New details about the joint NSA-BND operation Eikonal

This weblog first reported about the joint NSA-BND operation Eikonal on October 15, 2014, but meanwhile interesting new details became available from the hearings of the German parliamentary inquiry, and from recent disclosures by a politician from Austria.

Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about this operation so far. New information may be added as it comes available.





 

Initial reporting

Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR on October 4, 2014. They reported that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA.

For this operation, NSA provided sophisticated interception equipment, which the Germans didn't had but were eager to use. Interception of telephone traffic started in 2004, internet data were captured since 2005. Reportedly, NSA was especially interested in communications from Russia.

To prevent communications of German citizens being passed on to NSA, BND installed a special program (called DAFIS) to filter these out. But according to the reporting, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out, which was considered a violation of the constitution.

Süddeutsche Zeitung reported that it was Deutsche Telekom AG (DTAG) that provided BND the access to the Frankfurt internet exchange, and in return was paid 6000,- euro a month. But as somepeople noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn't add up.

As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.




Eikonal as part of RAMPART-A

As was first reported by this weblog on October 15, 2014, operation Eikonal was part of the NSA umbrella program RAMPART-A, under which the Americans cooperate with 3rd Party countries who "provide access to cables and host U.S. equipment".

Details about the RAMPART-A program itself had already been revealed by the Danish newspaper Information in collaboration with The Intercept on June 19, 2014. The program reportedly involved at least five countries, but so far only Germany and, most likely, Denmark have been identified.

On October 20, Information published about a document from NSA's Special Source Operations (SSO) division, which confirms that an operation codenamed "EIKANOL" was part of RAMPART-A and says it was decommissioned in June 2008.

The slide below shows that under RAMPART-A a partner country taps an international cable at an access point (A) and then forwards the data to a joint processing center (B). Equipment provided by the NSA processes the data and analysts from the host country can then analyse the intercepted data (C), while they are also forwarded to NSA sites in the US (D, E):




 

Parliamentary hearings

Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the NSA investigation commission of the German parliament (NSAUA) decided to also investigate whether this company assisted BND in tapping the Frankfurt internet exchange.

During hearings of BND officials it became clear that operation Eikonal was not about tapping into the Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was first confirmed by German media on December 4, 2014.


Commission hearing of November 6, 2014(Live-blog)

According to witness T.B., who was heard on on November 6, 2014, it was just during the test period that the filter system was only able to filter out 95% of German communications. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.


Commission hearing of November 13, 2014(Live-blog - Official transcript)

During this hearing, the witness W.K. said that Eikonal was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The internal codename for Eikonal was Granat, but that name wasn't shared with NSA. There was even a third codename.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

Eikonal provided only several hundred useful phone calls, e-mail and fax messages a year, which was a huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program.

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not all selectors can be attributed to a particular country and there may have been up to several hundred thousand selectors, witness W.K. said that BND was still able to check whether every single one was appropriate: only selectors that could be checked were used.



Commission hearing of December 4, 2014(Live-blog - Official transcript)

During this hearing, BND-employee S.L., who was the project manager of operation Eikonal at BND headquarters, testified. He told that BND had rented two highly secured rooms of ca. 4 x 6 meters in the basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.

These rooms were only accessible for BND personnel and contained the front-end of the interception system, existing of 19 inch racks, with telecommunications equipment like multiplexers, processors and servers. These devices were remotely controlled from the headquarters in Pullach.

Based upon analysis and research using public sources BND choose specific cables that would most likely contain traffic that seemed useful for the goals of the operation. It became clear that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s carried only 5 Gbit/s of traffic, so in case of a disruption, one cable could take over the traffic of the other one.




After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND and NSA.

Timeframe

Eikonal started with access to a telephone cable (Leitungsvermittelt), which was based upon the so-called Transit agreement between BND and Deutsche Telekom. Project manager S.L. told that the first cable was connected (zugeschaltet) in 2004, but that it's signal was too weak.

In January 2005 an amplifier was installed, so collection started in the spring of 2005. By the end of 2006, Deutsche Telekom decided to terminate its business model for this type of links, so in January 2007 the telephone collection was ended.

BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by the end of 2005, but here the back link was missing. In the spring of 2006 they got access to a second cable, for which they tested the filter systems until mid-2007 (Probebetrieb).

During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully automated forwarding only happened from late 2007 until the operation was terminated in June 2008 (Wirkbetrieb).

Legal issues

For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it couldn't be ruled out that German communications were in there too. Therefore, Deutsche Telekom was only willing to cooperate when there was an order from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their own citizens could be involved.

BND considered the restrictions of a G10-order cumbersome, but they requested and got the order, which allowed the collection of both G10 and fully foreign traffic (Routine-Verkehre). Nonetheless, some employees from Deutsche Telekom, and also from BND still had doubts about the legality.

Eventually, the federal Chancellery, upon request of the BND, issued a letter saying that the operation was legal. This convinced the Telekom management and the operation went on. It didn't become clear under what authority this letter was issued.

Results

The collection under operation Eikonal resulted in only about 500 intelligence reports (German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call.

According to S.L., metadata were "cleaned" so only technical metadata (Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.

Personal metadata (personenbezogene Daten), like e-mail and IP addresses were not shared. Technical metadata are for example used to identify the telecommunication providers, transmission links and the various protocols.


Commission hearing of December 18, 2014(Live-blog - Official transcript)

During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.


Commission hearing of January 15, 2015(Live-blog - Official transcript)

In the hearing from January 15, 2015, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and Wolfgang Alster), but they provided very little new information, except for that Deutsche Telekom personnel only knows between which cities a cable runs, but they don't know what kind of traffic it contains - they are not allowed to look inside.



 

Disclosures from Austria

On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party, disclosed an e-mail from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic cable had been connected to the interception equipment. The e-mail describes this cable as follows:

Transit STM1 (FFM 21 - Luxembourg 757/1), containing 4 links of 2 Mbit/s:

Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of 155,52 Mbit/second. A similar multiplexing method is Wavelength-Division Multiplexing (WDM) commonly used in submarine fiber-optic cables. The latter having a much larger capacity, generally STM-64 or 9,5 Gbit/second.

The cable mentioned in the e-mail therefore only has a small capacity, which seems to indicate that NSA and/or BND selected it carefully.

FFM 21 stands for "Frankfurt am Main 21", which according to Deutsche Telekom's network map is the name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied - the location where that Eikonal tapping took place.

This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in Frankfurt, but containing channels to cities which are much further, so they have to connect to channels within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:




The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seem to be used for internal connections. It is not known where 750 stands for, maybe it's for channels within a (757) cable.

As this e-mail is from February 3, 2005, it must relate to a cable for telephone collection, because for Eikonal, the first cable containing internet traffic only became available by the end of that year.


The Transit agreement

On May 18, the Austrian tabloid paper Kronen Zeitung published the full "Transit" agreement (pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables, and in return will be paid 6.500,- euro a month for the expenses. The agreement came into retrospective effect as of February 2004.

This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.

It is not known how Pilz came into possession of these documents, but it seems the source must be somewhere inside the German parliamentary investigation commission. They are the only persons outside BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the other documents.

Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that the commission will ever get access to the list of suspicious NSA selectors.


An NSA or BND wish list?

On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf), which includes the aforementioned e-mail, 10 questions to the German government, and two tables with cable links to or from Austria and Luxembourg:




According to Pilz, these are samples from a priority list of the NSA, which is said to contain 273 (or 254?) cable links. The list contains the names of 31 European countries and 33 countries outside Europe. Most of the links, 71, are from/to the Netherlands. The US, the UK and Canada are not on the list. The cables related to Belgium and the Netherlands were disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015.

On May 27, Pilz said in Switzerland, that the list was from BND and was given to NSA, who marked in yellow the links they wanted to have fully monitored. The Dutch website De Correspondent reports that the full list even contains some 1000 transit links, of which ca. 250 were marked in yellow. Besides these 250 there were apparently also 156 links from/to Britain.

In the German parliamentary commission hearing from January 15 it was said that there was a "wish list of BND" containing some 270 links, but on March 5, former SIGINT director Urmann said he couldn't remember that NSA requested specific communication links.

In media reports it's said that these cables belong to providers from various European countries, but in the lists we see a different provider mentioned for each of the endpoints of the link. That doesn't sound very much like an owner or operator.

It seems more likely that these cables were owned and/or operated by Deutsche Telekom, and connect the network of one provider to that of the other one (for example: KPN in Amsterdam - {Deutsche Telekom cable} - Austria Telekom in Vienna). Deutsche Telekom operates a Tier 1 network, a worldwide backbone network that connects the networks of lower-level internet providers.




Questions

It is not clear how many of the 273 links on the list were actually intercepted. We only know that for sure for the STM-1 cable with the four channels described in the aforementioned e-mail from Deutsche Telekom to BND.

Strange is the fact that during the parliamentary hearings, most BND witnesses spoke about "a cable in Frankfurt", which sounds like one single physical cable, whereas the disclosures by Peter Pilz show that multiple channels must have been intercepted.

Another question is whether it is possible to only filter the traffic from specific channels, or that one has to have access to the whole cable.

It should be noted that not the entire communications traffic on these links was collected and stored, but that it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for which there was a match was picked out and processed for analysis.


Possible targets

Based upon these documents, Peter Pilz filed a complaint (pdf) against 3 employees of Deutsche Telekom and one employee of BND for spying on Austria, although at the same time he said he was convinced the NSA was most interested not in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.

Apparently he didn't consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists seem to point to Russia as target, and project manager S.L. testified that Eikonal was mainly used for targets related to Afghanistan, which fits the fact that there are for example 13 links to Saudi Arabia.

Green party members from various countries claimed that this cable tapping was used for economical or industrial espionage, but so far, there is no specific indication, let alone evidence for that claim.



Links and sources
- Tagesschau.de: Europa verlangt Aufklärung von Berlin
- DeCorrespondent.nl: Er is geen enkel bewijs dat de Nederlandse kabels zijn afgetapt
- Volkskrant.nl: 71 KPN-internetverbindingen afgetapt door geheime diensten
- NRC.nl: Duitse BND tapte tientallen internetverbindingen KPN af
- DerStandard.at: BND-NSA-Affäre: Laut Pilz auch Spionage in Belgien und Niederlanden
- Golem.de: Telekom und BND Angezeigt: Es leakt sich was zusammen
- Zeit.de: Daten abfischen mit Lizenz aus dem Kanzleramt