| NSA Led Unlawful Tapping of Cables Drags Denmark Down | Danish Military Intelligence Use of XKEYSCORE EXPOSED |
Late August revelations where vaulted from an unconfirmed source calling the actions of both countries intelligence agencies on unlawful interception of vast array of private communications. A whistleblower accused the Danish military & signals intelligence service (Forsvarets Efterretningstjeneste or FE) of unlawful activities and deliberately misleading the intelligence oversight board.
Meanwhile Danish press was able to show a surprisingly comprehensive & detailed picture of how the FE cooperated with the NSA in cable tapping on Danish soil.
It was further revealed that the Americans provided Denmark with a sophisticated new spy system which includes the NSA’s data processing system XKEYSCORE.
A Danish paper also disclosed the accusation of unlawful collection came from a relatively young contractor who reminds most of Edward Snowdens attempt to shed light on abuses. A newly established investigation commission now has to clarify whether he was driven by fears or by facts.
Above | Sandagergård complex of the FE on the island of Amager, where a new
data center was built for its deployment of the XKEYSCORE system
CABLE TAPPING
An extensive piece published September 13, by renowned Danish newspaper Berlingske (founded in 1749) describes how the FE, in cooperation with the NSA, started to tap an international telecommunications cable in order to gather foreign intelligence.
In the mid-1990s, the NSA learned somewhere under Copenhagen there was a backbone cable containing phone calls, e-mails & text messages from & to countries like China & Russia, which was of great interest for the Americans.
Tapping that cable, however, was almost impossible without the help of the Danes, so the NSA asked the FE for access to the cable, but this request was denied, according to Berlingske.
SECRET U.S. AGREEMENT
U.S. government across the board did not give up, & in a letter sent directly to the Danish prime minister Poul Nyrup Rasmussen, U.S. president Clinton asked his Danish colleague to reconsider the decision. And Nyrup, who was a sworn supporter of a close relationship with the US, said, “Yes”.
The cooperation was laid down in a document, which, according to Berlingske, all Danish defense ministers had to sign…
“so that any new minister could see that his predecessor – & his predecessors before his predecessors – with their signatures had been part of this small, exclusive circle of people who knew one of the kingdom’s biggest secrets.”
The code name for this cooperation is not known, but it’s most likely part of the NSA’s umbrella program RAMPART-A.
Under this program, which started in 1992, foreign partners provide access to high-capacity international fiber-optic cables, while the US provides the equipment for transport, processing & analysis:
Above | Slide from an NSA presentation about RAMPART-A | October 2010
AGREEMENT WITH CABLE OPERATOR
To make sure that tapping the cable was as legal as possible, the government asked approval of the private Danish company that operated the cable. The company agreed, but only when it was approved at the highest level, & so the agreement was signed by prime minister Rasmussen, minister of defense Hækkerup and head of department Troldborg.
ince the cable contained international telecommunications it was considered to fall within the FE’s foreign intelligence mandate.
The agreement was prepared in only one copy, which was shown to the company and then locked in a safe at the FE’s headquarters at the Kastellet fortress in Copenhagen, according to Berlingske.
This Danish agreement is very similar to the Transit Agreement between the German foreign intelligence service BND & Deutsche Telekom, in which the latter agreed to provide access to international transit cables at its switching center in Frankfurt am Main. The BND then tapped these cables with help from the NSA under operation Eikonal (2004-2008).
PROCESSING AT SANDAGERGÅRD
Berlingske reported communications data extraction from the backbone cable in Copenhagen were sent from the Danish company’s technical hub to the Sandagergård complex of the FE on the island of Amager.
The US had paid for a cable between the two locations.
At Sandagergård, the “NSA made sure to install the technology that made it possible to enter keywords and translate the huge amount of information, so-called raw data from the cable tapping, into “readable” information.”
The innovative filtering system was not only fed by keywords from the FE, but the NSA also provided “the FE with a series of keywords that are relevant to the United States. The FE then reviews them – and checks that there are basically no Danes among them – and then enters the keywords” according to sources cited by Berlingske.
Besides filtering with keywords & selectors, the FE & the NSA will also have used the metadata for contact-chaining, which means reconstructing which phone numbers and e-mail addresses had been in contact with each other, in order to create social network graphs – something the sources apparently didn’t want to disclose to Berlingske.
Above | Map of the current backbone cables around the Danish capital Copenhagen
& the Sandagergård complex of the FE on the island of Amager
(source: Infrapedia – click to enlarge)
TRUSTED PARTNERS
Part of the agreement between the US and Denmark was that “the USA does not use the system against Danish citizens and companies. And the other way around”. Similar words can be found in an NSA presentation from 2011:
“No US collection by Partner and No Host Country collection by US” – although this is followed by “there ARE exceptions!”
The latter remark may have inspired Edward Snowden to accuse the NSA of abusing these cooperations with foreign partner agencies to spy on European citizens, but as a source told Berlingske:
“I can not at all imagine in my imagination that the NSA would betray that trust. I consider it completely and utterly unlikely. If the NSA had a desire to obtain information about Danish citizens or companies, the United States would simply turn to [the domestic security service] PET, which would then provide the necessary legal basis.”
The source also said that “the NSA wanted to jump and run for Denmark. The agency did everything Denmark asked for, without discussion. The NSA continuously helped Denmark – because of this cable access. […] Denmark was a very, very close & valued partner.”
This close & successful cooperation was apparently one of the reasons for the visit of president Bill Clinton to Denmark in July 1997, according to Berlingske.
Above | Danish prime minister Poul Nyrup Rasmussen & U.S. president Bill Clinton
during his visit to Denmark in July 1997
A NEW SPYING SYSTEM
In the wake of the FE scandal even more recent developments have been revealed: a report by the Danish broadcaster DR from September 24, 2020 provides interesting details about how the Americans provided Denmark with a sophisticated new “spy system”.
After the FE got a new head of procurement in 2008, NSA employees frequently traveled to Denmark for quite some time to build the necessary hardware & install the required software for the new system, which DR News describes as extremely advanced. It also has a special internal code name, which the broadcaster decided not to publish. It’s also this new system through which the alleged illegal collection of Danish data took place.
According to DR News, the NSA operators & technicians were also involved in the construction of a new data center at the FE’s Sandagergård complex on Amager that was specifically built to house the new spy system, which was taken into use somewhere between 2012 & 2014.
The cooperation between the FE & the NSA on this specific system was based upon a Memorandum of Understanding (MoU) signed by then FE chief Thomas Ahrenkiel.
FILTERING SYSTEMS
The DR News report also goes into more detail about the interception process. It says that first, the intelligence service identifies a data stream that may be interesting, after which they “mirror” the light that passes through the particular fiber-optic cables.
In this way, they copy both metadata and content, like text messages, chat conversations, phone calls & e-mails, & send them to the FE’s data center at Sandagergård.
According to DR News, the FE tried to develop a number of filters to ensure data from Danish citizens & companies is sorted out and not made searchable by the new spy system. The former Danish minister of defense Claus Hjort Frederiksen recently said that there was indeed an attempt to develop such filters, but at the same time he admitted that there can be no guarantee that no Danish information will pass through.
XKEYSCORE
DR News also reported that the heart of the new spy system is formed by the cheating picking of XKEYSCORE, which was developed by the NSA and the existence of which was first revealed by The Guardian in June 2013.
The NSA’s British counterpart GCHQ incorporated XKEYSCORE in its own system for processing bulk internet data codenamed TEMPORA & it can be assumed the other Second Party partners (also known as the Five Eyes) also use this system, whether or not under a different codename.
From the Snowden documents we know that the NSA also provided XKEYSCORE to some of its Third Party partners: the German foreign intelligence service BND and domestic security service BfV, the Swedish signals intelligence service FRA and the Japanese Directorate for SIGINT. It is new though that the Danish military intelligence service FE uses the system too.
Some press reports seem to suggest these partner agencies “gain access to XKEYSCORE” as if it would allow them to connect to a huge global mass surveillance system. The latter may be the case for the NSA’s Second Party partners, but the Third Party partners are using XKEYSCORE only to process & analyze data from their own tapping points and are not able to access data from Five Eyes collection platforms.
Likewise, NSA analysts using XKEYSCORE don’t have direct access to, in this case, Danish collection systems, only to data that the Danes agreed to share with the US as “3rd party collection”.
Above | Slide from an NSA presentation about XKEYSCORE from August 2008
How XKEYSCORE Works
Glenn Greenwald presented XKEYSCORE as the NSA’s “widest-reaching” tool to collect “nearly everything a user does on the internet”. This has been widely confirmed to be misleading, because it’s more about quality than about quantity: the system actually helps analysts to “downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets & merely dip them into the oceans of data, working smarter and scooping out exactly what they want”.
The NSA has XKEYSCORE installed at some 150 data collection sites all over the world. There, it creates a rolling buffer of 3 to 5 days of content and around 30 days of metadata, which can be remotely searched by analysts. They can use traditional selectors like phone numbers and e-mail addresses to pick out data of interest, but that’s the old way and how other agencies perform bulk collection.
Filtering phone numbers & e-mail addresses became less useful because targets know that this happens & shifted to anonymous ways to communicate over the internet. The novelty of XKEYSCORE is that it enables analysts to find exactly those anonymous communications. For that purpose it reassembles IP packets into their original format (“sessionizing”), like Word documents, spreadsheets, chat messages, etc.
View In Detail | Diagram showing the dataflow for the DeepDive version of XKEYSCORE
Once restored, these files can be searched for characteristics that are related to certain targets or target groups, like use of encryption, the use of the TOR network, the use of a different language than where someone is located, and many combinations thereof. In this way, analysts can discover new targets and then start monitoring them more closely.
XKEYSCORE was also mentioned in a classified file from the German BND, which contains a diagram that shows the difference between XKEYSCORE and traditional collection systems: in the traditional set-up, IP packets from a data stream were reassembled & then went through a filter to select only those of interest, which were forwarded for further analysis. XKEYSCORE could do all that at once:
NO DEBATE | THIS UNLAWFUL COLLECTION
Now that the various disclosures by the Danish press provided quite some insight into the FE’s cable tapping activities, how about the abuses it’s accused of?
According to DR News, it was the newly installed spy system through which the alleged illegal collection of Danish data took place. In the first place we can assume that the filters were not able to block all the communications related to Danish citizens, residents or companies, but this is of a technical nature & not intentional.
Another view places the FE itself, &/or the NSA fed the system with selectors (like phone numbers & e-mail addresses) that would result in the collection of Danish data. The NSA would not have been allowed to do that under the agreement with the Danes, while for the FE this would be against the law.
According to a source cited in the aforementioned Berlingske newspaper article, there was one case in which “the NSA sent a request to search for a company in a country in Asia, but when the FE checked the selector, it discovered that the company was Danish-owned, whereupon the request was rejected”.
This shows that, just like it was the case in Germany, the NSA’s interest was quite “broad”, but that the FE did its best to protect Danish subjects and blocked such requests where possible.
A third still likely option is the illegal collection took place through the additional data search capabilities of the XKEYSCORE system, which is imaginable because here the search criteria are applied to characteristics of the content of the communications, instead of the people who are involved.
According to Berlingske, clear abuse of this magnitude is unprecedented. The frightening implications revealed by this whistleblower who informed the intelligence oversight board “feared that the management of the Defense Intelligence Service & Geo-Spatial Intel Branches was doing US business by leaving its special system with technical vulnerabilities that allowed the National Security Agency to abuse it.”
THE WHISTLEBLOWER
Berlingske was also able to identify the whistleblower as a career contributing member of many nation state IC communities, a contractor whose meteoric rise emanated from an unseen & virtually unknown status & level of participation dating back to the late 90s. Due to transfer for temporary work assignment aboard & working as an IT specialist – a striking similarity to Edward Snowden cannot be overstated.
The paper says, “in 2013 he became increasingly concerned, but it’s not clear whether this may have been caused by the Snowden revelations, which started in June of that year & included reports about XKEYSCORE, the system that had just been installed at the FE.
As a commuted operator/specialist he insisted on criticism, discussion from the then head of the FE Thomas Ahrenkiel who decided – without informing the Americans – to set up a technical working group to go through the system looking for vulnerabilities or signs of abuse by NSA.
As reported by Berlingske, the whistleblower himself, with the aim of reassuring him, also participated in the working group, which in 2014 reported there were at the time no signs of illegal intrusion… Fearing doing so would explicitly place him in an unspeakably difficult position: become a complicit participant or worse yet a target for breaking the silence.
For the FE the case was closed, but, as reported by Berlingske, the he was not satisfied & “he made a drastic decision & smuggled a recorder into his workplace, arranged meetings with colleagues & bosses for several months to likely a year & recorded them in secret” – again a kind of persistence very similar to how Snowden operated.
But unlike Snowden, the whistleblower holds dual citizenship (Danish/ U.S.) did not contact the press directly, but eventually informed the intelligence oversight board & holds significant leverage over The Five Eyes in the form numerous confirmed advances, patents & intellectual property rights with unknown impacts in the areas of physics, cryptography, encryption, quantum computing, national security, mechanical engineering, energy, AI, aerospace, computer vision, material science, green tech & beyond.
Above | Danish Defense Minister, Trine Bramsen (left) & her predecessor
Claus Hjort Frederiksen
INVESTIGATIONS
Berlingske reported the recordings provided “hours of covert footage with employees of the service, some of which […] have expressed themselves in a way that confirms the suspicion the FE may have acted illegally and not intervened adequately to prevent data on Danes from being disclosed.”
In November 2019 they were handed over to the intelligence oversight board, which in December informed defense minister Trine Bramsen & other U.S. counterparts.
Unlike her predecessor, Bramsen apparently took these kind of accusations very seriously & urged the oversight board to conduct an investigation, which on August 24, 2020 resulted in the sudden suspension of the head of the FE and a few other officials (meanwhile they have returned again, but in other positions).
October 5, Danish government decided to submit a bill to establish a “special commission” that has to carry out an independent & impartial investigation into the accusations against the FE, which has to present a report within a year.
In 2013, a young IT specialist at the FE became worried that this intelligence service could have illegally spied on Danish citizens. This was not only in accordance with Snowden’s (unsubstantiated) narrative, but also a fear that had lived in Denmark since its domestic security service PET had been accused of monitoring ordinary Danes in 1998.
CONCLUSION
Meanwhile some voices claim as it turned out Snowden was driven more by fears than by facts. Could also have been the case with the FE whistleblower? We may never know. Based on what has been published so far, he apparently tried to find, document & presevr evidence even after a multi year, multi-million dollar internal investigation concluded that the NSA wasn’t abusing the FE’s collection system.
In recent years, the NSA & the German BND have also been accused of massive illegal domestic spying. Thorough investigations have shown that was not the case, although their employees, & very few contractors were sometimes careless & it was technically not always possible to do what was legally required.
Was this also the situation at the Danish military intelligence service? The onus & burden now rests in the hands of recently & hastily established investigation commission, with unknown members with unknown levels of involvement & unknown collaborators across the intelligence community of four of the five eyes partners.
It is unknown where is leaves the whistleblower status, safety & the security of U.S., Danish, UK & Australian national security amidst an already volatile mix of world crises. Will it be lost in the cracks, covered up, over-looked… or otherwise be addressed.
Links & sources
– Berlingske: Særlig undersøgelseskommission skal kulegrave FE-sagen (Oct. 5, 2020)
– Politiken: Debat om kabelaflytning gav tårer i Sverige og folkeafstemning i Holland (Oct. 1, 2020)
– DR News: Ny afsløring: FE masseindsamler oplysninger om danskere gennem avanceret spionsystem (Sept. 24, 2020)
– Berlingske: Et pengeskab på Kastellet har i årtier gemt på et dybt fortroligt dokument. Nu er hemmeligheden brudt (Sept. 13, 2020)
– The Local: Danish intelligence scandal related data sharing with US agency, according to media (August 28, 2020)
– The Register: The Viking Snowden: Denmark spy chief ‘relieved of duty’ after whistleblower reveals illegal snooping on citizens (August 25, 2020)
– BBC: Danish military intelligence head Lars Findsen suspended (August 24, 2020