Thursday, August 27, 2015

There is more on the NSA - German intel XKeyscore deal than meets the eye

German intel agencies have XKeyscore and pay with data (in English).

OMG* (Old Mustached German), the K-Landnews NatSec/all things spooks person, had been waiting for this ever since the news broke, after the Snowden dustup, that the German domestic intel agency BfV was playing with the cool NSA toy XKeyscore.

When the news first broke in July 2013, the agencies told the public they were evaluating, or testing, the capabilities of the software. Statements acknowledging possession of XKeyscore by the BfV emphasized that they were performing tests, were merely evaluating the tool. Some commentators even made it look like this sudden interest was tied to the Snowden revelations.

At the time, OMG went: Not credible, it's not how these guys work. As long as the NSA does not have a freeware website touting Get your Free Evaluation Copy now!, I'd love to know details.

Some of the details are now available, and a remarkable one is this: The Germans were given a demo at the NSA area of the Bad Aibling, Bavaria, intelligence operations center on 6 October 2011, using real-life BfV (domestic intel) data.

OMG comments:
This pushes the timeline of discussions on XKeyscore between the Germans and the US back by anywhere between six months and a year to early 2011 or late 2010, if not further. At least two years before Snowden.

The article goes on to say:
In contrast, for example, to the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency, the BfV does not use a dragnet to collect huge volumes of data from the Internet.
It then goes on to state:
The version of the software obtained by the BfV is unable to collect data on the Internet itself, but it is able to rapidly analyze the huge quantities of metadata that the agency has already automatically collected.

It tries to resolve the "no dragnet" of the first sentence with the "huge quantities" already collected by introducing "metadata".

OMG comments:
The number of targeted surveillance measures given for 2013 is about 100, which makes the reference to huge quantities of metadata a little odd. Sure, you get a lot more metadata than content data, but I would not say "huge" based on one hundred or so targeted measures. Either the authors are unsure about what is going on, or we are not told the full story. My guess is that a full on dragnet did not exist but that the newly announced expansion of internet surveillance and the added personnel will make a "full on" dragnet a reality.

The most interesting and controversial aspect of the deal is that the German domestic intelligence agency is providing the NSA with "as much data as possible". As expected, the article, like related pieces in other papers, treads very lightly with abundant quotes: "Certain NSA requests … cannot be met insofar as German law prevents it." and adds "Furthermore, the agency declared, a special legal expert would approve each data transfer."

OMG comments:
Judging by insights from the investigative committee on the collaboration between the BND and the NSA, I will believe this when I see it. Remember when Chancellery chief Pofalla went on TV in 2013 and said only two datasets of German citizens had been given to the US?
"Productive" use does not mean a handful of data sets.

Issues not addressed in the reporting on the recent leaks:
1. Does BfV funnel data to the BND for forwarding to the Americans, thus working around stricter rules on domestic surveillance?
2. The BND can at least claim it is focused on foreign intelligence, which necessarily involves few Germans. The BfV cannot do that, and highlighting some real or imagined endpoint outside of Germany does not change the ratio of German vs. non-German data significantly. Remember the EU?
3. "In accordance with German law": how exactly has interpretation of German law changed, what changes to the law are in the pipeline? Given the irrationally broad interpretation of what is a "state secret" in the recent attempt to go after netzpolitik.org, this is not a wacky question.
4. Since both the domestic BfV and the foreign BND use XKeyscore, do they have even partial access to each other's data?
5. Are technical measures in place or planned that "allow direct access while allowing denial of such access"? The way this is commonly done is through automation with some sort of manual intervention, where the "intervention" or "checks and balances" can be as little as a prompt "Press Enter to proceed" followed by a timer that automatically proceeds after a few seconds of wait time, or merely the option to have a human look at it.
 
The best comment by OMG, though, concerned this article snippet:
Prior to 2013, Germany's domestic intelligence agency was only able to analyze metadata by hand -- and it was rarely done as a result.

We provide it as is for your enjoyment:
Can someone explain to me, for fuck's sake, how the Germans have not had any notable Islamic terrorism for decades without performing this oh so crucial mass metadata surveillance in the first place? Doesn't this make even the most surveillance-happy folks reconsider? Yes, they failed with domestic right-wing terrorists, but not for lack of data - after all, they had a bunch of those guys on the payroll as CIs.

* Regarding OMG's qualifications, please see the footnote of the post "This hybrid war and information war babble is deeply offensive" for basic information on this matter.


