Month: September 2013

SURFnet: ‘AMS-IX should not set up shop in U.S.; we ought to deliberate on U.S. spying capabilities’

UPDATE 2013-11-07: Automatisering Gids reports (in Dutch) that AMS-IX evades the PATRIOT Act in its expansion to the U.S.:

“AMS-IX has found a legal structure to operate in the U.S. without having to deal with the PATRIOT Act in the Netherlands.

AMS-IX is setting up a fully independent company in Delaware which will manage the exchange nodes in the United States. This also means that employees and directors cannot be exchanged between the two organizations. The U.S. company is a subsidiary of AMS-IX BV, that acts as the sole shareholder. The U.S.-based entity will be granted access to the necessary intellectual property through licensing.

This structure is devised with the international law firm Jones Day and aims to protect the Dutch AMS-IX BV and the AMS-IX Association against U.S. laws such as the USA PATRIOT Act.

Earlier the plans of AMS-IX for expansion into the United States were opposed because of the possible interference of the U.S. justice and security services in the Dutch establishment of AMS-IX.

AMS-IX takes into account a possible extension of the PATRIOT Act that would allow the construction to still become subject to U.S. jurisdiction. In that case, an independent Dutch foundation can be set up within a week to further separate the activities. AMS-IX chooses the current structure because the benefits from economy of scale.”

This is the provisional end of the story.
 
UPDATE 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York 
UPDATE 2013-10-02: here is a blogpost (in Dutch) about how some of the AMS-IX members voted. 
UPDATE 2013-09-30: AMS-IX is expanding to the U.S.: 123 out of some 600 members voted in favor of expanding, 102 opposed, 14 abstained. The U.S. branch of AMS-IX will obviously be subject to FISA and the Patriot Act. One possible outcome is that the U.S. will get more / easier access to EU internet traffic that travels via AMS-IX. The AMS-IX management will examine how the Dutch/European AMS-IX can be legally protected. @sigwinch adds: “Internal AMS-IX post claims ‘INC’ would not expose ‘BV’ directly to US law but org/ops firewall needed to complete pic.


 

AMS-IX, the Amsterdam Internet Exchange, is one of the largest internet exchanges in the world. On September 23rd, AMS-IX issued a press release about a proposal to set up shop in the U.S. for possible expansion. On September 27th, the Dutch NOS brought the news that one of the biggest AMS-IX members, SURFnet, is against the proposal, citing concerns about U.S. spying capabilities.

Below I my translation of the NOS news report of September 27th. After reading it, go read Considerations on the expansion of AMS-IX to the US, posted by Bits of Freedom on September 25th. Do NOT forget to read the comments there.

SURFnet against establishment AMS-IX internet hub in U.S.

The proposal of the Amsterdam Internet Exchange (AMS-IX, the most important internet exchange of the Netherlands) to set up shop in the United States is not supported by SURFnet, one of its most important users.

Today, members of the AMS-IX will vote on the directors’ proposal to set up shop in the United States. Some are concerned that it will invite activities of American secret services such as the NSA.

Wiretapping capabilities
SURFnet provides for internet communication between universities, academic hospitals and other scientific institutions. In an email message addressed to other members, SURFnet explains that is against the proposal, among other because of concerns about the wiretapping capabilities of the Americans.

“If data are collected under U.S. law, foreign users only have very limited protection, because U.S. constitutional guarantees do not apply to them,” states SURFnet.

Legal extremism
More and more experts are speaking out against the plan of the AMS-IX. Professor Bart Jacobs (Radboud University) states that it is incomprehensible “that our own critical Internet Exchange AMS-IX” wants to open a branch in the U.S.

According to Jacobs, the AMS-IX thereby voluntarily subjects itself to the Patriot Act, meaning that U.S. authorities can compel access to our internet traffic. “Snowden will ask himself: do they still not understand things in the Netherlands?”

XS4ALL-cofounder Rop Gonggrijp states that “considering the growing legal extremism in the U.S., and recent revelations”, the potential consequences of the AMS-IX proposal should be thoroughly investigated first.

I commend SURFnet for acting prudent, cautious, diligent, in this serious matter.

Related:

EOF

Project Symbolon completed: the Dutch Joint SIGINT Cyber Unit (JSCU) is born

UPDATE 2014-07-03: June 15th 2014: Dutch Joint Sigint Cyber Unit (JSCU) officially started
UPDATE 2014-03-07:
the JSCU will officially start on May 1st 2014

UPDATE 2013-12-12: according to the Dessens report, there is an `Executive Board JSCU’ (Dutch: “de `Bestuursraad’ JSCU”) that consists of the three Secretary-Generals of General Affairs (chair), the Interior, and Defense. Plans exist to extend the `Executive Board’ for other issues than just the JSCU. In the opinion of the Dessens Committee these developments `fit well with the recommendation to give these three persons a joint coordinating role of the intelligence and security services’.


 

Here’s an English translation of an article in Dutch news paper NRC Handelsblad of September 24th 2013. Hyperlinks are mine.

MIVD and AIVD carry out operations in cyberspace under a new nameThe Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) join forces in a new unit, the Joint SIGINT Cyber Unit (JSCU), focused on cyber operations and eavesdropping of radio traffic. The JSCU was previously known under the working title Project Symbolon.

This was confirmed by a spokesperson of the services. The unit must be operational at the beginning of 2014. Some 350 people will be working there.

The JSCU head quarters will be located in the AIVD building in Zoetermeer. Other departments will be located in The Hague, where the MIVD is located. The existing joint AIVD/MIVD organization that intercepts and analyzes satellite traffic, the National SIGINT Organization (NSO), will be merged into the new unit. The NSO operates at two locations: dish antennas to receive signals are located in Burum, and the analysis is carried out in Eibergen. These two locations will remain operational.

The JSCU is tasked with, among others, developing instruments to counter “advanced” threats such as cyber attacks. The security of many Dutch government services was endangered as a result of the hijacking of electronic signatures issued by certificate authority DigiNotar. Cooperation with intelligence services of allies to recognize threats and developing responses are crucial, according to the AIVD and MIVD.

The quartermaster appointed by the AIVD and MIVD completed the blueprint for the new organization. The legal framework within which the JSCU should operate is not yet complete, however. The current Dutch Intelligence and Security Act 2002 (Wiv 2002) does not permit the services to wiretap “cable-bound communications” under all circumstances. When it was drafted in 2002, this clause was not significant as all international voice, text and data communication was carried, at some point among the path, via a wireless connection. Today, this is different.

The so-called commission-Dessens is now investigating if and how the Dutch law needs to be changed. The conclusions of the commission’s inquiry are expected to appear in 2013.

The establishment of this joint AIVD/MIVD unit was planned in the Dutch MoD Cyber Strategy (.pdf, September 2012, in English):

In the coming years, the [MIVD] will expand its capability for the covert gathering of information in cyberspace. This includes infiltration of computers and networks to acquire data, mapping out relevant sections of cyberspace, monitoring vital networks, and gaining a profound understanding of the functioning of and technology behind offensive cyber assets. The gathered information will be used for early-warning intelligence products, the composition of a cyber threat picture, enhancing the intelligence production in general, and conducting counterintelligence activities. Cyber intelligence capabilities cannot be regarded in isolation from intelligence capabilities such as signals intelligence (SIGINT), human intelligence (HUMINT) and the [MIVD]’s existing counterintelligence capability. A decisive factor for the effectiveness of operations is the combined deployment of scarce expertise and assets. With that in mind, the [MIVD] and the [AIVD] are intensifying their cooperation in the areas of cyber and SIGINT by establishing a joint SIGINT-Cyber Unit. The establishment of this unit should further improve the effectiveness of the national cyber intelligence capability. The [MIVD] will also contribute to the further development of the National Cyber Security Assessment which is being formulated under the responsibility of the National Coordinator for Counterterrorism and Security of the Ministry of Security and Justice.

EOF

Belgacom — “On the brink of catastrophe” (translation)

UPDATE 2018-09-20: according to Belgian news paper De Tijd, a new confidential report by the Belgian public prosecutor delivered to the Belgian government contains new clues pointing to GCHQ’s involvement in the Belgacom hack. The public prosecutor investigated a link to a computer in Indonesia, and when asking for information about its IP address, had learned that the British government had also asked questions about it. Furthermore, computers traced to other countries could be linked to the U.K., because some had been paid using anonymous prepaid payment cards that had been bought in the U.K. And lastly, when computer specialists were able to secure a copy of the malware back in 2013, it was found to contain names like `Daredevil’ and `Warriorpride’; from documents leaked via Snowden it is apparent that these names can be linked to CNE activities by GCHQ and the NSA.
UPDATE 2014-12-13: 10 new documents released. Three new stories. latter two in Dutch. 1)  The Inside Story of How British Spies Hacked Belgium’s Largest Telco (The Intercept), 2) Lees hier hoe de Britse geheime dienst GCHQ Belgacom aanviel (in Dutch, NRC Handelsblad), 3) Britse spionage bij Belgacom ging veel verder dan bekend (in Dutch, NRC Handelsblad)
UPDATE 2014-11-24: Secret Malware in European Union Attack Linked to U.S. and British Intelligence (The Intercept)
UPDATE 2014-10-26:
GCHQ cyber-attack cost €15m, says Belgacom security head Fabrice Clement
(Computing.co.uk)
UPDATE 2014-05-30:
Slides from Hack in the Box 2014 Amsterdam: HITB2014AMS – Day 2 – On Her Majesty’s Secret Service: GRX & A Spy Agency
UPDATE 2013-12-04:
Flemish newspaper De Tijd reports (in Dutch) that Belgacom is still struggling to control the remains of the malicious spyware at BICS.
The remaining malware is said to be “so complex” that it baffles experts.
UPDATE 2013-11-10: here are a few Snowden-slides from GCHQ that mention Belgacom (click to enlarge). Der Spiegel reported (in English) that GCHQ used fake, malicious LinkedIn and Slashdot sites to lure Belgacom engineers and get malware on their computers to obtain access to a GPRS roaming exchange (GRX) router system operated by Belgacom-subsidiary BICS. 

 
UPDATE 2013-09-27: The Belgacom compromise reinforces the correctness of the “Two Axioms for the Information Age” (I don’t know who first coined these): 1) Any device with software-defined behaviour can be tricked into doing things its creators did not intend; 2) Any device connected to a network of any sort, in any way, can be compromised by an external party.


 

Here is a careful English translation of this original article by Peter De Lobel and Nikolas Vanhecke in Belgian news paper De Standaard. Hyperlinks and parts in [] are mine.

On the brink of catastrophe (2013-09-21)

Ping. It’s Friday the 13th. Around 11 o’clock in the morning, the IT consultants that Belgacom employs at its largest customers in the private and public sector receive a message. The message doesn’t say much, except for an urgent request to cancel all appointments of that forenoon. An “emergency conference call” will take place instead.

The news that is brought in that call makes the IT consultants gasp for breath.  A piece of malicious software has been found on the network of BICS, a daughter company of Belgacom. It is hard to grasp even for well-informed insiders. The BICS network is so wide and deep that it is promptly clear to everybody that this is not just a Belgian problem. This problem is at least of European proportions. Because whoever controls BICS, controls the communication of a large part of the world. “This could have been larger than 9/11”, says one source who closely followed the case. Without a grain of irony.

The pressure on the teams of the Dutch digital defender Fox-IT, that started cleaning up together with an army of Belgacom employees last weekend, was enormous.

It was their second attempt, various sources confirm. A first attempt to remove the villainous software from the infected computers at Belgacom in the last weekend of August was cancelled. “At the time, not all conditions were met required to remove everything at once”, it was said. Some computers turned out to run the alternative operating system Linux, known of the penguin logo, not Windows. “The risk was too big that we could not remove everything at once.  In that case you should not touch it. Or the adversary will know that the virus has been found”, states someone politically involved.

Strict conditions

The investigation of the hacking started on July 19th, when Belgacom went to court. During their work, investigators at the intelligence services, police and justice were very wary of a leak about the entire operation. In early September they informed the Belgian cabinet on strict conditions: the list of attendees of that meeting was kept closely. If a politician would have wanted to reveal the news before the malware was dealt with, the investigators would press charges for breach of confidentiality of the investigation. “We could not risk everything going wrong due to someone talking”, it is said.

Belgacom was not infected with some common viruses, but with very professional malware that costed lots of money to develop. “We had to re-invent ourselves to do this”, an investigator said. “In other investigations there is a fixed idea of where you’re going, but in in this case it was continuously starting over because it was so difficult to get a grasp of the malware”.

Gradually it became clear that the hackers are not only interested in the communications in the Middle-East, where BICS holds a solid position via South-African minority shareholder MTN. “They have been looking around and took what they could”, state sources involved in the investigation. They are clear about one thing: the attack originated from the United States. “We determine that by the signature of the malware, but especially by where the trails lead.  They partially run through the UK. We think the US is the main destination. And the past weeks at the US Embassy, you notice some embarrassment when you request exchange of information.” Yesterday, the German weekly magazine Der Spiegel reported that the UK intelligence service GCHQ (Government Communications Headquartes) are responsible for the attacks. It based that claim on slides disclosed by whistleblower Edward Snowden. The news that GCHQ is behind the Belgacom attack is a surprise to at least the services working on the affair.

The malware could do anything

The malware at Belgacom actually consists of a complex system of complementary viruses. They are all connected. If a problem is imminent or if they are detected, they can signal each other. “It is somewhat like a human virus, which also mutates continuously”, states someone involved who monitors the situation for his service.  “For example, one part is responsible for searching and storing information, while another part is continuously looks for pathways to the internet to transfer information. Other pieces of code are responsible for circumventing firewalls, or carry out surveillance.  If someone detects the hacking or attempts to remove a part of it, the virus that is acting as a guard promptly signals the other parts. Because you don’t know what the malware is capable of, everything can go horribly wrong at the last step.”

The cost of the entire detection and cleaning operation is correspondingly high. Fox-IT, the Dutch cyber security/defence company that is commissioned by Belgacom to first make inventory of the problems and then solve them, is a familiar name. “For the first two weeks they estimated the costs to be one million euro”, states a well-placed source. And then adds that the entire operation lasted ten weeks. Moreover, Fox-IT did not expect that, at a certain point, it had to allocate all of its employees to this case. A price tag of over five million euro, then? “It won’t be far off.”

But what was so terrifying about this cyber attack? And why the panic that something would go wrong? Telephone data about conversations with countries such as Afghanistan, Yemen and Syria that disappear, how could that have such an impact? They are ‘just’ stolen phone data, right? The involved expert sitting opposite us, looks dead serious.  There is drama in his voice, but considering the contents of what he says, that is not unjustified. “This was highly performing malware and it was present in the nerve centre of communications.  Anything that a highly privileged network operator of Belgacom could do, this system could do as well. I don’t have to make a drawing of it? It had all the keys, all the passwords and full control. We must dare to classify this as a big crisis. This could have been a catastrophe. And people don’t seem to realize.”

Sensitive customers

Perhaps it wouldn’t hurt to make that drawing. BICS calls itself a “wholesale carrier”. Two words, four syllables, but behind it is a network that spans the entire globe and the beating heart of which is located in our capital, Brussels. BICS provides the hardware infrastructure that carries internet traffic, phone conversations, text messages and mobile data of telecom companies and government institutions. And the more sensitive the customer, the more likely he is the end up at BICS. The daughter company of Belgacom markets itself with the argument that they never ever look at what travels over its cables. “We provide the cables for you, and you just send whatever you want over them”, is what it basically boils down to.

A glance at the list of BICS’ customers makes one dizzy. The financial transport center Swift, Electrabel, bpost, Belgocontrol, they are all connected to BICS.  The NATO in Evere, the European Commission and Parliament, SHAPE, the Supreme Headquerters Allied Powers Europe, in Bergen; BICS, BICS, BICS. Even the headquarters of the NATO Allied Air Command, in Ramstein, Germany, from where the 2011 air attacks on Libya where coordinated, depends on BICS. Among the military, it is pointed out that military communications has an extra layer of security; but that pointing-out happens with a degree of humility that is very unusual to the military.  “Every organisation, not just the government, must now begin to wonder whether it is dependent of one single provider, of one single network. And specially how well it is secured itself”, states someone who was at the front row of the affair. “Belgacom, that is critical infrastructure. How can Belgium keep running without it? Those are the questions that we must ask now.  Because the organisation responsible for the attack has in fact the capability to completely disrupt Belgacom and BICS.” A different source confirms, reluctantly, the doom scenarios: “You can’t think of it. It would be larger than 9/11. The planes would pretty much fall out of the sky.” As a figure of speech?  “Hm, yeah.”

Lifeline

A governmental source points out the consequences of even a limited disruption of phone communications and internet. “If a crisis occurs, what is the first thing a human does? Grasp their phone. Imagine that that lifeline is lost.  Not just for you, but also for the emergency services, hospital, the fire department…? And for the police? At first glance it isn’t, because they use the Astrid network [a Belgian national radio communications network intended for emergency services].  But that network only works apart from BICS for local communications.  For interregional communications it is just as dependent on BICS as the rest. Hence, it is no coincidence that police chief Catherine De Bolle started looking for a backup for the communications system of the federal police on that Friday the 13th, just before the big cleaning operation would have started.

How long would it take before Belgacom was up and running again after a destructive cyber attack, is unclear. “But it is clear that we are not prepared to counter this type of attacks right now”, states a high-ranking source. “That awareness must finally start to grow. I am very apprehensive for the feeling of relief that I already observe in some people. ‘Ah well, that has been nicely dealt with. It’s over.’ It’s not, mind you. Whoever doesn’t realise, this week, that it is urgent, will never get it. Playing things down now is dangerous.”

After De Standaard brought the news of large-scale hacking at Belgacom, it turned out that the Ministry of Foreign Affairs and the cabinet of the prime minister had been hacked. “And this is merely the top of the iceberg”, states a source who was involved in the problems at Belgacom.  Because telecom is one thing, but there are many other critical sectors that are the fundament of a country. Transportation, for example. Trains, trams, busses, highways, airplanes, everything involves computer networks and everywhere one should be cautious for cyber attacks. The energy supply is another critical fundament. And last but not least: the banking sector of a country. Luxembourg has already contacted the Belgian cyberservices [?] to obtain more information about the malware that hit Belgacom.

Awareness

Besides budgets and well-paid IT personnel, the remedy against the growing cyberthreat will be found in improved awareness. “Belgium wants to invest in knowledge and innovation, but if one sector is vulnerable to espionage, it is that one. Just as many computers of the global diplomatic network of Foreign Affairs have post-its one them with the passwords, many small companies are slacking in their security”, a cyber specialist states. “And if you dare ask whether their Chinese interns are thoroughly screened, they look at you as if you’re from another planet.” Whether the gravity of the situation is apparent to everyone, is doubtful. In official communications, Belgacom states that it currently has no evidence of impact on its customers or their data.  Understandly, the company does not want to trigger hysteria, but it sounds like down-playing nonetheless. “What should we write then?”, states spokesman Jan Margot in his response. “The infection was at dozens of computers in our own system. They have been cleaned together with the entire network.”

BICS too doesn’t say much about it. “There are no indications of an impact on the telecomnetwork of BICS”, it states in a press release.  “A number of our IT systems are integrated in the infrastructure of Belgacom and are affected in that way, but that remained outside the network that carries customer traffic.”

“That’s all put rather euphemistically”, according to the investigators involved.  “But you cannot accuse them of lying. A lot of thought went into every comma of the communication.”

Joke

Did Belgium become the joke of de European mainland as a result of the compromise of Belgacom? Intelligence services are continuously in contact with each other and exchange information. For the image of our country, the past week has been anything but stellar, but it is emphasised nonetheless that in such contacts it is often also about personal relations between people. “Moreover, all countries have problems and everyone tries to rise above them.”

What about ethics? Isn’t it schizophrenic that our country, Belgium, receives information about threats that the US or others have stolen from us? “That is the eternal paradox”, a recipient of such information states. Diplomatically it is the hardest. But if you receive information about a serious threat such as terrorism, you cannot ignore it. Then you have different things on your mind.

EOF

Ben Nagy’s thoughts on “Cryptopocalypse”

Ben Nagy posted the following very sensible message on the DailyDave mailinglist:

[Dailydave] C…c…c..Cryptopocalypse!]

Recently, a lot of people have been talking and possibly even thinking about the “cryptopocalypse”, surveillance, and the ideal rate of exchange between liberty and safety. I have been vaguely seeking the ideal derisive verse for a while, but this morning I finally realised that it has already been sung.

“When you believe in things  that you don’t understand, then you suffer.”

     – Stevie Wonder [1]

Without quibbling over minor points, I think it’s reasonable to view the period since 2001 as one where privacy and fundamental individual liberties have been at a steady ebb. Some might characterise it as the ‘theft’ of those things by Governments, but really, it’s not. It has been driven by fear, and the belief that “The Government” can provide protection against Dark Forces. However, it’s not the steady advance of ridiculous legislation that I want to focus on. Those shavings of liberty can be counted where they fell, as a simple matter of public record.

What’s interesting is the use of the tools that these Governments already have. Nothing fundamental changed in the last few months. The NSA, GCHQ, MI5, DSD didn’t SUDDENLY ramp up any ops. They haven’t gone rogue. They’ve just been doing the same thing they’ve been doing for years, because people ASKED them for protection, but weren’t too bothered about asking for details. They may not have even had a concept of the missions of these organisations, except as a nebulous part of “Government”. They believed in things that they did not, fundamentally, understand, and now we all suffer.

So now we, the super smart computer crowd, get to be all smug and “I told you so!”, because we called it, just like that guy with no pants and a bird in his beard.

What I find hilarious, however, is the reaction. “Tor is the BEST tool that fails to fix a different but related problem!”, “You should all use CryptoCat because I say sorry every time I screw up!”, “Hemlis messenger is totes unbreakable, and has nice graphic design!”, “5 Weird Tips to NSA-proof YOUR life!”, “Try Silent Circle! We have Beards!”

All of this rubbish is just as much Security Theatre as the shoe removals, crotch-gropings and warrantless detention we’ve been enduring at airports. Statically, you’re just not a target, so it’s ALL going to be as “100% Effective” as Werewolf Repellent. So go nuts, I guess. Use CraptoCat inside TorBB to update your location on Facebook. Whatever.

If you happen to actually BE a person of interest, however, “better than nothing” is actually worse than nothing. If you had zero crypto, you might actually think about the content and traffic / timing patterns of your comms. If you had no ‘anonymisation’ then you might actually give a shit when and from where you connect. In either case you might give some measure of incredibly serious thought to:

– The known capabilities of your anticipated adversary
– Your operating risk
– Your worst case outcome

Because if you don’t have a strong mental picture of these things BEFORE you start deploying tools and being all crypto-ninja-slash-stealth-sexy-leopard, then you’re going to see exactly what that worst case outcome looks like from the inside.

I’m not saying it’s “impossible”. I’m just saying (to quote The Grugq) “Nobody’s going to go to jail for you”, and that includes the authors of these new (and old) “spook-proof” tools. The hard truth is that the only way to stay ‘safe’ from state-level actors is going to involve a consistently disciplined regimen of tools, techniques and procedures, and any software that claims to make it “easy” is flat-out lying.

Don’t outsource understanding.

“When you believe in things that you don’t understand, then you suffer. Superstition aint the way.”

( please now allow the best Clav riff EVER to stick in your head )

Baby Seals,

ben

[1] http://www.youtube.com/watch?v=wDZFf0pm0SE
    (and if you need this WHY ARE YOU SO YOUNG??)

EOF

Dutch govt response to revelations by Edward Snowden

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-09-21: European Parliament also responds (.pdf; not dated): The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens’ fundamental rights.


 

On September 13th 2013, the Dutch government responded (.pdf, in Dutch) to the revelations by Edward Snowded. Unfortunately, that response is currently only available in Dutch. I decided to translate it to English myself: see below. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Dutch government-wide response to revelations Snowden
Original Dutch: “Kabinetsbrede reactie onthullingen Snowden”

Motivation
On July 4th, the Dutch House of Representatives requested a government-wide response to the revelations by Mr. Snowden, and a joint European response to the United States (Besluitenlijst van de procedurevergadering van donderdag 4 juli 2013 (.pdf)).
Original Dutch: “Aanleiding
De Tweede Kamer heeft op 4 juli jl. verzocht om een kabinetsbrede reactie op de onthullingen van de heer Snowden en de gezamenlijke Europese reactie richting de Verenigde Staten (kenmerk 2013Z14045/2013D29496). In deze brief wordt de stand van zaken weergegeven.”

On June 21st, the Secretary of the Interior and Kingdom Relations, at request of the House of Representatives, submitted, also on behalf of the Secretary of Defense and the Secretary of Security and Justice, a letter about the powers and duties of the Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) (Kamerstuk 30977 nr. 56 (.pdf)). The letter covers, among others, the frameworks for international cooperation of these services. On July 3rd, additional information was provided about the international cooperations of the AIVD and MIVD, and the alleged espionage of EU diplomats (Kamerstuk 30977 nr. 59 (.pdf)). On July 9th, the questions by Rep. Schouw (D66) and Rep. Sjoerdsma (D66) about wiretapped EU diplomats were answered (Kamerstuk 2791 (.pdf)).
Original Dutch: “Op 21 juni jl. heeft de minister van Binnenlandse Zaken en Koninkrijksrelaties op verzoek van de Kamer mede namens de minister van Defensie en de minister van Veiligheid en Justitie een brief gestuurd over de taken en bevoegdheden van de AIVD en de MIVD (Kamerstuk 30977 nr. 56). Daarbij is onder meer aandacht besteed aan de kaders voor de internationale samenwerking van de diensten. Op 3 juli jl. is nadere informatie verstrekt over de internationale samenwerking van de AIVD en de MIVD, en de vermeende spionage van EU-diplomaten (Kamerstuk 30977 nr. 59). Op 9 juli jl. zijn de vragen beantwoord van de leden Schouw en Sjoerdsma over afgeluisterde EU-diplomaten (Kamerstuk 2791).”

CTIVD
On July 16th, the House of Representatives requested the Dutch Review Committee on the Intelligence and Security Services (CTIVD) to initiate an investigation inquiring into the data processing by the AIVD and MIVD regarding telecommunication. The CTIVD has now started that investigation.
Original Dutch: “CTIVD
De Tweede Kamer heeft op 16 juli jl. de Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten (CTIVD) verzocht een onderzoek te beginnen naar de gegevensverwerking van de AIVD en de MIVD op het gebied van telecommunicatie. De CTIVD is inmiddels gestart met het onderzoek.”

Response to Snowden’s revelations
The government is closely following the response of the United States to the revelations by Mr. Snowden. The government is committed, as previously stated, to highly meticulous and adequate protection of personal data. Hence, where national security and privacy protection meet, maximum transparency about procedures, powers, safeguards and oversight measures is a necessity. The government considers it encouraging that US Congress Members are specifically debating about those topics, and are submitting proposals for changing legislation, and that President Obama also declared, in his press conference of August 9th, that he is seeking more transparency and oversight. It is also gratifying that the US government has already acted by providing more insight into the powers and by publishing a legal substantiation for a few programs. The Netherlands is in conversation with the US about this.
Original Dutch: “Reactie op onthullingen Snowden
Het kabinet volgt met aandacht de reactie van de Verenigde Staten op de onthullingen van de heer Snowden. Het kabinet hecht, zoals eerder gemeld, zeer aan zorgvuldige en deugdelijke bescherming van persoonsgegevens. Het is daarom noodzaak om waar nationale veiligheid en privacybescherming elkaar raken, zo transparant mogelijk te zijn over procedures, bevoegdheden, waarborgen en toezichtmaatregelen. Het kabinet acht het in dat verband bemoedigend dat Amerikaanse Congresleden juist over die onderwerpen debatteren en voorstellen doen voor wijziging van de regelgeving en dat ook president Obama in zijn persconferentie van 9 augustus jl. heeft verklaard meer transparantie en toezicht na te streven. Het is tevens verheugend dat de Amerikaanse regering hiermee inmiddels een begin heeft gemaakt door meer inzicht te geven in de bevoegdheden en door publicatie van de juridische onderbouwing van enkele programma’s. Nederland is hierover in gesprek met de Verenigde Staten.”

After the initial consultation in Dublin on June 14th 2013, the EU Commissioners of Justice and Home Affairs, Reding and Malmström, the U.S. Minister of Justice Holder in a letter dated July 1st 2013 pledged that the United States will further inform the EU about PRISM and similar programs. Moreover, the United States also expect information from the EU (Member States) on the legal basis for intelligence gathering on foreign countries, and the oversight measures applicable to them.
Original Dutch: “Overleggen met de Verenigde Staten
Na het initieel overleg in Dublin op 14 juni 2013 met de Eurocommissarissen van Justitie en van Binnenlandse zaken, Reding en Malmström, heeft de Amerikaanse Minister van Justitie Holder in een brief van 1 juli 2013 toegezegd dat de Verenigde Staten de EU nader zullen informeren over PRISM en vergelijkbare programma’s. De Verenigde Staten verwachtten overigens ook informatie van de EU-(lidstaten) over de juridische basis voor inlichtingenvergaring over het buitenland en de toezichtmaatregelen die daarop van toepassing zijn.”

A joint EU/US expert group is currently examining the protection of privacy and electronic data of citizens, with the aim of mutual understanding of each other’s programs and how those are anchored in the rule of law (legislation and oversight of intelligence and security services). The EU Member States, including the Netherlands, the European External Action Service (EEAS) and the European Commission have recently been working in consultation with the U.S. at the start of this expert group, including at a meeting in Washington DC on July 8th, 2013. The current Lithuanian Presidency of the Council of the European Union, the European Commission, the EU coordinator for counterterrorism, the EEAS and the so-called `Article 29 Working Party‘ on EU data protection are represented in the expert group. In addition, the group has ten representatives of the Member States. The expert group had its first meeting on July 22/23 this year. A second meeting is planned for September 19th, 2013 in Washington DC.
Original Dutch: “Een EU-VS expertgroep buigt zich momenteel over de bescherming van de persoonlijke levenssfeer en van elektronische gegevens van burgers, met als doel wederzijds inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtstaat (wetgeving en toezicht op I&V-diensten). De lidstaten van de EU, waaronder dus ook Nederland, de Europese Dienst voor Extern Optreden (EDEO) en de Europese Commissie hebben de afgelopen periode in overleg met de VS gewerkt aan de start van deze expertgroep, onder andere tijdens een bijeenkomst in Washington DC op 8 juli 2013. Het huidig Litouwse voorzitterschap van de Raad, de Europese Commissie, de EU-coördinator voor contraterrorisme, de EDEO en de zogenaamde Artikel 29-werkgroep van de EU voor dataprotectie zijn in de expertgroep vertegenwoordigd. Daarnaast zijn er tien afgevaardigden van de lidstaten lid van de expertgroep. De expertgroep heeft op 22 en 23 juli jl. een eerste bijeenkomst gehad. Een tweede bijeenkomst is voorzien op 19 september 2013 in Washington.”

Considering that the collection of data for national security is an exclusive competence of the Member States, it was agreed that EU countries must themselves make agreements with the United States about this.
Original Dutch: “Aangezien het verzamelen van informatie ten behoeve van de nationale veiligheid een exclusieve competentie van de lidstaten is, is afgesproken dat EU-lidstaten zelf hierover afspraken met de Verenigde Staten maken.”

Results of the consultations
In a statement a few days before the first meeting of the expert group, the U.S. Office of the Director of National Intelligence (ODNI) discussed, in detail, the intelligence programs of the United States, and particularly their legal basis and oversight. “
Original Dutch: “Resultaten van de overleggen
In een verklaring enkele dagen voor de eerste vergadering van de expertgroep is het Office of the Director of National Intelligence (ODNI) uitgebreid ingegaan op de inlichtingenprogramma’s van de Verenigde Staten, in het bijzonder op de wettelijke basis en het toezicht.”

In the meeting of the EU/US expert group, the United States provided information about PRISM (targeted investigations on non U.S. citizens), based on the Foreign Intelligence Surveillance Act (FISA). This Act regulates the oversight by, in total, eleven judges, who always assess requests with a total of three judges. Explanations were given about the possibilities that the FISA provides for collecting telecom metadata within the United States, and about the oversight to which it is subjected. In the next phase, the use of the XKeystore [sic] program by the  U.S. National Security Agency (NSA) in the processing of large databases will be discussed. Attention will also be given to the measures announced by President Obama regarding data protection and intelligence gathering, including the evaluation and expected changes in the FISA and the Patriot Act (Article 215). In addition, answers will be given to questions from the U.S., focused on legislation regarding the possibilities for intelligence gathering and oversight of intelligence and security services of the EU Member States. The meetings of the expert group are reported in private (`restreint’) meetings of the EU Committee of Permanent Representatives (COREPER). During these meetings EU Member States also can report on talks with the United States in the bilateral track.
Original Dutch: “In de bijeenkomst van de EU-VS expertgroep gaven de Verenigde Staten informatie over PRISM (gericht onderzoek op niet Amerikaanse burgers), gebaseerd op de Foreign Intelligence Surveillance Act (FISA). In deze wet is het toezicht geregeld door in totaal elf rechters, die verzoeken steeds met drie rechters beoordelen. Tevens is uitleg gegeven over de mogelijkheden die de FISA biedt om metagegevens van telecomverkeer in de Verenigde Staten te verzamelen en over het toezicht dat daarop wordt uitgeoefend.
In het vervolgtraject zal onder meer worden gesproken over het gebruik van het programma XKeystore [sic] door de Amerikaanse National Security Agency (NSA) bij de verwerking van grote databestanden. Tevens zal worden stilgestaan bij de maatregelen die president Obama heeft aangekondigd op het gebied van dataprotectie en inlichtingenvergaring, waaronder de evaluatie en beoogde aanpassingen van de FISA en de Patriot Act (artikel 215). Daarnaast zal antwoord worden gegeven op vragen van Amerikaanse zijde vooral gericht op wetgeving inzake de mogelijkheden van inlichtingenvergaring van en het toezicht op inlichtingen- en veiligheidsdiensten van de EU-lidstaten.
Over de bijeenkomsten van de expertgroep wordt verslag gedaan in besloten (restreint) zittingen van het COREPER. Tevens kunnen EU-lidstaten in deze zittingen melding maken van gesprekken met de Verenigde Staten in het bilaterale traject.”

In addition, the Chairman of the Article 29 Working Party, Mr. Kohnstamm, stated in a letter to Commissioner Reding that the Article 29 Working Party will not only focus on intelligence programs used by the United States, but also is committed to investigating, within its mandate, the impact of PRISM, including the use of information derived from PRISM on European soil. Moreover, the Article 29 Working Party will examine the extent to which the programs of the intelligence and security services of Member States comply with the data protection principles and legislation of the EU. The Article 29 Working Party takes these initiatives in response to the conversations in the EU/US expert group, in which the Article 29 Working Party participates.
Original Dutch: “Daarnaast heeft de voorzitter van de Artikel 29-werkgroep, de heer Kohnstamm, in een brief aan Eurocommissaris Reding te kennen gegeven dat de Artikel 29- werkgroep zich niet alleen zal richten op de inlichtingenprogramma’s die door de Verenigde Staten worden gebruikt, maar zich ook zal inzetten om binnen zijn mandaat de impact van PRISM te onderzoeken, inclusief het gebruik van de van PRISM afgeleide informatie op Europees grondgebied. Bovendien zal de werkgroep onderzoeken in hoeverre de programma’s van de inlichtingen- en veiligheidsdiensten van de lidstaten stroken met de dataprotectieprincipes en de wetgeving van de EU. De Artikel 29-werkgroep neemt deze initiatieven naar aanleiding van de gesprekken in de EU-VS expertgroep, waar de Artikel 29- werkgroep in deelneemt.”

Finally, the European Parliament has taken the initiative to further investigate the U.S. operations for collecting foreign intelligence. From September 2013, the EP anticipates twelve meetings on this subject.
Original Dutch: “Ten slotte heeft het Europees Parlement (EP) het initiatief genomen om de Amerikaanse activiteiten voor het verzamelen van buitenlandse inlichtingen nader te onderzoeken. Vanaf september 2013 voorziet het EP twaalf bijeenkomsten over dit onderwerp.”

Next
The House of Representatives will be informed about new developments.
Original Dutch: “Vervolg
De Kamer zal worden geïnformeerd over nieuwe ontwikkelingen.”

Related links:

EOF