used as a manpack, in military vehicles, but also aboard small signals intelligence aircraft like the C-12 Huron.

A Prophet Spiral Humvee which uses DRT devices
for collecting radio and cell phone signals

This military, or at least anti-terrorism purpose is confirmed by a disclosed slide which shows that Kis for mobile networks from Somalia, Kuwait, Saudi Arabia, Afghanistan, Iran and Bahrain were found among collected data.

A GCHQ report that was also published as part of The Intercept's story says that key files from "Somali providers are not on GCHQ's list of interest, [...] however this was usefully shared with NSA", which clearly shows that both agencies were looking for keys from specific countries.

The report also says that during a three month trial in the first quarter of 2010, significant numbers of Kis were found for cell phone providers from Serbia, Iceland, India, Afghanistan, Yemen, Iran, Tajikistan and Somalia, which is shown in this chart:

According to the report, this chart reflects "a steady rate of activity from several networks of interest", which again indicates that GCHQ is specifically looking for keys for countries where the US and the UK are involved in military operations.

The same reports says that Iceland appearing in this list was unexpected, but Dutch newspapers guessed this could be explained by the fact that in 2010, Julian Assange and other people related to WikiLeaks were staying there.

One also wonders why The Intercept didn't trace the companies that in 2010 and 2011 provided the SIM cards to the countries mentioned in the GCHQ report. The fact that SIM keys for those countries were collected, seems a strong indication that the security of those suppliers was apparently weak.

Eavesdropping in foreign capitals

Remarkably, the use of SIM card keys for tactical military operations is completely ignored by The Intercept, even though this is probably the main purpose (which was also expressed by at least two security experts). The Intercept does however claims that such keys would be useful to eavesdrop on mobile phone traffic somewhere else:

The joint NSA/CIA Special Collection Service (SCS) has eavesdropping installations in many US embassies, and because these are often situated in the city center and therefore near a parliament or government agencies, they could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials.

With the current UMTS (3G) and LTE (4G) mobile networks using encryption that is much harder to crack than that of the older GSM network, having the SIM card keys would make it easy to decrypt already collected mobile communications, as well as listing in to them in real-time.

A 16 port IMSI catcher from the Chinese manufacturer Ejoin Technology

As easy it may be to decrypt conversations when having the key, the more difficult it seems to get hold of keys that are useful for this purpose. SIM cards are shipped in large batches of up to several hundred thousand cards and while it is known to which provider in which country they go, one cannot predict in whose phone the individual cards will eventually end up.

So when NSA and GCHQ are stealing large numbers of keys, they have to wait for some of them ending up by people that are on their target lists - which really seems a very small chance. This method is also useless against people using an old SIM card, which could be the case for German chancellor Merkel, who has a phone number that was already used in 1999. For these kind of targets it would be much more efficient to hack or tap into local telephone switches.

The way to make it work would be to "collect them all" and create a database of keys that will eventually cover every newly assigned phone number. But in one of the documents, GCHQ notices that large SIM suppliers increasingly use strong encryption for their key files, which will make it hard to achieve such a full coverage.

This is another reason, why stealing SIM card keys is most likely focussed on war zones: over there, very large amounts of phone calls and metadata are collected, which, given the large number of suspects and targets over there too, makes much better chances of finding keys that are actually useful. But still, stealing these keys looks not like a very efficient method.

Could these hacking operations be justified?

This brings us to the question of how justified this method of stealing SIM card keys could be. The fact that NSA and GCHQ are hacking commercial telecommunication and security companies is seen as one of the biggest scandals that have been revealed during the Snowden-revelations.

It's not only because of breaking into their networks, but also because for this, the communications of specific employees like system administrators are intercepted to acquire the passwords and usernames for their Facebook-accounts, despite the fact that they themselves aren't a threat to the US or the UK.

They are targeted not as an end, but as means in order to get access to the communications of other targets elsewhere. These ultimate targets could maybe justify these means, but without knowing what the actual goals are, it's difficult to come with a final judgement.

Although this kind of hacking affects innocent civilians, it's still very focussed. According to The Intercept, "In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization" - which is a rather small number given that Gemalto alone has some 12.000 employees.

Targeting companies and organizations like Swift, Belgacom and Gemalto should not have come as a complete surprise. Nowadays internet and telecommunication providers have become similar of interest for national security as military contractors and top technological research institutions have always been.

This is also reflected by the last of the 16 Topical Missions in the NSA's Strategic Mission List from 2007:

"Global Signals Cognizance: The core communications infrastructure and global network information needed to achieve and maintain baseline knowledge.
Capture knowledge of location, characterization, use, and status of military and civil communications infrastructure, including command, control, communications and computer networks: intelligence, surveillance, reconnaissance and targeting systems; and associated structures incidental to pursuing Strategic Mission List priorities.
Focus of mission is creating knowledge databases that enable SIGINT efforts against future unanticipated threats and allow continuity on economy of force targets not currently included on the Strategic Mission List."

Links and Sources
- Tweakers.net: Gemalto: geen sim-sleutels buitgemaakt bij aanval geheime diensten
- Reuters.com: Hack gave U.S. and British spies access to billions of phones: Intercept
- Crypto.com: How Law Enforcement Tracks Cellular Phones
- Presentation about Network Security: GSM and 3G Security (pdf)
- Matthew Green: On cellular encryption
- GCHQ's aspirations for mobile phone interception: 4 slides + 2 slides
- This article appeared also on the weblog of Matthew Aid

February 12, 2015

Snowden would not have been able to legally "wiretap anyone"

(UPDATED February 19, 2015)

During his very first interview, former NSA contractor Edward Snowden pretended that he, sitting behind his desk "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".

Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden, or other analysts could have done that in a legitimate way.

Targeting US citizens under FISA authority

The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:

Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(Click to enlarge)

In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.

If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.

Acquiring an individual FISA warrant

So, when Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.

For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.

Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.*

Collection under section 702 FAA

Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program, under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?

The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and easier. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.

But what many people don't realize, is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.

The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, the so-called Upstream collection.

Section 702 FAA certifications

What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.

For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like hiding names and addresses of US citizens when their communications come in unintended. The court then issues an order that approves the certification.

Until now, we know of section 702 FAA certifications for three topics:
- Foreign Governments (FG, Certification 2008-A, including cyber threats?)
- Counter-Terrorism (CT, Certification 2008-B)
- Counter-Proliferation (CP, Certification 2009-C)

These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are always allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.


In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).

Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.

So, when Snowden apparently had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators, in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC is needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge’s or a senator’s e-mail", which sounds more like pulling such an e-mail from a database.

This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that already have been collected in one way or another, particularly at access points outside the US. Starting new surveillances (tasking) is done through the Unified Targeting Tool (UTT, see below).

Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:

This became known as "back-door searches". These queries might be questionable, but unlike the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data.

Clapper explained that these queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.

In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and the person is considered an agent of a foreign power.

The PCLOB report (pdf) about 702 FAA operations from July 2014 says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".

For example, the NSA has approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.

The details Snowden told to the Post and the framework for "back-door" searches, confirm that he wasn't authorized to target US persons, but apparently did had the authority to use US persons identifiers for querying already collected PRISM data.

But contrary to what Snowden said, the NSA's Minimization Procedures from October 2011 say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333). That again makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President would make it through.

But even without a prior approval, querying US persons without the intention of retreiving foreign intelligence information is illegal, which brings us to the next chapter.

Circumventing official procedures

In an interview, Glenn Greenwald was also asked about this issue and he explained that the "authority" Snowden was talking about, was not an authority in a legal sense.

According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".

So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.

In that interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, although somewhat earlier in the interview he was speaking about the whole agency that "targets the communications of everyone" and ingests, filters, analyses and stores them.

Unified Targeting Tool

Circumventing official procedures and legal authorities could be done by manipulating targeting instructions given through the Unified Targeting Tool (UTT), which is a webbased tool that is used to start the actual collection of data.

A rogue analyst could for example confirm that there's a FISA warrant, when there's no warrant present, or provide a fake foreigness indicator, so someone could be targeted under the authority of Executive Order 12333, which doesn't require the procedure of acquiring a FISA court approval.

A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the
fields that have to be filled in. We see that data about a "FAA Foreign
Governments Cert." is missing and therefore not valid to task (see below),
and also a drop down menu with various Foreigness Factors.

Unfortunately no manual for this tool has been disclosed so far, although that would have been useful to learn more about such internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.

Targeting procedures

We have no details about the procedure for targeting US citizens, but we do know about the process for collection under the PRISM program. As PRISM is used for gathering data about foreigners, it can be considered to be less sensitive than collecting data about US persons, for which there are maybe some extra safeguards and checks. The PRISM tasking process is shown in this slide:

Slide that shows the PRISM tasking process
(Click to enlarge)

We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.

A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then the selectors are released to be "tasked" on the various collection systems.

For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are less restrictions, but also this is still not completely at the will of individual analysts. At least every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List and other policy documents.


Nonetheless, recently declassified NSA reports to the president's Intelligence Oversight Board (IOB) show that there have been cases in which there was an abuse of the collection system, either wilfully or accidentally. The majority of incidents both under FISA and EO 12333 authority occured because of human error.

It shows that despite the safeguards, some unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected them afterwards, with the selectors involved being detasked, the non-compliant data being deleted and the analysts being counseled.

(Edited after adding Greenwald's interpretation of Snowden's words and adding something about the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a report by The Washington Post, and added some explanation about the back-door searches)

Links and Sources
- Privacy and Civil Liberties Oversight Board: Section 702 Program Report (pdf)
- Stanford Law Review: Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?
- The Guardian: The top secret rules that allow NSA to use US data without a warrant
- EmptyWheel.net: Postings about section 702 FAA
- Robert S. Litt, ODNI General Counsel: An Overview of Intelligence Collection
- Related documents:
  - President Policy Direction (PPD) 28 Section 4 Procedures (pdf) (2015)
  - Foreign Intelligence Surveillance Act - Summary Document (2008)

January 26, 2015

How GCHQ prepares for interception of phone calls from satellite links

Most of the Snowden-revelations are about spying on the internet, but NSA and GCHQ are also conducting the more traditional collection of telephone communications that go through satellite links.

What needs to be done before phone calls can be collected, can be learned from two highly detailed technical reports from the GCHQ listening station near Bude in the UK.

These reports were published on August 31 last year by the German magazine Der Spiegel and the website The Intercept as part of a story about how Turkey is both a partner and a target for US intelligence.

Here we will analyse what's in these reports, which give an interesting impression of the techniques used to transmit telephone communications over satellite links.

Satellite dishes at the GCHQ intercept station near Bude, Cornwall, UK

Officially, such technical reports are called "informal reports", as opposed to the "serialized reports" that contain finished intelligence information for end users outside the SIGINT community.

Until now, only two of such technical reports have been disclosed, but according to an article by Der Spiegel from December 20, 2013, they are from "a bundle of documents filled with international telephone numbers and corresponding annotations" from Sigint Development (SD), which is a unit that identifies and develops new targets.

The technical reports are about test runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" and whether certain satellite links could be "of potential interest for tasking". The reports give no indication about whether the listed numbers were eventually tasked for collection and neither about the intensity and length of any such surveillance.

Der Spiegel says these documents show that GCHQ "at least intermittently, kept tabs on entire country-to-country satellite communication links, like Germany-Georgia and Germany-Turkey, for example, of certain providers", which sounds rather indiscriminate.

However, the fact that GCHQ analysts are sampling these satellite links on whether they contain target's phone numbers, shows they are looking for the most productive links to be eventually intercepted. During the parliamentary investigation in Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.

Technical report nr. 35

The first technical report is number 35 from October 15, 2008. It is about four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)

The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.

Multiplexing and compression

By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.

For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll quality voice, fax, Voice Band Data (VBD), native data (for example, V.35), and signaling information:

This kind of voice compression equipment is installed at either end of long-distance links, like from communications satellites or submarine fiber-optic cables. Telecommunication companies try to pack as much capacity into as little physical space as possible, making it also more difficult for intelligence engineers to unpack it.

Signaling System No. 7

Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 as specified by ITU-T recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).

SS7 is a set of protocols for setting up and routing telephone calls. In the SS6 and SS7 versions of this protocol, this signalling information is "out-of-band", which means it is carried in a separate signaling channel, in order to keep it apart from the end-user's audio path.

In other words, SS7 contains the metadata for telephone conversations, like the calling and the called phone numbers and a range of switching instructions. This makes the SS7 or C7 channel the first stop for intelligence agencies.

Analysis of the link

In order to see whether these four satellite links could contain traffic that is useful for foreign intelligence purposes, the analyst took some phone numbers from Iraq (country code 964), Iran (98), Syria (963) and the UK (44) and looked whether these appeared in the data of the C7 channel.

All four links had hits, both for the called and the calling number. These numbers were redacted by The Intercept, except for the terms "Non Op Kurdish Extremism" and [Kurdish] "Leadership". The report continues with a more detailed analysis of the links. As an example we look at the one between the UK and Iraq, which has the case notation G2BCR and was paired with G2BCS:

On this link, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 2-153-1 in the UK, and the Destination Point Code (DPC) 4-036-4 in Iraq. The switching device at the originating end is a Nokia DX220 ABS and at the destination end a Unid Exch.

The DTX-600 contains 11 active trunks for digital voice data that are compressed into packets of 10 milliseconds duration by using the audio data compression algorithm g.729. There is also one WC1A channel.

After decompression by a tool named SWORDFISH it came out that the location of the C7 channel is the "3rd Trunk BS19". Protocols used on this link were Cisco, IPv4, ICMP, TCP, UDP, GRE, ESP and PPTP. Similar analysis was done for the other three satellite links.

Intelsat communications satellite from the 900-series,
nine of which were launched in June 2001.

The report then has a small list of Technical Details, saying that the traffic goes via the Intelsat 902 communications satellite, but the exact frequencies of the four links are redacted, just like the Symbol Rate and the FEC Rate. FEC probably stands for Forward Error Correction, to mitigate for packet losses.

There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links and how they are collected. It seems strange that this internal RASIN code is visible, while the FEC rate, which is common technology, is redacted.


The conclusion on whether these satellite links can be tasked on the collection system is: "Due to limited patching there is currently no spare tasking availability on Lopers". LOPERS is one of the main systems used by NSA for collecting telephone communications. According to Der Spiegel, some other reports concluded about tasking: "Not currently due to the data rate of the carriers."

Finally, this technical report gives the (redacted) contact details at OPA-BUDE, with OPA being the abbreviation of a yet unknown unit at the GCHQ Bude listening station in Cornwall. The last section of the report is fully blacked out by The Intercept, but the next report will show what is apparently covered there.

Technical report nr. 44

The second technical report is from December 1, 2008 and is about a satellite link between Jordan and Belgium. It has the case notation 8BBAC, with 8B being the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are in Jordan and Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).

The link is an E1 carrier, which means it runs 2048 Megabit/second and has 32 timeslots (channels), which are numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Megabit/second and has 512 timeslots). Each timeslot can carry one phone call, so one E1 link can transmit up to 30 calls simultaneously. The remaining two timeslots are used for the signaling information.

The analyst found that in this case timeslots 30 and 31 were used to relay the C7 signaling information and that compression was achieved by the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, one Intelsat communications satellite can relay up to 112.500 voice circuits (telephone calls) simultaneously.

The report also says that the "RLE to this link is believed to be 8BBNH. Currently in view at Sounder". RLE stands for Return Link End, which in this case would be the link back from Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos in Cyprus, which is apparently able to intercept the Intelsat downlink to Jordan.

The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) in Cyprus

Analysis of the link's metadata

The technical report says that on timeslot 30, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) in Jordan, and the Destination Point Code (DPC) 2-014-7 at F Belgacom in Brussels, Belgium.

It's interesting to see Belgacom here, as from 2009, GCHQ got access to the cell phone roaming branch of this company by using the highly sophisticated Regin spyware suite.

From OPC 4-032-5 in Jordan, there were also transit calls via DPC 2-012-2 to some fourty countries all over the world. In addition to this, there were also transit calls to Mauritius, Finland, Bulgaria, Switzerland, Sweden, Syria and Iran via DPC 2-012-1.

On timeslot 31, the C7 channel runs between the end points 4-032-0 at FAST Link in Jordan, and 2-013-1 at F Belgacom in Brussels, Belgium. For this timeslot there were also two links with transit calls, via DPC 2-012-2 and DPC 2-012-1.

For these transit calls, the report also mentions an eight digit Circuit Identification Code (CIC). This code is used to connect the metadata in the C7 channel to the trunk and the timeslot which carry the voice part of the call. In this way, each of the 30 channels of an E1 link has a CIC associated with.

GCHQ has to know the CIC, in order to pick the right voice part from one of the content channels, after having found the target's phone number in the signaling channel.

Interface of an NSA tool with a page titled "SS7 Summary" which lists and visualizes
the number of OPC/DPC pairs accessible by various NSA fiber-optic cable
interception programs, identified by their SIGAD number.
(Screenshot from an NSA presentation
published in December 2013 - Click to enlarge)

Mapping the link

The analyst used the DEPTHGAUGE tool to map the 8BBAC satellite link. He reports that the resultant map was not fully conclusive, but that it supported the previously listed mapping. What follows is a list which seems to relate Circuit Identification Codes (CIC) to the specific TimeSlots (TS). Not all of them had yet been mapped.

The 8BBAC link was sampled for telephony data (DNR) for approximately 94 hours during the period from November 26 to December 1, 2008, by using a tool or system codenamed DRUMKIT.

Phone numbers listed in CORINTH, which could be GCHQ's telephony tasking database, were found 607 times in timeslot 30. This included both tasked and de-tasked numbers, which means numbers that were under surveillance as well as numbers for which the surveillance had been terminated. 26 numbers that were tasked at the time of the analysis had 86 hits.

In timeslot 31, there were 349 hits, 40 of which were from 14 phone numbers that were under surveillance. These hits could be viewed in DRUMROLL under the filenames 8BBAC0030 for timeslot 30 and 8BBAC0031 for timeslot 31.


The report lists all the hits of tasked, and a selection of the non-tasked phone numbers that were found in timeslot 30 and timeslot 31. These lists are completely blacked out, except for the terms "Turkish MFA" (= Ministry of Foreign Affairs) and "Kurdish Leadership".

According to The Intercept's reporting, NSA was regularly providing its Turkish partners with the mobile phone location data of PKK leaders, but was at the same time spying on the Turkish government.

DRUMROLL was first seen in snippets from a GCHQ document published by Der Spiegel in December 2013. It gave the hits for a satellite link with case notation 1ABCT. According to the Spiegel article, this was a communication path between Belgium and Africa.

For each of the entries there are codes or numbers under TNDEntry, TNDOffice, TNDtask and TNDzip. It is not known what TND stands for, but it could be something like Target Number Database.

Among the hits are European Union Commissioner Joaquin Almunia, the French oil and gas company Total E & P, the French transport company Thales Freight and Logistics and the UN Institute for Disarmament Research. As such lists can show both tasked and de-tasked numbers, it's not clear whether these ones were still under surveillance; the N under TNDtask could stand for "Not Active":

The technical report nr. 44 from 2008 may have similar information in the lists that were redacted.

That report then continues with a small list of Technical Details of satellite link 8BBAC, with the Symbol Rate and the FEC Rate not being redacted, like in the first report. The conclusion of the report is that "this link can be tasked on the system". According to Der Spiegel this was the answer in many of the other reports too.

Finally, also readable unlike in the first report, is the standard disclaimer that is under every document from GCHQ. It says that this "information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK informataion legislation".

Apparently this time the editors from The Intercept forgot to redact the GCHQ's internal (non-secure) phone number and e-mail address for such disclosure requests, which normally appear blacked out in all GHCQ documents that have been disclosed.


All three technical reports we have seen are classified SECRET STRAP 1 SPOKE. The British marking STRAP 1 means that the dissemination of the document is restricted by measures from a three-level control system codenamed STRAP. Within that system, STRAP 1 is the lowest level.

More interesting is the NSA marking SPOKE, which also denotes a control system to limit access to the document, but is rarely seen. Other British documents marked STRAP 1 often have COMINT as their American equivalent, which is the general marking used for all information related to communications intelligence that hasn't to be more strictly controlled.

SPOKE is one of the codewords that NSA used in the past, but which were presumably abandoned in 1999. But from documents published as part of the Snowden-leaks we know that from these codewords at least SPOKE and UMBRA are still used.

Given what's in the known documents that have the SPOKE classification, it seems to cover technical information about targets, like their phone numbers and the communication links in which these can be found. The higher UMBRA marking is then probably used for the actual content, when this is collected outside the US under EO 12333 authority.

Links and Sources
- Wikipedia: ISDN User Part
- ZDNet.com: Invasive phone tracking: New SS7 research blows the lid off mobile security

January 13, 2015

German investigation of the cooperation between NSA and BND (III)

(Updated: January 16, 2015)

This is part III about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

The hearings of a number of BND employees which are summarized below, provided many interesting details about BND cable and satellite collection and how these data are selected and filtered and how privacy rights are implemented. This was especially of concern for the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

The witnesses also stated that contrary to the initial press report, under the joint operation Eikonal not a single German communication was passed on to NSA.

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website Netzpolitik.org, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of those of the cover names they are using when at work(!).

The room where the hearings of the parliamentary committee take place
(photo: DPA)

20th Meeting, November 6, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, head of the JSA unit from 2003-2007):

In Bad Aibling, the BND has dishes to intercept satellite communications. When satellite links are intercepted, the following things have to be done: first a specific frequency has to be selected, and as one frequency often contains multiple channels, these have to be broken down (de-multiplexed) into single data streams. Based upon metadata it can be decided that certain types of communications are not of interest for BND.

The next step is to separate the various content encodings, like for IP-traffic, telephony, fax, etc. This also needs error correction, which sometimes is a bit more difficult because some communication systems use proprietary methods. This results in data in a readable or audible format (like an e-mail or a phone call), which can be used to prepare an intelligence report. The witness estimates that BND produces around 20 reports a day.

For processing, filtering and selecting commercial computer systems were used, as wel as systems that were custom made by NSA. The Americans were ahead of BND in this, not necessarily better, but often just in doing more, or faster, like in analysing signals.

Compare: the data flow at NSA, according to a presentation
from the NSA's European Cryptologic Center (ECC)
(Click to enlarge)

Mass surveillance?

The witness stated that there was and is no mass surveillance by BND. Mass surveillance is even more difficult for fiber optic cables than for satellite links. If there would be any mass surveillance for the latter, then this should involve some 300 communications satellites, for which there should be ground stations at at least three places around the world.

There you would need 250 satellite dishes of 10 million euros each to receive the up to 500 frequencies per satellite. For each frequency two modems and converters were needed, and with the necessary processing capacity, this would require a nuclear power plant for electricity.

Mass surveillance on cable traffic could probably only be done with the capacity of the American, Russian and Chinese intelligence agencies combined. For BND, mass surveillance would drown the agency in data. The witness had never witnessed any kind of economical espionage by NSA in Germany. But he had to admit that not everything was talked about.

Joint SIGINT Activity (JSA)

NSA's Bad Aibling Station was scheduled for closure in 2002, but after 9/11 this was postponed to 2004, and maybe this led to the creation of the JSA. In the Joint SIGINT Activity, NSA and BND cooperated in collecting both satellite and cable communications.

The JSA was located at the Mangfall Barracks in Bad Aibling. In 2002, this military complex still had a compound of the Bundeswehr, where you had to go through to reach the BND section. The Bundeswehr left these barracks by the end of 2002, and NSA went to a new building nicknamed the Tin Can (Blechdose).

The compound had three sections: one for Germans only, one for US persons only and one common section. The collection of data took place in the common section, and the exits were strictly monitored, so NSA had no access to German sources on its own, although there weren't every day checks on people carrying thumb drives.

BND personnel had no access to NSA databases and vice versa, but both had access to joint databases. NSA had also some contractors working there. JSA was connected to NSANet, just like NSA's European Security Operations Center (ESOC) near Darmstadt.

Until 2007 only cable traffic from Frankfurt was passed on to JSA, not from other internet cables. Satellite traffic intercepted by the BND antennas in Bad Aibling was probably also transferred to JSA, where it was processed and analysed in the interest of both NSA and BND.

After the Joint SIGINT Activity (JSA) was closed in 2012, the logical path over the physical cables between BND headquarters and Bad Aibling was probably cut off. After 2012, BND continued to cooperate with NSA in the field of satellite interception and operations in Afghanistan.

Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".

Protection of German data

BND did everything to prevent that communications of German citizens or corporations were collected and/or passed on to NSA. Initially, 4 out of 5 selectors came from the Americans, the rest were German. The witness did not know the total number of selectors. These selectors were checked before they were fed into the collection system, and what came out was again checked whether it contained German communications.

The selectors from NSA were first checked by the Americans in the Tin Can at the Mangfall Barracks and then passed on to a unit of the technical division (which included lawyers) of BND at its then headquarters in Pullach. A final check was conducted by BND personnel in Bad Aibling. Only about one permille of the selectors were rejected because they were related to Germans or contrary to German interests.

Filtering out German data

This filtering works fine, but experience in Bad Aibling has learned that it is not possible to do this fully automated. Therefore, there was no automatic forwarding to NSA. A 100% accurate filtering was only possible with a final selection by hand. As far as the witness was aware of, not a single German communication was passed on to NSA.

In the press report about operation Eikonal it was said that the filter system could only filter out 95% of German communications, but according to the witness, this was only during the test period. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.

Especially e-mail addresses have to be checked by hand, because nowadays it's much more difficult to attribute such internet communications to specific countries. During the test period, about 3000 communications had to be checked by hand, 300 of which were e-mails. BND didn't collect data from US citizens or passed these on to NSA, so NSA did not use BND to get data that it wasn't allowed to collect by itself (Ringtausch).

The witness suggested that Süddeutsche Zeitung (the media that claimed that the BND filters wouldn't work and German data was forwarded to the NSA) had documents of conversations between BND and NSA, in which maybe BND made "political statements" about the efficiency of the filters.

(This could explain the discrepancy between the press reports and the BND witnesses, who all assured that the filter worked, and with additionally manual checks not a single German data was forwarded to NSA)

The witness clearly stated that German G-10 Act only protects Germans and people living in Germany. The privacy of foreigners living abroad is not protected by German law.

Operations center room in the former BND headquarters in Pullach
(Screenshot from ARD television - Click to enlarge)

- Hearing of Ms. G. L. (BND, head of IT development and operations at JSA from 2007-2008):

This witness is responsible for databases that store data after having been collected and filtered. These databases are at various locations. Currently, between 8.000 and 10.000 pieces of content with some additional information (Meldungen) come in each month, often but not always accompanied by metadata.

Joint SIGINT Activity (JSA)

Each unit of BND's analysis division (Auswertung) could request intelligence information from the JSA. They could suggest specific selectors to be tasked or articulate what their information needs were. Ultimate goal was to present relevant information for the federal government. BND sees itself as a service provider for customers in the government.

In 2005/2006 the selection process was fully automated. The witness couldn't remember how many selectors were used in her period at JSA. These numbers were also not registered. NSA was not able to get any German communications before these were thoroughly filtered and checked by BND. An e-mail that was selected, could be forwarded to NSA through a secured gateway. There was only access to local databases, not to those of NSA.

NSA employees working for JSA were not recognizable as such, they just had ID cards for the compound, issued by the security unit that was responsible for access control of the premises. The Tin Can building also housed SUSLAG (Special US Liaison Activity, Germany), which was a separate unit, different from JSA.

Header of a newsletter from the Joint SIGINT Activity (JSA)
(Click for a JSA newsletter (pdf) from 2007)

Operation Eikonal

The witness confirmed that in Frankfurt fiber optic cables were intercepted (operation Eikonal), although without mentioning whether this was at DE-CIX or somewhere else. She wouldn't answer the question whether BND is still doing this.

The data collected in Frankfurt were first sent to BND headquarters and then to Bad Aibling, where they were filtered by selectors from both NSA and BND. After the cooperation with NSA was ended, the transmission to Bad Aibling was cut off.

Legal issues

The witness was responsible for the implementation of the Federal Intelligence Service Act (BND Gesetz), which governs the activities of this agency. As such, she had the opinion that satellite interception conducted in Bad Aibling also took place under this act, but the Director of BND overruled her, saying this was not the case.

The BND management said: this kind of collection takes place in outer space, and therefore German law doesn't apply. But apart from that, employees should always apply with law and order. Once data collected from satellite links had been stored in BND databases, they fall under the German Data Protection Act (Bundesdatenschutzgesetz) though.

(In general, most of these witnesses didn't knew much about topics that are not related to their own duties. They also showed very little interest in the Snowden-revelations. This might be from a common attitude in the intelligence world: the less you know, the less you can (accidently) give away)

- . - . - . - . -

22th Meeting, November 13, 2014 (Transcript)

- Hearing of the witness Mr. W. K. (BND, sub-division manager in the Signals Intelligence division):

The witness stated that BND is definitely not comparable with the former East German Stasi and that BND only collects what is necessary for fulfilling the information need of the federal government.

Today, mainly fiber optic cables are intercepted, but not everything that flows through, only specific data channels are selected, or in case of satellite links: specific frequencies. Asked about the Snowden-revelations, the witness said that he was surprised by how close the Five Eyes partners are cooperating.

Tapping internet cables

There are search profiles and criteria according to which specific data flows are selected in a very focussed way. The first selection is of a route between two places (like from Afghanistan to Pakistan), then a specific fiber optic cable is chosen.

These are human decisions, based upon where a cable is located, by which company it is operated and where it's most useful to tap it. Picking a specific cable is also discussed with the provider, with some of them this is easier than with others.

Because internet traffic travels over many different routes, picking specific cables, means that a lot of communications cannot be collected. This is taken for granted as BND doesn't want to collect everything. Sometimes multiple routes are selected for interception, but not always.

According to the witness, BND doesn't provide foreign intelligence agencies access to cables. No raw data are transferred to foreign agencies, only end reports.

In some cases, internet data have to be converted into a readable format. This sometimes means cracking encryption, consisting either of complex algorithms or proprietary methods. This can be done on the traffic as it flows past, or with data after having been stored in databases.


The next step is filtering the data through selectors. This is done by a computer system, for which the data stream may be buffered for a few milliseconds. The amount of data flowing through these filter systems isn't counted by BND. Filtering by selectors is done as close to the actual tapping point as possible.

The selectors are chosen based upon the information needs and a set of criteria, which in combination prevent that communications of innocent people are touched. The results went to the (then) BND headquarters in Pullach over leased cables. The number of data forwarded to Pullach is not registered, it depends upon the costs of the capacity for transmission.

The constitutionally guaranteed Privacy of Correspondence can have effect on each of these selection stages: for example no cables are chosen that start and end in Germany, and no selectors belonging to Germans are used.

Data of Germans are currently filtered out by a system called DAFIS, which succeeded a BSI-certified filter system that was used since the 1990s. Data from German citizens and German companies (Grundrechtsträgern) are deleted.

After data have been selected, they are pulled out based upon their relevance and finally analysts can use them at a certain moment to write an intelligence report, of which approximately 20 a day are produced.

Operation Eikonal

Regarding the joint NSA-BND operation Eikonal, the witness said that there was no massive scale surveillance of German citizens with data forwarded to NSA. Under Eikonal, which was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The witness would give more details only behind closed doors, because BND is still using these methods. The internal codename for Eikonal was Karat, but that name wasn't shared with NSA. There was even a third codename. Eikonal was tested during a few months (early 2006?), during which period no data were shared with NSA.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

What was collected under Eikonal was far less than the 500 million metadata a month as shown in the German BOUNDLESSINFORMANT chart. Actual collection only led to a few hundred selected contents (in German: Daten, like phone calls or e-mails) a year, which was a huge disappointment for NSA. Nothing that was worth while came out anymore, contrary to the expectations when the operation was set up.

This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program. As a "compensation" for NSA, a joint project in a country outside Europe was planned. In crisis regions, the BND is still cooperating with NSA, which provides "huge benefits" for the Germans, according to the witness.

The witness wouldn't say anything about whether BND was tapping into the Frankfurt internet exchange DE-CIX, but later on he said that operation Eikonal involved just one telecommunications provider.

(These kind of indications by some of the witnesses eventually led the Committee to conclude that operation Eikonal was actually about tapping one single cable of Deutsche Telekom, instead of the DE-CIX exchange as a whole, as the initial report by Süddeutsche Zeitung said. More about this later)

Things the BND learned from the Eikonal-cooperation were:
1. How the technique worked, which is now used for own operations outside, and collection efforts inside Germany
2. It is not possible to conduct 100% automated filtering. This wouldn't be done anymore.

Filtering through selectors

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. A BND unit which included lawyers checked for every selector from the NSA whether it was legal and according to the goals of the cooperation. Besides German interests, also the interests of friendly countries were taken into account. Only a few selectors were rejected, but it wasn't told to NSA which ones. They were just not entered into the filtering system.

Selectors include not just phone numbers and e-mail addresses, but also MAC addresses, which have no country identifier. Although there may have been up to several hundred thoused selectors, BND was still able to check whether every single one was appropriate, this by using special criteria. Only selectors that can be checked are used.

Besides Eikonal, BND also taps into cables of multiple other communication providers, but this is within the proper legal framework, approved by the G-10 Committee. For this, there is dedicated hardware equipment in the building of the provider, in accordance with the regulations of the federal communications authority (Bundesnetzagentur). This hardware is installed at the point where the cable is tapped.

Screenshot from NSA's BOUNDLESSINFORMANT tool, showing the number of foreign
metadata that BND collected in crisis regions and shared with NSA
(Click to enlarge)

Telephony metadata

According to the witness, one phone call creates between 30 and 50 metadata, which includes not only time and number but also a lot more technical data. With the given number of users in a crisis zone, this easily adds up to billions of metadata. But not all these have to be collected (erfasst); less than one percent can actually be pulled in. This is no mass surveillance without a reasonable ground (anlasslose Massenüberwachung). The witness assumes that NSA and GCHQ operate in a similar way as the BND.

The over 500 million metadata records from the Germen BOUNDLESSINFORMANT chart were most certainly from Afghanistan, more precisely from satellite communication links between two foreign countries in crisis regions. According to the witness this huge number of metadata for a single month is quite normal.

It could be that these numbers are collected up to today, although he isn't sure about that. BND isn't counting every single part of metadata, as NSA is apparently doing and which leads to those huge numbers.


BND got the XKeyscore program from NSA, which is only used to analyse data that are already collected. BND didn't had such a tool before. Unlike NSA, which uses Xkeyscore as federated query system, BND uses it as a stand-alone system for analysis. The actual collection systems of BND are antennas and outposts (Aussenstellen).

The witness doesn't know how many servers BND purchased for XKeyscore. Presently, BND uses XKeyscore only for traffic that is intercepted from satellite links, apparently because the system isn't (yet) certified for filtering out communications of German citizens. BND got no software programs from NSA for profiling or for decrypting data.


Personal data are only those data that can be related to specific persons. For German data it is easy to retrieve the identity behind certain metadata, but for foreign metadata this is much more difficult and hence those metadata are not seen as personally identifiable information.

The witness said multiple times that he isn't a lawyer and he therefore had no opinion of his own about the legality of certain decisions. He also didn't knew whether data collected in foreign countries had been acquired with or without the consent of the provider. He just assumed that the data collection takes place in a legal way. Foreign partner agencies don't provide BND with data they are not allowed to collect themselves.

- Because of time shortage, the BND employees L. and W. P. couldn't be heard in this meeting.

> Next time: More hearings of BND employees

Meanwhile, the following numbers about government eavesdropping operations in 2013 have been made public. These numbers are only about the interception of communcations with at least one-end-German, so traffic with both-ends-foreign are not included:
- The G10 Committee approved 212 eavesdropping operations, most of them were conducted by the domestic security service BfV (up from 157 in 2012). This involved some 350 people, most of them suspected of islam fundamentalism.

- In 26 cases, the domestic security service BfV used an IMSI-catcher to trace or intercept the mobile phone of 29 persons (more as twice as often as in 2012)

- BND is allowed to filter communications by using selectors. If Germans could be involved, it is not allowed to use selectors that identify specific targets (like phone numbers and e-mail adresses), so in that case, only generic search terms (keywords) may be used.

- The official report (pdf) provided the following numbers of approved search terms, of what was filtered out and of what was marked as relevant for foreign intelligence purposes:

SubjectSearch termsFiltered outRelevant
Ca. 800
Content: 906
Metadata: 639
Ca. 11.700Content: 14.411
Metadata: 1
Ca. 28Content: 84
Metadata: 76

Links and Sources
- Offical page of the committee: 1. Untersuchungsausschuss ("NSA")
- Internal NSA presentation: Structure of the BND (pdf)
- Spiegel.de: Spying Together: Germany's Deep Cooperation with the NSA
- Reports with numbers for 2013:
   - Gemäss Terrorismusbekämpfungsgesetz (pdf)
   - Gemäss Artikel 10-Gesetz (pdf)

> See also: BND Codewords and Abbreviations