Metadata help America’s intelligence agencies kill. And the BND, Germany’s foreign intelligence agency, is helping the NSA and CIA collect precisely these kinds of metadata. Not in a targeted manner, but on a massive scale. The BND scoops up several million metadata and passes them on to its American counterparts. More precisely: 220 million metadata every day.
A paradigm change is taking place at the BND: Rather than investigating individual suspects, the agency is placing its bets on mass surveillance. Research conducted by ZEIT ONLINE now shows for the first time just how extensive – and troubling – this reorganization is.
It used to be that spies would eavesdrop on people, secretly copy their letters and wiretap their phones. They wanted to know what people were saying, what they were arranging with and disclosing to others. To this day, people have continued to picture surveillance as an agent wearing earphones and listening in. But those days are over.
Today’s spies are interested in completely different traces: metadata. From them, intelligence agencies can deduce who communicated with whom, when, where and for how long. Every email bears such metadata, every text message, every digital image, every WhatsApp message. Whoever can interpret them knows not only what people are telling each other, as metadata betray much more: exactly where people are, where they came from, what they are doing at that moment, even what they are planning. They uncover every hiding place and every secret contact. "We kill people based on metadata," former NSA and CIA head Gen. Michael Hayden said in 2014. Whoever knows the right metadata knows where the deadly drone must be dispatched.
This is precisely what the NSA and CIA are doing. The human targets that American drones pick off with Hellfire missiles in Yemen, Somalia and Afghanistan have been detected using just these kinds of metadata intercepted across the world – with GPS location coordinates, with communication patterns, with cellphone identifiers. Using these pieces of information, one can also compile profiles and recognize patterns in the behavior of targeted individuals. In this manner, intelligence agencies can predict with a high degree of certainty the next move that a certain person will make and where he or she will be at a certain point in time. For the NSA, metadata are one of the most important sources of intelligence.
The BND has also known about the power of metadata for a long time. Since September 11, 2001, officials there have pondered whether to have the agency’s work rely more on such data. Agency files document that these considerations started taking shape beginning in 2002. They also show that, in the meantime, the BND has shifted a major part of its surveillance-related activities to analyzing metadata.
ZEIT ONLINE has learned from secret BND documents that five agency locations are involved in gathering huge amounts of metadata. Metadata vacuumed up across the world – 220 million pieces of it every single day – flows into BND branch offices in the German towns of Schöningen, Reinhausen, Bad Aibling and Gablingen. There, they are stored for between a week and six months and sorted according to still-unknown criteria. But the data aren’t just collected; they are also used to keep tabs on and track of suspects.
Exactly where the BND obtains the data remains unclear. The Bundestag committee investigating the NSA spying scandal has uncovered that the German intelligence agency intercepts communications traveling via both satellites and Internet cables. The 220 million metadata are only one part of what is amassed from these eavesdropping activities. It is certain that the metadata only come from "foreign dialed traffic," in other words, from telephone conversations and text messages that are held and sent via mobile telephony and satellites.
"Neither confirm nor deny..."
Of these 220 million data amassed every day, one percent is archived for longer periods. These 2 million metadata land in a fifth agency location, where they are stored in a database for 10 years for "long-term analysis." So far, this long-term storage doesn’t hold any Internet communications, data from social networks or emails. Although the BND is also interested in such data and collects them, the scale of such activities remains unknown. In any case, just the store of telephone-related data already contains "about 11 billion entries per year."
But even that is apparently far from enough for the BND. ZEIT ONLINE has been able to review additional secret files. These have included indications that the intelligence agency wants to collect much more of this kind of information. For example, already several months ago, the BND submitted a request for a budget increase of €300 million. These funds are supposed to be used for upgrades in electronic equipment. The project’s name translates as "Strategic Initiative Technology" (SIT). Part of this initiative is a project called "EASD," an acronym for the German version of the phrase "real-time analysis of streaming data." The files document that the BND wants to invest almost €700,000 to install a special database software called Hana, which is manufactured by the German software corporation SAP.
The Hana system is a so-called "in-memory" database. All of the data stored there is on so-called RAM, the main memory, instead of on hard disks. Information stored on RAM can be accessed within milliseconds. As a result, Hana can answer within a second search queries that a disk-based system would need at least half a day to answer. If an intelligence analyst asks this kind of system "Where have we already noticed this terrorist before?" he or she will get an immediate response. However, what’s even more important is that Hana can also process complex queries almost as quickly. This means that the database can draw connections between several different data in order to identify patterns. This kind of technology is required whenever one wants to analyze huge amounts of metadata.
Disguised as routine traffic
Many people don’t realize how much information can be derived from metadata – and the BND is working hard to keep it that way. For example, during hearings before the Bundestag committee investigating the NSA affair, intelligence officials have consistently spoken about "routine traffic" whenever they have actually meant metadata. Given that the German word for "traffic" is the same as that for "intercourse," this has sounded more like bad sex and has aimed to obscure the fact that hidden behind it was comprehensive, groundless and massive surveillance.
What’s more, the officials have argued that they are permitted to vacuum up this kind of routine traffic all over the world without any restrictions and to use it as they see fit. However, Peter Schaar doesn’t share this view at all. Instead, the German government’s former commissioner for data protection and freedom of information believes that metadata should also be protected by the basic right of privacy of correspondence, posts and telecommunications guaranteed by Article 10 of Germany’s Basic Law.
But even if metadata aren’t protected by the constitution, the BND must secure the approval of the Chancellery to have a long-term database that is an "automated data file" according to the Federal Data Protection Act (BDSG), meaning a file that "can be evaluated ... by means of automated procedures." Moreover, the federal commissioner for data protection and freedom of information must also be informed about any automated data file that officials plan to store in their databases for more than six months.
Unfortunately, it hasn’t been possible to ascertain whether the latter requirement was met. In response to inquiries, the commissioner’s office said that procedures for approving analysis of secret files are also secret. The office couldn’t comment on that matter, nor could it either confirm or deny the existence of such an order. Accordingly, one can only hope that the data collection was properly approved. But there is only a glimmer of hope, as the BND has already operated other databases, sometimes for years, without obtaining the legally required approval of oversight authorities.
"The intelligence agencies’ trust in parliamentarians is evidently not unlimited."
The BND’s smoke machine apparently also works vis-à-vis the federal government. It was 2013, during the period when there was a flurry of excitement over the revelations of Edward Snowden. In June and July of that year, members of the federal government, including Chancellery Chief of Staff Ronald Pofalla, made repeated assurances that the NSA and the BND were abiding by German laws.
However, at that time, the only issues being discussed were content data, that is, recorded calls and the content of faxes and emails. It wasn’t about metadata yet at all. It was only in mid-August 2013 that Hans-Christian Ströbele, a Bundestag member with the Green Party, first hinted that there could be a second level of surveillance. After a meeting of the Parliamentary Control Panel (PKGr), the Bundestag committee responsible for scrutinizing the work of the intelligence services, he said that he had learned that the BND was storing "hundreds of millions of pieces of information from communication links" from reconnaissance abroad and then passing this information on to the United States. However, even Ströbele apparently didn’t recognize the scale of the problem at that time.
At the BND, people were probably very happy that the public debate had exhausted itself on other issues – and it worked to make sure that nothing changed about that, either. For example, ZEIT ONLINE has knowledge of secret files indicating that the BND had compiled information about the number of scooped-up metadata for the Parliamentary Control Panel meeting held on June 26, 2013. But the intelligence service didn’t want to actively disclose its activities to this panel, even though it holds its meetings in secret and keeps any information about them very confidential. It is noted in the file that information should only be brought forth "reactively" – in other words, only if parliamentarians on the panel specifically ask for this information.
Overseers only learn what they already know
Intelligence officials often act in this way. They thereby make it tremendously more difficult for the parliamentarians to perform their oversight duties. In this way, the lawmakers can only force intelligence officials to concede things that the overseers already know about. "They can obviously only ask about concrete activities if they already have knowledge of them," says Gisela Piltz, who was a member of the Bundestag for the Free Democratic Party (FDP) at the time and held a seat on the Parliamentary Control Panel. "It was always difficult to obtain comprehensive information, as the intelligence agencies’ trust in parliamentarians is evidently also not unlimited."
At present, the Bundestag’s NSA committee is facing a similar situation. For example, in November 2014, the head of a BND subdivision identified only as W.K. named a figured before the committee for the first time: 500 million. That, he said, was the number of metadata that the BND passes on to the NSA – every month. The huge amount, he continued, can be explained by the fact that a single telephone conversation already entails dozens of metadata.
His aim was to convey that it really wasn’t all that much. In fact, however, hidden behind these 500 million metadata of Mr. K. is already the equivalent of several million telephone calls or text messages. And that is most likely just a fraction of what is actually forwarded to the NSA. The reason for this is that the monthly figure of 500 million only relates to the satellite interception program in Bad Aibling that goes under the codename "Eikonal." Meanwhile, there are still the rest of the 220 million metadata collected each day by the other eavesdropping programs, and just how many of these are being sent to the United States has yet to be disclosed. W.K. didn’t say a single word about that.
Given these circumstances, Piltz, the FDP politician, as well as various other members of Bundestag’s NSA committee have long been calling for an overhaul in the oversight of the intelligence agencies. They would like to have more people, more expertise. But, more than anything, they would like to have more insight into the work these agencies do.