December 16, 2016

A perspective on the new Dutch intelligence law

(Updated: March 24, 2018)

Since the Snowden-revelations, several countries adopted new laws governing their (signals) intelligence agencies, but instead of restricting the collection capabilities, they rather expand them. Previously we examined the new laws that have recently been implemented in France. This time we will take a look at the Netherlands, where a new law for its two secret services is now being discussed by the parliament.

The situation in the Netherlands is different in at least two major aspects from many other countries. First, there is no institutional separation between domestic security and foreign intelligence as the two secret services combine both tasks. Second, the current law restricts bulk or untargeted collection to wireless communications only, so cable access is only allowed for targeted and individualized interception.





The headquarters of the General Intelligence and Security Service AIVD
in Zoetermeer, not far from The Hague
(photo: NOS - click to enlarge)
 

Secret services

In the Netherlands, there are two secret services, which were both created during a major reorganisation in 2002:

- General Intelligence and Security Service (Dutch: Algemene Inlichtingen- en Veiligheidsdienst, or AIVD), which falls under the Interior Ministry and is mainly responsible for domestic security issues, but also has a small branch that gathers intelligence information from and about foreign countries. In 2015, AIVD had over 1300 employees and a budget of 213 million euros.

- Military Intelligence and Security Service (Dutch: Militaire Inlichtingen- en Veiligheidsdienst, or MIVD), which falls under the Defence Ministry and is mainly responsible for military intelligence related to peacekeeping missions and military operations overseas. They also have to provide security for the armed forces. In 2015, MIVD had over 800 employees and a budget of approximately 85 million euros.

The Netherlands has no separate signals intelligence agency, but in 2014, the Joint Sigint Cyber Unit (JSCU) was created as a joint venture of AIVD and MIVD. The JSCU integrates the collection of signals intelligence and cyber defense operations on behalf of both agencies. The unit is located in the AIVD headquarters building in Zoetermeer and has a workforce of some 350 people.

The head of JSCU is also the point-of-contact for foreign signals intelligence agencies, like NSA and GCHQ. The JSCU operates two listening stations: a relatively large satellite intercept station near the northern village of Burum, and a very capable High Frequency (HF) radio listening post in Eibergen near the German border.

The fact that the Dutch secret services combine both domestic security and foreign intelligence tasks, also means that there’s just one legal framework for both, and that authorisations are not only required for domestic operations, but also for foreign ones. Therefore, the Dutch services don’t have to separate foreign and domestic communications, which proved to be such a painful job for NSA and the German BND.



The headquarters of the Military Intelligence and Security Service MIVD
at the compound of the Frederik Barracks in The Hague


Dutch capabilities

During an interview with Dutch television in January 2015, Edward Snowden said that "the US intelligence services don't value the Dutch for their capabilities, they value them for their accesses, they value them for their geography, they value them for the fact that they have cables and satellites... a sort of vantage point that enables them to spy on their neighbours and others in the region in a unique way."

This doesn't show much familiarity with the issue, as the Dutch services have no "cables" yet and "satellites" are mainly intercepted for their foreign traffic. In reality, what makes Dutch intelligence interesting for NSA isn't spying on their neighbours, but their spying overseas: data they collect during military missions in Afghanistan and Mali, during navy missions around the Horn of Africa, by the quiet Dutch submarines, and HF radio traffic from the Middle East intercepted at the Eibergen listening post.


Some numbers

In 2009, the Dutch government provided the number of targeted interceptions conducted by the secret services: 1078 by AIVD and just 53 by MIVD. This number doesn’t seem very high (especially taking in account that targets often use multiple phone numbers) - but in the same year, French intelligence services were allowed to tap 5029 phone lines, although it’s not clear whether these number count in the same way.

Dutch government refuses to publish such numbers for more recent years, saying that that would give to much insight in the modus operandi of the agencies. A strange argument, because such numbers say nothing about the targets and also because countries like the US and Germany regularly publish even much more detailed numbers. Like the police, the secret services also request metadata (verkeersgegevens or printgegevens) from the telecoms, but for this there are no numbers available.


Secret services vs. police force

In 2014, Dutch police conducted over 25.000 phone and internet taps, which is way more often than in other countries (it seems that Snowden had this in mind when he erroneously said that the Dutch secret services are the “surveillance kings of Europe”). The reason for this is that Dutch police rarely conducts undercover, observation and bugging operations, which are considered much more controversial and intrusive than phone taps.

Originally, targeted interception by the police was only allowed for crimes that could be sentenced with 4 years or more imprisonment and only for phone numbers used by the suspect himself, but with a new law on special criminal investigation methods from the year 2000, these restrictions were abolished.* Unlike in France, Dutch secret services do not work on or support police investigations under the authority of a judge.



Eavesdropping authorities of Dutch police and secret services.
Situation until new laws will probably be passed in 2017.
(click to enlarge)
 

Oversight bodies

The Netherlands there is a quite thorough oversight for the intelligence and security services. This is conducted by the independent commission CTIVD and the parliamentary commission CIVD:

The main oversight body is the Review Committee for the Intelligence and Security Services (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten, or CTIVD), which consists of three independent members, appointed by royal decree, who are supported by a secretariat of 10 people. The strength of this commission is that it has the right to access all documents and computers systems and speak to all employees: commission members can actually walk in, pull open drawers and log into the networks of both AIVD and MIVD.

The CTIVD publishes an annual report, but also conducts investigations on specific matters, like targeted interception in general or specific cases based upon press revelations. This results in a steady flow of reports, most of them public, which provide a detailed insight into the work of the Dutch services, of course without revealing specific methods or other sensitive details.


Parliamentary oversight

The other oversight body is the Committee for the Intelligence and Security Services (Commissie voor de Inlichtingen- en Veiligheidsdiensten, or CIVD), comprising the leaders of all political parties represented in the Second Chamber of the Dutch parliament. In this commission, which meets about 10 times a year in utmost secrecy, the party leaders are briefed by the responsible ministers and the heads of both secret services.

Within the context of the CIVD, the party leaders have the right to read classified documents, but when they make notes, even those notes are considered classified and may not leave the secure room. They can also ask, through the minister, to question employees of the secret services, but they have no powers to force them, nor to hear them under oath.


Oversight weaknesses

According to scholars and historians, the CIVD commission isn’t really fit to conduct thorough oversight. The party leaders are involved with way too many other political issues, and therefore they not always attend the commission meetings. A leak from this commission in February 2014 also made clear that the government can apparently rather easily report about things in such a way that the party leaders miss the actual importance of it.

Independent experts proposed that the commission should at least be extended with specialized members of parliament so intelligence issues receive full attention and better understanding, but this proposal was rejected by the party leaders. They seem not really interested in the work of AIVD and MIVD, which is especially worrying given the very secretive way the Dutch government deals with intelligence issues.



The Dutch satellite intercept station near Burum, operated by JSCU
(photo: ANP - click to enlarge)
 

Towards a new law

Currently, the two Dutch security and intelligence services are still governed by the Intelligence and Security Services Act from 2002 (Dutch: Wet op de inlichtingen- en veiligheidsdiensten, or Wiv). In February 2013, an evaluation commission for this law was installed, led by Stan Dessens.

In its report from December of that year, the commission recommended that the intelligence services would be allowed to also conduct bulk collection on cable-bound communications. But given increased public scrutiny since the Snowden revelations earlier that year, the commission also urged for stronger oversight and more transparency.

It then took until July 2015 before the government published its proposal for a new law. This was followed by an internet consultation, in which anyone could submit an opinion about the proposal through a government website. This resulted in over 1100 reactions, 500 of them public and most of them very critical (it should be noted though that (the highly critical) digital rights organization Bits of Freedom provided an online tool for easily submitting standardized reactions).


A revised proposal

Given this amount of critique, including from major telecommunication providers and internet companies, the government reconsidered its proposal. On April 15, 2016 the draft was discussed in the council of ministers. The new text wasn’t released, but the government announced that some changes had been made:

- A new independent review commission (Toetsingscommissie Inzet Bevoegdheden, or TIB) that has to approve all requests for both the new bulk cable access and the existing targeted interceptions. This commission will be different from the existing independent oversight commission CTIVD and will actually consist of just 1 member and two substitutes, who have to be judges with at least 6 years of experience.

- When AIVD or MIVD want to intercept the communications between lawyers and their clients or between journalists and their sources, there has to be prior approval by the district court of The Hague. This extra protection is required by the rulings of the European Court for Human Rights.

- The government will pay for the costs of the untargeted cable tapping, which are estimated at 15 million in 2017, 25 million in 2018 and 35 million in 2019. The initial plan was to let the telecommunication companies pay for the necessary equipment on their networks, something they strongly opposed. The government plans to get one access location ready for bulk interception each year, so the agencies can gradually get used to this new method. In 2020, there will be four access locations, which will be chosen according to specific information needs and in consultation with the telecoms.

On April 29, the newspaper De Volkskrant disclosed the full text of the revised proposal, including the over 400-page explanatory memorandum (Memorie van Toelichting, or MvT). Here it was read that the government had replaced the original "untargeted interception" (ongerichte interceptie) by a horrible new term meaning something like "interception according to research assignment" (onderzoeksopdrachtgerichte interceptie) - clearly meant to sound more focused and limited, in order to counter the popular image of an indiscriminate dragnet.


Critique by the Council of State

This revised proposal was sent to the Council of State, which must be consulted before a law is submitted to parliament. Instead of a legal review of the full proposal, the Council only addressed a few topics. The controversial bulk cable access is considered necessary enough to be in accordance with the European Convention on Human Rights (ECRM), provided that there’s strong and independent oversight.

However, the Council expressed serious doubts about the effectiveness of newly proposed TIB commissioner, which lacks the expertise and capacity of the existing CTIVD commission. The proposed approval by the TIB could therefore end up like a "rubber stamp". It would be better to give the CTIVD commission the right of non-binding prior approval and the Council advises the government to change the draft in this way, before sending it to parliament.

Another point of critique is that data collected in bulk may be kept for 3 years, which the Concil thinks is too long and has to be shortened significantly. The Council was also especially concerned about the analysis of "big data" and wants to see a more general vision on how big data analysis affects the work of the secret services, like to what extent there’s a shift from collecting data to analysing already existing data sets.


Final proposal

After receiving the Council of State’s consultation from September 21, some changes were made, with the most important one being that the TIB is extended from one commissioner to a commission of three, with 2 judges, one member with for example technical expertise, and its own secretariat - thereby ignoring the main point of the Council of State’s recommendation.

The final proposal was discussed by the Dutch cabinet on October 28 and subsequently submitted to parliament. In December, the responsible parliamentary commission consulted the oversight committee, secret service officials and outside experts. The Second Chamber of parliament is expected to vote on the new law in the first week of February, which is just before the Dutch general elections on March 15, 2017.


 

AMS-IX internet Exchange co-location at the National Institute for Subatomic Physics (Nikhef)
Will the Dutch services select cables at this kind of locations for bulk collection?
(photo: Martin Alberts/Stadsarchief Amsterdam - click to enlarge)
 

Bulk cable access

The most important and most controversial new feature of the proposed intelligence law is the bulk collection of cable-bound communications. In the proposed law, the regulations for bulk collection will be made "technology independent", so they apply to both wireless communications (SHF satellite and HF radio) and fiber-optic cable traffic (internet and telephony). For this, the new law introduces a framework of 3 stages:

1. Acquisition (article 48):

Selecting specific cables and satellite channels from specific internet providers and satellites. Then conduct filtering to let through or block certain types of traffic (peer-to-peer, music and movie streams, etc.) and/or traffic from/to particular countries of interest. The remaining data may be stored for up to 3 years.

It should be noted that this means that both metadata and content are simply stored, like put in a big box, where at NSA and GCHQ content is only buffered for several days using the XKEYSCORE system, which prevents unnecessary storage of content that is not of interest.


2. Preparation (article 49):

   a. Search the communication links to determine the type of traffic and the persons or organisations it belongs to. The law mentions this as part of stage 2, suggesting that it follows upon stage 1, but actually this activity supports and therefore goes parallel to the selection of the right cables and channels during stage 1.

   b. Look for new, or verify already known selectors related to known targets, and look for new targets related to selectors already known - this is actually a kind of contact-chaining like in stage 3, but here not for the sake of analysis, but to see whether the stored bulk actually contains data or new selectors that match already approved selectors of known targets.

(This stage 2 is very artificially composed and the whole process would be much clearer and simpler when section a. would be incorporated in stage 1 and section b. in stage 3)


3. Processing (article 50):

   a. Conduct metadata analysis using the metadata from the stored bulk sets of data. These can be used for contact-chaining or other kinds of analysis in which the collected metadata can also be correlated with other datasets.

   b. Selecting the content of communications by picking them out of the stored bulk data sets when there's a match with approved selectors, like phone numbers, e-mail address or keywords (highly specific ones, like names of chemical substances or parts of weapon systems).

This means that when it comes to content, even data from the untargeted cable collection can only be accessed in the same way as traditional targeted interception: using specific selectors.


For each of these stages AIVD and MIVD need a prior authorisation from their respective minister, which is valid for up to 12 months (3 months for the content selection of stage 3). Each authorisation will then have to be approved by the TIB commission.

The government already expects that authorisations for stage 1 and 2 will often be combined. As these stages are part of a continuous process, the Council of State also noticed that it seems not very realistic to make such clear distinctions and acquire separate authorisations. This means that in practice, authorisations will likely be combined for all 3 stages, thereby largely mitigating the goal of the system.



Overview of the untargeted/bulk collection with the 3 stages of approval
as proposed by the new Dutch Intelligence and Security Services Act.
(click to enlarge)


Just like with the sudden introduction of the TIB commissioner, this 3-stage authorisation scheme seems primarily aimed at comforting the public opinion. The government presents them as safeguards against abuses, but they actually make things unnecessarily complicated with a substantial risk that they will end up to be counterproductive.

These extra safeguards were introduced partly because the government couldn’t very well explain why the new bulk collection of cable communications is actually that necessary. The standard example used by the interior minister is about access to cables from the Netherlands to Syria, but communications related to known targets can already be covered by targeted interception, while for example Facebook and Whatsapp messages actually go through cables from the US.


Supposed purposes

On April 20, 2016, public broadcaster NOS revealed a confidential document that apparently addressed internet providers and contains some more specific examples for the proposed bulk cable access. For example when people from a fictitious city of 400.000 inhabitants communicate with a certain chat service, this should be interceptable. Also internet traffic for a maximum of 200 people has to be 'searched', but it isn’t clear whether that applies to the example of the city, or whether this is a total.

Another example from the document is about public wifi hotspots. Communications of people accessing certain hotspots and/or using these to visit certain foreign websites must also be interceptable. The document also speaks about telephone traffic between a Dutch city and a foreign country as well as about the internet traffic between someone in a Dutch city and in a foreign country in which for example bittorrent is used. All this must be interceptable.

There are no rules for "minimizing" (anonymising) the results of this kind of collection, likely because both secret services have both a domestic and a foreign intelligence task, so they are not prohibited from using domestic data, like agencies in other countries.



Overview of the safeguards for untargeted cable access (in Dutch)
Stage 2 is only mentioned where it prepares for stage 3
(source: Dutch government - click to enlarge)


The champions in cable tapping are NSA and GCHQ, but there we already see a shift towards cyber defense and hacking operations, things that got much less attention in the Dutch public opinion and (probably therefore) also not in the new law.
 


Cyber security monitoring

The proposed bulk cable access is not only meant for intercepting communications, but also for cyber security purposes. The strange thing is that this isn’t explicitly mentioned in the new law itself, but only, and even rather short, in the explanatory memorandum. It is said that the new articles 48 and 49 make it possible for AIVD and MIVD to scan cable-bound network traffic for malware signatures and other anomalies which may pose a threat for national security.

This cyber security monitoring may only take place after prior approval by the minister, who will specify on which particular part of the cable infrastructure and for which goal the network monitoring or network detection may take place. Where bulk cable access for intercepting and analysing communications will only be conducted on sets of data that are stored offline, the cyber security task can also take place online: traffic will then be analysed in real-time by for example a DPI (Deep Packet Inspection) system.

The explanatory memorandum mentions real-time online monitoring only for cyber security purposes. Later on, it is said that bulk collection for the purpose of intercepting communications is less intrusive than a traditional targeted interception, because the latter results in an online and real-time collection of all the target’s communications, while the bulk collection only provides the limited set of data that has been stored offline. This distinction isn’t explicitly mentioned in the proposed law itself, so it’s unclear whether real-time monitoring and filtering systems are also allowed for interception purposes.


 

Antennas of the HF radio intercept station in Eibergen, operated by JSCU
(photo: Peter Zandee/De Gelderlander - click to enlarge)


Third party hacking

Another important new feature in the new law is about network and computer hacking. Already under the current law from 2002, both secret services are allowed to hack into digital systems and networks, but only those being used by a particular target (Dutch police isn’t allowed to hack, but another new law is expected to change that soon). Additional to this, the proposal will also allow AIVD and MIVD (or JSCU on their behalf) to hack computer systems used by third parties, whenever that is necessary to get access to a target’s computer.

Obviously, so-called hard targets can secure their systems in a way that it is hardly possible to break in, or they can avoid online systems as much as possible, so the only option will be to get access through third parties near or in contact with such a target. But still this extension of powers is remarkable because this is one of the most controversial methods that came to light in recent years. GCHQ for example hacked the network of the Belgian telecom company Belgacom as a means to get access to still unknown targets.


Safeguards

Despite third party hacking is probably just as controversial as the bulk cable tapping, the government didn’t introduce separate authorisations for the various steps in the hacking process, like they did for untargeted interception. This means that hacking operations, no matter how intrusive or extensive, require only a single authorisation set (minister + TIB commission).

However, each authorisation by the minister has to make sure that the use not only of hacking methods, but also of all other special intelligence methods is in accordance with these three basic rules:

- Necessity: a method must be necessary to fulfill the intelligence or counter-intelligence mission.

- Proportionality: the consequences of a method have to be in proportion to its goal.

- Subsidiarity: a method may only be used when the goal cannot be achieved through a less intrusive method.



Contributions to this article were made by Zone d'Intérêt, a French weblog about intelligence & defence, on which this article was also published as part of an ongoing series about new laws on intelligence and security services.
 

Updates:

On December 30, 2016, members of parliament submitted hundreds of questions about the draft Intelligence and Security Services Act, but no substantial changes were proposed. In its answers from January 18, 2017, the government stuck to its initial position. The only change worth mentioning is that when during untargeted interception data are considered not of interest, they have to be deleted immediately - the word "immediately" wasn't in the original text.

However, the government's answers also provided some clarity, as it was said that the untargeted cable access doesn't mean that the secret services will get access to a complete fiber-optic cable (through cable-splitting), but that instead the telecoms will likely only copy specific and selected channels (through port mirroring) and provide these to the government for further processing, which is a more targeted and flexible way.

Given that members of parliament were mainly focused at the untargeted interception, or "dragnet" as many call it, there was less attention for the new hacking capabilities and nothing was clarified about how the services will use the new cable access for cyber security purposes.

On february 8, the Second Chamber of the Dutch parliament discussed the proposal during a 9-hour debate in which several parties proposed over 40 amendments to the new law, but again the government wasn't willing to change anything. The vote was on February 14, 2017 and the law passed with a fairly large majority. Finally, the Dutch senate approved the new Intelligence and Security Services Act on July 11, 2017.

The new law was scheduled to come into force on January 1, 2018, but then a group of five students started a petition for organizing a referendum about the Wiv. The petition was eventually supported by some 384.000 people - enough for a consultative referendum that will be held on March 21, 2018.


The five students who initiated the "dragnet" (sleepwet) referendum
(photo: ANP/RTLZ)

Meanwhile, the newly elected government assured that under the new law, there will be no indiscriminate and mass data collection ("dragnet") and also postponed the entry into force of the law until May 1, 2018 (it actually appeared to be rather difficult to find capable candidates for the new TIB commission).

In the two months before the referendum, an increasing number of debates and lectures took place, in which the pros and cons of the new Intelligence and Security Services act were discussed. Eventually such meetings were held almost daily and all round the country - a remarkable interest for such a complicated subject. Also flyers and several booklets with information about the new law were distributed:



The referendum on March 21, 2018 resulted in 49,5% against and 46,5% in favor of the new law, with a remarkable high number of blank votes: 4%. As the referendum was non-binding, it is now up to the Dutch government to decide in what way they will address the outcome of the vote.



Links and sources

- Electrospaces @ Medium: Dossier Wiv 2017 (July 2020)
- Dutch National Security Reform Under Review: Sufficient Checks and Balances in the Intelligence and Security Services Act 2017? (Mar. 2018)
- Netkwesties.nl: Bangmakerij en onjuiste feiten in strijd voor referendum (Oct. 2017)
- Nederlands Dagblad: Een nieuwe, achterhaalde wet (Febr. 2017)
- Bits of Freedom: Moties en amendementen bij de nieuwe Wiv (Febr. 2017)
- Tweede Kamer: Hoorzitting/rondetafelgesprek inzake de nieuwe Wiv (Dec. 2016)
- BoF protest website: www.geensleep.net (Dec. 2016)
- NRC.nl: De geheime dienst is een gemakkelijke zondebok (Nov. 2016)
- Tweede Kamer: Wetsvoorstel 34588 (Oct. 2016)
- Volkskrant.nl: 'Onschuldige burgers hebben niet zoveel te vrezen' (Apr. 2016)
- Volkskrant.nl: Kabinet houdt vast aan massaal aftappen internetverkeer (Apr. 2016)
- Bart Jacobs: Select while you collect - Over de voorgestelde interceptiebevoegdheden voor inlichtingen- en veiligheidsdiensten (Jan. 2016)
- Blog.cyberwar.nl: [Dutch] Lijstje van reacties van organisaties op de Wiv-consultatie (Sept. 2015)
- Bart Jacobs: Vluchtig en Stelselmatig. Een bespreking van interceptie door inlichtingen- en veiligheidsdiensten (Febr. 2015)

2 comments:

Anonymous said...

Thank you for your great work!

Do you know already the decision o the Dutch government after the referendum?

P/K said...

Yes, the government came with some minor concessions, like for example intercepting communications has to be "as targeted as possible"; data may only be shared with foreign agencies when there's a review of their credibility; storage of data from bulk collection has to be approved every year. Meanwhile, these changes have been implemented in the law. There will be a general review of the new law as of May 2020 by an independent commission.

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties