While revelations of the unchecked authority of the NSA are blowing through international media, one group of tech-savvy cowboys are ducking their heads below the table and holding their breath. The DGSE, or Direction Générale de la Sécurité Extérieure*, has been bracing itself for similarly unflattering revelations. While its scale is small compared to its monstrous American counterpart, it too lives in a world without oversight or legal mandate. And a growing number of citizens of France and elsewhere are calling for it to be reined in.
Apart from kicking ass in other countries and blowing up Greenpeace boats, the main purpose of the DGSE is acquiring intelligence on a grand scale, which it does through three primary sources: spy satellites, electromagnetic signals, and large underwater fiber optic cables. Collecting metadata from these sources, the DGSE is able to establish complex graphs of human interactions, both French and foreign, with which it hopes to better understand and prevent terrorism.
According to the agency’s technical director, Bernard Barbier, “France plays in the Premier League in terms of technological spying capabilities,” handling one of the largest data collection programs in the world, and the second largest in Europe. Barbier continued his chest-thumping by allowing that his system could intercept (and record) over one billion simultaneous communications.
Barbier went on to explain that, as terrorists don’t use military-level or specialized encryption or communication, the agency’s focus had turned toward public networks. We know that these include emails, text messages, telephone calls, any social network activity, and more. As France 24 wrote, the DGSE “systematically collects information about all electronic data sent by computers and telephones in France, as well as communications between France and abroad.”
France has strict laws governing privacy and personal information, and unlike the United States, even has government watchdog to monitor the collection of data on its residents. The Commission nationale de l’informatique et des libertés, or CNIL, exists for the sole purpose of protecting the French from the misuse of information about them, though unfortunately this organization has no access to or contact with the DGSE’s massive database. The result is that it lacks the authority to go after the biggest abuser privacy: the government itself. Before the DGSE can legally spy on French residents, it also must request the authorization of the Commission nationale de contrôle des interceptions de sécurité, or CNCIS, which sends the request to the office of the Prime Minister for his approval, and then finally is approved by the Groupement interministériel de contrôle, which, bizarrely, is located underneath Les Invalides in Paris.
The CNCIS, however, has a staff of eight, which includes two secretaries and a chauffeur. The DGSE could claim that it limits itself to requests authorized by the CNCIS, or 6,396 in 2011, but this is just a single drop in the data-crunching, privacy-stomping well. The DGSE’s large servers are the only source of heat for it’s giant Paris campus. And its giant new 1000 m2 state of the art data center in Yvelines was built solely for communication collected abroad, beyond the CNCIS’s jurisdiction.
France’s Electronic Communications Secrets Act (1991) requires any intercepted data to be destroyed within 10 days. In 2012, Barbier proudly declared that “we store all this data for years, and when we’re interested in an IP address or telephone number, we look it up in our databases, and we can to reconstitute his whole network.”
Large legal loopholes allow for a great amount of leeway. French law extends as far as the French borders, and beyond that the DGSE can do what it wants, with absolutely no regulation. The DGSE has “listening stations” in former colonies and around the world – notably Djibouti, next to an underwater fiber optic cable so large it’s called one of the backbones of the internet. Fiber optic cables are even excluded from weak laws regulating electromagnetic (‘hertzienne’) spying, and with the amount of raw data, including French data, passing through them, they’re a favorite of DGSE.
Other intelligence agencies, such as the domestic spying Direction centrale du renseignement intérieur**, or DCRI, the Paris Police and even French Customs, are much more limited in their collection powers. But what is allowed is for the DGSE to share its (illegally acquired) information with these other agencies. It’s like there’s a group of kids, and they send the dumb one to Amsterdam to buy pot, and he brings it back and shares it with his friends. Perfectly legal!
And if all that doesn’t work, France is still one of seven countries with direct agreements for information sharing with the NSA. If the NSA picked up the info, it’s not our fault.
But all this is just what we know. As with the revelations about the NSA, most likely the airing of the DGSE’s dirtiest laundry is still to come.
When Le Monde reported in July that France was running the same types of programs as the NSA, hardly anyone blinked. Officials remain tight-lipped, no courts argued for greater transparency, and the public is still shuffling its feet.
Perhaps it will take a brave French whistleblower to say: “Hey, what the fuck?”
*Commonly translated as Directorate Of General Security, or DOGS.
** The DCRI is scheduled to be renamed the Direction Générale de la Sécurité Intérieur in January 2014. Convention will hold that the DGSE will at that point be referred to the Outside DOGS while the DGSI will be the Indoor DOGS
Bug Brother – excellent blog from Le Monde about surveillance. (French)
Zone d’Intérêt – thorough blog about surveillance and defense. (French) These guys practically go through the DGSE’s trash…