Thursday, 28 February 2019

Secret Report Reveals: German BND Also Uses XKEYSCORE for Data Collection

(Updated: Dec 3, 2016)

Over the past few years we learned a lot about Germany's foreign intelligence service BND, although not from leaks, but from public hearings of the parliamentary commission that investigates NSA spying operations and its cooperation with German agencies.

Recently however a secret government report was leaked to German media, which not only identifies violations of the data protection act but also reveals the codenames for several BND systems and the fact that BND uses the American XKEYSCORE system not only for analysis, but also for collection purposes.

Here, the new information from the secret report is combined with things we know from earlier sources and reportings.

- A secret report
- The SUSLAG liaison office
- Selectors provided by NSA: TND and SCRABBLE
      - BND's selector database: PBDB
- Operations SMARAGD and ZABBO
- Metadata analysis: VERAS
- Analysis and collection: XKEYSCORE
- Integrated analysis: MIRA 4
- Legal defects


The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)


A secret report

The report that now has been published goes back to September 2013, when the then federal data protection commissioner Peter Schaar ordered a thorough inspection of the BND satellite intercept station in Bad Aibling, which took place on December 3 and 4 of that year.

In October 2014, Schaar's successor Andrea Voßhoff conducted a second visit to Bad Aibling, which in July 2015 resulted in an extensive and detailed report (German: Sachstandsbericht) about all the systems used at this BND station. This report was (and still is) classified as Top Secret.

Additionally, Voßhoff made a legal assessment based upon the Sachstandsbericht. This was finished in March 2016 and sent to then BND president Schindler and the federal chancellery. It was classified as Secret, but was leaked to regional broadcasters NDR and WDR and a transcription of the full document was published by the digital rights platform Netzpolitik.org on September 1.

Both reports are about the cooperation between BND and NSA, which goes back to 2004, when the Americans turned their satellite intercept station Bad Aibling (codenamed GARLICK) over to German intelligence. In return, BND had to share the results from its satellite collection with the NSA, for which the latter provided selectors, like e-mail addresses, phone numbers, etc. of the targets they were interested in.



Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building at the very top seems to be the BND facility,
the one nearby with the white roof NSA's "Tin Can".


The SUSLAG liaison office

After taking over the Bad Aibling satellite station, BND seems to have moved the command facility to the nearby Mangfall Barracks, which were taken over from the German military (Bundeswehr) in 2002. For the Special US Liaison Activity Germany (SUSLAG), which is the liaison office of NSA for Germany, a new highly secure container building was built on the Mangfall Barracks premises in 2003 (nicknamed "tin can" or Blechdose).

According to the commissioner's report, the SUSLAG building and the building with BND servers and equipment are connected through a 100 MBit/s fiber optic cable. SUSLAG also has a technical data link to the NSA's primary communications hub in Europe, the European Technical Center (ETC) in the Mainz-Kastel district of the city of Wiesbaden.

Cooperation between the US and Germany in the Joint SIGINT Activity (JSA, 2004-2012) took place inside the BND building, for which NSA personnel had access permissions. After the JSA was terminated, SUSLAG personnel kept their entrance rights for the BND building, but it has separate rooms for highly sensitive information to which none of the Americans have access.

A letter from BND from October 15, 2015 says that at that moment, 10 people from NSA worked at SUSLAG, with the following access rights:
- 2 have access to building 7 (SUSLAG) only
- 4 have access to building 7 and building 4 (Administration)
- 4 have access to building 7 and building 8 (BND)

The SUSLAG building is only used by NSA personnel and BND claims that the data protection commissioner has no jurisdiction over the SUSLAG, but she disputes that and says the SUSLAG building is simply part of the BND complex. She also regrets that SUSLAG doesn't recognize her oversight authority.




Selectors provided by NSA: TND and SCRABBLE

For the satellite interception in Bad Aibling, some 4 out of 5 selectors come from NSA, the rest from BND. According to Süddeutsche Zeitung, NSA provided BND with roughly 690.000 phone numbers and 7,8 million internet identifiers between 2002 and 2013. That is an average of something like 60.000 phone numbers and 700.000 internet identifiers a year, or 164 phone numbers and over 1900 internet identifiers each day.

From the parliamentary hearings we already knew that BND personnel pulls the American selectors from an NSA server, and the commissioner's report now reveals that this server is in NSA's ETC in Wiesbaden. On this server BND puts back any results for these selectors. These data transfers from and to ETC go through the SUSLAG facility, but BND is able to get direct access to the NSA server in Wiesbaden through an FTP-gateway (a "BACOM system").

Selector databases

From an earlier parliamentary hearing we know that BND stores the selectors from NSA in 2 databases: one for IP selectors (from NSA only), and one for telephone selectors (from both NSA and BND). Each agency had access to its own IP database; the telephone database was managed jointly, but BND could only approve or disapprove NSA selectors, and NSA could only do so with those from BND.

The names of these databases were not known until now, but the commissioner's report mentions them, along with some additional details:
- Target Number Database (TND), which exists since 2008 and holds the telephone selectors from both NSA and BND. The latter either come from BND's own tasking database PBDB or are provided by domestic security services.

- SCRABBLE, which only holds selectors for packet-switched (internet) communications provided by NSA, after their format has been converted. These selectors initially had no description (Deutung, like a justification for the target). Because of this, BND temporarily stopped using them as of May 2015, and for the commissioner any results from them are unlawful because BND was not able to determine whether they are necessary for its mission.

Their names indicate that these database systems were provided by NSA, and together with the fact that they also contain NSA-provided selectors, this is likely the reason why these names were never mentioned during the parliamentary hearings - unlike those of BND's own systems.
Updates:

It was noticed that TND and SCRABBLE were actually mentioned once during the parliamentary hearings, when former BND president Schindler said that "the US has [its own] databases TND and SCRABBLE".

- PBDB - During a parliamentary hearing on November 9, 2016 it came out that BND's own tasking database PBDB (PersonenBezogene DatenBestände) became operational in the Summer of 2014, after a test period that started late 2012. Both in this system and in the previous system, it is/was logged when for example a selector was deactivated. An even older system had no such logging capability. Before 2014, BND field stations had their own proprietary tasking databases, at least some of them maintaining their selectors using Excel lists.
The PBDB is maintained by the T2-branch from BND headquarters. Analysts can enter any selectors (often multiple ones for a particular target) into PBDB that they assume useful for foreign intelligence purposes. Newly entered selectors are checked (through the DAFIS system) at BND headquarters to make sure they don't pull in German communications.
Results generated by approved and activated selectors are enriched with PBDB information in order to attribute them to their target. Maybe results are also stored in the PBDB database, where they can be accessed by groups of 4 to 5 analysts working on the particular topic. After it came out that BND itself also used selectors related to partner countries, those selectors were moved to a separate partition (called Gruppenliste) of the PBDB database in October 2013, so they couldn't be tasked anymore.

Approval

Before being stored in the SCRABBLE and TND databases, both the telephone and internet selectors have to pass the DAFIS filtering system, which checks whether they belong to German citizens or companies or may otherwise contradict German interests. Accordingly, the selectors are marked as "allowed" or "protected".

Those marked "allowed" are subsequently activated ("tasked") on the actual data collection systems. The report says that for this, hard selectors like phone numbers and e-mail addresses can be freely combined with content search terms (Inhaltssuchbegriffe) like key words, which could refer to the GENESIS language used for more complex XKEYSCORE searches.

According to the report, selectors marked as "protected" are sent back to NSA and are also deactivated in the TND and SCRABBLE databases - to make sure that they won't get activated when NSA provides them a second time (this confirms that there's no separate database (Ablehnungsdatei) with rejected selectors as was suggested during the earlier parliamentary committee hearings).

BND refused the data protection commissioner access to TND and SCRABBLE, so she wasn't able to check the individual selectors. She regarded that as a massive restriction of her supervision authority.



Operations SMARAGD and ZABBO

Selectors that have been approved are sent to the systems that filter out communications that match those selectors. Some of these systems are in Germany, others are abroad. The report of commissioner Voßhoff for the first time discloses 2 specific data collection operations and their codewords:

- SMARAGD, a cable tapping operation somewhere outside Europe and in cooperation with another foreign intelligence agency.

- ZABBO, collection in Bad Aibling of satellite communications from Afghanistan.

There's no explanation for why the commissioner only mentions these 2 operations. The satellite antennas in Bad Aibling undoubtedly collect from many more countries, but maybe these are the only operations from which, during the investigation period, data were shared with NSA.

SMARAGD = WHARPDRIVE ?

The way SMARAGD is described perfectly fits a certain type of operations in which a 3rd Party partner of NSA, like in this case BND, cooperates with yet another country that secretly provides access to data traffic, which is then also shared with NSA. According to the book Der NSA Komplex, BND and NSA conducted about half a dozen of such operations in recent years.

In its English version of the news report about this issue, the website Netzpolitik.org points to an NSA document that was published earlier by Der Spiegel. In it, we see EMERALD mentioned as an alternate codename for the NSA operation WHARPDRIVE, which is exactly such a trilateral program in which a third secret service participates.

WHARPDRIVE was still active in 2013, but in the Spring of that year, employees of the private company that operated the communication cables accidentally discovered the clandestine BND/NSA equipment, but the operation was rescued by providing a plausible cover story.*

The NSA report from April 2013 however said that "WHARPDRIVE has been identified for possible termination due to financial constraints", but this may have coincided with the exposure of the program in the book Der NSA Komplex in March 2014.

It should also be noted that Netzpolitik.org came up with this identification by translating the German codename SMARAGD into its English equivalent EMERALD. It is possible that the Americans also translated the German codeword SMARAGD into EMERALD, but just as likely is that it's a different program (maybe as a successor with the same set-up).

Update:
During a parliamentary hearing on November 9, 2016, member of parliament Renner said that SMARAGD is identical with EMERALD and that the operation was deactivated after Snowden, because it was mentioned in documents. BND-employee R.U. said that a cable access which terminates in Bad Aibling (likely the one from the SMARAGD operation), provided only a minimal data stream, by mistake of the foreign intelligence service (probably the 3rd partner involved).

Operation Eikonal

But there's another codeword connection: from 2004 till 2008, NSA cooperated with BND in operation EIKONAL in order to get access to fiber optic cables from Deutsche Telekom in Frankfurt.

From the parliamentary hearings we know that operation EIKONAL had GRANAT as its internal BND codename. And with GRANAT being German for garnet, and SMARAGD for emerald, we see that both operations are actually named after a gemstone, which often indicates some kind of similarity.

In October 2014, the Danish newspaper Information reported that the WHARPDRIVE access was opened in February 2013 and had the same size as EIKANOL. This operation EIKANOL or EIKONAL was a typical example of the way NSA cooperates with 3rd Party partner agencies under its RAMPART-A program, but unlike the SMARAGD/WHARPDRIVE operations with the cable access point being inside Germany:


 
Left: bilateral cable access operation (RAMPART-A) - Right: trilateral cable access operation
In the cases discussed here, Germany would be "Country X"


It is tempting to identify SMARAGD and ZABBO as the 2 collection programs (SIGADs US-987LA and US-987LB) from the BOUNDLESSINFORMANT chart for Germany that was published in July 2013. For both facilities together, more than 552 million metadata records were counted between December 10, 2012 and January 8, 2013.

Provided that this chart shows the only data shared by BND, it's very well possible that the satellite collection program ZABBO is one of them. For the cable access SMARAGD this is less certain and depends on when this program started and whether it is identical with WHARPDRIVE (which started in February 2013).



BOUNDLESSINFORMANT screenshot showing metadata provided by BND

Data transfer

The report of the data protection commissioner also provides an impression of the BND networks through which collected data are brought back to headquarters.

Data collected abroad are sent back to Germany over the operational network ISNoVPN (apparently something that goes "over VPN" for secure tunneling) and then arrive at a dedicated demilitarized zone (DMZ) network for data collection (Datenabholungs-DMZ).

In this DMZ network there's a virtual machine (VM) that acts as a host for data that come in from each collection facility (Erfassungsansatz). The report mentions the virtual machines "Import VM SMARAGD" and "Import VM ZABBO" for the operations SMARAGD and ZABBO respectively.

In these virtual machines, the metadata go through an Application Level Gateway (ALG), which is a security component combined with a firewall. Such an ALG is able to detect, filter and, when necessary, delete data from an incoming data stream. Again, there's an ALG for each collection facility: for example SMARAGD-ALG for data from the SMARAGD collection effort.

Finally, the collected data arrive at a network called NG-Netz, which is the back-end in Bad Aibling of the transfer system that pulls in data collected at a front-end access point (Erfassungskopf) somewhere abroad.





Metadata analysis: VERAS

The system that BND uses for analysing bulk metadata from circuit-switched communications is called VERAS, which stands for Verkehrs-Analyse-System or Traffic Analysis System. VERAS stores metadata only for up to 90 days and according to the commissioner's report they are derived from 2 sources:

- Metadata that come with communications collected after matching with specific selectors (the related content goes to the INBE database)

- All the metadata from selected communication links (satellite frequencies and fiber optic channels) that are regarded useful for intelligence purposes, but only after passing the DAFIS filter.

According to the manual for VERAS version 4.3.x from 2010, the system has a topology mode, in which connections can be created level after level, similar to the "hops" we know from the NSA's contact chaining method. There's no limitation to the number of levels that can be added and analysts can also focus on specific targets to create patterns-of-life (Bewegungsprofile) for them.

This kind of contact-chaining and metadata analysis inevitably involves metadata from innocent people. BND distinguished between directly and indirectly relevant. Directly relevant are metadata related to people who are already known or suspected for being relevant for intelligence purposes.

Indirectly relevant are metadata related to people who have some kind of connection to directly relevant people, or when such metadata are being stored from a "geographical point of view", which apparently refers to metadata of people being somewhere near a target without having been in direct contact.

The report says that metadata connected on such a geographical basis results in many more people being involved than when using telephone call or connection chaining. Data related to indirectly relevant people are also used by BND, for example as new selectors.

VERAS was introduced in 2002 and recently, VERAS 4 has been replaced by VERAS version 6, which was developed by the German military (Bundeswehr) as part of the VERBA (VERkehrs-Beziehungs-Analyse) project.

For VERAS 6 there's not yet a database establishing order (see below), but in February 2015 BND sent the commissioner a draft version, which she already considers illegal because BND admits that it is technically impossible to prevent that data of innocent people are being used in the VERAS system.



Analysis and collection: XKEYSCORE

Already in July 2013, Der Spiegel confirmed by W. K., a sub-division managing director in the BND's Signals Intelligence division, during a parliamentary hearing.

But now, the report of the data protection commissioner says that BND uses XKEYSCORE not just for analysis, but also for the collection of both metadata and content.

The report explains that in its data collection, or front-end function, XKEYSCORE uses selectors, single ones or freely combined ones in the form of fingerprints, to search for matches in IP traffic of both public and private networks, and stores anything that matches these selectors.

Remarkably enough, the commissioner writes that XKEYSCORE searches all internet traffic worldwide ("weltweit den gesamten Internetverkehr"), which seems to be a copy/paste from sensationalistic press reports, as XKEYSCORE can only search data which are collected at some physical access points and not even NSA has access to all the world's communications traffic, let alone BND.



Slide from an establishing order (Dateianordnung) and that they were also set up without prior approval by the commissioner. This makes the existence of these databases unlawful, which means the data they contain should be deleted immediately until an establishing order is provided.

BND argued that the absence of a database establishing order is just a formal defect and doesn't affect the legal status of a database and its content. The commissioner doesn't agree with that and says that one of the functions of an establishing order is to determine the purpose of a database, which limits and restricts the use of the personal data in it. The lack of such an order also means that there are no rules for when approvals by oversight bodies are required, thus making the use of these databases both unlawful and uncontrolled.

In response

Meanwhile, on September 7, the German interior ministry released a draft for a new data protection act, in which it is proposed that in the future, the data protection commissioner will not have the authority anymore to impose sanctions or fines on the secret services - so restricting the commissioner's authority rather than strengthening it.

Finally, on September 15, Edward Snowden also mentioned the commissioner's report on Twitter, saying that it "confirms mass surveillance". Apparently he didn't read the report, as it is actually about the lack of specific legal restrictions, not about the scope of BND's collection efforts.




Links and Sources
- Rolf Weber: Der geleakte BND-Bericht der BfDI Voßhoff -- wie gewohnt bei näherem Hinsehen wenig skandalträchtig
- Netzpolitik: Secret Report: German Federal Intelligence Service BND Violates Laws And Constitution By The Dozen
- Der Spiegel: NSA-Standorte in Deutschland: Wiesbaden
- Wikipedia: Operation Eikonal
