In order to obtain a copy of the NSA's main XKeyscore software, whose existence was first revealed by Edward Snowden in 2013, Germany's domestic intelligence agency agreed to hand over metadata of German citizens it spies on.
According to documents, after 18 months of negotiations, the US and Germany signed an agreement in April 2013 that would allow the Federal Office for the Protection of the Constitution (Bundesamtes für Verfassungsschutz—BfV) to obtain a copy of the NSA's most important program and to adopt it for the analysis of data gathered in Germany.
This was a lower level of access compared to the non-US "Five Eyes" nations — the UK, Australia, Canada, and New Zealand — which had direct access to the main XKeyscore system. In return for the software, the BfV would "to the maximum extent possible share all data relevant to NSA's mission." Interestingly, there is no indication that the latest leak comes from Snowden, which suggests that someone else has made the BfV's "internal documents" available.
Unlike Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), the domestic-oriented BfV does not employ bulk surveillance of the kind also deployed on a vast scale by the NSA and GCHQ. Instead, it is only allowed to monitor individual suspects in Germany and, even to do that, must obtain the approval of a special parliamentary commission.
Because of this targeted approach, BfV surveillance is mainly intended to gather the content of specific conversations, whether in the form of e-mails, telephone exchanges, or even faxes, if anyone still uses them. Inevitably, though, metadata is also gathered, but "whether the collection of this [meta]data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts."
The BfV had no problems convincing itself that it was consistent with Germany's laws to collect metadata, but rarely bothered since — remarkably — all analysis was done by hand before 2013, even though metadata by its very nature lends itself to large-scale automated processing. This explains the eagerness of the BfV to obtain the NSA's XKeyscore software after German security agents had seen its powerful metadata analysis capabilities in demonstrations.
It may also explain the massive expansion of the BfV that the leaked document published by Netzpolitik had revealed earlier this year. The classified budget plans "included the information that the BfV intended to create 75 new positions for the 'mass data analysis of Internet content.' Seventy-five new positions is a significant amount for any government agency."
The BfV may have been keen to deploy XKeyscore widely, but it wasn't so keen to inform the German authorities about the deal with the NSA. Peter Schaar, who was data protection commissioner at the time, told: "I knew nothing about such an exchange deal [of German metadata for US software]."
He says that he only discovered that the BfV was using XKeyscore when he asked the surveillance service explicitly after reading about the program in Snowden's 2013 revelations. The same is true for another key oversight body: "The Parliamentary Control Panel learned that the BfV had received XKeyscore software and had begun using it. But even this very general briefing was only made after the panel had explicitly asked following the Snowden revelations," according to Die Zeit.
110 Reykjavik, Iceland