The surveillance apparatus used by German intelligence to collect and store masses of communications and internet data may have taken a hit after a classified document that accused the spies of "serious legal violations" leaked online.
The 60-page analysis, conducted by Andrea Voßhoff, the German federal data protection commissioner, slammed how the Bundesnachrichtendienst (BND) stores data on citizens and demanded for key databases to be deleted with immediate effect.
The report was made in July 2015 after a visit to Bad Aibling in southern Germany, which is jointly managed by the US National Security Agency (NSA). The audit was conducted in light of the Edward Snowden revelations in 2013 that exposed how major agencies such as the FBI, NSA and UK's GCHQ use sophisticated tools to collect data in bulk.
The classified paper was obtained and published in full by German publication Netzpolitik. The conclusions cite at least 18 "severe legal violations" and 12 formal complaints. The commission has recommended the use of a number of key databases – including the NSA's XKeyscore – be shut down completely.
"The BND has collected personal data without a legal basis und has processed it systematically," Voßhoff wrote in the report. "The BND claim that this information is essential, cannot substitute a missing legal basis. Limitations of fundamental rights always need to be based on law."
She continued: "Contrary to its explicit obligation by law, the BND has created [seven] databases without an establishing order and used them (for many years), thus disregarding fundamental principles of legality."
The databases, the report argues, were created "contrary to legal provisions" and "unlawfully". These included a number – Veras 4, Veras 6, XKeyscore, Tnd, Scrabble, Ibne and Dafis – that were established without consulting the commissioner's office.
"The BND has stored extensive personal data in these databases and has processed them without respecting requirements that should have been set out in each particular establishing order – particularly defining the purpose of the database," Voßhoff said. "These are severe infringements."
XKeyscore, first exposed by the leaked NSA files released to news outlets by former US spy analyst Edward Snowden, is reportedly used by agencies to collect "nearly everything a user does on the internet." This allegedly includes emails, social media content and online messages in real-time.
"The BND uses XKeyscore for SIGINT [Signals Intelligence] collection as well as for SIGINT analysis and stores both metadata and communication contents via XKeyscore – without an establishing order," the classified report stated.
"Contrary to the German domestic secret service, the Federal Office for the Protection of the Constitution, which purportedly uses XKeyscore only offline to analyse already gathered data, the BND employs XKeyscore also for massive SIGINT data collection – directly at internet exchange points and fibre optic cables"
The data collection, according to the commissioner, included personal data of "irreproachable" citizens. Voßhoff wrote: "The BND is not capable of substantiating their number [...] In one case I checked, the ratio was 1:15, ie for one target person, personal data of fifteen irreproachable persons were collected and stored, which were – indisputably – not required by the BND to fulfil its tasks."
Ultimately, the report concludes by calling for the end of this collection until the proper legal backing is received to collect and store this data.
"Although this inspection was only focused on the BND station in Bad Aibling, I found serious legal violations, which are of outstanding importance and concern core areas of the BND's mission," Voßhoff said. "Under current law, the data saved in these databases have to be deleted immediately. They may not be used further."
According to Netzpolitik, the German parliament is currently debating a surveillance bill that would essentially legalise the spying activities outlined in the commissioner's analysis. Such a move strongly echoes the UK's own Investigatory Powers Bill – also branded the Snoopers' Charter – which is expected to be enacted before the end of the year.