December 16, 2014

German investigation of the cooperation between NSA and BND (II)

This is part II about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

Here we provide summaries of the hearings of a number of BND employees, who provided some interesting details about satellite interception at the Bad Aibling station, the subsequent processing and storage of data and also about the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of the cover names they use when at work(!).

The room where the hearings of the parliamentary committee take place
(photo: DPA)

14th Meeting, September 25, 2014 (Transcript)

- Hearing of the witness Mr. R. U. (BND, head of the site in Bad Aibling):

The BND site in Bad Aibling is for satellite interception. In Bad Aibling there's no interception of point-to-point microwave transmissions, which is done by putting an antenna in between the two microwave antennas that transmit the signals that have to be intercepted.

(This BND satellite station is part of the former NSA Bad Aibling Station that was codenamed GARLICK, from which BND took over most of the facilities in 2004, including nine of the large satellite dishes hidden under white radomes)

When the Bad Aibling site was led by the witness, it had 120 personnel and was divided into three sections:
- Management
- Technical (operation of the antennas, network security, script programming, installation of computers)
- Analysis (analysing the collected data, language translating capabilities)

An important goal was protection of German troops deployed in countries like Afghanistan. BND was also able to prevent attacks on ISAF forces. Other goals for the satellite interception were anti-terrorism and rescuing people who have been kidnapped.

Satellite interception

In remote countries, domestic communications also use satellite links, which can also be intercepted from inside Germany. This collection is restricted by technical limits, which mean that only a small number of satellites can be accessed, and from those, only part of the communications can be intercepted. Also, not everything can be analysed, because much of it is in local languages. Therefore, there's no mass surveillance. BND only collects promilles (tenths of a percent) of what would be theoretically possible.

Nonetheless, the amount of satellite traffic from Afghanistan that can be intercepted from Bad Aibling is rather high. Asked about media reports quoting former NSA and CIA director Michael Hayden ("We kill people based on metadata"), the witness replied that metadata are not specific enough for pinpointing drone attacks on specific people. Metadata like cell-IDs define areas of 50-60 square kilometers, which is not precise enough for bombing a house.

(Hayden's "we kill people based on metadata" was followed by "but that's not what we do with this metadata", referring to the Section 215 (domestic metadata) database. What Hayden meant by the first part of this statement isn't clear. There was also a report by The Intercept, in which a former JSOC drone operator said that some targets were tracked by metadata and then killed based upon the SIM card they used.)

The former NSA satellite intercept station in Bad Aibling,
parts of which are now used by the BND

The Joint SIGINT Activity (JSA)

Since 2004, NSA and BND cooperated in the Joint SIGINT Activity (JSA), which was located at the Mangfall Barracks, also in Bad Aibling. The JSA consisted of both German and American personnel. Most of the equipment was provided by NSA. Management was in the hands of BND, and in turn, NSA got access to the German satellite collection.

For this satellite interception, NSA provided BND with selectors, like phone numbers and e-mail addresses, most of them belonging to targets in Afghanistan. These selectors are on an American server, from which BND personnel can pick them up 2, 3 or 4 times a day. Then these selectors were checked at the headquarters in Pullach for whether they included German citizens or companies. These were taken out, just like the ones that contradicted German national interests.

The cooperation between NSA and BND declined after 2004. Since the JSA was closed in 2012, there's only an NSA liaison office and some technical support left in Bad Aibling. Both are located in a building that is nicknamed Tin Can (Blechdose), because of its windowless exterior of black-painted metal. Here, BND personnel have to ring a door bell when they want in, and there's a similar procedure for when US personnel want to visit BND buildings.

Header of a newsletter from the Joint SIGINT Activity (JSA)
(Click for a JSA newsletter (pdf) from 2007)

Tools and databases used by BND

After selectors have been cleared and entered into the collection system, the result is, for example, a phone call that appears in the data processing tool of an analyst. This is not a random phone call, but one that has been filtered out based upon the selector. The analyst can then listen to this phone call, maybe has to translate it, and decides whether it is relevant or not. If not, it is deleted; otherwise he writes a report (Meldung), which is sent back to headquarters.

XKeyscore is an analysis tool that is used to look whether internet data that have been collected contain relevant information. BND uses XKeyscore on their own computers and servers. NSA only provides (software) updates and has no access to BND networks through XKeyscore. For sharing data, there was only one-way traffic from BND to NSA through highly secured firewalls.

Collected internet content is stored for only a few days, other (meta)data for a few days up to a few weeks. When there's a match, the selected data are stored for 1 or 2 years at most, not in Bad Aibling, but at the BND headquarters. In Bad Aibling there was no real-time collection. Quasi real-time means many, many minutes, and until something shows up on the monitor it takes hours.

Besides XKeyscore, BND uses, among others, the programs MIRA4 and VERAS, which are classified analysis tools. The first one is used to listen in to phone calls, the latter one for visualising metadata and showing who has called whom. Metadata are data that contain no content. When, for example, a website like is viewed from a computer, this creates more than 100 pieces of metadata.

- Hearing of the witness Mr. J. Z. (BND official, since 2008 head of the technical unit of the JSA, which uses XKeyscore). This hearing was entirely behind closed doors.

- . - . - . - . -

16th Meeting, October 9, 2014 (Transcript)

- Hearing of the witness Ms. H. F. (BND, legal counsel for data protection):

This witness is responsible for data protection regulations, but not for the implementation of the so-called G-10 Act, which protects the communications privacy of German citizens and corporations under article 10 of the constitution (Grundgesetz).

The witness has set up educational programs for BND employees and is regularly auditing the various systems and databases used by BND, especially in the SIGINT division, where not all databases have formal data protection procedures (like for access control) yet. All BND databases, regardless of where their data come from, fall under the German Data Protection Act (BundesDatenSchutzGesetz).

The witness audited many databases, like for example:
- INBE (INhaltliche BEarbeitung)
- VERAS (VERkehrsAnalyseSystem)
- PBDB (PersonenBezogene DatenBestände)
In total, there are about 25 databases (Auftragsdatenbanken) which serve the SIGINT collection process. Besides these databases, BND uses about 20 programs provided by NSA, most of them are technical tools, like for language translation.

In Bad Aibling, only satellite communications are intercepted. After German communications have been filtered out, they are stored in databases according to their type: metadata go to VERAS and content goes to INBE. The latter database succeeded MIRA4 in 2010 and currently contains several hundred thousand data sets, including data from German citizens. Both VERAS and INBE were developed by BND.

The witness couldn't estimate how many data are in VERAS (which was set up in 2002). It contains mainly metadata from telephone communications, with the purpose of call chaining for creating contact graphs. BND uses this tool for connecting phone numbers as far as 4 or 5 hops from a known target. This doesn't mean that it always goes that far, because the further away from the initial known target, the more difficult it is to discover the connections.
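To make the "4 or 5 hops" concrete, here is an added illustration of contact chaining over call metadata (not BND or VERAS code): a breadth-first walk from a known target over constructed call records with fictitious numbers. One of the constructed numbers is a phone shared by a whole group, the situation the witness mentions for clans, which shows how a single hop can pull in many numbers and why hop counts matter for data protection.

```python
# Added illustration of call chaining; not BND/VERAS code. Sample data is constructed.
from collections import deque

# Constructed call detail records as (caller, callee). Direction is ignored for
# chaining; other metadata fields (cell-ID, provider, duration) are not needed here.
SAMPLE_CALLS = [
    ("+93-70-0000001", "+93-70-0000002"),   # known target -> contact A
    ("+93-70-0000001", "+93-70-0000003"),   # known target -> contact B
    ("+93-70-0000002", "+93-70-0000004"),   # A -> C
    ("+93-70-0000003", "+93-70-0000099"),   # B -> a phone shared by a whole clan
    ("+93-70-0000099", "+93-70-0000011"),   # four people using the shared phone
    ("+93-70-0000099", "+93-70-0000012"),
    ("+93-70-0000099", "+93-70-0000013"),
    ("+93-70-0000099", "+93-70-0000014"),
    ("+93-70-0000004", "+93-70-0000005"),   # C -> D
    ("+93-70-0000005", "+93-70-0000006"),   # D -> E
    ("+93-70-0000006", "+93-70-0000007"),   # E -> F
]

def build_graph(calls):
    """Undirected contact graph: number -> set of numbers it exchanged calls with."""
    graph = {}
    for a, b in calls:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def chain(graph, seed, max_hops):
    """Breadth-first chaining from a known target; returns {number: hop distance}."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:       # do not expand beyond the hop limit
            continue
        for nxt in graph.get(cur, ()):
            if nxt not in dist:         # first visit is the shortest hop count
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def numbers_per_hop(graph, seed, max_hops):
    """How many numbers each hop adds, i.e. the reach of a chaining order."""
    dist = chain(graph, seed, max_hops)
    return [sum(1 for d in dist.values() if d == h) for h in range(max_hops + 1)]

if __name__ == "__main__":
    g = build_graph(SAMPLE_CALLS)
    print(numbers_per_hop(g, "+93-70-0000001", 5))   # [1, 2, 2, 5, 1, 1]
```

Hop 3 alone adds five numbers here because of the shared phone; with a hop limit of 3 the two numbers at the far end of the chain are never reached.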

In several cases, like for example with INBE and VERAS, BND failed to comply with the formal requirement from the Data Protection Act for a so-called "Dateianordnungsverfahren", even for several years. After the witness recognized this, she pushed for these legal requirements to be fulfilled, although it was more a bureaucratic formality than a big shortcoming.

There's still discussion at BND about whether metadata are always personal data. Metadata like German telephone numbers are considered to be personal data, because it is easy to look up to whom such a number belongs. In foreign countries, like Afghanistan and Pakistan, that's not so easy. Phone numbers are also used by a whole clan for example.

The president of the BND has decided that collection in Bad Aibling is not subject to the provisions of the BND Act (BND-Gesetz), because only foreign satellite communications are intercepted. The witness disagrees, but was overruled by the president.

- The planned hearing of the witness A. F. (also a BND employee) was postponed to November 13.

- . - . - . - . -

18th Meeting, October 16, 2014 (Transcript)

- Hearing of the witness Mr. T. B. (BND, at Bad Aibling from 2002-2007):

The witness explained that one phone call creates between 20 and 30 pieces of metadata. Not all of them are useful for targeting because they are not specific enough, like for example a mobile phone cell-ID. Metadata include the number that was called, the cell-ID, the provider, the duration of the call, etc.

Raw data are signals (like radio frequencies) that have been processed. Raw data in turn can be processed into metadata and content. These are then automatically filtered and selected, and when finally a human takes a look at them, this can result in a report (Meldung).

Raw data were not counted by BND, only the reports, of which only a handful were produced at Bad Aibling. This low number was also due to the fact that only a small part of the collected communications was actually translated.

XKeyscore was first used by BND in 2007, but back then this tool was by far not as sophisticated as in 2013.

- After just a short while, this hearing was ended after it became clear that the witness had read internal BND documents that had not yet been fully handed over to the committee.

Links and Sources
- Official page of the committee: 1. Untersuchungsausschuss ("NSA")
- Internal NSA presentation: Structure of the BND (pdf)
- Spying Together: Germany's Deep Cooperation with the NSA

> See also: BND Codewords and Abbreviations

1 comment:

Anonymous said...

I'm really not surprised there's a huge ongoing investigation into all of this spying (c)rap going on. You know they were talking about knocking back these guys and their huge budget and then the guy in the oval office simply approved more spying. The man is an absolute tool, he codes one line into the movie Frozen and suddenly he thinks he can grasp all the programming that goes into securing his cell phone? At least programmers everywhere now have a heads up and thanks for the articles, most informative with all the pics and codewords, clearly if you want to run a huge spying cluster, you need a Cybex Switchview, four PCs with Green, Red and Yellow Stickers, (preferably without implants) a SIPRnet Box (it came out in the 80's for Christ's sake) which has never exactly been a secret with regards to what protocol. The corresponding IP ranges and you're all set to rock and roll.