Saturday, November 9, 2013

Oversight on Dutch SIGINT is still broken

UPDATE 2014-03-11: today, a new CTIVD oversight report was published, together with the Dutch cabinet's response to the Dessens report. The report covers exercises of various telecom-related powers by the AIVD and MIVD. Concerning the undirected (bulk) collection of phone metadata from wireless sources, the CTIVD has now established that it has not been motivated as required by law: nothing is known about necessity, proportionality or subsidiarity of such collection. IMHO the new report --- which only exists as a result of Snowden's revelations --- reemphasizes that up until today, oversight on Dutch SIGINT is broken. 
UPDATE 2013-12-16: the Minister responded (.pdf, in Dutch) today. Here is the relevant part:
"The cabinet thinks, as does the Parliament, that it is very important that the CTIVD can assess the legality of SIGINT selection activities [carried out by the AIVD and MIVD]. Measures have been taken, and are being taken. These are aimed at enabling the CTIVD to assess legality of SIGINT selection activities in future reports."
Original Dutch: "De regering hecht er, evenals de Kamer, zeer aan dat de CTIVD ook tot een rechtmatigheidsoordeel kan komen over de selectie van sigint. Op dit vlak zijn en worden maatregelen getroffen. Deze zijn erop gericht de CTIVD in staat te stellen in toekomstige rapporten tot een oordeel te komen."
Unfortunately, nothing is stated about what measures have been taken.

UPDATE 2013-12-04: on December 2nd, the Dessens Committee published their final report --- I'm blogging about it here.
UPDATE 2013-11-28: the below was brought up (in Dutch) by MP Gerard Schouw (D66 party) during yesterday's Parliamentary debate on the FY2014 budget for the Ministry of the Interior & Kingdom Relations. My translation of Schouw's words:
"Today I want to talk about political responsibility. We have the CTIVD, that oversees the legality of information collection by the AIVD and MIVD. A close look at their reports shows that the CTIVD regularly or even systematically withholds from making a statement about the general picture of legality of the activities of the AIVD and MIVD. The legality of the AIVD and MIVD activities concerning Article 27 [SIGINT selection, mk] cannot be established by the CTIVD, as we can read in CTIVD reports 19, 26, 28, 31 and 35. These span the years 2008 to 2013. In those five years, the CTIVD has not been able to assess the legality. I'd like to know what the successive Ministers of Internal Affairs have done about that. I mentioned the reports. The Minister should be able to find his way with that. What did the previous Ministers do? What has this Minister done? How does this relate to the statement of the Minister that both services comply with the law? Isn't that very difficult if the CTIVD says it can not assess the legality?"
Original Dutch: "Ik wil het vandaag hebben over de politieke verantwoordelijkheid. Wij hebben de CTIVD, die de rechtmatigheid van de informatiewinning van de AIVD en MIVD controleert. Wie echter goed naar de verslagen kijkt, ziet dat de CTIVD zich regelmatig of zelfs stelselmatig onthoudt van een oordeel hierover. De rechtmatigheidstoepassing van de AIVD en de MIVD rondom artikel 27 is door de CTIVD niet vast te stellen, zo lezen wij in verschillende rapporten met de nummers 19, 26, 28, 31 en 35. Dat zijn de jaargangen 2008 tot en met 2013. In die vijf jaar heeft de CTIVD de rechtmatigheid niet kunnen vaststellen. Ik wil weleens van de minister weten wat achtereenvolgende ministers van Binnenlandse Zaken daaraan hebben gedaan. Ik heb de rapporten genoemd. De minister zal daarmee dus wel weg weten. Wat hebben zij daaraan gedaan? Wat heeft deze minister daaraan gedaan? Hoe verhoudt zich dit tot de opmerking van de minister dat beide diensten zich aan de wet houden? Dat kan toch heel moeilijk als de toezichthouder zegt dat hij de rechtmatigheid niet kan beoordelen?"
Let's see how the Minister (Ronald Plasterk) will respond. A big Parliamentary debate on surveillance is scheduled for January 2014.

====== START OF ORIGINAL BLOGPOST FROM 2013-11-09 ======

In this previous post I explained the following about the Dutch Intelligence and Security Act 2002 (WIV2002):
  • the WIV2002 is the legal framework for Dutch intelligence & security services;
  • Article 25 regulates wiretapping powers, Article 27 regulates SIGINT powers;
  • the use of either power requires explicit prior permission from the Dutch Minister of the Interior and Kingdom Relations (in case of the AIVD) and/or the Minister of Defense (in case of the MIVD);
  • unlike wiretapping, SIGINT is legally restricted to non-cablebound communications (i.e., radio and satellite). SIGINT on cablebound communications is illegal.
  • the WIV2002 is being reviewed by the Dessens Committee, and it is expected that one change they will propose is to extend the SIGINT power to cablebound communications. I don't know what changes, if any, will be proposed concerning safeguards and oversight.
The Review Committee on the Intelligence and Security Services (CTIVD) was born in 2003 by means of Article 64. The CTIVD is tasked with oversight on legality of the operations of the Dutch intelligence & security services; providing solicited and unsolicited advice to the relevant Dutch Ministers about the CTIVD's findings; handling complaints; and providing solicited and unsolicited advice regarding the Article 34 notification to former subjects of investigation.

The CTIVD has three members (including the chair person) who are appointed for a period of 6 years by royal Decree and nominated by the relevant Ministers. (Yes, it is the Ministers who nominate the persons that will perform oversight on their Ministries. This is not necessarily a problem, but worth noting.)

The CTIVD has published some 35 oversight reports so far. In 2009, the first oversight report specifically aimed at legality of the use of wiretapping and SIGINT powers was published (CTIVD Nr. 19). In 2010, the CTIVD decided that SIGINT and wiretapping would become topics of an annually recurring in-depth examination.

Based on the method of oversight and the contents of the oversight reports, I am convinced that the CTIVD is generally doing a good job. The CTIVD can and does access the highest level of classified information `Stg. ZEER GEHEIM' (TOP SECRET), consult intelligence personnel, etc. The oversight reports on SIGINT and wiretapping are primarily based on the requests for permission sent by the AIVD/MIVD to the relevant Ministers.

Below are some observations from CTIVD oversight reports on SIGINT and wiretapping CTIVD Nr.19 (.pdf, in Dutch), CTIVD Nr.26 (.pdf, in Dutch), CTIVD Nr.28 (.pdf, in Dutch), CTIVD Nr.31 (.pdf, in Dutch) and CTIVD Nr.35 (.pdf, in Dutch).

WARNING: for full context, read the original documents. 

The general picture according to the CTIVD regarding the use of Article 25 (e.g. microphone, phone tap, internet tap; more specifically: wiretapping, receiving, recording and monitoring any kind of conversation, telecommunication or datawiretapping; where `telecommunication' in Dutch law means any transmission, emission or reception of signals of any kind by means of cables, radio, by optical means or by other electromagnetic means):
  • Nr.19 (2008-2009): AIVD operates carefully (Dutch: `zorgvuldig' and `doordacht');
  • Nr.26 (2010-2011): AIVD operates carefully;
  • Nr.28 (2011-2012): MIVD operates unlawfully in that it (also) intercepts `generic identities' 
    • e.g. types of persons instead of identified persons. (Note that for MIVD, use of Article 25 mainly means interception of HF frequencies, e.g. by the Dutch National SIGINT Organization (NSO), which recently became a part of the new Joint SIGINT Cyber Unit, and military SIGINT detachments in Dutch military missions abroad.)
  • Nr.31 (2011-2012): AIVD operates carefully;
    • the CTIVD noted that in one instance, the AIVD used two differently-classified motivations where used to get Art.25 permission for the same operation. One motivation was classified as `Stg. GEHEIM' (SECRET), the other as `Stg. ZEER GEHEIM' (TOP SECRET). The stated explanation involved practical difficulties of working with `Stg. ZEER GEHEIM'-classified information. The CTIVD strongly rejected this m.o.;
    • the CTIVD noted that the quarterly bundled requests-for-permission (Dutch: `driemaandelijkse verzamelbeschikkingen') concern a large number of taps and microphones, and are insufficiently motivated. The Minister of the Interior and Kingdom Relations does not have departmental support in judging the requests.
  • Nr.35 (2012-2013): AIVD operates carefully;
    • the CTIVD noted that again, in one instance, the AIVD used two differently-classified motivations where used to get Art.25 permission for the same operation. CTIVD rejected that.
    • the CTIVD noted that in one instance, the AIVD used the line of reasoning "necessity implies proportionality". CTIVD rejected that.
    • the CTIVD noted that in five operations, the use of Article 25 powers was not proportional and therefore unlawful. (Although not specified in the report, I believe these involve some instances where Dutch journalists were wiretapped.)
    •  the CTIVD noted that in one instances, Article 25 powers were exercised based solely on a comment posted on the internet. The CTIVD stated that that is insufficient ground for the use of Article 25 powers. In addition, the wiretapping had already seized after one period (max. three months).
The general picture according to the CTIVD regarding the use of Article 27 (SIGINT selection; restricted to non-cablebound communications; unencrypted intercepted data can be retained for a period of one year; encrypted intercepted data can be retained indefinitely until the encryption has been undone, the unencrypted outcome can, again, be stored for a maximum of one year (Article 26, paragraph 10)):
  • Nr.19 (2008-2009): legality unknown.  
    • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality. 
    • the CTIVD noted that it is `not careful' that it is not explained whom the numbers or technical characteristics belong to that are used to select SIGINT;
  • Nr.26 (2010-2011): legality unknown. 
    • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
  • Nr.28 (2011-2012): legality unknown.
    • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
  • Nr.31 (2011-2012): legality unknown. 
    • requests for permission are insufficiently motivated, withholding the CTIVD from making a statement about the general picture of legality.
  • Nr.35 (2012-2013): legality unknown.
    • the CTIVD noted that a single operation was examined in-depth, and unlawful activities were found related to lack of adequate motivation.
    • the CTIVD noted that the use of Article 27 is modest when compared to Article 25 powers.
To me it seems that the above warrants the conclusion that the Netherlands has a structural problem regarding the oversight on (and hence democratic control of) the use of Article 27 powers. Given the expectation that an (overdue) proposal for change of the WIV2002 will emerge that will extend SIGINT powers to cablebound communications, there's some scrutiny to be done by the Dutch Members of Parliament.

Furthermore, from the 2011 report CTIVD Nr. 28 (concerning the MIVD, not the AIVD), I translate the following part (note: `searching' is done to identify the radio/satellite channels to include in bulk data collection; then `selection' can be done within the collected data, which requires Ministerial permission. under WIV2002, searching is only allowed if at least either the receiver or sender of communication is outside the Netherlands, i.e., the Dutch services are not permitted to search domestic-only communication):
"The CTIVD notes that the reason for and purpose of conducting a SIGINT search focused on SIGINT selection can vary. At least the following common practices can be distinguished:
  1. The searching of the bulk of communication to determine whether it is possible to generate the desired data using the selection criteria for which permission has been granted;
  2. The searching of the bulk of communication to identify targets; 
  3. The searching of the bulk of communication for data from which, in the context of an expected new area of investigation, future selection criteria can be derived. "
Original Dutch: "De Commissie constateert dat de aanleiding voor en het doel van het uitvoeren van een searchactiviteit gericht op selectie gelegen kunnen zijn in meerdere zaken. Zij onderscheidt in ieder geval de volgende gangbare praktijken:
1. Het searchen van de bulk aan communicatie om te bepalen of met de selectiecriteria waarvoor toestemming is verkregen de gewenste informatie kan worden gegenereerd
2. Het searchen van de bulk aan communicatie om potentiële ‘targets’ te identificeren of te duiden;
3. Het searchen van de bulk aan communicatie naar gegevens waaruit, in het kader van een verwacht nieuw onderzoeksgebied, toekomstige selectiecriteria kunnen worden afgeleid." 
The CTIVD stated that (1) is permissible and that (2) and (3) are not permissible (hence: unlawful). Interestingly, CTIVD hinted at changing the law rather than changing the practice:
"The CTIVD leaves it to be considered whether, in accordance with privacy protection, it is necessary that wider powers be granted that better reflect this (desired) practice at the MIVD (and AIVD)."
Original Dutch: "De Commissie geeft in overweging te bezien of het, met inachtneming van de privacybescherming, noodzakelijk is dat aan de MIVD (en de AIVD) ruimere bevoegdheden worden toegekend die beter aansluiten op deze (gewenste) praktijk."
While the CTIVD also stated the following:
"The CTIVD has noticed that not all individuals who are daily engaged in Sigint processing appropriately estimate the infringement associated with Sigint."
Original Dutch: "Het is de commissie opgevallen dat niet alle personen die zich dagelijks bezighouden met de verwerking van Sigint de inbreuk van dit middel op waarde schatten."
Lastly, I refer Dutch readers to Tot het lachen ons vergaat - Over de noodzaak van parlementaire aandacht voor inlichtingen- en veiligheidsdiensten (.pdf, 2013), an excellent piece by @ConstantHijzen who is a PhD student at Leiden University.
I welcome anyone with relevant insights or information to contact me.

Related:
Related in U.S. (let's learn from what is happening there):
EOF


2 comments:

  1. Hallo Matthijs,

    De 4de bullit bevat een stelling die pertinent NIET waar is:

    Quote: •unlike wiretapping, SIGINT is legally restricted to non-cablebound communications (i.e., radio and satellite). SIGINT on cablebound communications (i.e., nearly all internet communications in the Netherlands) is illegal. Unquote.

    Het betreft hier de stelling dat bijna alle internetverkeer in Nederland over vaste verbindingen verloopt. Daar zit hem nu juist de kneep: dat is inderdaad wel het geval als je puur over de backbone's praat. Ik durf te beweren dat bijna alle internetverkeer start en eindigt via draadloze verbindingen, en ja, die vallen onder SIGINT !!!! Dit kan nog een interessante discussie opleveren.

    groet,

    Ad Koolen

    ReplyDelete
    Replies
    1. Ok, veel dank voor je comment --- ik heb die zinsnede weggehaald!

      Delete