The German Foreign Intelligence Agency Bundesnachrichtendienst taps internet traffic directly at the Internet Exchange Point DE-CIX in Frankfurt since 2009, replacing predecessor operation „Eikonal“ at Deutsche Telekom. This was stated by the operator of DE-CIX at the German Parliamentary Committee investigating Intelligence Agency mass surveillance operations. The German Federal Chancellery intervened several times and prevented both a Parliamentary Commission and the Federal Network Agency from investigating this mass spying operation.

This is an English translation of the summary of Klaus Landefeld’s statements as a witness in front of the German Parliamentary Committee investigating the NSA spying scandal.

First Eikonal, then DE-CIX

Klaus Landfeld is head of industry group eco, which operates the Internet Exchange Point ( IXP ) DE-CIX in Frankfurt, Germany. News magazine „Der Spiegel“ reported in October 2013 that the German Foreign Intelligence Agency Bundesnachrichtendienst (BND) is allowed to wiretap 25 Internet Service Providers at DE-CIX, including five German IXP and the traffic of multiple vendors, ideally within a single step.“ The „BND wanted access to the IXP and be able to say: today we want this cable, tomorrow maybe different ones.“ DE-CIX assumed the spies hat „to name individual, specific cables“. But BND wanted „everything“, „full access“.

DE-CIX analyzed the legal situation and concluded, that this is „not permitted in this way“. Their criticism involved, among other things, the implementation of the 20-percent rule from the G-10-law, the Federal wiretap law described by Wikipedia as „similar to Britain’s Regulation of Investigatory Powers Act 2000 and is comparable to the Foreign Intelligence Surveillance Act of the United States“. This G-10-law includes a limit that „strategic“ mass intercepts must be limited to a fifth of the „available bandwidth“. DE-CIX legal opinion was, that the BND should only be allowed to intercept 20% of the actual occurring traffic per line, but the BND wanted everything.

On top of that, in „2009 there were different ideas of filtering systems“ to filter out traffic from German citizens who are protected by law. DE-CIX came to the conclusion: „We did not want to implement that“.

Legal concerns ignored

But in the „preparatory talk“ in August 2008, the BND ignored the concerns of DE-CIX: „If we are ignored as the operator, because we do not think this is permitted by law, this is only one-sided information access.“ Topics of the meeting were IXP works. The BND did not want access to specific fiber optic cables, but to all traffic of certain „Autonomous Systems ( AS ), which concerned several cables“. Despite DE-CIX‘ criticism, the BND pushed for a implementation.

After the meeting, DE-CIX contacted members of the Federal Parliament’s G-10 commission, which decides about wiretaps, similar to the United States Foreign Intelligence Surveillance Court. „No one of the members wanted to talk to us“, including the subsequent witness at Thursday’s inquiry hearing. Only since deceased Liberal politician Max Stadler agreed to a meeting, but said: „he can’t do anything.“

Intimidation by the Chancellery

„That led to an appointment with the Chancellery, who told us that we were not allowed to talk to the G-10 commission, because the operation was not yet ordered“. This was a „very unusual approach“, „we were out under pressure“. „If I am summoned by the Chancellery, this is not the rule of law, but power play.“ This meeting at the Chancellery took place on February 27, 2009.

Afterwards, „nothing happened“ for a long time. The BND experienced „technical difficulties in implementation“, it „was new for them, too“.

Foreign intelligence agency monitors domestic service providers

„Then we received a G-10 order“, an order obliging a telecommunications provider to comply with surveillance requests, „which affected some providers, but not all of them“. It was „significantly less than what was discussed back in 2008“. This first order „also contained German providers“ and „German domestic cables“, for example a „cable from Frankfurt to Berlin with 95 % German traffic“. „German domestic Internet Access Providers, whose sole business is connecting cables in the region, therefore having at least one side of every communication always in Germany. I fail to see where the foreign traffic is here.“

The BND wanted to access traffic from German providers at DE-CIX, whose traffic they could have also received directly. „But right from the start, we thought that BND should contact the owners of the respective cables directly.“ Afterwards, DE-CIX „had discussions with companies that were affected by our order. They also asked themselves, why they were not contacted by the BND.“

In addition, the BND also wanted internet traffic from „other European countries and providers.“ International „transit traffic“ is considered as „beyond law“ anyways.

BND wiretaps DE-CIX since 2009

DE-CIX continued to ask „why this is possible“ and „if all of this makes sense,“ but nevertheless followed the order in early 2009. Since 2009, the BND wiretaps DE-CIX in Frankfurt, and receives approximately „two percent“ of the bandwidth sold and theoretically available.

The German government thinks, that this information is irrelevant to the investigation committee, because it does not happen in direct cooperation with the Five Eyes.

Usually „the entire cable traffic is mirrored. What happens afterwards is out-of-reach for the providers, we cannot check they comply with the rules and laws“. DE-CIX has „a formal auditing duty, but we cannot put that into practice.“

Landefeld wants a technical guideline for these „strategic“ mass interception measures, analogous to the monitoring regulations in classical telecommunication surveillance. There, „everything is documented down to the last bit. For G-10 there is nothing.“ Landefeld thinks „that the law as it is written does not meet the requirements of modern communication networks any more“.

20-percent limit sabotaged

To monitor internet telephony, one „has to record all VoIP -connections and save them, for technical reasons“. Only afterwards, they can be analyzed. It is undefined „how long these recordings can be retained“. „Can you listen to 100 percent of the telephone traffic because that’s within the 20 percent? My definition is different.“

The Federal Network Agency „Bundesnetzagentur“ proposed a solution: to apply the 20-percent rule „at the application layer, so that, for instance, the number of e-mails, web pages, etc. […] is reduced by randomized automatic deletion.“ Landefeld appreciates this idea: „These are the kinds of technical solutions I am looking for.“

Currently, „there are no checks and balances outside of the secret agencies“. „At the moment“, these questions are only defined by the „internal lawyers of the BND“: „This can’t be!“, Landfeld said.

Other communication exchange points wiretapped, too

„Previously“, other communication exchange points in Düsseldorf and Hamburg had been wiretapped by the BND, too. The entire foreign telephony communication was running through these old switching points of the former federal post office, now Deutsche Telekom.

Although DE-CIX had „doubts about the legality of the G-10 orders“, Landefeld would not say whether they „took legal action“. Eco has „several lawyers dealing with this topic. Also external ones. We have ongoing debates since mid-2014.“ But „well-established case law is very thin, the number of decisions vanishingly small. You cannot claim, that there is an established constitutional opinion about this topic“.

Intelligence agencies „trade data“

The BND claims that so called „transit traffic“ between two foreign states „can be passed on“ to foreign intelligence services, like the NSA, the „Google of intelligence agencies“. Intelligence agencies „engage in a flourishing trade of data“, a „business like any other.“

„In technical circles it has been talked about repeatedly“, that intelligence agencies „trade entire traffic streams“. „Everyone in the scene has heard that intelligence agencies exchange traffic“, it’s an „open secret“.

„Germany also does what they accuse the USA of“

On June 14, 2013 Landefeld was invited to the Ministry of Economic Affairs by the former Minister of Justice Sabine Leutheusser-Schnarrenberger and Minister of Economics Philipp Roesler, who wanted to receive „initial information“ after the PRISM-revelations: „The whole problem was unknown inside of the ministries. They had absolutely no knowledge of what is happening in Germany and what the usual practices are. We were very surprised. After all, what the US has been accused of, is also happening in Germany in one way or another“.

In early July 2013, Landefeld called the Intelligence Coordinator at the Federal Chancellery and asked what he should answer in response to media inquiries, because „by saying ’no comment‘ I would also admit it.“ The intelligence coordinator „said I wouldn’t have to invent anything and wouldn’t have to lie“.

He still wants more rights to speak publicly, because „if a measure is within the law, you should also be allowed to talk about it in a general form, obviously not about details.“ In other countries, this is possible: „In the UK, I can talk about it openly. They are obviously not disturbed by that.“ In Germany you „cannot even say that you had contact with BND. The self-understanding of the agencies is strange.“

German authorities wanted their own PRISM

On July 16 and 24, 2013, there had been „discussions with the Federal Network Agency, with a lot of stake holders and the Attorney General“.

„On July 24, some stakeholders wanted to know, why they do not have [the revealed] access [of the the NSA] at their disposal and why they do not have access to German domestic traffic. The demand for their own PRISM appeared rapidly.“ At that time, the DE-CIX wiretap was not discussed, „in 2013 it was still held under a lid“.

Chancellery stops Network Agency

On August 9, 2013 the Federal Network Agency „Bundesnetzagentur“ held a hearing with telecommunications companies. In preparation, they sent out a questionnaire to the companies, including the questions, „Does your business run monitoring devices […] to implement so-called strategic restrictions under […] G-10 law?“ and „Do you adhere to the rules for logging the use of this equipment and the control of these logs?“

In response, Landefeld called the Chancellery again and asked, „how to answer these questions.“ Afterwards, the Chancellery called the Federal Network Agency Vice President and said: „the companies must not answer these questions“ and the „Network Agency was not allowed to ask these questions“.

International Companies in a „two-sided war“

Foreign intelligence agencies did not openly approach DE-CIX: „There was no contact attempt. If there had been, we would have rejected them immediately.“

The DE-CIX IXP in New York is operated by DE-CIX North America Inc., a subsidiary of the German company DE-CIX which is subject to US law. „If there are mass surveillance orders, the involved parties are not allowed to talk about it.“ However, there haven’t been any FISA orders at DE-CIX North America yet: „I can talk about that, because there were no orders.“ However, if there are, they would have to remain secret.

Even DE-CIX IXP UAE-IX in Dubai has to „comply with the legal provisions of the country“.

Foreign companies in Germany, including German subsidiaries, are also obliged by their home country laws to pass Internet traffic to their secret services. The companies are fighting a „two-sided war: according to German law you are not allowed to ex-filtrate data from Germany, according to US law you are obliged. In result, the providers have to choose the lesser of two evils“. Landefeld pointed out, that „routers in Germany are often not operated domestically, but from a Network Operations Center (NOC) in the USA. As a consequence, employees in Germany have „limited influence“ on their configuration.

Secret Access technically possible

Technically, it would be possible for intelligence agencies to get undiscovered back-door access, if the switch or operating system is compromised. But this „requires a cable to ex-filtrate the data“. This could theoretically be done with a „cable under a cover-up“. It has been implied by the head of the committee that this could be implemented in the future.

As an advisor, Landefeld has seen intelligence agencies ex-filtrating mass traffic both with and without co-operation of the network operators.

„Every major switch supports [ex-filtrating data] and has lawful interception functionalities,“ because of laws like the American Communications Assistance for Law US Law Enforcement Act (CALEA). In the US, the „implementation of surveillance measures“ happens „fully automated“, triggered by the authorities. This is technically integrated into the systems.

In Germany, such measures are currently „only prevented by the legal need for individual evidence for surveillance measures. Therefore, German providers still confirm surveillance taps by ‚clicking a check-box‘.“

Industrial espionage with a swapped switch

DE-CIX employs a four-person security team that analyzes hardware and software. In addition, DE-CIX is IT certified and evaluated annually by the Federal Office for Information Security. Since the Snowden revelations, DE-CIX also tries to mitigate the uncovered scenarios. Currently, they are implementing „traffic counters on individual ports“, to make sure that the amount of incoming and outgoing traffic match.

Asked about his personal experiences as an expert in the field of industrial security, Landfeld reported a concrete example of „industrial espionage against a mechanical engineering company“: I „learned of occurrences, where people showed up at business customers premises, claiming to be from a communication provider. This is real, I went through this scenario with several customers“. They „even interrupted fibre optic cables to produce interruptions. Then someone showed up who ‚fixed‘ the situation by exchanging regular routers with compromised routers“.

[As always, we also published an almost complete live transcript of the inquiry hearing, including another witness.]