This is an excerpt from the annex of this October 2013 EU study. Read the introduction to the study here.

The available evidence indicates the use of electronic surveillance practices that go beyond traditional, targeted surveillance for intelligence purposes in five EU countries: the UK, Sweden, France, Germany and the Netherlands. Each member state is examined with the following criteria in mind: the basic technical features of large-scale surveillance programmes; stated purpose of programmes, targets and types of data collected; actors involved in collection and use, including evidence of cooperation with the private sector; cooperation or exchange of data with foreign intelligence services, including the NSA; and the legal framework and oversight governing the execution of the programme(s).

Germany

Evidence gathered on the surveillance activities of the German intelligence services also indicate that Germany has been engaging in large-scale surveillance of communications data, and that these activities are linked to a network of exchange and transfer of data with both domestic intelligence and law enforcement agencies as well as with international partners, despite the existence of a strong constitutional and legal framework for the protection of privacy.

Programme(s) for large-scale surveillance

At the centre of the allegations concerning German large-scale surveillance activities is the Bundesnachrichtendienst (BND) or Federal Intelligence Service which is responsible for conducting foreign intelligence analysis and electronic surveillance of ‘threats to German interests’ from abroad. It employs approximately 6,500 persons and had a budget of €504.8 million for the year 2012. However, also implicated are the Militärischen Abschirmdienst (MAD) - the Military Counterintelligence Service - and the Bundesamt für Verfassungsschutz (BfV) - the Federal Office for the Protection of the Constitution - which is tasked with "intelligence-gathering on threats concerning the democratic order, the existence and security of the federation or one of its states, and the peaceful coexistence of peoples; with counter-intelligence; and with protective security and counter-sabotage”. The latter is under the responsibility of the Ministry of Interior and specific regional offices exist in all 16 Länder. The BfV employed 2,757 persons and had a budget of €210 million in 2012.

According to the information available to the public, the BND operates a service capable of directly connecting to digital traffic nodes through which most of the foreign communications flow. This is legally authorised by the G-10 Law (see below) which allows the three intelligence agencies mentioned above (the BND, the MAD and the BfV) to search up to 20% of communications having a foreign element according to certain keywords for specific purposes such as the fight against terrorism or the protection of the Constitution.

In terms of data flows, the biggest node in Germany – and, according to certain figures, in the world – is the DE-CIX (German Commercial Internet Exchange) in Frankfurt. According to Der Spiegel, the BND has set up special offices at this location to divert incoming traffic, copy the data and analyse it later in the BND headquarters in Pullach, Bavaria. This was confirmed by a reply to a parliamentary question by the government, as well as by Germany’s Justice Minister Sabine Leutheusser-Schnarrenberger and by the head of the G-10 Committee Hans De With. The gathered data is then analysed through the use of keywords and selectors on terrorism.

According to Der Spiegel,

Via this hub, the largest in Europe, e-mails, phone calls, Skype conversations and text messages flow from regions that interest the BND like Russia and Eastern Europe, along with crisis areas like Somalia, countries in the Middle East, and states like Pakistan and Afghanistan.

The same article mentions that the head of the BND, Gerhard Schindler, recently requested an increase in the BND’s budget of €100 million for the next five years in order to hire new agents and improve the technological surveillance capabilities. This modernisation project has been given the name of “Technikaufwuchsprogramm” (which can be translated into “Technological Coming-of-age Programme”). Several sources of information hint at a possible German system collecting data through private companies, similar to the US PRISM programme. Private companies such as Internet service providers allegedly copy the data requested by the BND on its special servers. The hardware and software architecture used in that case could be the so-called ‘SINA-box’ which is a means oftransferring sensitive data in unsecure environments.

It is also worth mentioning that the Federal Police has set up a computerised architecture called ‘INPOL-neu’ which contains millions of data extracted from police and judicial investigations and from the SIS database. Intelligence services have complete access to the INPOL database, which is also linked to the Europol Information System (EIS).

As seen in the French case, there is considerable pooling of resources/data exchange between the various German intelligence and law enforcement bodies. Since 2001 the three intelligence services have been authorised to extend their domain of investigation in terms of information collection, analysis and dissemination and may exchange information between themselves as well as with police agencies, something which was once regulated and restricted by federal laws.

In particular, the MAD has been allowed to collect information on the national borders and exchange information with the two other intelligence services, which has broken the long established German tradition of complete separation between a military intelligence service and its civilian counterparts.

Concerning police-intelligence cooperation, it is interesting to note that the BfV has implemented a common database on Islamic terrorism with the Federal Criminal Police Office (Bundeskriminalamt, BKA), a first tool bridging the historical gap between federal police and secret service. A recent bill also extended the powers of the BKA to secretly gather data on private computers through the use of highly specialised software (so called "Bundestrojaner" or Federal Trojan Horses) for the purposes of criminal investigations.It is also worth noting the existence of integrated police services that have been set up at federal level to boost data exchange and analysis at all levels, such as the GTAZ (Gemeinsames Terrorismusabwehrzentrum). The GTAZ, located in Berlin, is aiming at strengthening national cooperation between Länder and State, i.e. between regional and federal police forces, the military, the customs, intelligence services, financial services, and at fostering international cooperation against Islamic terrorism.

Cooperation with foreign intelligence services

Reports publishing the Snowden revelations concerning German surveillance programmes such as Der Spiegel, also highlighted evidence regarding cooperation between the German intelligence services and their US counterparts.

Allegedly, millions of metadata collected by the BND were transferred to the NSA via data collection sites on German territory:

The Snowden documents mention two data collection sites known as signals intelligence activity designators (SIGADs), through which the controversial US intelligence agency gathered about 500 million pieces of metadata in December 2012 alone. The code names cited in the documents are "US-987LA" and "US-987LB." The BND now believes that the first code name stands for Bad Aibling. Day after day and month after month, the BND passes on to the NSA massive amounts of connection data relating to the communications it had placed under surveillance. The so-called metadata - telephone numbers, email addresses, IP connections - then flow into the Americans' giant databases.

The same article underlines the fact that copies of two pieces of software developed by the German BND have also been given to NSA agents: “Mira4” and “Veras”. These two programmes are allegedly similar in nature to the US XKeyscore system, but there is a clear lack of information on the functions and scope of such software. According to the Spiegel information, the NSA and the BND jointly presented the XKeyscore programme to the civilian Bundesamt für Verfassungsschutz in 2011. Also, according to disclosures by the Washington Post, Germany participates in meetings in the framework of the secret intelligence “Alliance Base” in France, along with US, UK, French, Canadian and Australian representatives which routinely exchange information.

Many articles mention the long history of data exchanges between Germany and its Western allies, mostly during the Cold War in the 1960s but also after the 9/11 attacks. Bilateral data transfer agreements with the former powers that occupied West Germany – United States, UK and France – have recently been cancelled following the PRISM scandal. These agreements included a task foreseen for the German intelligence agencies to spy on post and radio communications for the purpose of protecting Western troopsstationed in Germany.

Legal framework and oversight

Article 10 of the German Constitution on the privacy of correspondence, posts and telecommunications states that:

1) The privacy of correspondence, posts and telecommunications shall be inviolable.

2) Restrictions may be ordered only pursuant to a law. If the restriction serves to protect the free democratic basic order or the existence or security of the Federation or of a Land, the law may provide that the person affected shall not be informed of the restriction and that recourse to the courts shall be replaced by a review of the case by agencies and auxiliary agencies appointed by the legislature.

The main federal law in Germany regulating communications surveillance is the G-10 Law, which allows for certain limitations to the secrecy of communications as provided in the Article 10 of the Constitution. Under the G-10 Law, intelligence services may operate warrantless automated wiretaps of domestic and international communications for specific purposes such as the fight against terrorism or the protection of the Constitution. The G-10 Law was amended in 1994 and 2001 to add electronic and voice communications to the list of communications that intelligence agencies may monitor. Also, the law in its paragraph 10 allows the BND to search up to 20% of foreign communications according to certain keywords – these communications include telephone conversations, e-mails, chats etc.

Two major decisions of the German Federal Constitutional Court have limited the scope of the G-10 Law in recent years:

• * In March 2004, the Court ruled that the G-10 Law infringed the German Constitution, especially its Article 1 on human dignity and Article 13 on the inviolability of private homes. The court held that certain communications, such as contacts with close family members, doctors, priests or lawyers, are protected by an absolute area of intimacy that no government may infringe.

• * In February 2008, in a landmark decision, the Court declared certain provisions of a regional law unconstitutional. The regional law (of North-Rhine Westphalia) allowed the regional Office for the Protection of the Constitution to secretly gather data on private computers. The Court interpreted Articles 1 and 2 of the German Constitution as containing a fundamental right for every citizen to have the integrity and confidentiality of IT systems guaranteed by the state. The possibility of secret online searches on computers is not categorically ruled out – the Court specified that such measures can only be justified under strict conditions and when there is an imminent threat to the life, physical integrity or liberty of persons, or to the foundations of the state or the existence of mankind.

  Two oversight bodies exist at Parliamentary level for controlling the activities of German intelligence services:

• * The G-10 Committee is a committee of the German Parliament (Bundestag) which has the task to decide on the necessity and legitimacy of the measures taken by the three intelligence agencies mentioned above which could infringe upon the fundamental rights enshrined in Article 10 of the German Constitution. It is composed of 4 Members of the German Parliament. The G-10 Committee is triggered when an intelligence service makes an official request for a surveillance measure to the German Ministry of Interior and this request is granted. The G-10 also follows the whole procedure, including the collection of the personal data, its analysis and its use. The G-10 also checks whether fundamental rights of German citizens have been violated following individual complaints. Compared with oversight authorities in the USA and in other member states examined in this briefing paper, the German G-10 is the only oversight body that does not only authorise surveillance requests, but also checks how the collection, storage, and analysis of personal data is carried out, investigate individual complaints and holds responsibility for the implementation of the surveillance programmes. [1]

• * The PKGr – Parliamentary Control Committee is the oversight body responsible for controlling the three federal intelligence services mentioned above. The German government is obliged to inform the PKGr and to provide all relevant information on the activities of the intelligence agencies to its members. The PKGr is composed of 11 Members of Parliament. According to a recent report by the PKGr on the 2011 activities of the BND, more than 2,9 million of e-mails and text messages have been the subject of surveillance measures.

  In parallel to these two oversight authorities, several other official bodies may have an influence on the ways in which the intelligence services operate in Germany:

• * The Committee on Budget of the Bundestag (Haushaltsausschuss),

• * The Courts at national and regional levels,

• * The Federal Court of Auditors (Bundesrechnungshof),

• * And the Data Protection Authority (Federal Commissioner for Data Protection and Freedom of Information).256

  German data protection bodies at the federal and the regional levels have, in a joint statement, called for increasing the control powers of the two German oversight bodies and strengthening the links with data protection authorities.

Data presented in this section has been gathered primarily on the basis of press reports and official documentation (e.g. Parliamentary questions, reference to official legal texts and case law).

[1] See S. Heumann, B. Scott (2013), “Law and Policy in Internet Surveillance Programs: United States, Great Britain and Germany”, Stiftung Neue Verantwortung / Open Technology Institute publication, September 2013.

Read more from our 'Joining the dots on state surveillance' series here.