26 November 2020

To be or not to be spied: Snowden of Denmark

Liviu Ioniţă

The media in Denmark is talking about a secrete cooperation between the US and Danish intelligence agencies, which allowed the US to collect data on some of its allies. In August, the Danish Minister of Defence has announced that the Danish Defence Intelligence director (Forsvarets Efterretningstjeneste), Lars Findsen, was removed from office after an investigation initiated following the revealing made by a whistleblower. It seems that the two events are correlated, and the connections are pointing at the National Security Agency/NSA and its secrete program Xkeyscore, used to monitor the activities of an Internet user, a program which was revealed by Edward Snowden.

Image source: Mediafax

In an official 2013 statement, the NSA has said that XKeyscore is used as part of the legal collection system, outside the US, of the SIGINT information – a term that refers to the means and methods to intercept and analyze the radio (including through satellite and mobile phones) and cable communications.

Illegal practices of the intelligence agency

In August, three high Forsvarets Efterretningstjeneste/FE officials, including the chief of the Agency, Lars Findsen, who was in charge with the Danish defence intelligence service since 2015, and, then, with the home intelligence service (2002-2007), were dismissed after an investigation initiated because of the reports of the Danish Oversight Board, which was revealing some illegal practices of the FE.

Founded by the Danish government as a reaction to Edward Snowden’s actions, in 2013, the Danish Oversight Board/ TET is an independent special monitoring mechanism of the Danish secrete services Politiets Efterretningstjeneste - PET, Forsvarets Efterretningstjeneste - FE and Center for Cybersikkerhed.

 The Danish Security and Intelligence Service/ Politiets Efterretningstjeneste – PET has the national intelligence and security authority in Denmark, but it is also responsible with the threats targeting the Danish nationals and the Danish interests abroad.

The Danish Defence Intelligence Service/ Forsvarets Efterretningstjeneste is responsible with collecting, analyzing and providing foreign information to support the Danish foreign, security and defence policy.

Part of the FE, the Danish Centre for Cyber Security/CC is counseling the Danish authorities and private companies on the prevention, combat and protection methods against cyber attacks.

In a press release from August, the Oversight Board said that, since 2019, has come to their attention some documents provided by “one or more whistleblowers” which reveal that the Danish intelligence services have developed “operational activities which are breaking the Danish law, including by getting and transmitting a huge volume of data about Danish citizens”. According to the press release, the FE has “collection capacities, which are risking for the collection process to be made unreasonably against the Danish citizens”, and the agency has an “inadequate culture of legality”. Furthermore, the FE not only that it illegally kept information, but it also reported to the Oversight Board “incorrect data about the things related to information collection and disclosure”.

The press release also mentioned that FE transmitted information to other countries, but, given the “extremely sensitive” nature of this information, they cannot disclose who was spied, why and for whom.

However, the media has speculated that the disclosed information involves a mass surveillance system of the telecommunication and information collection from the communication between Danish citizens or between these citizens and foreigners, which, in Denmark, is forbidden by law.

The FE unauthorized activities, described in the Oversight Board’s August press release, are not actually a surprise.

Each year, the Oversight Board is presenting the Justice Minister and the Defence Minister a report on its activities, which is available for the public and offer general information about the nature of the monitoring activities made by the PET, FE and CC.

In the 2018 Annual Report, the Council was drawing the attention that the “FE did not follow the responsibility to inform, periodically, the monitoring authority about all the important issues on the information processing related to the residents in Denmark, as the FE Law foresees, as well as about a series of aspects related to one of the systems for data collection”.

After the assessment of the Oversight Board, it was established that the law was broken because of the “raw data collection”, including “the breaches of the searching term according to law orders” and the failure of the selectors system that was chosen before the search being made.

Also, it was established that the FE is collecting “huge quantities of unprocessed data, raw data”, and for the agencies this is another “challenge” when we are talking about following the law on collecting information about the residents in Denmark.

Previously, the 2017 Annual report was stating that “in four of the cases, FE committed to collect some information about residents in Denmark for a total of 20 days in 2014, eight months 2014-2015, four days in 2016 and 17 months 2016-2017”.

In the meantime, the national radio and television company – DR and the newspaper Jyllands-Posten reveals new information which seems to be related to what happened in August:

- FE provided the US National Security Agency huge volume of raw data, obtained by accessing the fiber optic cable;

- the information provided by the NSA “could have included personal data and private communication of the Danish citizens” and have allowed the US agency to collect information about some of its closest European allies. The affected countries include Germany, France, Sweden, Norway and Netherlands.

The two media structures also claim that the allegations come from “many independent sources”.

Based on a secrete data collection agreement, signed between the FE and the NSA, in 2008, the US secrete service would have helped the Danish one to intercept a series of internet fiber optic cables which are using Denmark’s territory in exchange of access to the intercepted traffic.

This collaboration was applied at a data processing centre, placed on the Danish island Amager, in South of Copenhagen, a facility built precisely for that.

Since 2015, a whistleblower addressed the Oversight Board saying that the data processing centre from Amager was used by the NSA to spy Danish targets, including the Ministry of Foreign Affairs and the Ministry of Finances.

The whistleblower says that the US sought “consciously, information about the Danish Ministry of Finances and the Minister of Foreign Affairs and the Terma company”, and Jyllands-Posten says that “the Americans would do anything to get the billions of dollars contract for fight aircrafts”.

A DR News source states that the NSA "targeted Terma in 2015 and 2016, before Denmark bought the new fighter jets", prior to the final decision that led to the replacement of the obsolete F-16 fleet with the F-35 the American company Lockheed Martin.

DR News sources say the whistleblower's reports include documentation of how the NSA used the XKeyscore program to spy on "Danish targets and Denmark's closest neighbors", including searches for Eurofighter and Saab companies participating in the "race" for the new Danish fighter jets.

Both the NSA and the FE have access to XKeyscore, which makes it possible to search and select huge amounts of data that are extracted from Danish communications cables and then stored in the data center that FE built to support its US partners, at Sandagergård, in the south of Amager.

One of the whistleblower/whistleblower reports contains an analysis of the selectors that the NSA used in 2012 and 2015, respectively, in the XKeyscore espionage program. The analysis of these descriptors reveals that the NSA used cooperation with the FE to "spy on Danish targets and interests, including the Ministry of Foreign Affairs and the Ministry of Finance", as well as "Denmark's closest neighbors, Sweden, Germany, France, Norway and the Netherlands".

A descriptor (selector) can be, for example, an e-mail address, a telephone number or a telephone identification number.

Intelligence services can also search for specific words or phrases.

SIGINT partnerships and Danish participation in the exchange of information

Documents released in 2013 by former NSA contractor Edward Snowden also mentioned international cooperation between SIGINT intelligence services - the Five Eyes Alliance, SIGINT Seniors Europe (SSEUR or 14-Eyes) and the Afghanistan SIGINT Coalition (AFSC or 9-Eyes) - highlighting the large-scale monitoring of online activities and the exchange between raw data partners, not only of final reports and analyzes.

To carry out the task of gathering SIGINT information, the US National Security Agency works with partner agencies in several countries, the closest relationship being with the states within the Five Eyes alliance - USA, UK, Australia, Canada, New Zealand.

But in 2018, The Intercept published information from a series of documents from the NSA's classified internal newsletter, also provided by Edward Snowden, showing details about the two-member SIGINT Seniors, SIGINT Seniors Europe and SIGINT Seniors Pacific meetings, which includes Denmark, along with Belgium, France, Germany, Italy, the Netherlands, Norway, Spain and Sweden.

Therefore, the countries covered by the Danish whistleblower's disclosures are all members of SIGINT Seniors Europe.

SIGINT Seniors Europe had a dedicated communication network, called SIGDASYS (Signal Intelligence Data System), a system proposed by the German intelligence service, BND, but which, since 2013, has been replaced due to "functional limitation", at the proposal of the NSA, with the Global Collaboration Environment (GCE), hosted by the USA.

SIGINT Seniors is considered to be still active and has probably increased its supervisory capabilities.

In April this year, Bart Jacobs, a professor of computer security at Radboud Nijmegen University in the Netherlands and a member of the Netherlands Cyber ​​Security Board and the Royal Dutch Academy of Sciences, published academic material on the existence of another alliance in field, Maximator, which has existed since 1976.

Denmark, along with Sweden, Germany, the Netherlands and France, is also part of this alliance.

Cooperation between Maximator states involves both SIGINT analysis and cryptographic analysis, which involved the exchange of algorithms used in various encryption devices used by target countries, and unlike Five Eyes, the alliance remained secret for almost fifty years. It seems that not only the American and German intelligence services have benefited from the data from the manipulated encrypted devices, but also several other countries: France, Sweden, the Netherlands, Denmark, the United Kingdom, Israel.

In June 2014, also based on documents published by Snowden, the Danish newspaper Information revealed that "Denmark is most likely cooperating with the Americans" for access to fiber optic cables, within the NSA program, RAMPART-A. The NSA also provided FE, collection and processing equipment.

Under the code name RAMPART-A, partner countries intercept fiber optic cables that carry most of the world's electronic communications, in collaboration with the NSA. These partnerships, Information writes, are among the NSA's best-kept secrets and "play a central role in the US agency's ambition to be able to intercept any electronic communication, anywhere in the world."

Even if Snowden’s documents are not mentioning explicitly which states are joining the RAMPART-A program, details from those materials are suggesting that Denmark is also one of the partners.

The disclosure of the National Radio and Television Company/DR and the newspaper Jyllands-Posten sparked a hot political discussion in Denmark, while the Norwegian, Swedish and Dutch authorities launched investigations into the alleged espionage. The Minister of Defense is also requested to make public the material provided by Tilsynet med Efterretningstjenesterne on the alleged FE-NSA collaboration.

Translated by Andreea Soare