1. #1

    German government collects and stores huge amounts of surveillance data illegally

    This is a translated article that accuses the German government of running an NSA-like agency that collects and stores massive amounts of surveillance data on its citizens.

    If it's true, I wouldn't be all that surprised as thwarting terrorism is more and more of a priority these days and if the government is doing it just to keep everyone safe, who cares?





    https://netzpolitik.org/2016/secret-...-by-the-dozen/

    https://news.ycombinator.com/item?id=12429748

    The German Intelligence Service BND illegally collected and stored mass surveillance data and has to delete those data immediately, including XKeyscore. This is one of the results of a classified report of the German Federal Data Protection Commissioner that we are hereby publishing. In her report, she criticizes serious legal violations and a massive restriction of her supervision authority.

    This is an English translation of the original German reporting, which also includes the full source document. Translation by Andre Meister, Arne Semsrott, Hendrik Obelöer, Kirsten Fiedler, Simon Rebiger, Sven Braun and Valerie Tischbein.

    When Edward Snowden exposed the global system of mass surveillance by secret services three years ago, including the German foreign intelligence agency BND, the German government tried to shelve it and declare the case closed. Only one small authority held out: Then-Commissioner for Data Protection Peter Schaar sent his staff on an inspection visit to the joint BND/NSA-station Bad Aibling in southern Germany, of which the BND feared a „very critical public“. The visit resulted in an elaborate „situation report“, but it’s classified „top secret“ and only accessible for few people.

    Additionally, the new Data Protection Commissioner Andrea Voßhoff produced a legal analysis of the findings and sent it to the Federal Intelligence Service coordinator in the German Chancellery and former BND president Gerhard Schindler. But this analysis is still classified „secret“ and our Freedom of Information-request has been denied. Media have raised the question „Secret, because embarrassing?“. We have now received this legal analysis and have published the full text of the document (in German).

    18 Severe Legal Violations, 12 Official Complaints

    This report is indeed embarrassing for BND and Chancellery: On 60 pages, the highest German Data Protection Commissioner lists 18 severe legal violations and files 12 formal complaints. Such a complaint under the German Data Protection Act is the Commissioner’s most severe legal instrument – forcing the authorities to issue a statement in response. This is the first time that a German authority has received this many complaints at once. Usually, the Commissioner files a similar amount of complaints in an entire year – to all federal authorities combined.

    The report’s executive summary describes serious violations of the law [emphasis added]:

    The BND has illegally and massively restricted my supervision authority on several occasions. A comprehensive and efficient control was not possible.

    Contrary to its explicit obligation by law, the BND has created [seven] databases without an establishing order and used them (for many years), thus disregarding fundamental principles of legality. Under current law, the data saved in these databases have to be deleted immediately. They may not be used further.

    Although this inspection was only focused on the BND station in Bad Aibling, I found serious legal violations, which are of outstanding importance and concern core areas of the BND’s mission.

    The BND has collected personal data without a legal basis and has processed it systematically. The BND’s claim that this information is essential, cannot substitute a missing legal basis. Limitations of fundamental rights always need to be based on law.

    German (constitutional) law […] also applies to personal data which the BND has collected abroad and processes domestically. These constitutional restrictions have to be strictly abided by the BND.

    Bad Aibling: Only One of Many Surveillance Stations

    These are clear words, that are even more damning, considering that the inspection visit was limited to a single BND-outpost in Bad Aibling – and not a comprehensive review of all of the BND’s activities. Zeit magazine reported other stations across Germany, where the BND also collects, receives and processes mass surveillance data:

    In the BND stations located in Schöningen, Rheinhausen, Bad Aibling and Gablingen, metadata from all over the world converge, about 220 million data points every single day.

    But not even Bad Aibling could be thoroughly investigated by the Data Protection Commissioner: Repeatedly and contrary to law, the BND has „constrained [her] statutory powers of scrutiny“. These are „grave legal infringements“.

    Emerald: „Non-European Cable Interception“

    Nevertheless, the report corrects a few things, which were so far presented differently to the public and the Federal Parliament Inquiry Committee investigating the NSA spying scandal. For example, former BND-president Gerhard Schindler claimed that Bad Aibling intercepts only satellite signals from crisis regions. Now we have written proof that Bad Aibling also intercepts cables:

    ZABBO is the satellite interception Bad Aibling in Afghanistan. SMARAGD is the cable interception in non-European countries with assistance by a foreign secret service.

    An operation with code name „Emerald“ has also been mentioned in Snowden-documents published by Der Spiegel.

    Last year, we reported that the BND intercepts cable communications in at least 12 locations. Now, for the first time, we have written proof that these data are also transferred to Bad Aibling and processed there.

    No Database Establishing Orders: „Must Be Deleted Immediately“

    All these data are collected by the BND’s computer systems, where they are stored and processed in various databases. The law obliges the BND to create an establishing order for each database and consult the Data Protection Commissioner. However, in at least seven cases, the BND did not comply with the law:

    Contrary to legal provisions […] i.e. unlawfully, the BND created several databases (VERAS 4, VERAS 6, XKEYSCORE, TND, SCRABBLE, INBE, DAFIS) without having issued an establishing order and without the legally mandated consultation of the Commissioner. Additionally, the BND has stored extensive personal data in these databases and has processed them without respecting requirements that should have been set out in each particular establishing order – particularly defining the purpose of the database. These are severe infringements.

    The Commissioner’s conclusion: The BND has to „immediately delete“ all data stored in these seven databases and „must not further process these data“. Delete all XKeyscore data. A slap in the face for the secret service.

    XKeyscore: „Scan All Internet Traffic Worldwide“

    One of these seven illegal BND databases is the notorious NSA tool XKeyscore – „NSA’s Google for the World’s Private Communications“, which collects „nearly everything a user does on the internet“:

    The BND uses XKEYSCORE for SIGINT collection as well as for SIGINT analysis and stores both metadata and communication contents via XKEYSCORE – without an establishing order.

    Contrary to the German domestic secret service, the Federal Office for the Protection of the Constitution, which purportedly uses XKeyscore only offline to analyze already gathered data, the BND employs XKeyscore also for massive SIGINT data collection – directly at internet exchange points and fiber optic cables:

    For the SIGINT collection, i.e. as so-called front-end system, XKEYSCORE – using freely definable and linkable selectors – scans […] the entire internet traffic worldwide, i.e. all meta and content data contained in internet traffic, and saves selected internet traffic data (e-mails, chats, content from public social media, media, as well as non-public – i.e. not visible to the normal user – messages in web forums, etc.) and hence all persons appearing in this internet traffic (sender, receiver, web forum member, member of social networks, etc.). In real time, XKEYSCORE makes these internet traffic data – attributed to its users – readable and analyzable for an agent.

    Places with XKeyscore on Earth. One of them is Bad Aibling. Picture: NSA.

    „Multitude of Personal Data from Irreproachable Persons“

    This mass surveillance is not limited to terrorists, but affects many „irreproachable persons“:

    Because of its […] systematic conception, XKEYSCORE – indisputably – collects […] also a great number of personal data of irreproachable persons. The BND is not capable of substantiating their number […]. In one case I checked, the ratio was 1:15, i.e. for one target person, personal data of fifteen irreproachable persons were collected and stored, which were – indisputably – not required by the BND to fulfill its tasks […].

    The collection and processing of these data are profound violations of [the] BND law.

    These infringements of constitutional rights are conducted without any legal basis and thus harm the constitutional right of informational self-determination of irreproachable persons. Furthermore, these infringements of constitutional rights result from the inappropriately – and thus disproportionately – large scale of these measures, i.e. the inappropriately large number of irreproachable persons surveilled […].

    The BND not only breaks several laws using XKeyscore, but – following the arrangement „data in exchange for software“ – also transfers the collected data to the NSA:

    The content and metadata collected via XKEYSCORE are transferred to the NSA, following an automatic clearing of information falling under the G-10 law (G-10 assessment). These transmissions are additional severe violations of fundamental rights.

    Fundamental Rights Filter: „Substantial Systematic Deficits“

    However, this „automatic G-10 assessment“ does not work. The BND, as a foreign intelligence service, is not allowed to monitor German citizens in its „strategic“ mass surveillance. Therefore, the secret service uses the data filtering system DAFIS, which is supposed to filter out all data originating from German citizens and individuals according to article 10 of the German constitution (Privacy of correspondence, posts and telecommunications). Last year, we already revealed how this filter thwarts legal obligations.

    The Data Protection Commissioner goes even further: The filter „has substantial systemic deficits“.

    The DAFIS filter does not completely detect and filter data from individuals protected by article 10 of the constitution. Hence, the BND has – contrary to legal obligations resulting from the G-10 law – processed personal data of these individuals and has unlawfully intervened in communication that is protected by article 10 of the constitution.

    A complete filter of all communications protected by the constitution is not possible in the internet age, even with DAFIS‘ three layers. The first layer includes the German country code +49, the German top level domain .de and German IP addresses. If we are communicating in English using our domain netzpolitik.org and a foreign IP address (via Tor or VPN), our communication is not filtered out by this system. While some top politicians brushed us off with „Bad luck!“, the German commissioner is clear: This is illegal.

    The BND knows it cannot rely on „rough“ filters based on criteria like country codes and top level domains. For this reason, it maintains a „G-10 whitelist“ containing telephone numbers, e-mail addresses and domains which are then filtered on a second layer. This includes domains like eads.net, eurocopter.com and feuerwehr-ingolstadt.org. Our domain netzpolitik.org is not on this whitelist – and must not be, because already storing it on this list would be illegal:

    For this, the BND would have to know the selectors of constitutionally protected persons beforehand and it would need to legally store them on the G-10 whitelist. Records of this kind are not allowed according to current law.

    NSA Selectors: „Unconstitutional Infringement of Fundamental Rights“

    So the BND monitors internet communication with XKeyscore on a massive scale and cannot effectively filter those protected by fundamental constitutional rights. Nevertheless, the BND also sends this data to the NSA.

    "This will be a fight against overwhelming odds from which survival cannot be expected. We will do what damage we can."

    -- Capt. Copeland

  2. #2
    Reg (Elemental Lord) | 10+ Year Old Account | Join Date: Sep 2009 | Location: Manhattan | Posts: 8,264
    *Insert Country* spies on their own citizens. Anyone that believes otherwise is being naive.

  3. #3
    Deleted
    They are currently under focus fire indeed...

  4. #4
    bladeXcrasher (The Lightbringer) | 7+ Year Old Account | Join Date: Nov 2014 | Location: Texas | Posts: 3,316
    pft, stuff like that only happens in America

  5. #5
    Sunseeker (Merely a Setback) | 10+ Year Old Account | Join Date: Aug 2010 | Location: In the state of Denial. | Posts: 27,129
    Originally Posted by Reg:
    *Insert Country* spies on their own citizens. Anyone that believes otherwise is being naive.
    THIS.

    And the Germans have a long history with and apparently a natural proclivity towards recording everything and storing it away. It's bit them in the ass before, I'm sure it will again.

    That said, I'm not really concerned with government collection of data. The vast majority of it is incredibly useless data. The more data there is, the more chances there are for leaks. The bigger the chance for leaks, the quicker these things get resolved. Quite frankly I'd be more concerned if my government wasn't doing mass surveillance. Why?

    Because mass surveillance means the government doesn't know what it's looking for, or it does, but it has no idea where it is. If the government wasn't committing mass surveillance then the more logical conclusion wouldn't be that they trust their citizens, but that they don't need to commit mass surveillance, and why wouldn't they need to? There are a couple reasons: a complicit population, you don't need to watch them if they're unable to do anything you need to worry about. Or more likely, they are so exacting in their collection of specific surveillance that it's unnecessary. The latter option is somewhat more frightening as it's more likely to lead to people "disappearing" than collecting every iota of data on when anyone takes a shit, buys some bolts or eats dinner.
    Last edited by Sunseeker; 2016-09-05 at 06:39 PM.
    Human progress isn't measured by industry. It's measured by the value you place on a life.

    Just, be kind.

  6. #6
    To use against patriotic Germans who protest against their suicidal migrant policy.
