In association with heise online

02 July 2013, 16:16

PRISM scandal: internet exchange points as targets for surveillance


Image: Racks at the DE-CIX facility (source: DE-CIX)

At least some of the data traffic coming through the German internet exchange point DE-CIX is diverted to German intelligence and other agencies. This was confirmed by an expert connected to the company that runs the internet exchange point, talking to The H's associates at heise online. The peak load at DE-CIX, which claims to be the world's largest internet exchange point, is currently measured at more than 2.5 Tbit/s. Over 500 peering partners, including most of the major internet providers, use the more than 700 10Gbit/s and 200 Gbit/s ports, and the peering platform is due to be expanded to 100 Gbit/s connections in the next few months.

In accordance with Germany's G10 privacy act, which stipulates limitations of the privacy of correspondence, post and telecommunications, DE-CIX cannot share any information on how and to what extent German agencies have access to the data streams in Frankfurt, says Klaus Landefeld, head of infrastructure and networks at German internet provider association eco. The association thinks it's a shame, Landefeld adds, that politicians have left the operators of the exchange point alone to deal with what is effectively a gag order.

Justice Minister Sabine Leutheusser-Schnarrenberger and Hans De With, head of the G10 Commission, have both confirmed that German agencies have been conducting surveillance operations in this arena. De With even made some indications of the extent, stating that an average of five per cent of data traffic is accessed for strategic intelligence purposes, with the stipulated maximum of twenty per cent of data traffic almost never reached.

"How are DE-CIX and eco supposed to react when numbers like that are published?" Landefeld asks. He says that there is no standard way to discuss such issues, and that providers "have no choice but to walk on eggshells." Landefeld had no interest in repeating denials from previous discussions, although both he and his Dutch counterparts at AMS-IX reaffirmed that foreign agencies such as the NSA do not have access to the internet exchange points' infrastructure. He stated that a general diversion of all data on the DE-CIX switches could not go unnoticed.

Image: Core switches in the DE-CIX racks (source: DE-CIX)

Cable management at the switches is documented, according to Landefeld, and nobody would be able to mirror ports at DE-CIX unnoticed; the administrators of the facility would immediately detect tampering, he says. Monitoring the entire stream with a method like tapping fibre-optic cables (which, according to the Guardian, UK intelligence agency GCHQ has done to eavesdrop on transatlantic cables) would also not be particularly simple, since powerful parallel fibre-optic cables would be needed to divert the data. Just keeping that parallel universe secret would be incredibly expensive, says Landefeld, and that doesn't even include the costs of storing, filtering and analysing all of the data.

A technically much simpler method, in part because of the much more manageable amounts of data, would be passing on communications metadata using NetFlow, as defined in RFC 3954. That, however, would require co-operation between intelligence services and operators, which is illegal under German law.

According to Landefeld and other experts, US companies that are peering partners with DE-CIX and provide carrier services are caught between a rock and a hard place. If the NSA demands information using the Foreign Intelligence Surveillance Act (FISA) as justification, they have to decide whether to break German or US law. Technically, the NSA only has to go one rack further to access DE-CIX data traffic, one expert pointed out.

Could the US companies – and DE-CIX, if it knew about the surveillance – be liable to prosecution? They certainly could be, according to attorney Matthias Kettemann of Graz, Austria, who explains that there could be civil charges if a company is not protecting customer data to a sufficient extent; criminal charges are also a possibility. The Office of the Attorney General is of the same opinion and is currently investigating the situation at DE-CIX, Landefeld has confirmed.

He adds, however, that taking action against German agencies siphoning data for strategic surveillance is more difficult. If German citizens are caught up in the large-scale dragnet of the German Federal Intelligence Service (BND), though, there could be constitutional issues at play, Kettemann suggests. Nevertheless, challenging the very practice of online strategic surveillance for lack of proportionality under the German constitution would certainly not be easy, for both legal and factual reasons.

One of the options with the highest chances of success would be an international case – if, for example, Germany disputed British agencies' surveillance methods – at the European Court of Human Rights in Strasbourg. Nothing could be done about the US in that arena, however. One possibility in that case is a complaint to the United Nations Human Rights Committee, where just last year the US was one of the leading countries in declaring Internet access a basic human right.

In the EU Parliament, the Greens hope to lead the way on a draft resolution that would suspend the transfer of intelligence data that is resulting from various agreements with the US. The Safe Harbor agreement would also be suspended, and the beginning of negotiations for the bilateral trade agreement with the US would be postponed. "We're hoping to get a majority in Parliament today", Green MEP Jan Philip Albrecht told heise online.

(Monika Ermert / fab)
