Leaked Oversight Report Shows Illegal Surveillance, Massive Constitutional Violations By Germany's Intelligence Service
from the the-Snowden-Effect-continues dept
German website Netzpolitik might be headed for another treason investigation. The German government went after the site once for publishing leaked documents detailing mass surveillance operations and it may do so again after its latest publication.
The site has obtained a classified report from the country's intelligence oversight office that shows the BND (Germany's intelligence service) illegally collected and stored data and information obtained via its partnership with the NSA.
The report’s executive summary describes serious violations of the law [emphasis added]:
The BND has illegally and massively restricted my supervision authority on several occasions. A comprehensive and efficient control was not possible.
Contrary to its explicit obligation by law, the BND has created [seven] databases without an establishing order and used them (for many years), thus disregarding fundamental principles of legality. Under current law, the data saved in these databases have to be deleted immediately. They may not be used further.
Although this inspection was only focused on the BND station in Bad Aibling, I found serious legal violations, which are of outstanding importance and concern core areas of the BND’s mission.
The BND has collected personal data without a legal basis and has processed it systematically. The BND’s claim that this information is essential, cannot substitute a missing legal basis. Limitations of fundamental rights always need to be based on law.
German (constitutional) law […] also applies to personal data which the BND has collected abroad and processes domestically. These constitutional restrictions have to be strictly abided by the BND.
Some of what was illegally gathered and stored was obtained via the NSA's XKeyscore program, which harvests email, online chats, and browser histories in bulk. The report notes that the indiscriminate collection of data and communications was subject to very little in the way of minimization, resulting in plenty of non-targets being swept up in the dragnet and their data/communications dumped into the BND's databases.
Because of its […] systematic conception, XKEYSCORE – indisputably – collects […] also a great number of personal data of irreproachable persons. The BND is not capable of substantiating their number […]. In one case I checked, the ratio was 1:15, i.e. for one target person, personal data of fifteen irreproachable persons were collected and stored, which were – indisputably – not required by the BND to fulfill its tasks […].
The collection and processing of these data are profound violations of [the] BND law.
These infringements of constitutional rights are conducted without any legal basis and thus harm the constitutional right of informational self-determination of irreproachable persons. Furthermore, these infringements of constitutional rights result from the inappropriately – and thus disproportionately – large scale of these measures, i.e. the inappropriately large number of irreproachable persons surveilled […].
Not only did the BND harvest in bulk, but it also passed on this 1:15 collection unminimized to the NSA.
The amazing part of this leaked report is that it only details the violations of a single BND collection outpost. There are seven more in Germany yet to be examined. On top of that, the oversight body couldn't even get a clear picture of the illegal activities occurring at this single station. There were just too many of them.
This "storage and processing of personal metadata in VERAS is subject to the BND law and subsidiarily to the Federal Data Protection Act". But in many aspects the Data Protection Commissioner was hindered from examining the data properly. When requesting only the retained data of individuals protected by fundamental rights, the database had too many hits to be displayed. Thus, she gradually reduced the time frame: "90 days, 30 days, 1 day". Still too many hits:
In none of these cases, the system was able to display the hits because the number exceeded the limit of 15,002 – not even in the case of the least possible time restriction of one day.
This means the Federal Data Protection Commissioner was not able to examine the contents of the massive metadata retention. Additionally, she was not able to check how the BND used personal data, because: There are no logs.
The BND is neither aware of the kind or the scope of logs, nor was it technologically possible to access the log data of VERAS 6. Further, there existed no technical capability to analyze the logs.
Unfortunately, the violations found by the Data Protection Commissioner have since been codified into law. The BND is harvesting even more than it was when it was inspected, having just finished a 300 million euro revamp of its surveillance tech. Much like here in the US pre-Snowden, the oversight in Germany is relatively toothless. Whatever exists will be actively thwarted by intelligence agencies (the report states that BND deleted logs the Commissioner asked to examine) or by other legislators who are always willing to sacrifice the public's rights for national security.