The German Federal Administrative Court in Leipzig ruled that Bundesnachrichtendienst (BND), the country’s foreign intelligence agency, is not allowed to store metadata records on international calls, such as phone numbers, for intelligence analysis purposes. The court ruled in a lawsuit launched by the German branch of Reporters Without Borders (RSF Germany) two years ago against BND.
RSF Germany Sues BND
In 2015, RSF Germany accused BSD of spying on the organizations’ emails and phone calls with foreign partners and journalists. The non-profit organization argued that if the intelligence agency keeps spying on its communications, it cannot guarantee that the conversations and names of its sources remain confidential, thus impacting the effectiveness of the organization’s legal work.
When mass surveillance programs were unveiled by Edward Snowden's revelations, many intelligence agencies and governments started to deflect by implying that no human is reading their emails without due process. That's mainly because the initial analysis of email content is typically done by machines, not by humans.
However, following an annual report on intelligence programs,it was discovered that BND was scanning and analyzing hundreds of millions of emails based on certain “selectors” (which can be keywords, names, phone numbers, and so on) in 2013 alone. About 15,000 of those emails were further investigated in more detail.
During that year, RSF Germany was in close contact with civil society actors about the activities of various intelligence agencies, and it believes the BND may have used its surveillance powers to spy on the organization.
The nonprofit also said at the time that this sort of spying is disproportionate and illegal under German law. Journalists have enjoyed the ability to not disclose their sources in the past, but because of recent expansion of surveillance powers for various national intelligence agencies, that ability has come under threat.
The UK government was also under fire when its Snoopers’ Charter law tried to codify into law the spying on journalists, too, but after some outcry, government decided to make an “exception” for journalists.
However, it’s not clear how effective that is. Plus, the UK Parliamentary Committee evaluating the Snoopers’ Charter said that this should have been the other way around: the spying powers should be the exception, while privacy for everyone should have been the default human right that everyone was supposed to enjoy. Instead the UK government made the agencies’ surveillance rights the default, with some privacy clauses being the exception.
BND’s VerAS 4-Hop Phone Records Surveillance
RSF Germany also brought BND’s phone call metadata program into question in the lawsuit. The phone call analysis program, called VerAS, seems to have been even broader than NSA’s 3-hop (3 degrees of separation) phone records collection, which was eventually reduced to a 2-hop collection through the USA Freedom Act.
VerAS analyzed 4-hop connections, which means virtually every German’s phone calls were collected. As an example, if an BND target called to pizza restaurant, and the pizza restaurant called another customer to deliver their order, and that other customer called a friend from high-school, and that friend then called a relative, then everyone in this relationship, including that relative would essentially be suspects under the BND investigation of the original target.
Assuming everyone has 150 contacts in their phone’s agenda, from a single target in a single investigation, the BND would be able to “legally” spy on up to 500 million people, under the justification that everyone in the 4-degrees of separation can be a potential suspect in its investigation. The 500 million number also seems to coincide with how many phone records the BND was collecting every month.
BND's Phone Records Storage Illegal
The court presiding over this case has now ruled that at least the phone records spying program was illegal, according to a recent Reuters report.
RSF Germany now seems to feel vindicated and content that its legal challenge will be able to prevent at least some of the mass surveillance programs of the BND.
The nonprofit initially brought up the email mass surveillance program in court, too, but it was rejected based on the fact that RSF Germany couldn’t prove that BND was collecting its emails. The non-profit organization argued that this was virtually impossible to do, considering that the operations of the BND tend to be highly classified.
The nonprofit is now taking the German email mass surveillance program to the European Court of Human Rights (not to be confused with the Court of Justice of the European Union, which is the EU-only top court).
RSF Germany argued that its right to effective remedy (under Article 13 of the European Convention on Human Rights) has been violated. The intelligence agencies don’t notify citizens of being investigated or spied upon even after the investigation on a particular target has been closed, or after enough time has passed so as to not endanger that particular investigation.
The nonprofit also criticized the German government for allowing this sort of surveillance to take place while at the same time criticizing authoritarian governments for similar actions:
With its excessive surveillance practices, the BND is not just undermining the protection of sources as a key element of press freedom in a democracy. It is also undermining the credibility of Germany's demands that authoritarian regimes respect media freedom, as well as robbing journalists in these countries of an advocate in their fight against surveillance and other forms of repression by their governments.
As RSF Germany and other nonprofits win some lawsuits against Germany’s surveillance apparatus, while continuing to fight others, the Germany government is in discussions to ask car manufacturers, as well as other digital device makers to implement backdoors that would give its intelligence agencies direct access to said devices (while increasing the security risk for everyone across the board).