Friday, 05 April 2019

New Details About the Selectors NSA Provided to BND

(Updated: August 24, 2016)

Since last spring, the German parliamentary commission investigating NSA spying has been trying to find out whether the Americans secretly tried to spy on German and European targets.

During the hearings it became clear that the German foreign intelligence service BND wasn't able to fully prevent selectors, like e-mail addresses and phone numbers, provided by the NSA, from being fed into the collection system.

A special investigator was allowed access to the lists of rejected selectors and he reported about his findings last week. Here follows the background of this affair and the most important and interesting details from the investigation report.

> Many more details pieced together from the commission hearings can be found here

The BND satellite intercept station at Bad Aibling, Germany
(Photo: AFP/Getty Images)

Satellite interception

The origins of the selector affair go back to 2004, when the Americans turned their satellite intercept station Bad Aibling over to German intelligence. In return, BND had to share the results from its satellite collection with the NSA, for which the latter provided selectors, like e-mail addresses, phone numbers, etc. of the targets they were interested in.

Besides the satellite interception, Bad Aibling was also involved in cable tapping, but only under operation Eikonal (2004-2008), which was limited to cables from Deutsche Telekom in Frankfurt.

Until 2013, NSA is said to have provided some 690.000 phone numbers and 7,8 million internet identifiers. As a foreign intelligence service, BND is not allowed to collect German communications, let alone hand them over to NSA. In order to prevent that, BND tried to check all these selectors, initially by hand, but since 2008 by using an automated filter system called DAFIS.

Blocking German selectors

During a number of tough and lengthy hearings of the parliamentary commission that investigates NSA spying, BND employees had to admit that DAFIS was only able to filter out selectors that were clearly recognizable as belonging to Germans, like mail addresses ending with .de or phone numbers starting with (00)49.

There was hardly any effort to sort out selectors related to other European countries. Also the foreign e-mail addresses, like from Hotmail or Google, used by Germans were only blocked when someone at BND stumbled upon them. Although these kinds of selectors could have been blocked more systematically, it's impossible to enter all relevant ones into the DAFIS filter.

This means that when NSA targeted such foreign addresses, the chances they were rejected by DAFIS are not very high, and they will therefore have been activated on the collection system. Such selectors went into the tasking database, without practicable or reliable means to spot and block them.

Rejected selectors

When the DAFIS system found recognizable German selectors, they were marked as disapproved and not entered into the collection system, so they could not lead to any results.

Initially it seemed that these rejected selectors were put into a separate repository (German: Ablehnungsdatei, also Ausschussliste), but actually they stayed in the tasking databases and were only extracted for the purpose of the parliamentary inquiry.

This resulted in a list of almost 40.000 rejected selectors. An investigation by BND employee Dr. T. in August 2013 revealed almost 2000 e-mail selectors that had been activated, but now seemed politically sensitive. A simultaneous investigation by W.O. resulted in over 10.000 e-mail selectors belonging to European government agencies.

Overview of the dataflow for the NSA-BND cooperation at Bad Aibling

Special investigator

Members of the parliamentary investigation commission were eager to see those selectors, but they are sensitive and classified, so the government denied them access. Finally, a compromise was made, under which an independent special investigator was allowed to examine the lists of rejected and suspicious selectors and report back to the commission, without disclosing individual targets.

The coalition parties agreed upon Dr. Kurt Graulich, a former judge at the Federal Administrative Court, for this job. During the past 4 months he examined the selector lists and finished his investigation on October 23 with a report, which was presented in 3 versions on October 29:
- A classified report for the federal government
- A classified report for the commission
- A public report (263 pages pdf)

Report by special investigator Dr. Kurt Graulich

Selector lists

Special investigator Graulich examined the following lists (German: Liste) of selectors that had been rejected by the DAFIS filter, or sorted out by hand because they were considered politically sensitive:

a. The Ablehnungsliste, containing 39.082 selectors (2.918 from the telephony and 36.164 from the internet tasking database) from 2005 till March 2015.

Including most parts of:
b. The 2000er-Liste, containing 1.826 e-mail selectors, which were found in August 2013 by Dr. T. and afterwards marked as disapproved.

c. The 2005er-Liste, containing 74 telephone selectors (52 belonging to EADS, 22 to Eurocopter), which were found by the end of 2005 and were marked as disapproved in January 2006.

d. The Nachfund 1, containing several lists with a total of 444 telephone selectors that were found by semi-manual checks in 2007 and were all marked as disapproved.

e. Not available anymore were between 10.000 and 12.000 e-mail selectors that were found by BND employee W.O. when he checked the tasking database for terms related to European government agencies. He found results for eighteen European Union member countries and these selectors were marked as disapproved.

Types of selectors

By examining the largest list of rejected selectors (Ablehnungsliste), Dr. Graulich found that it contains the following types of selectors:
For telephony:
- IMSI: Numbers of cell phone SIM cards
- IMEI: Numbers of cell phone devices
- SCREENNAMES: User names or numbers, mainly used for VoIP calls
- EMAIL_ID: E-mail addresses, mainly used for VoIP calls
- PSTN: Phone and fax numbers

For internet:
- EMAIL_ID: E-mail addresses without permutations
- IMEI: Numbers of cell phone devices
- IMSI: Numbers of cell phone SIM cards
- IPV4: IP addresses
- PSTN: Phone numbers
- OTHER: For example user names, messenger or social network identifiers, cookies, login-data, phone numbers, hashes, etc.

In the tables that contain telephone selectors there's also a field for a description, like a text explaining the reason for targeting, a code or an abbreviation like CT for Counter-Terrorism.

For internet selectors, these descriptions were only visible for NSA personnel, but due to technical reasons not for BND and are therefore not available anymore. Because they lacked justifications, BND stopped using NSA-provided internet selectors for the time being as of May 2015.

Keywords were also used as selectors, but according to the report, they are rarely used, because they have to be very specific. Generic words like "bomb" would create way too many irrelevant results.

It's not clear whether PSTN only applies to traditional land line phone numbers, or also includes mobile phone numbers (known as MSISDN).

Telephone selectors

Together with experts from BND, special investigator Graulich examined all the selectors on these lists and tried to determine the reason for which they were originally rejected. Most important is the Ablehnungsliste, with the selectors that had been filtered out by the DAFIS system.

Most of the telephone selectors appeared to have been rejected because they belonged to German persons or companies and/or contained .de or (00)49. The e-mail addresses for VoIP calls were all blocked because they had no top-level domain - selectors that could not be attributed to a country were rejected.
On the website Netzpolitik.org it was noticed that for VoIP, one doesn't use e-mail addresses, but SIP addresses, which do have a similar format, like 3246697@voipprovider.com, but which are often under generic top-level domains. Also, blocking IMEI numbers containing "49" wouldn't be very effective, as there are other codes used for Germany, and phones may be sold throughout the European Union.

Some telephone selectors were also not activated because the description field contained terms like for example "German", "Germany" and "Europe".


For one internet identifier, like for example an e-mail address, there are multiple permutations, each of which is counted as a separate selector. There can be up to twenty different permutations for one identifier, which explains the very high total number of internet selectors (7,8 million), compared to those for telephony (690.000).

Such a permutation is used to address the various encoding protocols used on the internet. The report gives the following examples:
- mustermann%40internet%2Eorg (HTML-Hex)
- mustermann\&\#37;2540internet.org (multiple encodings)
- mustermann\\U0040internet.org (UTF-16)

Taken together, all permutations of an internet address are called a Telecommunications Identifier (German: TeleKommunikationsMerkmal or TKM). For telephony, the TKM equals the selector, in other words, there are no permutations for telephone numbers.

Internet identifiers

Many internet selectors were rejected by the DAFIS filter system because they belonged to German persons or companies, contained German codes like .de and (00)49, or names of German companies. Also a number of IP addresses had been rejected, but it wasn't possible to determine why. They now belong to providers outside Europe.

The investigator could also not determine what the reasons had been for blocking the remaining internet identifiers, like user names, messenger or social network identifiers, cookies and login-data. NSA provided them combined with other selectors in a so-called equation, but BND separated these for DAFIS filtering, which makes it impossible now to relate them to identifiable selector types.


Of the Telecommunications Identifiers (TKMs) found in the original Ablehnungsliste with the rejected selectors, 62% belong to government agencies of European Union member states, 19% to Germans outside Europe, 7% to European Union institutions, 6% to Germans, 4% to foreigners abroad, 1% to Germans in Europe and 1% to German embassies.

For all selector lists, the reasons why the selectors were apparently rejected can be found in this table:

Table with the reasons why BND rejected certain NSA selectors
(Table: Graulich report)

German targets

The examination of the selector lists revealed that NSA provided several hundred selectors related to Germans, but most of them were blocked by the DAFIS filter. Around 250 had been active for a shorter or longer period of time, but it is not known whether this resulted in communications being collected.

As the 2002 Memorandum of Agreement (MoA), under which the cooperation at Bad Aibling was established, prohibits targeting Germans, the German selectors that had been activated are a violation of the agreement, and moreover also a violation of German law.

The rejected selectors are mainly about German companies, both inside Germany and outside Europe. Without knowing the reasons for targeting these companies, it cannot be said whether this would constitute economic espionage. Construction companies for example can be involved in both civilian and military projects (so-called dual-use).

WikiLeaks' lists

It is interesting to see that there are no rejected selectors that belong to German cabinet ministers. This means NSA wasn't so stupid as to send BND the list of selectors that contains the phone numbers of chancellor Merkel, several ministers and high-level federal government officials - a list that was published by WikiLeaks last July.

Even more interesting would be to know whether the rejected selectors contain the phone numbers of the French prime minister and his cabinet ministers, which were on a similar tasking database list that was published by Wikileaks in June. Special investigator Graulich wasn't able to determine this, because Wikileaks redacted the last 4 digits of the phone numbers.

European targets

The biggest number of rejected selectors are e-mail addresses (and some other internet identifiers) of European government agencies: 22.024 selectors, being the permutations of 2195 telecommunications identifiers (TKMs).

The overwhelming majority of them was only blocked after August 2013, when the public outrage over NSA spying began. First, selectors were disapproved after the investigations by Dr. T. and W.O., and in November, BND president Schindler ordered all e-mail addresses with a European Top-Level Domain (TLD) to be removed from the BND and NSA tasking database.

Before that new directive, the DAFIS filter wasn't configured to block these European selectors:
- Stage 1 of this system only blocked things like the German TLD .de, the telephone country code (00)49 and the IMSI country code 262;
- Stage 2 blocked foreign identifiers when BND noticed that they were used by German citizens or German companies;
- Stage 3 blocked an initially small number of foreign identifiers that should not be activated because that would be against "German interests".
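
The Stage 1 check and the permutation handling described above, as an added Python sketch (not code from BND, the Graulich report or the original article): it decodes the report's three example permutations back to one identifier, groups permutations into a TKM, and applies the Stage 1 markers named in the list. The function names, the sample values other than the report's mustermann examples, and the assumption that phone numbers arrive in international format are constructed for illustration.

```python
import html
import re
from collections import defaultdict
from urllib.parse import unquote

# Matches \U0040-style escapes as in the report's third example.
_U_ESCAPE = re.compile(r"\\[uU]([0-9A-Fa-f]{4})")


def canonicalize(value: str) -> str:
    """Undo nested HTML-entity, percent and Unicode escapes until stable."""
    for _ in range(10):  # nesting bound; an assumption, not from the report
        decoded = unquote(html.unescape(value))
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == value:
            break
        value = decoded
    return value.strip().lower()


def group_by_tkm(selectors):
    """Group permutations under their decoded identifier (the TKM)."""
    tkms = defaultdict(list)
    for selector in selectors:
        tkms[canonicalize(selector)].append(selector)
    return dict(tkms)


def stage1_blocked(kind: str, value: str) -> bool:
    """Stage 1 markers from the article: TLD .de, (00)49, IMSI code 262."""
    decoded = canonicalize(value)
    if kind == "EMAIL_ID":
        return decoded.rsplit("@", 1)[-1].endswith(".de")
    if kind == "PSTN":
        digits = re.sub(r"\D", "", decoded)
        if digits.startswith("00"):
            digits = digits[2:]
        return digits.startswith("49")  # assumes international format
    if kind == "IMSI":
        return decoded.startswith("262")
    return False  # IPV4, OTHER etc. carry no Stage 1 marker


# The three permutations quoted from the report.
REPORT_EXAMPLES = [
    "mustermann%40internet%2Eorg",
    "mustermann&#37;2540internet.org",
    r"mustermann\U0040internet.org",
]

# Constructed sample selectors (not real targets).
SAMPLES = [
    ("EMAIL_ID", "erika.mustermann%40example%2Ede"),  # encoded .de address
    ("EMAIL_ID", "erika.mustermann@example.com"),     # German user, foreign TLD
    ("PSTN", "0049 30 5550100"),
    ("IMSI", "262019876543210"),
]

if __name__ == "__main__":
    print(group_by_tkm(REPORT_EXAMPLES))
    for kind, value in SAMPLES:
        print(kind, value, "blocked" if stage1_blocked(kind, value) else "passes")
```

The second constructed sample passes Stage 1, which is the gap described in the hearings: a foreign-provider address used by a German carries no marker the filter can see.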

This means that until the end of 2013, the e-mail addresses belonging to European governments had been active in the collection system: 12% of them for up to 100 days and 87% for an even longer period of time.


Foreigners, and especially foreign government agencies, have no right to privacy under the German constitution, so the collection of their communications is not a violation of German law. But investigator Graulich does consider the targeting of European governments a violation of the Memorandum of Agreement, which allows collection against European targets only for a very few specific topics.

Although the reasons why NSA was interested in these subjects are not known, the investigator judges that the broad targeting of European governments (like e-mail addresses of all members of government staff bureaus) is far beyond what the memorandum allows, and therefore this constitutes a severe violation of the agreement.


Graulich also says that NSA apparently misused the Bad Aibling satellite station to spy on other European countries - risking an embarrassment for Germany in its relationship with European Union and NATO partners.

However, BND itself also targeted for example the British diplomatic mission in India and the French diplomatic mission in Mali, and eavesdropped on the US Defense and Foreign secretaries as well as senators, when they used non-secure phone lines while traveling.

When in November 2013, BND searched through its own tasking database (PersonenBezogene DatenBestände, or PBDB), it came out that it also contained some 2800 selectors belonging to friendly nations. They were afterwards deleted, but this was kept quiet for almost 2 years.

On November 11, 2015, it was reported that a preliminary report by the investigation team of the parliamentary intelligence oversight commission says that among BND's own selectors, there were ones belonging to the FBI, the Voice of America, French foreign minister Fabius and the interior departments of European Union member states like Poland, Austria, Denmark and Croatia. Also targeted were international organizations like the ICC, the WHO and UNICEF. The selectors also included e-mail addresses, phone and fax numbers of the diplomatic representations of the US, France, Great Britain, Sweden, Portugal, Greece, Spain, Italy, Austria, and Switzerland, as well as European and US companies like for example Lockheed.

On November 26, 2015, Albert Karl, an official from the federal Chancellery, testified that European governments are not among the official goals which the government set for BND's intelligence mission (German: AufgabenProfil der Bundesregierung or APB). It's of course possible that European citizens are targeted because they are involved in terrorism or weapon proliferation.

On December 16, 2015, German media reported that at least 3 BND employees, including SIGINT director Hartmut Pauland, will have to resign. This came after the regular parliamentary intelligence oversight commission found that BND had some 3300 targets, including European Union institutions and governments, that were not according to the goals set by the government and therefore illegal. In the future, politically sensitive selectors will have to be approved by the BND leadership.

Crisis regions

One last thing that should be mentioned is that at Bad Aibling, the collection effort is directed at (the downlinks of) satellite links from crisis regions like the Middle East, Afghanistan and Africa. This means that if NSA deliberately provided BND all those selectors of European government officials, they should have known that they couldn't result in their day-to-day business communications.

Using these selectors to filter traffic from the satellite links from the crisis regions would only provide content when those European officials communicate with their counterparts or other people over there. And maybe it was just that what NSA wanted to find out - an option that was not considered in the Graulich report though.


In a first reaction on the report, the German government said that there will be stricter guidelines for the cooperation between BND and NSA, and also that oversight by the federal Chancellery will be increased. Opposition party members of the commission aren't fully satisfied with the report and still want access to the rejected selectors, as well as an examination of all 8 million selectors that NSA provided to BND.


On Thursday, November 5, special investigator Dr. Kurt Graulich was heard by the parliamentary investigation commission about his findings. This hearing didn't provide any significant new insights.

The other witness that day, BND lawyer Dr. Werner Ader, revealed that at Bad Aibling, there's highly sophisticated equipment, which allows the interception of satellites even under difficult circumstances, like coping with atmospheric disturbances and following non-geostationary satellites. The equipment "can follow what happens at the satellite".

In the German magazine Der Spiegel from April 2, 2016, it was explained on page 33 that selectors used by BND have the following format: they start with an e-mail address, a phone number or a similar designator, followed by the intelligence topic, with WPR for Waffenproduktion, LAP for Landwirtschaftspolitik, TEF for Terrorfinanzierung and ISG for Islamistische Gefährder, and then the country which is spied upon, designated by 3 letters, and finally a Sperrvermerk for those foreign intelligence agencies that should not see the results for this selector. They are designated with a 4-letter abbreviation of their codename, like HORT for HORTENSIE (United States) or BEGO for BEGONIE (Denmark).

Links and sources
- Yahoo News: Germany reins in spy service over NSA report
- Netzpolitik.org: Kein Ersatz für Selektorenliste: Abgeordnete Renner und von Notz über Graulich-Bericht
- Spiegel.de: Geheimdienstaffäre: Sonderermittler spricht von klarem Vertragsbruch der NSA

