Largest Internet Exchange Point Announces Complaint Against Snooping

MUNICH – Decix, the largest internet traffic exchange point (IXP) worldwide, has had it with the snoops. Today (23 April), the Frankfurt company confirmed a report by the Sueddeutsche Zeitung that it will file a complaint at the German Federal Administrative Court against the obligation to grant broad access to the German Intelligence Service (BND) to the traffic transiting its large switches. Decix management thinks the constitutionality of the activities is highly questionable and the G10 legislation (allowing for preventive surveillance under certain conditions) is not adapted to an international IP communication network. New revelations today that the US National Security Administration (NSA) used the data collected by the BND to spy on politicians and companies in Germany and the EU companies like EADS, Eurocopter and French authorities fired the renewed debate in Berlin.

Around 650 large and small network providers from all over the world exchange their IP traffic at the Decix. The amount of data exchanged via the so-called switches in the 18 data centers around Frankfurt are stunning: 3.9 terabit/second during peak times. The exchange point is prepared to allow for as much as 13 terabit/second in the future. With all that data flowing through the Frankfurt Switches, it is an attractive point to tap for intelligence services and the company has to provide facilities for legal interception.

When it comes to broad-scale indiscriminate tapping of data streams by the intelligence service, the legal situation was not as clear, Decix CEO Klaus Landefeld said recently before the Inquiry Committee of the German Parliament on the NSA mass surveillance scandal. Decix had challenged the broad-scale tap orders as early as 2009, but did not get support from the BND oversight bodies.

Violation of German law, US-German Agency Agreements

Yet today the Inquiry Committee came to the conclusion that the BND had withheld information from its oversight bodies on how broad the tapping really was.

“There is a problem with the oversight of the intelligence services, if in 2013, after the Snowden revelations, thousands of so-called ‘selectors’ violating EU interests were used,” Konstantin Notz, Green Party lead member in the Inquiry Committee said in a statement today. In the joint NSA-BND program Eikonal, the NSA asked for data on selectors – IP addresses, phone numbers or email addresses from the tapped Decix data streams.

Traffic of German citizens – off limits for the BND – not only had been difficult to filter out, as the BND earlier had acknowledged. According to members of the Inquiry Committee after today’s hearing the agency did not bother to stop the transfers of EU data. News magazine Spiegel reported that an internal check of the agency in 2013 revealed around 2000 NSA selectors were addresses of Western European or German companies or individuals. An investigation spurred by questions from the inquiry committee now has come to the result this number might be as high as 40,000.

The German Chancellery reacted with a stiff statement noting: “Acting as supervisory and oversight body the Chancellery has identified technical and organizational shortcomings of the BND. The Chancellery has instructed to correct these.” Despite the rather strong statement, the German Chancellor is trying not to give up its cautious position on the NSA inquiry and added in the statement: “To date there is no evidence for a mass surveillance of German and European citizens.”

Nevertheless the Decix complaint against the existing German legislation regulating the broad strategic surveillance activities (G10 law) looks all the more promising against that background. An earlier complaint by a Nico Haerting, a lawyer in Berlin, was rejected by the Federal Administrative Court due to the fact that he could not prove that his email was in fact targeted. With the new evidence in the NSA inquiry committee the situation could be different.

Countering Mass Surveillance – Politically and Technically

Contrary to German Chancellor Angela Merkel’s denial of widespread mass surveillance, the European Parliament Science and Technology Options Assessment (STOA) report stated mass surveillance by the intelligence agencies of the “five eye” countries (US, Canada, Australia, New Zealand, UK) and their partners as a fact.

The lengthy, two-part report [pdf] presented to the LIBE Committee of the Parliament in Brussels today focused on potential countermeasures. These ranged from a fix the internet- and disruptive innovative scenario to the mantra-like recommendation for encryption of content, communication and metadata wherever possible.

The debate about backdoors for to encryption for the sake of law enforcement was challenged by the experts from Cap Gemini Consulting and Tecnalia Research and Investigation.

“Encryption does not mean they cannot do their work anymore,” said Stephan Schuster, project director at Tecnalia. “It might make their work a bit more difficult, but they have found means to fight crime without collecting internet data,” he said.

The STOA report included recommendations for EU institutions to consider to become less dependent on US encryption standards by setting up a Crypto certification or even Crypto standards body. Patrick de Graaf, Cybersecurity expert of Cap Gemini underlined several recommendations to foster and support open software and open standards development on which the EU could partner with academia, operators or organizations like the Internet Engineering Task Force.

The STOA mass surveillance report and debate was a follow-up to the report of a European Parliaments mass surveillance inquiry and report last year. The LIBE Committee is preparing a conference on mass surveillance in autumn and is preparing a follow-up to its first report.

Council of Europe Recommendations on Mass Surveillance

Another resolution on mass surveillance was passed this week by the Parliamentary Assembly of the Council of Europe (CoE). The report prepared by Dutch Conservative politician Pieter Omtzigt, who had tried to get Edward Snowden to testify in person in Strasbourg last year, includes the call for a “multilateral ‘intelligence codex’ for their intelligence services which lays down rules governing co-operation for the purposes of the fight against terrorism and organised crime.” It also lists the effective protection of whistleblowers (including an asylum right).

All 47 member states of the CoE are called on to review their national security oversight legislation and practice. Data protection and privacy standards should also be promoted through negotiations and agreements like the Transatlantic Trade and Investment Partnership (TTIP), the Safe Harbour decision, the Terrorist Financing Tracking Program (TFTP) and the Passenger Name Records (PNR) agreement.

The General Secretary of the CoE moreover is invited to gather information about the implementation or violation of human rights standards in the member states in their intelligence gathering (article 52 procedure). Despite some challenges from EU members, namely UK, of the final resolution, it did pass without difficulties. A follow-up report on better protection of whistleblowers is also in the making.

The Parliamentary Assembly of the Council of Europe also passed a resolution on mass surveillance.