Revelations on the French Big Brother
If the revelations about the American espionage program Prism set off a chorus of indignation in Europe, France itself protested only weakly. For two excellent reasons: Paris already knew about it – and it”s doing exactly the same thing. Le Monde is able to disclose that the General Directorate of External Security (the DGSE, or special services) systematically collects the electromagnetic signals emitted by computers and telephones in France, and the flow of signals between France and countries abroad: the entirety of our communications are being spied on. All of our email messages, SMS messages, itemised phone bills and connections to FaceBook and Twitter are then stored for years. If this immense data base was used just by the DGSE, which operates only outside French borders, it would already be illegal. But the six other intelligence services – among them the Central Directorate of Internal Intelligence, the customs service and the Tracfin anti-money-laundering service – delve into this base daily for the data of interest to them. This takes place discreetly, on the margins of legality and and beyond any serious control. Politicians are perfectly aware of it, but secrecy is the rule.
A CLANDESTINE SYSTEM
This French Big Brother, a little brother of the American services, is clandestine. Yet its existence appears discreetly in parliamentary documents. In a report issued on April 30, the eight deputies and senators in the parliamentary intelligence delegation note that “progress has been made since 2008 in the mutualisation of capabilities, notably regarding intelligence of electromagnetic origin, effected by the DGSE for the benefit of the entire intelligence community.”
The parliamentarians propose to go still further, to “reinforce the capabilities exploited by the DGSE” and to “consolidate the access of other services to the capabilities mutualised by the DGSE.”
THE TARGET: “METADATA”
The intelligence services are not looking for the content of the messages, but rather their context. It is more interesting to know who is speaking to whom than to record what they are saying. More than phone tapping, it”s the technical data – the “metadata” – that is being combed through.
The DGSE thus collects the itemised telephone bills of millions of subscribers – the names of the callers and the called, the place, the date, the duration, the weight of the message. The same goes for email (with the possibility of reading the title of the message), SMS messages, faxes… And all activity on the Internet that takes place via Google, Facebook, Microsoft, Apple, Yahoo… It’s what the parliamentary intelligence delegation very aptly calls “intelligence of electromagnetic origin”, the equivalent of the NSA’s SigInt (signals intelligence).
This metadata may be used to draw huge graphs of links among people based on their digital activity, and it’s been going on for years. The idea is to sketch out a kind of diary of each person’s activity on both telephone and computer. When an interesting group has been identified, it then becomes the responsibility of the intelligence services to use more intrusive techniques, like wire-tapping or police tails.
A SUPERCOMPUTER ON BOULEVARD MORTIER IN PARIS
This system is obviously of great value in the fight against terrorism. But it allows spying on anyone, any time. The DGSE collects billions of billions of units of data, which are compressed and stored on three floors in the basement of the DGSE headquarters on Boulevard Mortier in Paris.
Bernard Barbier, technical director of the DGSE since 2006, has spoken publicly about this system on two occasions – in 2010 at a symposium on the security of information and communications technology, and to the Association of Reservists in Encryption and Information Security (Arsci). His comments were reported on a few specialised sites, including Bug Brother, a blog by Jean-Marc Manach on lemonde.fr. Mr. Barbier spoke of “the development of a calculator based on FPGA” – Field Programmable Gate Array, or an integrated circuit that may be programmed for logical functions – that is “probably the biggest data processing center in Europe after the English”, capable of managing dozens of petaoctets of data, in other words dozens of millions of gigaoctets. The heat emitted by the computers is sufficient to heat all the buildings of the DGSE…
France is said to be among the Top 5 in computing capacity, after the United States, Britain, Israel and China. Mr. Barbier estimated the number of connections picked up by the system at 4 billion in 2013, with a flow of about 1 billion simultaneous communications. “Today, our targets are the networks of the public at large,” the director said at the time, “because they are used by terrorists.”
The DGSE heads “the strongest team of crypto-mathematicians” in France, penetrates computer systems – and of course collects millions of units of personal data.
The other French intelligence services have access to this gigantic data base, which is soberly called the “mutualisation infrastructure”. They include the DGSE of course, but also the Directorate of Military Intelligence (DRM); the Directorate of Protection and Security of Defense (DPSD); the Central Directorate of Internal Security (DCRI); the Directorate of National Intelligence and Customs Investigations (DNRED); Tracfin, the anti-money-laundering unit; and even the small intelligence service of the police headquarters in Paris.
According to Senate reports, 80% of the resources of the technical management of the DGSE are used by these other intelligence services. Each supplies the name of the target of their investigation to the DGSE, which replies “hit” or “no hit” according to whether the target appears in the data base or not. Then the services of the DGSE make the metadata intelligible with the addition of classical intelligence.
Requests for consultation go far beyond just terrorism and the defence of France’s economic property. The very vague wording – protection of national security – makes it possible notably to identify the entourage of politicians at the highest level of the state, whatever their position and the nature of the links under surveillance.
ABSENCE OF MONITORING
The system is perfectly illegal – or “a-legal”, as the chief of one of the intelligence agencies puts it. According to the National Commission for Information Technology and Freedom (CNIL), the French agency in charge of protecting personal data, “The legal system governing security interceptions forbids the establishment by the intelligence services of a procedure like Prism.” It adds : “Each request for the requisition or interception of data must be targeted and may not be carried out massively in terms of the quantity or the time period. Such practices thus have no legal foundation.” The CNIL can neither confirm or deny the existence of the French system – it moveover does not have access to the files of the DGSE or the DCRI.
To be sure, there is a strict legal framework for security interceptions, which are to be authorised by the prime minister, on the recommendation of the National Consultative Commission for Security Interceptions, but this framework did not forecess the massive stocking of technical data by the secret services. “We’ve been operating is a zone of virtual autorisation for years”, confided a former chief of one of the services. “And each agency is quite content with this freedom, which is possible thanks to the legal vagueness surrounding metadata.” A parliamentarian confirmed that “a large portion of the electronic connections in France are effectively intercepted and stocked by the DGSE.” But, officially, the “mutualisation infrastructure” does not exist.
(Translated by Meg Bortin)
Jacques Follorou et Franck Johannès