Slashdot Mirror

← Back to Stories (view on slashdot.org)

German Spy Agency Can Keep Tabs On Internet Hubs, Federal Court Rules (phys.org)

Posted by BeauHD on from the hide-and-seek dept.

Earlier this week, a federal court in Germany threw out a challenge by the world's largest internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service. What this means is that the country's spy agency can continue to monitor major internet hubs if Berlin deems it necessary for strategic security interests. From a report: The operator had argued the agency was breaking the law by capturing German domestic communications along with international data. However, the court in the eastern city of Leipzig ruled that internet hubs "can be required by the federal interior ministry to assist with strategic communications surveillance by the BND." De-Cix says its Frankfurt hub is the world's biggest internet exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, which handles more than six terabytes per second at peak traffic.

De-Cix Management GmbH, which is owned by eco Association, the European internet industry body, had filed suit against the interior ministry, which oversees the BND and its strategic signals intelligence. It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow. The surveillance sifts through digital communications such as emails using certain search terms, which are then reviewed based on relevance.

32 of 54 comments (clear)

  1. A great argument... by Gravis+Zero · · Score: 2

    ...for encrypting all traffic to every site and even DNS.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:A great argument... by Joce640k · · Score: 2

      Yep.

      Let them do it if they want. Their days are numbered.

      --
      No sig today...
    2. Re:A great argument... by KiloByte · · Score: 1

      This. DNS in particular gives you complete metadata of the host name of every URL visited (stub resolvers don't do caching). As for https, the header also gives you the host name in plain text, thus having your site hosted on a shared server with a million others, contrary to common belief, doesn't hide where you connect to. And, for some "mysterious" reason all major browsers completely declined to implement DNSSEC+DANE which would prevent most kinds of active attacks while current CA-based SSL is trivial to subvert for any state-based adversary.

      But even encryption is not enough. Traffic analysis goes a long way towards uncovering your tracks; for this reason no nosy govt agency must be ever allowed this data, nor ISPs+transit providers allowed to aggregate it.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:A great argument... by Joce640k · · Score: 2

      This. DNS in particular

      It's almost as if you think these people can't do reverse DNS on your followup connection.

      --
      No sig today...
    4. Re:A great argument... by KiloByte · · Score: 2

      There's no 1:1 relation between host names and IP addresses, either way.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:A great argument... by fisted · · Score: 1

      As for https, the header also gives you the host name in plain text

      Just a little nitpick while overall I couldn't agree more: HTTP headers are still encrypted when doing HTTPS; the intended host name (has to) leak from the SSL handshake via SNI. "Has to" because of multiple vhosts; the web server (or reverse proxy) has to know what site you want to hit so that it can give you the right certificate for that vhost in the SSL handshake.

      --
      CLI paste? paste.pr0.tips!
    6. Re:A great argument... by AHuxley · · Score: 2

      The BND has a way into the very end of every DSN.
      German quality malware. With extra government and now with 200% more contractors.
      No OS, no modem is safe from the reach around of the BND. They will get into any OS.
      From space. "German intelligence agency gets spy satellite system funds" (06.11.2017)
      http://www.dw.com/en/german-in...
      In cyber space.
      New surveillance law: German police allowed to hack smartphones (22.06.2017)
      http://www.dw.com/en/new-surve...
      Welcome to the world of the "State Trojan"
      The German gov malware reads plain text along with the user.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:A great argument... by WinstonWolfIT · · Score: 1

      I've been using vpn based in a country immune from snooping, so my traffic is tunneled, essentially double encryption. Good luck decrypting my xkcd visits suckers.

    8. Re:A great argument... by Gravis+Zero · · Score: 1

      The BND has a way into the very end of every DSN.

      They may but this is due to the proliferation of insecure software. There needs to be a focus on secure software. Secure software isn't perfect but as each flaw is found, the software is quickly updated until people stop finding flaws.

      --
      Anons need not reply. Questions end with a question mark.
    9. Re:A great argument... by AHuxley · · Score: 1

      Strange how the few really good AV brands with real time global comparison ability are not so welcome in the NATO nations.
      Clean code in lots of other nations makes real time government malware changes in just one nation stand out.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re:A great argument... by Gravis+Zero · · Score: 1

      If you need antivirus software then you have already lost the security game.

      --
      Anons need not reply. Questions end with a question mark.
    11. Re:A great argument... by Joce640k · · Score: 1

      There's no 1:1 relation between host names and IP addresses, either way.

      There is for 'interesting' servers.

      --
      No sig today...
    12. Re:A great argument... by Agripa · · Score: 1

      But even encryption is not enough. Traffic analysis goes a long way towards uncovering your tracks; for this reason no nosy govt agency must be ever allowed this data, nor ISPs+transit providers allowed to aggregate it.

      So generate more encrypted traffic. Generate an order of magnitude more encrypted traffic.

      Sure, it will make all of the various links look like they are an order of magnitude smaller but so what?

  2. Arguments for encryption by Anonymous Coward · · Score: 1

    If it doesn't encrypt, don't connect to it.

  3. Next round at the Bundesverfassungsgericht by ffkom · · Score: 4, Interesting

    One notable aspect of this court rule was that it did not even consider the legality of _what_ the BND wants others to do - they were purely ruling on the validity of the formal order to provide them access.

    The more interesting round will be at the Bundesverfassungsgericht, where (hopefully) the legality of eavesdropping on all that (mostly intra-country) traffic will be considered.

    But in the end, all those court rules are not really important - spy agencies will spy on every bit of traffic, legal or not, as long as they exist. And in the case of the BND we have already seen how they do it even to provide their "friends" in other countries a favour - e.g. for industrial espionage.

    1. Re:Next round at the Bundesverfassungsgericht by fazig · · Score: 2

      Yes, legality was never a factor in whether they're doing it or not. *Technical possibilities are factor. I still hope that they get slammed in Karlsruhe. At least some moral integrity can be shown by a justice system that is still a separated power.

      *The only two options I see here, besides of not using the internet, are encrypting everything and or additionally creating a lot of junk data. But since the internet infrastructure is already stressed hard enough here in Germany and our larger telcos give a crap about it even though they get millions of € from the government in order to fix the issues, I prefer the former.

    2. Re:Next round at the Bundesverfassungsgericht by BlueStrat · · Score: 1

      It doesn't work like that in every country. In some countries the spying has always been legal due to the interest of national security giving a sufficient weight into the consideration of proportionality for an exception to the associated rights, as the constitution explicitly allows. Since most EU documents already contain lots of national security exceptions, I do expect the German constitution to contain such proportionality argument as well.

      The problem I see is one of legal interpretation regarding spy agencies possessing positive powers or negative powers.

      Positive powers means that the agency can do whatever is not explicitly prohibited, and negative powers means the agency only has those narrow & specific powers granted by law.

      All intelligence gathering agencies should be constrained under negative powers. Secret powers lead to secret governments which inevitably lead to public tyranny.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:Next round at the Bundesverfassungsgericht by Agripa · · Score: 1

      The only two options I see here, besides of not using the internet, are encrypting everything and or additionally creating a lot of junk data. But since the internet infrastructure is already stressed hard enough here in Germany and our larger telcos give a crap about it even though they get millions of € from the government in order to fix the issues, I prefer the former.

      Both encryption and chaff data will be required to foil traffic analysis.

      Ultimately Ron Rivest was right but for a different reason.

  4. East Germany called by bobstreo · · Score: 1

    they want their secret police surveillance back.

    What's next? Youth groups and book burnings? /s

  5. GDPR by shayd2 · · Score: 2

    Since the feed includes German domestic accounts. Will the agency have to get a permission letter from every internet user in Germany? The EU? The world?

    1. Re:GDPR by deimios666 · · Score: 2

      The GDPR has a convenient exemption for "national security"

      --
      I think, therefore you are.
    2. Re:GDPR by Agripa · · Score: 1

      Since the feed includes German domestic accounts. Will the agency have to get a permission letter from every internet user in Germany? The EU? The world?

      They have a default opt-in policy.

  6. Commies/Nazis/Krauts by Vinegar+Joe · · Score: 1

    They never change.

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
    1. Re:Commies/Nazis/Krauts by currently_awake · · Score: 1

      The Purpose of an Intelligence Agency is to spy. You seem surprised that they would want to do that. If we want privacy we need to make spying so expensive that they only do it where required.

    2. Re:Commies/Nazis/Krauts by AHuxley · · Score: 1

      Nobody expects the new look Stasi on the webcam, in the OS, listening to the mic.
      All that bad Germanness stopped in 1989 right? All the other bad Germans had long since found full employment in South America, the USA, UK, France...

      --
      Domestic spying is now "Benign Information Gathering"
  7. In Germany by AHuxley · · Score: 1

    your hub is any microphone, camera and text the German gov can detect on the internet.

    --
    Domestic spying is now "Benign Information Gathering"
  8. Re:The BND has all dirty secrets of Karlsruhe judg by fazig · · Score: 2

    German courts have a history of not overturning such surveillance laws. The constitutional court overturned previous data retention laws in 2010 as being unconstitutional.
    But since that kind of surveillance was something the EU wanted, they sued Germany for non compliance. Then a new data retention law had been drafted by the German government, with some opposition, but eventually it went through and was reinstated in 2015. Ever since then the courts are again working on the validity of this new law, because of course there's been appeals on constitutional issues from various interests groups.
    In June 2016 a Court in Munster ruled that a local ISP did not have to comply to the data retention laws because they're unlawful. More recently, in April this year, a court in Cologne ruled that telcos don't have to comply with the law. In this case it was the largest telco of Germany, the Deutsche Telekom, that sued because they apparently didn't want to store meta data. In the end it costs money for them and it hurts their business.
    Of course that still means ISPs can comply out of their own volition.
    Currently our eyes are focused on the constitutional court that are still in the process of investigating the issue. Hopes are that they'll overturn it again.

  9. They are late AF to the club by drinkypoo · · Score: 1

    Never Forget

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Old news by Velox_SwiftFox · · Score: 1

    Yeah, I remember back when 70% of the traffic between European IP addresses was routed through MAE-East in West Virginia.

    1. Re:Old news by AHuxley · · Score: 1

      Thats why peering was so not expensive to the USA. All the "international" data got lured to the USA for collection.

      --
      Domestic spying is now "Benign Information Gathering"
  11. Exactly. Make it difficult / expensive so targeted by raymorris · · Score: 1

    Exactly, their job is to spy. There are a few people (out of billions) that need to be spied upon, too. Bin Laden and his compatriots, for example. The ideal is to make it very difficult or expensive to spy on people, so they only spy on the few people they need to be spying on.

  12. Re:Exactly. Make it difficult / expensive so targe by CrimsonAvenger · · Score: 1

    The ideal is to make it very difficult or expensive to spy on people, so they only spy on the few people they need to be spying on.

    Devil's Advocate Mode: Activated.

    The problem with spying only on the "the few people they need to be spying on" is that you generally don't know who you need to be spying on till you've spied on them.

    Devil's Advocate Mode: Off.

    Which is not to suggest I approve of spying on the general population. Just that I can see why spy agencies gotta spy. And on as many people as they can get away with.

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"