It's quite distracting if there is noise. "Why think of distant lands when nice things are so near" is the beautiful title of the next talk. And I don't know if you knew it, but DE-CIX is the largest internet node in the world. But as they say, where there is data, the secret services show up. And in Germany, concretely, it's the BND, the German Secret Service, which wants to and does take data from there. And the maintainers of the DE-CIX have sued on this topic and want to stop that. And the next presenter is the CEO, or no, sorry, is in the... On the board? On the board, thank you, of the DE-CIX.

So thanks, and I'm going to do this disclaimer, much like everybody else except I am talking for my employers. I am speaking and presenting the views of my employer. So we're not going to be talking about surveillance, but it's going to be about putting this surveillance into a context. Well, and I think there's been some misinformation in some of the talks here and about what works and what's going on. So let's start. What's the problem? And what's going on with surveillance? And it's clear the courts have a clear stance here. And it's important that the perception of freedom of the citizens may not be surveilled. And the German government should actually work towards this freedom all over the world. And that's something I cannot see. And one of our, and our minister of the interior actually said, it's not the job of the courts to constantly obstruct the legislative in terms of security. And he said that after yet another law was sort of torpedoed by the courts. But that's the tensions we're moving around in. What do our laws say? What's the legal situation in Germany and internationally? And so the European Court of Justice has taken a clear stance on this. And that was 2014, the judgment on mass data retention. And they said clearly this is that you can get a lot of information from the totality of this metadata.
So all of these things, so the metadata like where have you communicated, who have you communicated to? On the 22nd of December said also. They once again said we cannot do that and we cannot indiscriminately retain data about everyone. There has to be a cause. It has to be targeted. Sadly, it's not about the law we have right now in Germany. It was part of a check about something in Denmark and the UK. And of course, well, a lot of this stuff is being misunderstood. There's these targeted measures and these are about a person. There is some sort of cause. And usually these are supported by a service provider who is forced to provide some information, legal interception as it's called in English. And technically, mass data retention and cell phone location information is part of that. And that's actually the only thing that works automatically. But it's also malware attacks and exploits. And all of these things require a warrant from a court, which explains why and how and what you're going to do. And the German FBI, equivalent of the FBI, could use the BND to support detection of attacks on computer systems. And then there are the broad or untargeted strategic surveillance laws. What does strategic mean? Is it something just like Thailand? This is only for external threats or external objects. So talking about, this is also about long distance, long-haul communications that pass through Germany. And then for the protection of cyber attacks, they also need a warrant from a judge, that's often a misunderstanding. So people often think that there's, or it's a misapprehension, that people think that there's no ability to look over us. It would be legal to simply, without a cause, surveil someone. There is no legal basis for that at the moment in Germany. But there has been a systematic broadening of capacities in Germany after Snowden, and that's a shame, but that's what it is right now.
And so first there was a law to improve the collaboration on the topic of the constitutional protection service, which is much like the German internal security. Sadly, there was a part in this law, which was about telecommunication surveillance. And it dates the law that introduced mass surveillance in Germany. And it's the law that also, especially for cybercrime, allows a surveillance of internet backbone. Then there was the law which forced a retention duty and maximum retention time for metadata. And right now there's the case that this law is going to take effect the day after tomorrow. But because of the European Court of Justice judgment, it's essentially, it's materially invalid. So it's still on the books because only our constitutional court or the parliament can strike it from the books, but it is not going to have any effect. And perhaps somebody would have to take it to the courts to force that, but it should be invalid. And then there is the law for foreign country to foreign country telecommunication surveillance. And we should have a minute of quiet, a minute of silence right now because today it took effect, today it was publicized in the official channel and is taking effect. So what's the position of the security agencies? Currently we don't have effective measures against global terrorism and cyber threats. We only figure out what happens after it happens and it's tricky to figure out where it comes from and if we don't retain all that data then we don't know where it came from. Of course, to be fair, there is a discrepancy between the security agencies and the secret services and they work very differently. And the security agencies, the law enforcement agencies need to have everything that they get as, must be available as evidence in a court, and the secret services, well, they don't really care that much because it's important to have that data but you don't have to have that standard of being able to use it in a court.
What both of these have as a problem is going dark as a problem and that comes from device and service encryption and that's actually what happened. So we see this very precisely after Snowden that the amount of devices that are being encrypted actually has gone up a lot after Snowden. By over 50%. That's a large appall. Unfortunately, there still are some things that don't support this or that work against us. Most of that new encrypted traffic goes to the big services but even in email we've seen a rise in encrypted communications. And the law enforcement agencies are clearly of the opinion that we need systematic metadata to find relations and that's the first step that the law enforcement agencies take. I find it very interesting. The people always think it's not so important that you look in the actual law books in 206 and you can find their paragraph 206 which specifically says that there is a telecommunication secret and it doesn't differentiate between different types of telecommunications whether it's a letter or a phone call or an email. The law says it's illegal to look at both the content and the metadata but of course it's treated differently. Metadata is generally not encrypted and keeping those hidden takes a huge amount of effort and you can basically only do it through Tor or something and otherwise they're just there. But as we can see, clearly there shouldn't be a difference and it really shouldn't be okay that in the new laws we actually do differentiate even though the basic law says no difference. So then there is a global trend, mass tracking and filtering and the services are trying to systematically gain bulk access and create selectors about everything. It's about content too. In our case always only with a warrant from a law, from a justice, from a judge but not in every other country. 
And of course it's also about direct access and automatic selectors and everything, cloud drives, everything is being tried, they're trying to connect with an automatic connector and access automatically. What's even more problematic is what I would call the causeless mass surveillance in combination with retention, and that's the case where they just save everything. Everything that's going through some cable, they don't even look at it, they just save it all. And then they can roll back and look at stuff from the past and they can say who has he been talking to, what services has he been using, and that's the kind of security service, this big data that I have a big problem with, and that's what they use to build up what social circles is somebody moving in. And on the same level there's the spy software, Trojans, malware, spyware which belongs to states, and this isn't a new thing obviously, I don't have to tell anyone here, but often that's by where it comes from state sources. So let's see how we can look at what specifically in German we can talk about. After the G10 there was a small things effective. So there was a 20% increase. It's limited to 20% of the capacity of the cable that they're allowed to surveil according to G10. So they need to have a permit that they have to have checked every three months, and it's kind of weird to say that I know what I'll be looking for in three months, but that's where these selectors show up, and at the same time they're arguing that of course they need to be able to dynamically change these selectors, and that's why those selectors aren't actually written into these permits, and these very targeted selectors aren't permitted. It's not permitted to search for anything that is specific to a single person that you can attribute to someone. It has to be something general, some concept or something, and it shouldn't be anything that is part of the core privacy, the core part of your lifestyle, and all of that must be deleted immediately.
That's what the law says. So what must the BND do? What is their job? The job of the BND, the Federal Secret Service, this is the official job of the BND, is to provide them with comprehensive information at the right time, to provide his clients at the right time with comprehensive information, and that's about important political, economical but also technical development, military information and of course abstract and concrete threats to the security of the state of Germany and their citizens, and what threatens them? Well, anything really. So what exactly does this mean, the security of the BND and the citizens? Here the things they're looking at specifically: international terrorism, weapons proliferation, collapse of states and resource crises and issues. So the international terrorism is obviously a large one. So things such as in Afghanistan, and I'm not really sure what they mean when they talk about Ausenandl, resource conflicts. Regional targets at the moment are Western Central Asia, the Middle East, North Africa, which doesn't really fit with all those selectors we found about Western Europe, but somehow they can justify it. Of course they have some interesting interpretations like the open sky interpretation. So they claim that they are acting in foreign space because the satellites are in space and that's where they're collecting the data. They're only verifying or investigating it in Germany, so they can use all of that data for everything, but only they have to have that filter to protect the basic rights of Germans, and there's also the virtual being abroad in Frankfurt. The DE-CIX is a connector for various international networks and there's carriers from lots and lots of different countries, and all of these cables are connected to foreign countries, and that's why it's virtually abroad and not Germany. I cannot follow that argumentation.
I don't think that that's really the case, but that's the theory that they worked on, and that's how they convinced the G10 committee that this should be okay, and if they hadn't managed to do that they couldn't have been active at the DE-CIX. And well, of course the trouble is that we don't know if there's actually German customers behind all of these foreign carriers, and we can't tell that, we can't see that. So it's hard to value that or measure that. So to find German customers in foreign carriers is probably impossible or ineffective. Currently it's not possible until tomorrow to ask for data without a cause, but of course there's a lot of problem with that, and especially we have the case of the foreign country to foreign country transit traffic, and that's something we have a lot of and that they want, because they say, well, and they claim there is no law that prohibits them from getting that, so we can take it, it's legal, right? But of course the basic law says in article 10 that telecommunications are to be safe and it's illegal to tamper with them, and if it doesn't specifically say it's permitted then you're not permitted to do it, and here they're saying the opposite, they're saying it's not prohibited so clearly it's permitted. And when the BND came to us in 2008-2009 they said, you know, we're going to do that, and I can only tell you that because the NSA investigation committee asked about that, otherwise this wouldn't be public, they wouldn't be allowed to talk about this. So they said this isn't about cables, this is, you know, we're doing packet orientation, that there's no cable with connection to foreign countries, so how do we apply this G10 law? Okay, so how do we deal with the 20% limit?
The old law says: well, okay, you've got a thousand connections on this cable, because that's how many connections it can carry, so you take 20% of that, that's 200, and that's what you're allowed to take. And in this case, you know, how do we measure? Because we could have traffic, and then all the stuff that they're really interested in is really a tiny percentage of the actual capacity, because stuff like WhatsApp doesn't take up a lot of bandwidth. So if you have a gigabit connection, you know, that's not a lot, but if you're looking at the traffic we get through, then it's 30-50%, which is up to double of that, and then it wouldn't be okay. And yeah, so they're claiming that they only want bandwidth limiters, so they're always going to be fine. So it's hard to separate things from the international traffic from the national traffic. So unfortunately the selection and the filtering has to happen after the connection. After we stored the data, and so we can't, we already stored it, which is already not okay. So how do we ensure that article 10 is satisfied? Specifically, do we look at headers, or what level? And we asked all the way back then, and then the chancellor's agency answered and said, yeah sure, it's all legal. Of course that was 2009 and the world was different, and here I'm going to have to take part of the blame, and we got the order and we said, yeah, alright, I guess we believe you. And then the NSA investigation committee was formed, and first thing was we got a couple of constitutional lawyers and they said, well, basic laws, that applies to everyone and not just specifically Germans, and that open sky thing, that's just crap, that doesn't stand up. And I haven't found a single constitutional lawyer who would follow that argumentation, and I've talked to a lot of them. The data filtering system which was supposed to protect the basic rights is really, really basic itself, and it's way worse than anybody thought. So they put together the IP list themselves without using international registrars and
so the accuracy of the filter was much lower than expected. So the data protection officer of the federal police said that it was impossible. So they didn't filter all the traffic from Germans, so it failed, and the data protection officer of the state said that's not okay. So it went as far as the leader of the G10 commission getting up in front of the investigative committee and saying this is highly, highly dishonest, and without the order from the G10 you couldn't have come to us and asked for that data, there was no legal basis for that. And there were cases where data was, even without these orders, even without a warrant, stored for longer than is legal, and metadata was even saved up to the 14th hop and the 14th degree. There's a theory that 6 degrees would be sufficient for everything. And now we're suing against those G10 orders, and we had that investigated by someone who really knows his stuff, and our expert clearly stated that the article 10 is a human right, not a German's right, and the constitution already takes effect when a German service is acting. And of course you could say our constitution applies everywhere, but that's taking a bit far, but at the very least when a German service is acting in the interior of our country it should count. Well, the chancellor's agency said doesn't see it that way. And our expert also basically concluded by saying all of these orders are in total invalid, and that confirms all of our concerns from 2009, and we have to sue against this, and if we don't do that, basically we're breaking the law in doing so. And well, that's still ongoing, we're fighting that. The federal government hasn't been able to reply, they're still censoring all the data, and now we're a little step ahead because we got to see some of those files while others have been denied seeing that. The basic question of do you have legal standing is of course given in our case, so this is going to go in front of the court definitely. We'll have to see whether this will get moved to the
court in Karlsruhe from the court in Leipzig, but we'll see about that. But so now they've come up with a law which is going to turn this whole thing legal. And there's been a long discussion about whether we could reform G10, and then the suit would have come too late, and there was a political discussion about reforming G10, and so they just cut that debate short and beginning of June they came up with that law about foreign country to foreign country telecommunication surveillance. So there's currently no exception for transit carriers, and they were proposing to fill that hole because currently it is not within the law. So there's, the intent is to separate things between EU and German and other foreigners, but that can't be because our rules don't separate that. This would mean a completely new control instance aside from the parliamentary controls, and it would also allow passing data on to partner services. And this control instance should surveil more things but in less depth, less information. And of course all the things that they're doing should be legalized, so all the things we're criticizing and attacking should be legalized. And there's a nice quote from the Secretary of State who's in charge of that, Klaus Dieter Fritsche: and when we're talking about the question of legal stability for the employees of the BND versus the lawfulness of these activities as seen by the citizens, well, for me it's clear that the legal stability, legal clarity for the employees of the BND is more important to me. And I personally think that is a very questionable statement from the Secretary of State. So this question of is it connected to the foreign countries is eliminated completely. It uses the definition of a network from the telecommunications law, so all the connections, all the routers, everything that is connected, that's the network. And so now I don't have to say this cable, that's what we're talking about, that's connected from us to England, and that's why we as a foreign
intelligence service should do this. Now they can say, well, we want this network, but we want the foreign traffic, and who can say what is connected to the foreign countries, because of all of these services abroad, and now everything is foreign traffic. And they dumbed themselves down to, they went from the capacity limit to saying basically, well, it's okay if you only take a tiny percentage of the worldwide traffic, which is literally in there. And you know, if the budgets can be changed, if they need more money to surveil a certain network, well then, you know, they can spend more ammo, suddenly they might have a huge, huge budget for surveilling certain bits. And all those agencies can basically go to a network and do what is called a technical discussion and then decide, well, that's what we're interested in, and take of that. The extent of that surveillance is not controlled anymore, there's no oversight anymore, it's not part of the process anymore at all. So the only thing that protects us, even as, you know, Germans, is the filtering system, which has already been criticized multiple times. This DAFIS system is going to provide the protection for all the internal connections as well, and it used to be, you know, cables with overwhelming connection to foreign countries, but nope, now it's everything. So this is elementary and absolutely decisive. The classification and everything happens entirely under the control of the service. It's going to be grabbed at the carrier, sent to the agency and filtered there, and there's no oversight at all. The extent, what is being looked for, how does it work: no oversight, no parliamentary control at all. They can even, you know, turn it off for six months in order to test traffic flows or determine new things about the traffic and figure out how well the system can handle that, and they may not use the results of this examination, except of course if they find something that is relevant, so all the things that they're supposed to look for they can still use. And you know
they can just turn off the filtering for six months, and that's an internal thing and nobody else, that just happens inside of the service. There's no oversight at all, not even within the government, and that's the big problem here, no basic right protection at all. And so what does filter system do fundamentally? The three things: there'll be an IP filter that provides geolocation, a protocol filters, and so being able to filter out video or streaming, things that aren't interesting, for example. Chats and emails are generally much more, email, things that are human content based in email. There's also the ability to filter on detail things like such as headers, email, these are the interesting things, and so these are the things that potentially are not, that fall outside the encryption protections. Then of course all the content within the filters. So these are all, so the best commercial filters get up to maybe 99.5% and the deficit is a little worse than that. And we're of the opinion that at least analysis of stage three and four are already an invasion of basic rights and you should be informed about it afterwards. Of course the services see that slightly differently. So let's do some calculations, and lawyers often say that the law doesn't calculate, so let's do that for them. So we have roughly 10 million peak flows per second, average 6 million, peak 10 million, that's almost 500 billion connections per day. And of course if we have, and then that's just the connections, that's not multiple metadata in one connection, that's connections per day. So if we have 99% filter quality or 99.5%, but perhaps they have the best, and I don't know where from, let's say they have the best, 99.9%, that would still be half a billion connections that are just going to be classified wrongly, where basic rights are violated, which shouldn't happen. Let's say 20% are interesting: mail, chats, messenger services etc. Let's assume also that 1% of the data is being retained. I can't tell you what it really is, but let's say
it's 1%, and then we get down to 1 million connections, that would be just at the DE-CIX, that would be classified wrongly. Of course people who are affected by this are supposed to get informed about it, but there's no budget for it. So when we violate these federal law, there's a requirement to look at it or to announce it or that it's violated, there must be an announcement, or that we announce when there's been a violation of the G10 rule. In every law it should say specifically this is limiting the effect of this basic right, and this law doesn't do that. And whenever there is a violation, the G10 commission should deliberate and decide whether that person is informed or not, and if you do not inform them you have to check it again, you have to deliberate again, and you can't say no, we're not going to inform them, you can only say we're going to postpone the information, and only if you postpone it for 5 years can you delete the data and not inform them. But how do you do that in over a million cases? And even with the low, low amount of cases that we have right now, I don't think you can do it with zero euros budget, so that's a bit of a problem. And then there is interestingly a law that does not allow any basic G10 commission to inform, sorry, I missed that. Ok, so the scientific service said no, you can't do that, but it was still passed. And the trust might be misplaced, as you can see, as a report documented 18 important violations and 12 official complaints and concludes that the BND is illegally retaining and analyzing systematically person related data, and the data protector is complaining about missing understanding, awareness of the fundamental rights and the function of the protective service of the fundamental rights. So it's unclear whether it's going to be, the data will be destroyed or they'll just stop additional collection. Unfortunately it's difficult to tie this to removal of the data. So the scientific service is looking at this very critically, all the experts are looking at it
very critically, but the great coalition thought this is a wonderful law which should be a role model internationally. But of course we've got the first lawsuits at the constitutional court, which Amnesty International is doing, and more are being prepared at the moment, and we also informed the secret service that as soon as we get the first order based on that law we are going to sue and are going to get this stopped accordingly. Well, thank you. If there's any need, I will also be answering questions.

Many, many thanks. So there's a possibility for questions now. One question from the internet, so I'll raise this one first.

Also in, so, so can you tell apart virtual embassies online? Can DE-CIX discover this? No, the question is, if you have digital foreign countries, can you also have digital embassies, so you can do things that you could do in a regular embassy. Slightly more seriously, is the question: can we ensure that certain sensitive jobs are not going to be scanned, like journalists, doctors, lawyers, and how would we ensure that this hasn't been looked at at all? In the case of Germans you are not allowed to look at it, you have to delete it immediately. So the answer to the question, perhaps let's look at the data retention laws, hotlines and so on and so forth, but what else, can we not provide the list, and first we have to determine, the services, the services as they are analyzing the data has to find the data as they are analyzing it and realize that it applies to a doctor, journalist, etc.
and then they have to delete it and may not use it any further.

The question from the microphone at once: did you, for leverage, already as part of your lawsuit limit the extraction of data towards the services? We tried that, but the trouble is that technically, well, what they did was that, once we have a lawsuit you're supposed to stop it, but a judge can then immediately decide that while the lawsuit is ongoing you still have to do it, and that's what happened. So we tried but we were stopped.

So thanks a lot, and for this talk, which really underlines what terrible laws are being passed right now. And as a complement to the question we've had so far: the lawsuit of Amnesty is against the old law, and they're currently preparing, and it's not financed yet, and on www.freiheitsrechte.org help us gather money to prepare a constitutional complaint against the new law, that's www.freiheitsrechte.org.

I would like to remind you it's supposed to be questions only, but do donate, I mean, we do want to support this. So question from mic number two.

So thanks, one question. So have you considered using the officers duty law in the case of somebody acting obviously far less and going after the officers? No, we're an economic, we're an economic organization, and if society decides that there needs to be some surveillance then so be it, but it's really important to us that this has a legal basis and that this works correctly, and otherwise it's not okay. And the nailing that to a person and acting against people who are doing this, individuals, is something we really don't want to do. You have to go after the agencies and the organizations, and we really don't think that it would help us in society to go after single people. Legally perhaps it would be a tactic, practically we don't think it would be helpful.

So one more question from the internet: how do you know that encrypted data, that there was more encrypted data in the internet, did you do like random samples? I don't have to do any analysis, we just see that
there is more, and that's immediately visible without random sampling or anything. And of course we see that at the node. I can do this publicly, and our members want this because they want to have port analysis and traffic analysis for their own ports, and so this sort of traffic analysis on a completely anonymized basis. The metadata and peering data is completely apart from that, that's, you know, in the responsibility of the carriers, of our members, and we provide them with that service.

So one more question, number 5 please. Was there the distinction between Germans and foreigners, and then thinking of people with double citizenship, are you like both? Very good question. So first off, it's being treated the same whether you're German or a foreigner in Germany, technically, but abroad the law says Germans abroad are not allowed to be surveilled. But we can't really differentiate for EU citizens, but for Germans we can, no idea how, and I don't know either. Double citizenship: the law says Germans, and I'd say if you have a German citizenship that applies, they can't take that away from you, but then again I'm not the legal expert.

I've got a technical question. So I do traceroute from Munich to Berlin and it goes via Frankfurt, and then it takes an extra 10 milliseconds in Frankfurt, is that the G10 filter? I'm gonna say no. You didn't do that on our infrastructure, you're not gonna get 10 milliseconds, it's below millisecond resolution, you're not gonna see it. If that would happen, however we would exfiltrate this data, it would be completely transparent and none of what we would do would be visible to you. And of course part of what law enforcement wants from us is that if they want surveillance it remains invisible, but the target isn't supposed to know about it.

Yet another question from the internet: wouldn't the, shouldn't the DE-CIX take the same decision as the provider Lavabit and just shut down the service because they cannot protect their users any longer? But first off, our customers aren't the
same users as you mentioned. Our customers are carriers and we don't actually know who the specific users are behind that, and so as an exchange service we're kind of apart from that, and we're trying to clarify some of that. And that's the decision, I think we'd have to talk about this and take such a decision after we lose in the court. Right now we're still heavily hoping that we win and that we can stop all of this. And this is my personal opinion, but this is a discussion that you could only have, it would only make sense to have, after we lost, to do something that is wrong and illegal. But it doesn't change that there would be connections between carriers, and if those run through a node in another country it would just get worse.

So this is about something similar: what's the consequences you would face if you would just refuse to cooperate and not do this surveillance? Well, as CEO you'd be in big trouble, because you might be put in jail for that and they can fine you with a couple of hundred thousand euros per case, and if there is a lawful order it's really hard to refuse something that a court orders. And I mean, that's a question you always have to answer, right, I mean, if a court says something you either follow or you get fined or go to jail. We have to first clarify what the situation is, and then we have to decide, and we have to talk to our members and the carriers and ask them how do you want to deal with this, and so I can't really answer that question.

Final question from the internet: you've emissively put, what are the limits for the DE-CIX to use the data? We cannot look at contents. The maximum that we do is this sort of statistical analysis of traffic data where we don't really save anything, and it would be completely not okay if we looked at anything more than that, and we would break many, many laws and violate basic rights. And I mean, those are the legal limits for us to do that. Technically, well, any network admin, theoretically we can copy all the data, but of course that's
what the law is for, I mean, yeah, the law prevents us from just copying everything, and there's fairly high, strong punishments for that.

So sadly this is where we run out of time. We hope you've learned a lot, and so please one more big round of applause for Klaus Landefeld, and thank you for your attention from the translation team as well. this was