Spies win right to keep monitoring all traffic at world's biggest internet hub

Vital internet hub, De-Cix in Frankfurt, has lost its fight against German intelligence services' mass surveillance.

De-Cix in Frankfurt is the largest internet hub in the world. For years, it quietly went along with the German intelligence services' insistence on sifting through the floods of data that traverse its facilities, until September 2016, when it sued them.

Until a revision to German law last year, the Federal Intelligence Service, Bundesnachrichtendienst or BND, could only inspect up to 20 percent of the traffic flowing through the hub.

That traffic amounts to over 5TB per second of information coming from and going to places all over the world. The 'G10 law' also says the agency can only inspect international communications.

However, De-Cix's 2016 complaint said the BND was scooping up the lot, without any targeting. It also said the agency was illegally monitoring internal German communications as part of those activities, as its filters for emails involving a .de address did not work properly.

Late Wednesday, De-Cix lost its fight at the federal administrative court in Leipzig against this strategic surveillance.

The court said the hub operator didn't have the legal standing to invoke the law on telecom secrecy, because it is only an intermediary for telecom traffic.

See: Special report: Cybersecurity in an IoT and mobile world (free PDF)

So the spying can continue unabated. The decision is good news for the German intelligence service.

As Edward Snowden revealed several years ago, the BND shares its findings with the US National Security Agency, or NSA, under a scheme that was at the time codenamed Operation Eikonal. In the grand game of global intelligence-sharing, Germany now still has its bargaining chip.

De-Cix said in a statement that it finds it "incomprehensible" that the Leipzig court failed to deal with the BND's alleged violations, as detailed by the exchange. It added that everyone's privacy rights are now solely in the hands of the government's intelligence oversight committee.

"The sole responsibility for the protection of the rights of citizens and companies is therefore the responsibility of the G10 Commission, which apparently now also has to be responsible for the treatment of internal German communications," De-Cix said.

De-Cix said it will now ask Germany's constitutional court in Karlsruhe whether it is actually obliged to implement BND orders that are "formally correct" but "questionable".

A few years ago, Reporters Without Borders also sued the BND at the Leipzig court, arguing that the agency's surveillance scheme was likely to have scooped up the correspondence of journalists with their sources.

The court threw the case out, saying the NGO had not proved that the correspondence had been monitored in this way.

Reporters Without Borders then took the case to Karlsruhe, complaining about the breaking of the G10 telecom secrecy law, infringement of free expression and freedom of profession, and its lack of effective legal recourse.

However, the constitutional court rejected the complaint, again arguing that there was insufficient evidence of the BND monitoring journalists.

Reporters Without Borders took its case to the European Court of Human Rights at the end of 2017.

It also still has a case pending at the German constitutional court about last year's changes made to the G10 law, which now explicitly allows the BND to monitor journalists' communications, in addition to removing the 20 percent cap on surveillance of international communications.

See: IT pro's guide to GDPR readiness (free PDF)

Referring to the Leipzig court's latest decision, De-Cix echoed Reporters Without Borders' frustration.

"The decision raises questions concerning effective legal protection: on the one hand, where, in the absence of detailed knowledge, citizens are unable to demonstrate their own concern and their claims are therefore dismissed, and, on the other hand, the obligated undertakings [ie De-Cix] cannot enforce their rights," De-Cix said.

"We always have a duty to our customers to ensure that strategic telecommunications monitoring of their telecommunications takes place only in a lawful manner," De-Cix added.

Reporters Without Borders did manage to score one victory in its multifaceted battle against the intelligence services.

Last year it won the right in court to have journalists' phone numbers expunged from a database that the BND was compiling about everyone's phone connections.

The ruling also allowed anyone to request the same and, inundated with requests, the BND scrapped its telephony metadata collection altogether last month.

Previous and related coverage

Spy agency back in court over snooping: You're abusing mass surveillance powers

Although German security agency BND largely fought off an earlier lawsuit over snooping abuses, now the case is going to the constitutional court.

No, we're not trying to get backdoors in smart homes, cars, says Germany

The German government is trying to quell outrage over reported smart-home and car-bugging proposals.

Is Germany right to tell parents to destroy kids' smartwatches over snooping fears?

After banning smart dolls, Germany now says no to smartwatches that allow parents to listen in on classrooms.

Tech giants hit by NSA spying slam encryption backdoors

The tech coalition includes Apple, Facebook, Google, Microsoft, and Verizon and Yahoo's parent company Oath -- all of which were hit by claims of complicity with US government's surveillance.

Facebook's new court defeat: This time it 'may have free speech implications'

Far-right leader's win over Facebook in a German comment case could have international ramifications.