The German Intelligence Service BND illegally collected and stored mass surveillance data and has to delete those data immediately, including XKeyscore. This is one of the results of a classified report of the German Federal Data Protection Commissioner that we are hereby publishing. In her report, she criticizes serious legal violations and a massive restriction of her supervision authority.

This is an English translation of the original German reporting, which also includes the full source document. Translation by Andre Meister, Arne Semsrott, Hendrik Obelöer, Kirsten Fiedler, Simon Rebiger, Sven Braun and Valerie Tischbein.

When Edward Snowden exposed the global system of mass surveillance by secret services three years ago, including the German foreign intelligence agency BND, the German government tried to shelve the matter and declare the case closed. Only one small authority held out: Then-Commissioner for Data Protection Peter Schaar sent his staff on an inspection visit to the joint BND/NSA-station Bad Aibling in southern Germany, of which the BND feared a „very critical public“. The visit resulted in an elaborate „situation report“, but it’s classified „top secret“ and accessible to only a few people.

Additionally, the new Data Protection Commissioner Andrea Voßhoff produced a legal analysis of the findings and sent it to the Federal Intelligence Service coordinator in the German Chancellery and former BND president Gerhard Schindler. But this analysis is still classified „secret“ and our Freedom of Information-request has been denied. Media have raised the question „Secret, because embarrassing?“. We have now received this legal analysis and have published the full text of the document (in German).

18 Severe Legal Violations, 12 Official Complaints

This report is indeed embarrassing for BND and Chancellery: Over 60 pages, the highest German Data Protection Commissioner lists 18 severe legal violations and files 12 formal complaints. Such a complaint under the German Data Protection Act is the Commissioner’s most severe legal instrument – forcing the authorities to issue a statement in response. This is the first time that a German authority has received this many complaints at once. Usually, the Commissioner files a similar number of complaints in an entire year – to all federal authorities combined.

The report’s executive summary describes serious violations of the law [emphasis added]:

The BND has illegally and massively restricted my supervision authority on several occasions. A comprehensive and efficient control was not possible. Contrary to its explicit obligation by law, the BND has created [seven] databases without an establishing order and used them (for many years), thus disregarding fundamental principles of legality. Under current law, the data saved in these databases have to be deleted immediately. They may not be used further. Although this inspection was only focused on the BND station in Bad Aibling, I found serious legal violations, which are of outstanding importance and concern core areas of the BND’s mission. The BND has collected personal data without a legal basis and has processed it systematically. The BND’s claim that this information is essential cannot substitute a missing legal basis. Limitations of fundamental rights always need to be based on law. German (constitutional) law […] also applies to personal data which the BND has collected abroad and processes domestically. These constitutional restrictions have to be strictly adhered to by the BND.

Bad Aibling: Only One of Many Surveillance Stations

These are clear words that are even more damning considering that the inspection visit was limited to a single BND-outpost in Bad Aibling – and not a comprehensive review of all of the BND’s activities. Zeit magazine reported other stations across Germany, where the BND also collects, receives and processes mass surveillance data:

In the BND stations located in Schöningen, Rheinhausen, Bad Aibling and Gablingen, metadata from all over the world converge, about 220 million data points every single day.

But not even Bad Aibling could be thoroughly investigated by the Data Protection Commissioner: Repeatedly and contrary to law, the BND has „constrained [her] statutory powers of scrutiny“. These are „grave legal infringements“.

Emerald: „Non-European Cable Interception“

Nevertheless, the report corrects a few things, which were so far presented differently to the public and the Federal Parliament Inquiry Committee investigating the NSA spying scandal. For example, former BND-president Gerhard Schindler claimed that Bad Aibling intercepts only satellite signals from crisis regions. Now we have written proof that Bad Aibling also intercepts cables:

ZABBO is the satellite interception Bad Aibling in Afghanistan. SMARAGD is the cable interception in non-European countries with assistance by a foreign secret service.

An operation with code name „Emerald“ has also been mentioned in Snowden-documents published by Der Spiegel.

Last year, we reported that the BND intercepts cable communications in at least 12 locations. Now, for the first time, we have written proof that these data are also transferred to Bad Aibling and processed there.

No Database Establishing Orders: „Must Be Deleted Immediately“

All these data are collected by the BND’s computer systems, where they are stored and processed in various databases. The law obliges the BND to create an establishing order for each database and consult the Data Protection Commissioner. However, in at least seven cases, the BND did not comply with the law:

Contrary to legal provisions […] i.e. unlawfully, the BND created several databases (VERAS 4, VERAS 6, XKEYSCORE, TND, SCRABBLE, INBE, DAFIS) without having issued an establishing order and without the legally mandated consultation of the Commissioner. Additionally, the BND has stored extensive personal data in these databases and has processed them without respecting requirements that should have been set out in each particular establishing order – particularly defining the purpose of the database. These are severe infringements.

The Commissioner’s conclusion: The BND has to „immediately delete“ all data stored in these seven databases and „must not further process these data“. Delete all XKeyscore data. A slap in the face for the secret service.

XKeyscore: „Scan All Internet Traffic Worldwide“

One of these seven illegal BND databases is the notorious NSA tool XKeyscore – „NSA’s Google for the World’s Private Communications“, which collects „nearly everything a user does on the internet“:

The BND uses XKEYSCORE for SIGINT collection as well as for SIGINT analysis and stores both metadata and communication contents via XKEYSCORE – without an establishing order.

Unlike the German domestic secret service, the Federal Office for the Protection of the Constitution, which purportedly uses XKeyscore only offline to analyze already gathered data, the BND also employs XKeyscore for massive SIGINT data collection – directly at internet exchange points and fiber optic cables:

For the SIGINT collection, i.e. as so-called front-end system, XKEYSCORE – using freely definable and linkable selectors – scans […] the entire internet traffic worldwide, i.e. all meta and content data contained in internet traffic, and saves selected internet traffic data (e-mails, chats, content from public social media, media, as well as non-public – i.e. not visible to the normal user – messages in web forums, etc.) and hence all persons appearing in this internet traffic (sender, receiver, web forum member, member of social networks, etc.). In real time, XKEYSCORE makes these internet traffic data – attributed to its users – readable and analyzable for an agent.

„Multitude of Personal Data from Irreproachable Persons“

This mass surveillance is not limited to terrorists, but affects many „irreproachable persons“:

Because of its […] systematic conception, XKEYSCORE – indisputably – collects […] also a great number of personal data of irreproachable persons. The BND is not capable of substantiating their number […]. In one case I checked, the ratio was 1:15, i.e. for one target person, personal data of fifteen irreproachable persons were collected and stored, which were – indisputably – not required by the BND to fulfill its tasks […]. The collection and processing of these data are profound violations of [the] BND law. These infringements of constitutional rights are conducted without any legal basis and thus harm the constitutional right of informational self-determination of irreproachable persons. Furthermore, these infringements of constitutional rights result from the inappropriately – and thus disproportionately – large scale of these measures, i.e. the inappropriately large number of irreproachable persons surveilled […].

The BND not only breaks several laws using XKeyscore, but – following the arrangement „data in exchange for software“ – also transfers the collected data to the NSA:

The content and metadata collected via XKEYSCORE are transferred to the NSA, following an automatic clearing of information falling under the G-10 law (G-10 assessment). These transmissions are additional severe violations of fundamental rights.

Fundamental Rights Filter: „Substantial Systematic Deficits“

However, this „automatic G-10 assessment“ does not work. The BND, as a foreign intelligence service, is not allowed to monitor German citizens in its „strategic“ mass surveillance. Therefore, the secret service uses the data filtering system DAFIS, which is supposed to filter out all data originating from German citizens and individuals according to article 10 of the German constitution (Privacy of correspondence, posts and telecommunications). Last year, we already revealed how this filter thwarts legal obligations.

The Data Protection Commissioner goes even further: The filter „has substantial systemic deficits“.

The DAFIS filter does not completely detect and filter data from individuals protected by article 10 of the constitution. Hence, the BND has – contrary to legal obligations resulting from the G-10 law – processed personal data of these individuals and has unlawfully intervened in communication that is protected by article 10 of the constitution.

A complete filter of all communications protected by the constitution is not possible in the internet age, even with DAFIS‘ three layers. The first layer consists of the German country code +49, the German top level domain .de and German IP addresses. If we are communicating in English using our domain netzpolitik.org and a foreign IP address (via Tor or VPN), our communication is not filtered out by this system. While some top politicians brushed us off with „Bad luck!“, the German commissioner is clear: This is illegal.

The BND knows it cannot rely on „rough“ filters based on criteria like country codes and top level domains. For this reason, it maintains a „G-10 whitelist“ containing telephone numbers, e-mail addresses and domains which are then filtered on a second layer. This includes domains like eads.net, eurocopter.com and feuerwehr-ingolstadt.org. Our domain netzpolitik.org is not on this whitelist – and must not be, because merely storing it on this list would be illegal:

For this, the BND would have to know the selectors of constitutionally protected persons beforehand and it would need to legally store them on the G-10 whitelist. Records of this kind are not allowed according to current law.
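The gap described above can be made concrete with a simplified model of the two filter layers the article describes. This is an added illustration, not code from the report or from DAFIS itself; the IP range, the sample records, the `truly_protected` ground-truth flag and all function names are constructed assumptions, and the third layer, which the article does not describe, is not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a "German IP address" list (RFC 5737 documentation range).
GERMAN_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# The three whitelist domains named in the article; nothing else about the list is known.
G10_WHITELIST_DOMAINS = {"eads.net", "eurocopter.com", "feuerwehr-ingolstadt.org"}


@dataclass
class Record:
    identifier: str        # e-mail address or phone number seen in the traffic
    src_ip: str            # source IP address of the communication
    truly_protected: bool  # ground truth the filter cannot observe


def domain_of(identifier: str) -> str:
    """Return the lower-cased domain of an e-mail address, or '' for phone numbers."""
    return identifier.rsplit("@", 1)[1].lower() if "@" in identifier else ""


def layer1(rec: Record) -> bool:
    """Rough criteria: +49 country code, .de top level domain, German IP address."""
    if rec.identifier.startswith("+49"):
        return True
    if domain_of(rec.identifier).endswith(".de"):
        return True
    ip = ipaddress.ip_address(rec.src_ip)
    return any(ip in net for net in GERMAN_NETS)


def layer2(rec: Record) -> bool:
    """Whitelist of known protected selectors (only domains are modeled here)."""
    return domain_of(rec.identifier) in G10_WHITELIST_DOMAINS


def classify(rec: Record) -> Optional[str]:
    """Name the layer that filters the record out, or None if it passes through."""
    if layer1(rec):
        return "layer1"
    if layer2(rec):
        return "layer2"
    return None


def missed(records: List[Record]) -> List[str]:
    """Protected communications that no modeled layer recognises (false negatives)."""
    return [r.identifier for r in records
            if r.truly_protected and classify(r) is None]


# Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 play "foreign" IPs.
SAMPLE = [
    Record("+4930123456", "198.51.100.7", True),
    Record("alice@example.de", "198.51.100.8", True),
    Record("bob@example.com", "192.0.2.44", True),
    Record("staff@eads.net", "203.0.113.5", True),
    Record("editor@netzpolitik.org", "203.0.113.9", True),   # e.g. via Tor or VPN
    Record("carol@example.com", "203.0.113.20", False),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.identifier:26} -> {classify(rec)}")
    print("protected but not filtered:", missed(SAMPLE))
```

The only way to catch the missed record in this model is to add its domain to the whitelist, which is exactly the storage the Commissioner says current law does not allow.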

NSA Selectors: „Unconstitutional Infringement of Fundamental Rights“

So the BND monitors internet communication with XKeyscore on a massive scale and cannot effectively filter those protected by fundamental constitutional rights. Nevertheless, the BND also sends this data to the NSA.

For this purpose, the BND in Bad Aibling pulls a list of selectors from an FTP-server at the Wiesbaden NSA-agency European Technical Center „several times a day“ – totaling about 14 million. The BND then searches for these selectors in its mass surveillance streams like internet-cables. The „hits“ from these selectors are passed to the NSA, automatically. Thus, the BND collects, stores, processes and transfers the NSA selectors – all legal terms defined in the German Data Protection Act. Thereby, according to the law, the BND is the „controller“ of the data and the Data Protection Commissioner is authorized to see and inspect the NSA-selectors.

However, the BND actively prevents supervision by denying the Data Protection Commissioner access to the selectors. This puts her in good company: The Parliamentary Control Committee for the Secret Service, the G-10 Commission, and the Parliament Inquiry Committee investigating the NSA spying scandal are all denied access to the NSA-selectors. The latter two are suing the German government over this refusal. Only a special investigator by the government was allowed to see far less than one percent of the list – but his independence is heavily doubted.

The BND’s refusal constitutes another „unlawful constraint of [the Commissioner’s] supervision authority“ that leads to a „de facto elimination of an efficient data protection control“:

This is inconsistent with the requirements set out by the Federal Constitutional Court. Thus, the BND’s refusal is an unconstitutional infringement of the affected persons‘ informational self-determination.

Furthermore, the BND has an obligation to examine itself: The organization is only allowed to „store and process selectors, if they are required for its legal mission“. This requirement has to be „proven at the time of collection for each specific case“. The BND did not do this. It is unclear whether such a task is even possible with 14 million automatically transferred selectors. But on top of that, the BND used NSA-selectors which it cannot examine, because of a lack of proper background information. This is another serious violation of the law: these selectors are „impermissible“.

„Unexceptional Transfer of All Selector Hits to the NSA“

The conclusion of the Data Protection Commissioner:

The BND must not have processed nor used these selectors, because of the lack of necessity. It had to delete these […] selectors. Contrary to these legal provisions, the BND used the selectors […] as search terms and transferred the resulting hits […] to the NSA. This usage of data constitutes serious violations of [the BND law and the law of the Federal Office for the Protection of the Constitution].

Regardless of all these legal violations, the BND transferred all communication content, belonging to the 14 million US selectors, directly to the NSA:

The unexceptional transfer of all hits resulting from using the NSA selectors – G-10-filtered – constitutes serious violations of the provision of the [BND law and the law of the Federal Office for the Protection of the Constitution]. The same conclusion is reached if one assumes that all of the NSA selectors are without exception central to the mission of the BND and that the DAFIS filter system does not have any systemic deficits.

VERAS: „All Metadata of All Communications Traffic“

For metadata, the BND does not even need selectors, because it stores all of them in its own database: VERAS 6. VERAS stands for „traffic analysis system“ [German: „Verkehrs-Analyse-System“]; the current version 6 was „developed by the Bundeswehr“. This database also lacks an establishing order, meaning that the BND would have to delete all data immediately. Instead, VERAS is likely one of the largest BND databases:

By diverting and collecting all metadata of all traffic on a communication line, the BND also stores and uses metadata of communication traffic by irreproachable persons which are not necessary to fulfill the BND’s mission. This means metadata of irreproachable persons is also stored in VERAS 6 and used for metadata analysis. Findings gained from this metadata analysis are used by the BND, e.g. as new selectors.

So: The BND stores all metadata of entire communication lines. For three months. Not from terrorists but from „bystanders or irreproachable people“. „Intentional and on a large scale“. This means that the BND violates the German BND law and constitutional law: „These are serious violations.“

Metadata Analysis: Discovery of „New Relevant Individuals“

This vast amount of data is permanently being screened by the BND: „the essential purpose of metadata analysis is to find new individuals who are relevant to intelligence services“. This is happening exactly in the way we constantly describe: through social network graphs and movement patterns and profiles.

According to the […] user manual, it is, for example, possible to expand the „topology“ view by one communication hop at a time. This process can be repeated at will. In combination with the […] technical capabilities, it is not only possible to extend communication hops at will, to conduct technical screenings, and to target specific persons directly, but also to create movement patterns and profiles of these persons.

Two years ago, the Parliament Inquiry Committee was surprised to learn that the BND stores metadata over five hops. Now we learn that this was an understatement. The BND stores all metadata and is capable of screening any amount of hops:

All persons having a connection to a directly relevant person, or if their metadata are stored because of a geographical perspective are indirectly relevant for the BND. The connection to a directly relevant person can be established over any amount of hops. VERAS 6 does not have a restriction.

Obstruction: „Potential Abuse of Law“

This „storage and processing of personal metadata in VERAS is subject to the BND law and subsidiarily to the Federal Data Protection Act“. But in many aspects the Data Protection Commissioner was hindered from examining the data properly. When requesting only the retained data of individuals protected by fundamental rights, the database had too many hits to be displayed. Thus, she gradually reduced the time frame: „90 days, 30 days, 1 day“. Still too many hits:

In none of these cases was the system able to display the hits because the number exceeded the limit of 15.002 – not even in the case of the least possible time restriction of one day.

This means the Federal Data Protection Commissioner was not able to examine the contents of the massive metadata retention. Additionally, she was not able to check how the BND used personal data, because: There are no logs.

The BND is neither aware of the kind or the scope of logs, nor was it technologically possible to access the log data of VERAS 6. Further, there existed no technical capability to analyze the logs.

This is another grave violation of law and another constraint to the Data Protection Commissioner’s supervision authority. Particularly since she wanted to resolve „urgent matters which required further clarification with the help of log data“.

But that’s not all. The BND has also actively deleted data:

About two weeks prior to my inspection in October 2014, the BND deleted all data-sets in VERAS which were older than 60 days, even though VERAS is designed to have a maximum storage period of 90 days.

Even though the BND has to respect a moratorium not to delete data that might be examined by the Parliament Inquiry Committee or the Data Protection Commissioner, this is now the second time it deleted sensitive data: In March 2012, all e-mails with problematic selectors older than six months were deleted.

SUSLAG: Direct Data Exchange Between BND and NSA

The BND Bad Aibling Station also houses the Special US Liaison Activity Germany (SUSLAG), where BND and NSA directly exchange mass surveillance data:

The SUSLAG is connected to Building 8, in which the BND’s IT servers are located, via fiber optic cables. There is a physical 100 Mbit/s connection between the server room in Bad Aibling and the SUSLAG building. SUSLAG also has a technical connection to the US-European Technical Center (ETC) in Wiesbaden. The data exchange between the BND office in Bad Aibling and the ETC Wiesbaden is facilitated via SUSLAG.

The Data Protection Commissioner is convinced that her supervision authority also extends „to SUSLAG and its staff members“. Therefore, she wanted to inspect this core area of BND-NSA collaboration. But the BND also blocked these attempts. The Commissioner and her staff are not allowed to enter the building and not even allowed to know how many people work there:

The BND denies my authority on this matter. It refused to answer my question concerning the amount of employees/contractors in the Bad Aibling Station working for US authorities.

This is another „grave infringement“ by the secret service. It fits the picture, though: The BND had concealed, covered up and lied before – including to the Data Protection Commissioner.

BND Reform: Everything The BND Does Is To Be Legalized

The paper’s conclusion: „The BND has to respect the law.“ Meaning: It is not doing so.

This criticism is as clear as it gets. The Data Protection Commissioner, usually rather soft, whips BND and Chancellery left and right. The secret service breaches law and constitution by the dozen – and that’s only a small glimpse into its actions.

Unfortunately, the consequence of this is not an end to the illegal actions: While the Data Protection Commissioner was examining the BND in Bad Aibling, the secret service ramped up its equipment for 300 million Euros. And while the Commissioner waited for an answer to her report from the Chancellery, the government drafted a reform bill for the BND that not only legalizes the organization’s actions, but even increases its powers. This legislative package is scheduled to be adopted this year and will presumably come into effect at the beginning of next year.

Edward Snowden and Andrea Voßhoff have shown that secret services always get close to the edge or even overstep the boundaries of law. Now, the governing coalition wants to extend the law.

Read the original full document in German.