Tuesday, 03 March 2020

A Perspective On The New Dutch Intelligence Law

(Updated: March 24, 2018)

Since the Snowden revelations, several countries have adopted new laws governing their (signals) intelligence agencies, but instead of restricting the collection capabilities, they rather expand them. Previously we examined the new laws that have recently been implemented in France. This time we will take a look at the Netherlands, where a new law for its two secret services is now being discussed by the parliament.

The situation in the Netherlands is different in at least two major aspects from many other countries. First, there is no institutional separation between domestic security and foreign intelligence as the two secret services combine both tasks. Second, the current law restricts bulk or untargeted collection to wireless communications only, so cable access is only allowed for targeted and individualized interception.





The headquarters of the General Intelligence and Security Service AIVD
in Zoetermeer, not far from The Hague
(photo: NOS)
 

Secret services

In the Netherlands, there are two secret services, which were both created during a major reorganisation in 2002:

- interview with Dutch television in January 2015, Edward Snowden said that "the US intelligence services don't value the Dutch for their capabilities, they value them for their accesses, they value them for their geography, they value them for the fact that they have cables and satellites... a sort of advantage point that enables them to spy on their neighbours and others in the region in a unique way."

This doesn't show much familiarity with the issue, as the Dutch services have no "cables" yet and "satellites" are mainly intercepted for their foreign traffic. In reality, what makes Dutch intelligence interesting for NSA isn't spying on their neighbours, but their spying overseas: data they collect during military missions in Afghanistan and Mali, during navy missions around the Horn of Africa, by the quiet Dutch submarines, and HF radio traffic from the Middle East intercepted at the Eibergen listening post.


Some numbers

In 2009, the Dutch government provided the number of targeted interceptions conducted by the secret services: 1078 by AIVD and just 53 by MIVD. This number doesn't seem very high (especially taking into account that targets often use multiple phone numbers) - but in the same year, French intelligence services were allowed to tap 5029 telephone lines, although it's not clear whether these numbers count in the same way.

The Dutch government refuses to publish such numbers for more recent years, saying that that would give too much insight into the modus operandi of the agencies. A strange argument, because such numbers say nothing about the targets and also because countries like the US and Germany regularly publish even much more detailed numbers. Like the police, the secret services also request metadata (verkeersgegevens or printgegevens) from the telecoms, but for this there are no numbers available.


Secret services vs. police

In 2014, Dutch police conducted over 25.000 telephone and internet taps, which is way more often than in other countries (it seems that Snowden had this in mind when he erroneously said that the Dutch secret services are the “surveillance kings of Europe”). The reason for this is that Dutch police rarely conducts undercover, observation and bugging operations, which are considered much more controversial and intrusive than telephone taps.

Originally, targeted interception by the police was only allowed for crimes that could be sentenced with 4 years or more imprisonment and only for phone numbers used by the suspect himself, but with a new law on special criminal investigation methods from the year 2000, these restrictions were abolished. Unlike in France, Dutch secret services do not work on or support police investigations under the authority of a judge.



Eavesdropping authorities of Dutch police and secret services.
Situation until new laws will probably be passed in 2017.
 

Oversight bodies

In the Netherlands there is quite thorough oversight for the intelligence and security services. This is conducted by the independent commission CTIVD and the parliamentary commission CIVD:

The main oversight body is the Review Committee for the Intelligence and Security Services (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten, or CTIVD), which consists of three independent members, appointed by royal decree, who are supported by a secretariat of 10 people. The strength of this commission is that it has the right to access all documents and computer systems and talk to all employees: commission members can actually walk in, pull open drawers and log into the networks of both AIVD and MIVD.

The CTIVD publishes an annual report, but also conducts investigations on specific matters, like targeted interception in general or specific cases based upon press revelations. This results in a steady stream of reports, most of them public, which provide a detailed insight into the work of the Dutch services, of course without revealing specific methods or other sensitive details.


Parliamentary oversight

The other oversight body is the Committee for the Intelligence and Security Services (Commissie voor de Inlichtingen- en Veiligheidsdiensten, or CIVD), comprising the leaders of all political parties represented in the Second Chamber of the Dutch parliament. In this commission, which meets about 10 times a year in utmost secrecy, the party leaders are briefed by the responsible ministers and the heads of both secret services.

Within the context of the CIVD, the party leaders have the right to read classified documents, but when they make notes, even those notes are considered classified and may not leave the secure room. They can also ask, through the minister, to question employees of the secret services, but they have no powers to force them, nor to hear them under oath.


Oversight weaknesses

According to scholars and historians, the CIVD commission isn’t really fit to conduct thorough oversight. The party leaders are involved with way too many other political issues, and therefore they do not always attend the commission meetings. A leak from this commission in February 2014 also made clear that the government can apparently rather easily report about things in such a way that the party leaders miss the actual importance of it.

Independent experts proposed that the commission should at least be extended with specialized members of parliament so intelligence issues get full attention and better understanding, but this proposal was rejected by the party leaders. They seem not really interested in the work of AIVD and MIVD, which is especially worrying given the very secretive way the Dutch government deals with intelligence issues.



The Dutch satellite intercept station near Burum, operated by JSCU
(photo: ANP)
 

Towards a new law

Currently, the two Dutch security and intelligence services are still governed by the Intelligence and Security Services Act from 2002 (Dutch: Wet op de inlichtingen- en veiligheidsdiensten, or Wiv). In February 2013, an evaluation commission for this law was installed, led by Stan Dessens.

In its report from December of that year, the commission recommended that the intelligence services would be allowed to also conduct bulk collection on cable-bound communications. But given increased public scrutiny since the Snowden revelations earlier that year, the commission also urged for stronger oversight and more transparency.

It then took until July 2015 before the government published its proposal for a new law. This was followed by an internet consultation, in which anyone could submit an opinion about the proposal through a government website. This resulted in over 1100 reactions, 500 of them public and most of them very critical (it should be noted though that (the highly critical) digital rights organization Bits of Freedom provided an online tool for easily submitting standardized reactions).


A revised proposal

Given this amount of critique, including from major telecommunications providers and internet companies, the government reconsidered its proposal. On April 15, 2016 the draft was discussed in the council of ministers. The new text wasn’t released, but the government announced that some changes had been made:

- A new independent review commission (Toetsingscommissie Inzet Bevoegdheden, or TIB) that has to approve all requests for both the new bulk cable access and the existing targeted interceptions. This commission will be different from the existing independent oversight commission CTIVD and will actually consist of just one member and two substitutes, who have to be judges with at least six years of experience.

- When AIVD or MIVD want to intercept the communications between lawyers and their clients or between journalists and their sources, there has to be prior approval by the district court of The Hague. This extra protection is required by the rulings of the European Court of Human Rights.

- The government will pay for the costs of the untargeted cable tapping, which are estimated at 15 million in 2017, 25 million in 2018 and 35 million in 2019. The initial plan was to let the telecommunications companies pay for the necessary equipment on their networks, something they strongly opposed. The government plans to get one access location ready for bulk interception each year, so the agencies can gradually get used to this new method. In 2020, there will be four access locations, which will be chosen according to specific information needs and in consultation with the telecoms.

On April 29, the newspaper De Volkskrant disclosed the full text of the revised proposal, including the over 400-page explanatory memorandum (Memorie van Toelichting, or MvT). There one could read that the government had replaced the original "untargeted interception" (ongerichte interceptie) by a horrible new term meaning something like "interception according to inquiry assignment" (onderzoeksopdrachtgerichte interceptie) - clearly meant to sound more focused and limited, in order to counter the popular image of an indiscriminate dragnet.


Critique by the Council of State

This revised proposal was sent to the Council of State, which must be consulted before a law is submitted to parliament. Instead of a legal review of the full proposal, the Council only addressed a few topics. The controversial bulk cable access is considered necessary enough to be in accordance with the European Convention on Human Rights (ECHR), provided that there’s strong and independent oversight.

However, the Council expressed serious doubts about the effectiveness of the newly proposed TIB commissioner, which lacks the expertise and capacity of the existing CTIVD commission. The proposed approval by the TIB could therefore end up like a "rubber stamp". It would be better to give the CTIVD commission the right of non-binding prior approval and the Council advises the government to change the draft in this way, before sending it to parliament.

Another point of critique is that data collected in bulk may be kept for 3 years, which the Council thinks is too long and has to be shortened significantly. The Council was also particularly concerned about the analysis of "big data" and wants to see a more general vision on how big data analysis affects the work of the secret services, like to what extent there’s a shift from collecting data to analysing already existing data sets.


Final proposal

After receiving the Council of State’s advice from September 21, some changes were made, with the most important one being that the TIB is extended from one commissioner to a commission of three, with two judges, one member with for example technical expertise, and its own secretariat - thereby ignoring the main point of the Council of State’s recommendation.

The final proposal was discussed by the Dutch cabinet on October 28 and afterwards submitted to parliament. In December, the responsible parliamentary commission consulted the oversight committee, secret service officials and outside experts. The Second Chamber of parliament is expected to vote on the new law in the first week of February, which is just before the Dutch general elections on March 15, 2017.


 

AMS-IX Internet Exchange co-location at the National Institute for Subatomic Physics (Nikhef)
Will the Dutch services tap cables at this kind of location for bulk collection?
(photo: Martin Alberts/Stadsarchief Amsterdam)
 

Bulk cable access

The most important and most controversial new feature of the proposed intelligence law is the bulk collection of cable-bound communications. In the proposed law, the regulations for bulk collection will be made "technology independent", so they apply to both wireless communications (SHF satellite and HF radio) and fiber-optic cable traffic (internet and telephony). For this, the new law introduces a framework of three stages:

1. Acquisition (article 48):

Selecting specific cables and satellite channels from specific network providers and satellites. Then conduct filtering to let through or block certain types of traffic (peer-to-peer, music and film streams, etc.) and/or traffic from/to particular countries of interest. The remaining data may be stored for up to 3 years.

It should be noted that this means that both metadata and content are simply stored, like put in a big box, whereas at NSA and GCHQ content is only buffered for several days using the XKEYSCORE system, which prevents unnecessary storage of content that is not of interest.


2. Preparation (article 49):

   a. Search the communication links to determine the type of traffic and the persons or organisations it belongs to. The law mentions this as part of stage 2, suggesting that it follows upon stage 1, but actually this activity supports and therefore goes parallel to the selection of the right cables and channels during stage 1.

   b. Look for new, or verify already known selectors related to known targets, and look for new targets related to selectors already known - this is actually a kind of contact-chaining like in stage 3, but here not for the sake of analysis, but to see whether the stored bulk actually contains data or new selectors that match already approved selectors of known targets.

(This stage 2 is very artificially composed and the whole process would be much clearer and simpler if section a. were incorporated in stage 1 and section b. in stage 3)


3. Processing (article 50):

   a. Conduct metadata analysis using the metadata from the stored bulk sets of data. These can be used for contact-chaining or other kinds of analysis in which the collected metadata can also be correlated with other datasets.

   b. Selecting the content of communications by picking them out of the stored bulk data sets when there's a match with approved selectors, like phone numbers, email addresses or keywords (highly specific ones, like names of chemical substances or parts of weapon systems).

This means that when it comes to content, even data from the untargeted cable collection can only be accessed in the same way as traditional targeted interception: using specific selectors.


For each of these stages AIVD and MIVD need a prior authorisation from their respective minister, which is valid for up to 12 months (3 months for the content selection of stage 3). Each authorisation will then have to be approved by the TIB commission.

The government already expects that authorisations for stage 1 and 2 will often be combined. As these stages are part of a continuous process, the Council of State also noticed that it seems not very realistic to make such clear distinctions and get separate authorisations. This means that in practice, authorisations will likely be combined for all three stages, thereby largely undermining the purpose of the system.



Overview of the untargeted/bulk collection with the three stages of approval
as proposed by the new Dutch Intelligence and Security Services Act.


Just like with the abrupt introduction of the TIB commissioner, this 3-stage authorisation scheme seems primarily aimed at comforting public opinion. The government presents them as safeguards against abuses, but they actually make things unnecessarily complicated with a substantial risk that they will end up being counterproductive.

These extra safeguards were introduced partly because the government couldn’t very well explain why the new bulk collection of cable communications is actually that necessary. The standard example used by the interior minister is about access to cables from the Netherlands to Syria, but communications related to known targets can already be covered by targeted interception, while for example Facebook and Whatsapp messages actually go through cables from the US.


Supposed purposes

On April 20, 2016, public broadcaster NOS revealed a confidential document that apparently addressed network providers and contains some more specific examples for the proposed bulk cable access. For example when people from a fictitious city of 400.000 inhabitants communicate with a certain chat service, this should be interceptable. Also network traffic for a maximum of 200 people has to be 'searched', but it isn’t clear whether that applies to the example of the city, or whether this is a total.

Another example from the document is about public wifi hotspots. Communications of people accessing certain hotspots and/or using these to visit certain foreign websites must also be interceptable. The document also speaks about telephone traffic between a Dutch city and a foreign country as well as about the network traffic between someone in a Dutch city and in a foreign country in which for example bittorrent is used. All this must be interceptable.

There are no rules for "minimizing" (anonymising) the results of this kind of collection, likely because both secret services have both a domestic and a foreign intelligence task, so they are not prohibited from using domestic data, as agencies in other countries are.



Overview of the safeguards for untargeted cable access (in Dutch)
Stage 2 is only mentioned where it prepares for stage 3
(source: Dutch government)


The champions in cable tapping are NSA and GCHQ, but there we already see a shift towards cyber defence and hacking operations, things that got much less attention in Dutch public opinion and (probably therefore) also not in the new law.
 


Cyber security monitoring

The proposed bulk cable access is not only meant for intercepting communications, but also for cyber security purposes. The strange thing is that this isn’t explicitly mentioned in the new law itself, but only, and even rather briefly, in the explanatory memorandum. It is said that the new articles 48 and 49 make it possible for AIVD and MIVD to scan cable-bound network traffic for malware signatures and other anomalies which may pose a threat to national security.

This cyber security monitoring may only take place after prior approval by the minister, who will specify on which particular part of the cable infrastructure and for which purpose the network monitoring or network detection may take place. Where bulk cable access for intercepting and analysing communications will only be conducted on sets of data that are stored offline, the cyber security task can also take place online: traffic will then be analysed in real-time by for example a DPI (Deep Packet Inspection) system.

The explanatory memorandum mentions real-time online monitoring only for cyber security purposes. Later on, it is said that bulk collection for the purpose of intercepting communications is less intrusive than a traditional targeted interception, because the latter results in an online and real-time collection of all the target’s communications, while the bulk collection only provides the limited set of data that has been stored offline. This distinction isn’t explicitly mentioned in the proposed law itself, so it’s unclear whether real-time monitoring and filtering systems are also allowed for interception purposes.


 

Antennas of the HF radio intercept station in Eibergen, operated by JSCU
(photo: Peter Zandee/De Gelderlander)


Third party hacking

Another important new feature in the new law is about network and computer hacking. Already under the current law from 2002, both secret services are allowed to hack into digital systems and networks, but only those being used by a particular target (Dutch police isn’t allowed to hack, but another new law is expected to change that soon). In addition to this, the proposal will also allow AIVD and MIVD (or JSCU on their behalf) to hack computer systems used by third parties, whenever that is necessary to get access to a target’s computer.

Obviously, so-called hard targets can secure their systems in a way that it is hardly possible to break in, or they can avoid online systems as much as possible, so the only option will be to get access through third parties close to or in contact with such a target. But still this extension of powers is remarkable because this is one of the most controversial methods that came to light in recent years. GCHQ for example published as part of an ongoing series about new laws on intelligence and security services.
 

Updates:

On December 30, 2016, members of parliament submitted hundreds of questions about the draft Intelligence and Security Services Act, but no substantial changes were proposed. In its answers from January 18, 2017, the government stuck to its initial position. The only change worth mentioning is that when during untargeted interception data are considered not of interest, they have to be deleted immediately - the word "immediately" wasn't in the original text.

However, the government's answers also provided some clarity, as it was said that the untargeted cable access doesn't mean that the secret services will get access to a complete fiber-optic cable (through cable-splitting), but that instead the telecoms will likely only copy specific and selected channels (through port mirroring) and provide these to the government for further processing, which is a more targeted and flexible way.

Given that members of parliament were mainly focused on the untargeted interception, or "dragnet" as many call it, there was less attention for the new hacking capabilities and nothing was clarified about how the services will use the new cable access for cyber security purposes.

On February 8, the Second Chamber of the Dutch parliament discussed the proposal during a 9-hour debate in which several parties proposed over forty amendments to the new law, but again the government wasn't willing to change anything. The vote was on February 14, 2017 and the law passed with a fairly large majority. Finally, the Dutch senate approved the new Intelligence and Security Services Act on July 11, 2017.

The new law was scheduled to come into force on January 1, 2018, but then a group of five students started a petition for organizing a referendum about the Wiv. The petition was eventually supported by some 384.000 people - enough for a consultative referendum that will be held on March 21, 2018.


The five students who initiated the "dragnet" (sleepwet) referendum
(photo: ANP/RTLZ)

Meanwhile, the newly elected government assured that under the new law, there will be no indiscriminate and bulk data collection ("dragnet") and also postponed the entry into force of the law until May 1, 2018 (it actually appeared to be rather difficult to find capable candidates for the new TIB commission).

In the two months before the referendum, an increasing number of debates and lectures took place, in which the pros and cons of the new Intelligence and Security Services Act were discussed. Eventually such meetings were held almost daily and all around the country - a remarkable interest for such a complicated subject. Also flyers and several booklets with information about the new law were distributed:



The referendum on March 21, 2018 resulted in 49,5% against and 46,5% in favor of the new law, with a remarkably high number of blank votes: 4%. As the referendum was non-binding, it is now up to the Dutch government to decide in what way they will address the outcome of the vote.


