The agents from the Federal Office for the Protection of the Constitution (BfV), Germany’s domestic intelligence agency, were deeply impressed. They wanted to be able to do that too. On Oct. 6, 2011, employees of the US intelligence agency NSA were in the Bavarian town of Bad Aibling to demonstrate all that the spy software XKeyscore could do. To make the demonstration as vivid as possible, the Americans fed data into their program that the BfV had itself collected during a warranted eavesdropping operation. An internal memo shows how enthusiastic the German intelligence agents were: Analyzing data with the help of the software, the memo reads in awkward officialese, resulted in "a high recognition of applications used, Internet applications and protocols." And in the data, XKeyscore was able to "recognize, for example, Hotmail, Yahoo or Facebook. It was also able to identify user names and passwords." In other words, it was highly effective.
It was far beyond the capabilities of the BfV’s own system. In response, then-BfV President Heinz Fromm made a formal request five months later to his American counterpart, NSA head Keith Alexander, for the software to be made available to the German intelligence agency. It would, he wrote, superbly complement the current capabilities for monitoring and analyzing Internet traffic.
But fully a year and a half would pass before a test version of XKeyscore could begin operating at the BfV facility in the Treptow neighborhood of Berlin. It took that long for the two agencies to negotiate an agreement that regulated the transfer of the software in detail and which defined the rights and obligations of each side.
The April 2013 document called "Terms of Reference," which ZEIT ONLINE and DIE ZEIT have been able to review, is more than enlightening. It shows for the first time what Germany’s domestic intelligence agency promised its American counterparts in exchange for the use of the coveted software program. "The BfV will: To the maximum extent possible share all data relevant to NSA's mission," the paper reads. Such was the arrangement: data in exchange for software.
It was a good deal for the BfV. Being given the software was a "proof of trust," one BfV agent exulted. Another called XKeyscore a "cool system." Politically and legally, however, the accord is extremely delicate. Nobody outside of the BfV oversees what data is sent to the NSA in accordance with the "Terms of Reference," a situation that remains unchanged today. Neither Germany’s data protection commissioner nor the Parliamentary Control Panel, which is responsible for oversight of the BfV, has been fully informed about the deal. "Once again, I have to learn from the press of a new BfV-NSA contract and of the impermissible transfer of data to the US secret service," complains the Green Party parliamentarian Hans-Christian Ströbele, who is a member of the Parliamentary Control Panel. The Federal Office for the Protection of the Constitution, for its part, insists that it has adhered strictly to the law.
The data in question is regularly part of the approved surveillance measures carried out by the BfV. In contrast, for example, to the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency, the BfV does not use a dragnet to collect huge volumes of data from the Internet. Rather, it is only allowed to monitor individual suspects in Germany -- and only after a special parliamentary commission has granted approval. Because such operations necessarily imply the curtailing of rights guaranteed by Article 10 of Germany’s constitution, they are often referred to as G-10 measures. Targeted surveillance measures are primarily intended to turn up the content of specific conversations, in the form of emails, telephone exchanges or faxes. But along the way, essentially as a side effect, the BfV also collects mass quantities of so-called metadata. Whether the collection of this data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts. Well-respected constitutional lawyers are of the opinion that intelligence agencies are not allowed to analyze metadata as they see fit. The agencies themselves, naturally, have a different view.
It is clear, after all, that metadata also enables interesting conclusions to be drawn about the behavior of those under surveillance and their contacts, just as, in the analog world, the sender and recipient written on an envelope can also be revealing, even if the letter inside isn't read. Those who know such data can identify communication networks and establish movement and behavioral profiles of individuals. Prior to 2013, Germany's domestic intelligence agency was only able to analyze metadata by hand -- and it was rarely done as a result. But that changed once the agency received XKeyscore. The version of the software obtained by the BfV is unable to collect data on the Internet itself, but it is able to rapidly analyze the huge quantities of metadata that the agency has already automatically collected. That is why XKeyscore is beneficial to the BfV. And, thanks to the deal, that benefit is one that extends to the NSA.
In practice, it presumably works as follows: When an Islamist who is under surveillance by the BfV regularly receives calls from Afghanistan, for example, then the telephone number is likely exactly the kind of information that is forwarded on to the NSA. That alone is not necessarily cause for concern; after all, combatting terrorism is the goal of intelligence agency cooperation. But nobody outside of the BfV knows whose data, and how much of it, is being shared with the NSA. Nobody can control the practicalities of the data exchange. And it is completely unclear where political responsibility lies.
In 2013 alone, the BfV began 58 new G-10 measures and continued 46 others from the previous year. Who was targeted? What information was passed on to the NSA? Was information pertaining to German citizens also shared? When confronted with such questions, the BfV merely responded: "The BfV is unable to publicly comment on the particulars of the cooperation or on the numbers of data collection operations."
How important XKeyscore has become for the BfV can also be seen elsewhere. Not long ago, the website Netzpolitik.org published classified budget plans for 2013 which included the information that the BfV intended to create 75 new positions for the "mass data analysis of Internet content." Seventy-five new positions is a significant number for any government agency. A new division called 3C was to uncover movement profiles and contact networks and to process raw data collected during G-10 operations. The name XKeyscore does not appear in the documents published by Netzpolitik.org. But it is reasonable to suspect that the new division was established to deploy the new surveillance software.
Germany’s domestic intelligence agency is itself also aware of just how sensitive its deal with the Americans is. Back in July 2012, a BfV division warned that even the tests undertaken with XKeyscore could have "far-reaching legal implications." To determine the extent of the software’s capabilities, the division warned, employees would have to be involved who didn’t have the appropriate security clearance to view the data used in the tests. The BfV has declined to make a statement on how, or whether, the problem was solved.
Germany’s data protection commissioner was apparently not informed. "I knew nothing about such an exchange deal," says Peter Schaar, who was data protection commissioner at the time. "I am also hearing for the first time about a test with real data." He says he first learned that BfV was using XKeyscore after he asked of his own accord in 2013 -- in the wake of revelations about the program from whistleblower Edward Snowden.
Schaar is of the opinion that the agency was obliged to inform him. Because real data was used during the tests, Schaar says, it constituted data processing. The BfV, by contrast, is of the opinion that the use of XKeyscore has to be controlled solely by the G-10 commission. It is a question that has long been the source of contention. In testimony before the parliamentary investigative committee that is investigating NSA activities in Germany, Schaar has demanded that the G-10 law be more clearly formulated to remove the ambiguity.
The fact that the BfV recognized the problems with its NSA cooperation can be seen elsewhere in the files as well. During the negotiations over the XKeyscore deal, the BfV noted: "Certain NSA requests … cannot be met insofar as German law prevents it." But the Americans insisted that the software finally be "used productively." The NSA wants "working results," the German agents noted. There is, they wrote, apparently "high internal pressure" to receive information from the Germans.
Ultimately, the BfV arrived at the conclusion that transferring information obtained with the help of XKeyscore to the NSA was consistent with German law. Insights gathered by way of G-10 operations were already being "regularly" shared with "foreign partner agencies." That, at least, is what the BfV declared to the German Interior Ministry in January 2014. Furthermore, the agency declared, a special legal expert would approve each data transfer.
That, it seems, was enough oversight from the perspective of the BfV. The agency apparently only partially informed its parliamentary overseers about the deal. The Parliamentary Control Panel learned that the BfV had received XKeyscore software and had begun using it. But even this very general briefing was only made after the panel had explicitly asked following the Snowden revelations. The deal between the intelligence agencies, says the Green Party parliamentarian Ströbele, "is undoubtedly an ‘occurrence of particular import,’ about which, according to German law, the German government must provide sufficient information of its own accord." He intends to bring the issue before the Parliamentary Control Panel. The NSA investigative committee in the German parliament will surely take a closer look as well.
Translated by Charles Hawley