The operator of the world’s largest Internet hub, the German Commercial Internet Exchange (DE-CIX), has taken the German government to court over mass surveillance.

DE-CIX claims that since 2009 Germany’s foreign intelligence agency, the BND, has intercepted and copied all traffic going into its Frankfurt data center - including data on domestic citizens’ communications. German law limits mass data collection, as well as the interception of citizen data.

The Internet exchange group, a part of ‘eco - Association of the Internet Industry,’ originally filed the lawsuit in 2016, but it has just gone to court.

Have it all

“The purpose of our lawsuit is to subject the practice of strategic monitoring of communications according to Paragraph 5 of the G10 Act by the Federal Intelligence Service (Bundesnachrichtendienst) in our company to a judicial review,” DE-CIX said in a statement.

“We have grave doubts about the legality of the current practice, not least on the basis of the recently published expert opinion of Prof. Hans-Jürgen Papier, retired President of the German Federal Constitutional Court (Bundesverfassungsgericht).

“We consider ourselves under obligation to our customers to work towards a situation in which strategic surveillance of their telecommunications only takes place in a legal manner. We seek a judicial clarification and, in particular, legal certainty for our customers and our company.”

The company claims the BND inserted Y-piece prisms into the fiber optic cables leading to its Frankfurt data center, duplicating all traffic and diverting copies to servers owned by the BND. It is also believed some of that data was shared with the United States’ National Security Agency.

DE-CIX lawyer, Sven-Erik Heun, told the court in Leipzig this week that “the BND looked for the biggest pool in which it can fish,” DW reports. Board member Klaus Landefeld told print newspaper Süddeutsche Zeitung that the firm did not want to be an “accomplice” to mass surveillance.

The incident is not without precedent - between 2004 and 2008, as part of Operation Eikonal, a joint collaboration between the NSA and BND, the German agency forwarded almost all data from DE-CIX to its US counterpart. It even enlisted Deutsche Telekom’s help, renting two rooms in one of its data centers. The telco received €6,000 every month in return for access to data.

Germany - which is particularly sensitive to mass surveillance after experiencing Nazi rule, as well as Soviet-era Stasi spying in East Germany - has passed two laws that are likely to be crucial in the current case.

While the BND is allowed to capture foreign communications passing through German territory, in the 1990s, Germany’s constitutional court outlawed widespread data dragnets, placing a ban on capturing more than 20 percent of overall traffic.

The BND is also forbidden from intercepting German citizens’ communications, and yet the prism technology copies everything it sees. The BND claims it uses data filters to remove domestic traffic, but has not detailed how, or shown the technology to any independent body. It was previously revealed that similar technology, when used in Operation Eikonal, was somewhat faulty - the filtering program Dafis was thought to be only 95 percent effective when its existence was revealed in 2014, although during a parliamentary hearing, witnesses claimed it was 99 percent effective.

In addition to its Frankfurt facility, DE-CIX runs data centers in Hamburg, Munich, Dusseldorf and Berlin. Outside of Germany, it operates in New York, Dallas, Madrid, Marseille, Palermo, Istanbul, Dubai and Mumbai.

The BND, meanwhile, is also thought to be collecting 220 million sets of metadata every day from telephone conversations, as well as tapping at least 11 major fiber cables and satellite links. The extent of its own data center infrastructure remains unclear.

A few details were revealed when the agency opened its new headquarters in Chausseestraße in 2014. BND president Gerhard Schindler announced that the building complex had an on-site data center, The Local reported, with its own air conditioning system designed to handle at least 8,000 servers. The headquarters, which features some 1,300 rooms, has its own thermal power station capable of powering the building for two weeks.

In 2015, German media reported on the BND’s five-year IT modernization plan, ending in 2020. It called for some €300m ($349m) in upgrades, in addition to around €615m ($717m) in annual costs to run the agency. Some technology, such as the prism equipment, is provided by the NSA.