Month: October 2013

Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.
 
UPDATE 2013-11-02: note that the below concerns the NSA program “BOUNDLESSINFORMANT” — that’s where the “1.8M” number comes from. See details at Cryptome and Wikipedia.

UPDATE 2013-11-01:
according to this Parliamentary Paper (.pdf, in Dutch) of October 31st, the (unclassified) letter that the Dutch Minister received from the NSA contains the following (original) English text:

“statement on articles in European press alleging large numbers of phone call metadata collected by NSA in France, Spain, Italy. The assertions by reporters in France (Le Monde), Spain (El Mundo) and Italy (L’Espresso) that NSA collected 10s of millions of phone calls are completely false. They cite as evidence screen shots of the results of a web tool used for data management purposes, but both they and the person who stole the classified data did not understand what they were looking at. The web tool counts metadata records from around the world and displays the totals in several different formats. The sources of metadata include data legally collected by NSA under its various authorities, as well as metadata provided to NSA by foreign partners. To be perfectly clear, this is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations.” 

Hence, as was already clear to the informed observer, the data collected by the NSA concerns metadata, not audio signals. If the NSA got that data without consulting AIVD/MIVD, that is illegal in the Netherlands — as stated by the Minister himself. Nu.nl reports (in Dutch) that the Dutch Public Prosecution Service is currently not investigating this matter.

UPDATE 2013-10-30+31:
in the Dutch TV news program ‘Nieuwsuur Politiek’, the Dutch Minister of the Interior and Kingdom Relations, Ronald Plasterk, stated that the 1.8M telephone calls’ metadata were not collected by the Dutch govt or shared by Dutch govt with NSA. Plasterk stated that he received a written statement from the NSA confirming that the NSA collected such metadata in December 2012. The letter does not mention the reported number of “1.8M”. The question then is whether or not the data was collected with permission of the Dutch govt: an article from October 30th in El Mundo suggests (in Spanish), based on Snowden documents, that the Netherlands is one of 19 countries that have a ‘specific cooperation’ with the NSA, and that the NSA collected telecommunications (voice and internet data) in the Netherlands.

====== START OF ORIGINAL BLOGPOST FROM 2013-10-28 ======
On October 28th 2013, the Dutch cabinet 1) responded (.pdf, in Dutch) to the media report that the NSA intercepted 1.8M telephone calls in the Netherlands, and 2) responded (.pdf, in Dutch) to Parliamentary questions concerning that topic. Below is my English translation of both documents. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Date: October 28th 2013
Subject: Response to the report “NSA intercepted about 1.8 million calls in one month in the Netherlands”.

Motivation
On October 21st, a report was published on the website Tweakers on the eavesdropping of Dutch citizens by the U.S. National Security Agency (NSA). The report is based on an article in the French newspaper Le Monde of October 21st. The report in Le Monde provides further interpretation of a graph that was published on August 5th by the German weekly Der Spiegel. On October 22nd, the Parliament asked me to respond to this (Parliamentary Papers 2013Z20253/2013D41837). I hereby inform you on behalf of the Minister of Security and Justice, the Minister of Foreign Affairs and the Minister of Defense.

Media reports
From the media reports it would appear that the U.S. services store telephone traffic for further analysis. This concerns, for instance, data on who is calling, when, for how long, and from what location. After this additional analysis, the NSA could choose to inspect the content of the communication, in accordance with U.S. law. Given the U.S. law, including the Foreign Intelligence Surveillance Act (FISA), the cabinet is aware of the possibility that the U.S. can intercept telephone communications. Using the analysis of metadata, networks of people and organizations can be identified, and the intensity of the contacts can be estimated.

Position of the Dutch cabinet
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable. It is possible that other countries believe there are good reasons to gather intelligence in or from the Netherlands. In that case, the country involved must address a request to the AIVD or MIVD. That request will then be examined within the WIV 2002. The cabinet considers any action outside that legal framework unacceptable.

The two services therefore carry out structural investigation of espionage by foreign powers in the Netherlands. If such espionage is detected, measures are always taken. This applies even if allies carry out unwanted spying activities in the Netherlands. In the Netherlands, the Dutch law applies, also to allies.

Action by Dutch cabinet
Following the revelations of Mr. Snowden I spoke with the director of the NSA on a bilateral solution, as reported in the general meeting of October 16th. Further consultations are taking place between the Dutch intelligence and security services and the NSA. The Netherlands assesses the initiative of Germany and France as positive, will contact both countries, and will actively contribute where possible. The Minister of Foreign Affairs has previously expressed the Dutch concerns during his visit to Washington to his Dutch colleague Kerry, and called for more transparency. The Minister of Security and Justice, as coordinating minister for cyber security, submitted the new government-wide National Cyber Security Strategy [.pdf, in Dutch] to the Parliament. This includes extensive attention to measures for increasing the overall resilience in the digital domain. Moreover, the State Secretary of Security and Justice and I are also actively involved in the negotiations on the new EU legislation on the protection of privacy.

Actions of Parliament and the EU
At the request of the Parliament, the Review Committee on the Intelligence and Security Services (CTIVD) is investigating the data processing by the AIVD and the MIVD concerning telecommunications. The report is expected this fall and will be sent to the Parliament as soon as possible with a cabinet response. At the EU level, an EU/US expert group started with the aim of getting insight in each other’s programs and how they are anchored in the rule of law. The cabinet supports the activities of this expert group. The report of the expert group is expected this fall. The European Parliament is also holding hearings, following the revelations by Mr. Snowden. The report on these hearings is also expected this fall.

International cooperation
The CTIVD supervises the legality of the activities of the services, including the cooperation with foreign intelligence and security services, and on that account has access to all information at the AIVD and MIVD. The CTIVD reports to Parliament through the responsible minister.

The Minister of the Interior and Kingdom Relations,

Dr. R.H.A. Plasterk

And here are the Parliamentary questions and answers:

Questions from members Verhoeven and Schouw (both D66) to the Ministers of Economic Affairs and the Interior and Kingdom Relations concerning the signals that the U.S. NSA is also eavesdropping on leaders in the corporate sector (submitted October 25th, 2013)

1. Have you taken note of the report “Snowden leaks: France summons U.S. envoy over NSA surveillance claims”? [1]
Yes.

2. Can you elaborate on the suggestion that not only potential terrorists are wiretapped, but also leaders in the corporate sector, and also respond to reports concerning the Brazilian Petrobras company?
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable.

3. Can you rule out that the U.S. security services are spying on Dutch companies for economic purposes?
4. How many examples of such corporate espionage are known to you, which sectors are involved, and what do you intend to do?

The AIVD investigates espionage by foreign powers for the national security. No public statements can be made about the methods and information position of the AIVD, including examples of corporate espionage.

5. What are the risks to Dutch companies and Dutch citizens due to spying for economic purposes?
The AIVD has repeatedly highlighted the risks for espionage, including in the Annual Report 2012 [.pdf, in English] (Parliamentary Papers, 30977 No. 52). The [third] Cyber Security Assessment Netherlands [.pdf, in English] (Parliamentary Papers, 26643 No. 285), which is established under coordination by the Minister of Security and Justice, appoints digital espionage as one of the greatest threats to government and industry. Moreover, the vulnerability of ICT remains high.

6. To what extent does industrial espionage remain a priority for the AIVD?
The AIVD investigates espionage by foreign powers for national security. Moreover, the AIVD supports the vital sectors in improving security. You have been informed about this, including through the Annual Report 2012. Investigations into corporate espionage outside the context of national security are not a task of the AIVD; this is a matter for the companies themselves (supported by the AIVD via the Espionage Vulnerability Analysis [.pdf, in Dutch] and advice).

7. Are you willing to send an explicit signal to the U.S. that corporate espionage does not fit into a relationship between friendly countries?
Yes, see the activities described in my letter of October 28th, 2013.

8. Are you prepared to answer these questions before Monday October 28th 12:00?

[1] http://www.theguardian.com/world/2013/oct/21/snowden-leaks-france-us-envoy-nsa-surveillance
[2] http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras

EOF

NCSC publishes third Cyber Security Assessment Netherlands (CSAN-3)

On October 28th, the third Cyber Security Assessment Netherlands (CSAN-3) was published (.pdf, in English) by the Dutch National Cyber Security Center. These are the core findings of CSAN-3:

  1. Several trends show considerable IT dependence, rising fast due to advances such as hyperconnectivity, cloud computing and the ease with which the internet is used as an enabler. The potential impact of incidents occurring is all the more obvious. 
  2. Digital espionage and cyber crime remain the biggest threats to both government and the business community. This concerns:
    a) Digital espionage originating from a foreign state, aimed at government and the business community. Activities have been identified originating from, among other countries, China, Russia, Iran, and Syria.
    b) IT takeovers by criminals by means of malware infections, aimed at government, the business community and citizens. Criminals are becoming more daring in their ways of earning money quickly, for example, phoning citizens, or confronting them with shocking images in ransomware.
    c) Manipulation of information (fraud) by criminals, aimed at the business community, most obviously internet banking fraud, which victimises both banks and citizens. 
  3. States can develop and deploy advanced tools, while cyber criminals continue to develop their existing tools. Clearly visible in the past year has been the rise of a commercially available cyber services sector, ‘cyber crime as a service’, which offers far easier access to criminal tools to various parties. 
  4. Citizens, businesses, and governments alike are regular victims of botnets and ransomware. Malware can mutate so quickly that anti-virus programs are unable to even detect its presence. Although botnets are mainly used to manipulate (financial) transactions, certain incidents (such as Pobelka) show that the collateral damage of information stolen through botnets can be enormous. 
  5. The IT sector continues to be vulnerable. Following a few years of reduced levels, the number of openly published vulnerabilities in software is increasing again. Cloud services, mobile services and innovative devices all result in new vulnerabilities. 
  6. The end-user is burdened with a big responsibility for security, but more often than not has little influence or even knowledge of the vulnerabilities he confronts in the devices and services. 
  7. Public and private parties are starting up initiatives, both separately and together, to increase digital resilience and in anticipation of the ever-increasing dependence on IT and changing threats. The effectiveness of these initiatives can only be measured in the long term. 
  8. Disruption in the IT sector is displayed publicly, particularly when it comes from Distributed Denial of Service (DDoS) attacks. Resilience has been inadequate at times, which led to a decline in the availability of online services provided by organisations. In addition, DDoS attacks disrupted basic services such as DigiD and iDeal, and this had a chain effect on governmental organisations and businesses that use these services. It is not clear who is behind the DDoS attacks. 
  9. As yet, a broad group of organisations is unable to implement important basic (technical) measures, such as patch and update management or a password policy. Where individual organisations do have their basic security well organised, it appears that shared services and infrastructure are still vulnerable, which in turn leads to a risk for interests that transcend particular organisations. 
  10. The inherent dynamics of cyber security demand a new approach. Static information security measures are no longer sufficient; organisations need greater insight into threats (detection) and need the capacity to deal with the threats (response).

Furthermore, the report states:

In conclusion, a) dependence on IT by individuals, organisations, chains and society as a whole has grown; b) the number of threats aimed at governments and private organisations has risen, mainly originating from states and professional criminals; and c) digital resilience has remained more or less at the same level. Although more initiatives and measures are being taken, they are not always in step with the vulnerabilities, and basic security measures have not always been put in place.

Table 1 gives insight into the threats that various actors use to launch attacks on governments, private organisations, and citizens.  […]

Table 1:
EOF

Strengthening the Dutch-German cooperation on digital security

On October 25th, the Dutch National Coordinator for Counterterrorism and Security (NCTV) published (in Dutch) the following press release:

Strengthening the Dutch-German cooperation

On October 25th, 2013, the Dutch National Coordinator for Counterterrorism and Security (NCTV), Dick Schoof, consulted with the German Federal Government Commissioner for Information Technology, State Secretary Cornelia Rogall-Grothe. The aim of the meeting was to strengthen cooperation between the Netherlands and Germany in the field of cyber security.

Main topics discussed were the strategies of the two countries in the field of cyber security. Both strategies aim to better protect society against cyber attacks and disruptions. They require support from and close cooperation between national and international government agencies, operators of IT infrastructures, scientific institutes and the public. Preventive security measures, information exchange and coordination of actions are the most important topics.

In this context, Ivo Opstelten, Dutch Minister of Security and Justice, and his German colleague Dr. Hans-Peter Friedrich, Interior Minister, agreed on organizing a cross-border bilateral exercise in the area of cyber security. To this end, an exchange is currently taking place between the competent authorities, the German Federal Office for Information Security Technology (BSI) and the National Cyber Security Center (NCSC). The bilateral exercise, which is scheduled for the 1st quarter of 2014, focuses primarily on operational issues.

EOF

SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002

UPDATE 2015-07-02: the Dutch government released a new intelligence bill into public consultation. Details here.
UPDATE 2013-12-04: on December 2nd 2013, the Dessens Committee published their final report. Details here.
UPDATE 2013-11-09:
added Oversight on Dutch SIGINT is still broken (blog).

UPDATE 2013-11-02: this Guardian article of November 1st 2013 cites the following from internal GCHQ notes on the Tempora program (=wiretapping fibre-optic cables that carry internet traffic):

“GCHQ also maintains strong relations with the two main Dutch intelligence agencies, the external MIVD and the internal security service, the AIVD. ‘Both agencies are small, by UK standards, but are technically competent and highly motivated,’ British officials reported. Once again, GCHQ was on hand in 2008 for help in dealing with legal constraints. ‘The AIVD have just completed a review of how they intend to tackle the challenges posed by the internet – GCHQ has provided input and advice to this report,’ the country assessment said.
‘The Dutch have some legislative issues that they need to work through before their legal environment would allow them to operate in the way that GCHQ does. We are providing legal advice on how we have tackled some of these issues to Dutch lawyers.'”

Obviously said “legislative issues” include the Dutch WIV 2002 Article 27 (=SIGINT selection) restriction to non-cablebound communications. As stated below, the WIV 2002 is currently in its final phase of an official review by a temporary committee (Dessens Committee) that exists between February 1st 2013 and January 1st 2014. It is expected that changes to the WIV 2002 will be proposed, and that the legal power of SIGINT selection will be extended to also cover cablebound communications. The question then is: what safeguards and oversight will be proposed? Dutch readers are referred to this article by Bits of Freedom.

============ ORIGINAL POST IS BELOW THIS LINE ============

The Dutch Intelligence and Security Act 2002 (WIV 2002) is the legal framework within which the Dutch intelligence and security services AIVD (general) and MIVD (military) operate. On February 1st 2013, a committee was formally established to review the WIV 2002. The committee (‘Dessens Committee’) consists of the following members:

The committee is tasked with addressing the following questions:

 

  • Did the WIV 2002 bring what the lawmakers intended?
  • Did the WIV 2002 in practice turn out to be a workable instrument for carrying out the tasks of the services?
  • What problems and issues can be identified in the practical application of the law?

 

And the committee is tasked with giving ‘particular attention’ to the following topic that is very relevant to the Dutch Joint SIGINT Cyber Unit (JSCU) that was recently established:

  • Are the investigative powers of the services adequate, are the safeguards sufficient? Current and future developments, such as in technology and in the area of cyber, must be taken into account.

The committee’s report was expected to appear in September 2013, but it is (still) overdue. I will update this post when the report is published.

Paragraph 3.2.2 of the WIV 2002 contains Article 18 to Article 33 that regulate all special investigative powers:

  • surveillance and monitoring of persons and property (Article 20);
  • deployment of agents (Article 21);
  • establishment of legal persons (Article 21);
  • searches of private places, including housing and closed objects (Article 22);
  • examination of objects to establish the identity of individuals (Article 22);
  • opening letters and packages (Article 23);
  • intrusion into an automated work (Article 24); [hacking]
  • interception of communications, telecommunications or data exchange (Article 25);
  • exploring non-cablebound telecommunications (‘searching’) (Article 26);
  • undirected [=bulk] interception and selection of non-cablebound telecommunications (Article 27);
  • retrieval of traffic and subscriber data from providers (Articles 28 and 29);
  • physical intrusion in support of other powers (Article 30).

In 2009, the Review Committee on the Intelligence and Security Services (CTIVD) published (.pdf, in English) a review report on the application by the AIVD of Article 25 WIV 2002 (wiretapping) and Article 27 WIV 2002 (selection of undirected intercepted non cable-bound [=wireless] telecommunications).
For purposes of international comparison, discussion, etc., I hereby cite from that report the sections that explain Article 25 and Article 27. For better understanding, I recommend reading the entire review report (39 pages) — which also discusses necessity, proportionality and subsidiarity. When the WIV 2002 evaluation report finally appears, I will update this post to include the committee’s opinion on Article 25 and Article 27. It is nearly certain that the SIGINT powers will be extended; notably, that selection of undirected intercepted telecommunications will also be legally possible on cable-bound telecommunications.

2.1 Article 25 WIV 2002

Article 25 paragraph 1 WIV 2002 reads as follows:

“The services are entitled with the aid of a technical device to wiretap, receive, record and listen in on any form of conversation, telecommunication or data transfer by means of an automated work, irrespective of where this takes place. The power, as mentioned in the first sentence, also includes the power to undo encryption of the conversations, telecommunication or data transfer.”

Based on this article the AIVD may for example record conversations using a microphone, wiretap telephone conversations, read email messages and monitor a person’s internet behaviour.

The article is broadly formulated. It involves any form of conversation, telecommunication or data transfer via an automated work. This means, among other things, that not only telephone conversations can be wiretapped, but also that data transfer taking place via a telephone line can be wiretapped [3]. For example, fax messages, or text messages. The advantage of such a broad formulation is that the AIVD can respond to new communication technology.

As shown by the description in the article it does not matter where the conversation, telecommunication or data transfer takes place (‘irrespective of where this takes place’). A microphone may therefore be placed everywhere, including in someone’s dwelling. Whether deployment of a means in a certain place is justified, is assessed on the basis of several assessment criteria including necessity, proportionality and subsidiarity. The assessment criteria are explained in section 4 of this review report.

During the drafting of the WIV 2002 the question was raised whether the words ‘despite where this takes place’ can mean that conversations, telecommunications and data transfer in other countries can be wiretapped from the Netherlands. The government provided the following answer to this:

“First of all we note that the power of these services to wiretap conversations, telecommunications and data transfer as provided in Article 25 among other things, does not extend beyond the jurisdiction of the Dutch State. For the Dutch legislator cannot unilaterally create jurisdiction in other countries. However, this does not alter the fact that application of the power provided for in Article 25, in particular insofar as this concerns the interception of telecommunications as well as application of the powers laid down in the, by memorandum of amendment, inserted Article 25a [Committee: now Article 26] and Article 26 [Committee: now Article 27], can also extend to interception of telecommunications with an origin or destination abroad.” [4]

Application of the methods referred to in Article 25 WIV 2002 implies a serious intrusion on a person’s privacy, because cognisance is taken of the content of the communications of persons and organisations in a directed way. By application of this special power, the privacy of the telephone and telegraph laid down in Article 13 of the Constitution is violated. In the drafting of the WIV 2002, it was chosen not to provide a mandate arrangement for the special powers violating the more specifically provided rights of the Constitution, such as the right to inviolability of the home and the privacy of the telephone and telegraph [5]. This means that pursuant to Article 19 in conjunction with Article 25 paragraph 2 WIV 2002, only the Minister of the Interior and Kingdom Relations is competent to grant the AIVD permission for wiretapping. This permission can be given for a maximum of three months (Article 19 paragraph 3 WIV 2002). At the AIVD’s request to this end, the permission may be extended each time by three months.

2.2 Article 27 WIV 2002

Article 27 paragraph 1 reads as follows:

“The services are entitled to receive and record undirected intercepted non cable-bound telecommunications using a technical device. The power referred to in the first sentence also includes the power to undo encryption of the telecommunications.”

As discussed in the previous section, Article 25 WIV 2002 provides that the AIVD may wiretap, receive, record and listen in on telecommunications. This provision provides for the directed wiretapping of the telecommunications of a person or an organisation known to the AIVD or of a telephone number known to the AIVD.

Article 27 paragraph 1 WIV 2002 also allows for the AIVD to intercept and record undirected telecommunications. This concerns non cable-bound telecommunications, i.e. ether traffic in the broadest sense of the word. In particular this refers to the interception of telecommunications traffic that takes place via satellites [6]. The AIVD does not intercept all ether traffic. Pursuant to Article 26 WIV 2002 (the so-called “searching”) it is first assessed what frequencies or satellite channels are possibly interesting to keep under observation. If during searching, frequencies or satellite channels are taken cognisance of that may yield interesting intelligence for the AIVD, the AIVD may select undirected intercepted information sent via such frequencies or satellite channels. The term ‘undirected’ is referred to because, beforehand, it is unclear what the yield will be and whether it will contain any information relevant to the AIVD. In case of undirected interception and recording, no cognisance is taken as yet of the contents of the communication. The bulk information is only stored in the computer systems.

The AIVD does not need permission for this undirected interception and recording of information (Article 27 paragraph 2 WIV 2002). However, if the AIVD wishes to take cognisance of the contents of the communication, the AIVD must first ask the Minister of the Interior and Kingdom Relations for permission to select intercepted information on the basis of certain criteria, after which the selected part of the intercepted information, can be taken cognisance of. The power to select has been included in Article 27 paragraph 3 WIV 2002:

“The services can select the data collected by exercising the power referred to in the first paragraph on the basis of:
a. data concerning the identity of a person or an organisation;
b. a number as referred to in Article 1.1, under bb, of the Telecommunications Act, or any technical feature;
c. keywords related to a subject described in more detail.”

The selection criteria mentioned under a and b do not require much explanation. These concern, for example, names, address details or social security numbers (sub a) or telephone numbers or IP addresses (sub b). Data collection based on these selection criteria concerns specific persons and organisations, as a result of which the search action is referred to as directed. Therefore for selection based on these data the same regime must be followed as with the application of Article 25 WIV 2002, which means that it is only the Minister of the Interior and Kingdom Relations who can give permission, for a maximum period of up to three months, after which a request for extension for another three months can be submitted.

For the selection based on keywords related to a subject to be described in more detail (sub c) a different arrangement has been formulated. In this case, data collection is not focused on a person or an organisation, but it is important for the investigations the AIVD is involved with (for example proliferations of chemical weapons) [7] in a general sense. Here, the keywords do not relate to persons or organisations, but to a specific subject. Upon introduction of this power in the WIV 2002, the following explanation was given:

“A list of keywords related to a subject will as a rule consist of (combinations of) specific technical terms and specifications in various languages. Such a list is drafted in such a way that the selection system is optimally used to find the desired information. For example, a list of keywords in the context of an investigation into proliferation of certain dual-use goods to a specific country or region might consist, among other things, of the names of certain chemical substances and chemical compounds in combination with these countries or regions. A somewhat simplified example concerns the search for messages in which the word sodium (or the Dutch equivalent natrium) is found and also within two positions the word chloride or fluoride. A list of keywords to be used in an investigation into the export of a missile system to certain countries or regions might consist of various names by which the specific missile system is specified, any project names or designations of the various elements that make up part of the system in question.” [8]

Because the personal privacy of persons and organisations is not directly at issue here – as the data collection is not directed at persons or organisations – the Minister of the Interior and Kingdom Relations may give permission for a longer period – namely for a maximum of one year – to select intercepted information in the context of the investigation of a certain described topic. Experts within the AIVD subsequently formulate keywords relating to this topic, on the basis of which the selection can be made. Therefore the Minister of the Interior and Kingdom Relations does not need to give permission for the specific keywords. Legally, the permission regarding the formulated keywords must come from either the Head of the AIVD, or another officer appointed by him. However, the AIVD has opted for having this power exclusively exercised by the Head of the AIVD.

2.3 “Silent tap”

The Committee has established that the AIVD applies a special power – a “silent tap” – under the denominator of Article 28 WIV 2002 (retrieving traffic data) whereas in the Committee’s opinion this method falls under the description of Article 25 WIV 2002 (wiretapping telecommunications).

Article 28 WIV 2002 provides that the AIVD can retrieve (telephone) traffic data from providers of public telecommunications networks and public telecommunications services. This way the AIVD can obtain data about, among other things, the dates and times at which someone called and the telephone numbers used for making the contact [9]. Article 28 WIV 2002 does not serve to take cognisance of the content of the communications that take place via the telephone connection. In that case permission from the Minister of the Interior and Kingdom Relations would be required pursuant to Article 25 WIV 2002, because this concerns the interception of (any form of) telecommunication. This difference was touched upon briefly during the drafting of the WIV 2002, when the monitoring of military data traffic was discussed:

“In our opinion violation of the privacy of the telephone is involved if taking cognisance of the content of a telephone conversation is aimed at the very content itself. If the content of a telephone conversation is taken cognisance of purely as a brief part of an investigation into the identity of persons or institutions communicating with one another, we do not consider this as a violation of the privacy of the telephone. Rather, the [Committee: monitoring of military data traffic] is comparable with an investigation into traffic data. Such an investigation can indeed be considered as a violation of the right of privacy as laid down in Article 10 of the Constitution, but not as a violation of the privacy of the telephone laid down in Article 13 of the Constitution.” [10]

No permission from the Minister of the Interior and Kingdom Relations is required for retrieving (telephone) traffic data (Article 28 paragraph 3 WIV 2002). It is sufficient that the request is made to the telecommunication providers by the Head of the AIVD (Article 28 paragraph 4 WIV 2002).

Article 28 paragraph 1 WIV 2002 provides that the request may pertain both to data already processed at the time of the request and data processed after the request. Therefore the AIVD may ask the telecommunication providers for the data regarding the use of the telephone during, for example, the past month, but the AIVD can also request to keep the service informed of this data in, for example, the next two weeks. In the latter case a technical facility makes it possible that the AIVD has immediate (‘real time’) access to the current data regarding the use of the telephone by a person. This is also referred to as a “silent tap”. Basically, a silent tap is a telephone tap, the difference being that the sound signal in a silent tap is not provided to the AIVD.

The Committee has established that in a silent tap the sound signal may not be forwarded to the AIVD, but that in a number of silent taps applied by the AIVD, the content of (a form of) telecommunication was taken cognisance of as it turned out that text messages were also reaching the AIVD via the silent tap. The Committee has come across a case of a silent tap, whereby the AIVD received approximately 150 text messages in a short period of time. This is an exception. In most cases a much smaller number of text messages are involved. The number of silent taps whereby text messages were received, moreover, involved a minority compared with the silent taps where no text messages were received.

The text messages ending up at the AIVD via a silent tap are (automatically) stored in the AIVD’s digital systems. The AIVD has indicated that at the moment it is impossible to avoid the inclusion of text messages in a silent tap. Nor is it possible at this moment to separate the text messages in the AIVD’s wiretapping room from the information provided to the operational teams. As it does not intend to take cognisance of the content of the communication when applying a silent tap, the AIVD is of the opinion that the received text messages are to be considered so-called by-catch.

The Committee does not share this view held by the AIVD. In Article 2 of the Governmental Decree to Article 28 WIV 2002 [11] text messages are not designated as data that can be retrieved from the telecommunications services pursuant to Article 28. This is not without a reason. The Committee calls to mind the 2000 report of the Committee “Constitutional rights in the digital era”, also referred to – after its chairman – as the Franken Committee. This report noted the following on traffic data:

“Traffic data does not concern the content of the data traffic.
Because Article 13 of the Constitution [Committee: inviolability of the privacy of correspondence, telephone and telegraph] has the very intention of protecting the content of the communication, traffic data is not protected by this Article. This data is however protected by Article 10 of the Constitution [Committee: respect for and protection of the personal privacy].” [12]

The Franken Committee describes various data that will also become visible in traffic data due to ongoing technological developments, an example being that in using the internet not only traffic data is recorded that pertains to the telephone traffic between user and dial-in access point of the provider of internet services, but it is also registered which websites have been visited [13]. In the Franken Committee’s report no examples are provided of data that actually provides an idea of the content of the communications, such as text messages.

In the government’s response to the report it shares the position of the Franken Committee that traffic data does not fall under the protection of Article 13 of the Constitution.

“In the Committee and government’s view there exists insufficient justification to bring traffic data under the specific protection of Article 13. This conclusion is related to the fact that traffic data may tell much about persons in our information society, but that the same applies for much more sensitive data that do not fall under the scope of Article 13. No proper arguments can be put forward to make a distinction in the constitutional protection level between categories of personal data based on the fact that it is or is not related to a content that, independently, is subject to constitutional protection.” [14]

The Review Committee agrees with the view that in itself traffic data does not necessarily fall under the scope of the specific protection of Article 13 of the Constitution. However, as the text messages included when current traffic data is sent do themselves contain confidential communication, these messages are not “related to a content enjoying independent protection”, but are in themselves a content enjoying constitutional protection. The fact that a text message involves confidential communication has been phrased by the government in its response to Parliamentary questions on the report as follows:

“Electronic data traffic between individual citizens via email and text messaging falls under the scope of the proposal for Article 13 of the Constitution because it concerns confidential communication. The protection of confidential communication is not limited to communication actively protected, for example by means of encryption of the message. As mentioned, the nature of the channel chosen, the (manner of) addressing and the nature of the communication may serve as a guideline in determining the confidentiality.” [15]

The text messages included in a silent tap therefore, in the Review Committee’s opinion, fall under the protection of Article 13 of the Constitution. This is in line with what the government has also included in its position on the traffic data:

“Insofar as taking cognisance of traffic data coincides with taking cognisance of information concerning its content, content-related information is involved. This content-related information falls under the stricter regime of Article 13.” [16]

For wiretapping, interception, recording and listening in on (any form of) telecommunication – as a result of which the privacy of the telephone laid down in Article 13 of the Constitution is violated – a special provision has been included in the WIV 2002, namely Article 25, the application of which has been surrounded by extra safeguards as it is only the Minister of the Interior and Kingdom Relations who can give permission for the application of this method. The Committee is of the opinion that, as long as it is technically unfeasible to avoid text messages being sent along with a silent tap or to ensure that text messages are separated in the wiretap room, a silent tap falls under the description of Article 25 paragraph 1 WIV 2002, namely under ‘any form of telecommunication’, because as a result of text messages being sent along, cognisance is taken of the content of the communication. Therefore the Committee urgently recommends that the request for permission to apply a silent tap must be made to the Minister of the Interior and Kingdom Relations in the way set out in Article 25 WIV 2002.

[0-2] (not used)
[3] Parliamentary Documents II 1997/98, 25 877, no. 3, p. 41.
[4] Parliamentary Documents II 1999/2000, 25 877, no. 8, p. 65.
[5] Parliamentary Documents II 1999/2000, 25 877, no. 8, p. 45-46 and Parliamentary Documents II 2000/01, 25 877, no. 59, p. 7-8.
[6] Parliamentary Documents II 1997/98, 25 877, no. 3, p. 44.
[7] Parliamentary Documents II 1997/98, 25 877, no. 3, p. 45.
[8] Parliamentary Documents II 2000/01, 25 877, no. 14, p. 33.
[9] A full listing of the data that can be retrieved has been included in the Governmental Decree to Article 28 paragraph 1 WIV 2002, to be referred via http://wetten.overheid.nl.
[10] Parliamentary Documents II 2000/01, 25 877, no. 14, p. 35.
[11] See footnote 9.
[12] Report Committee on Constitutional rights in the digital era, May 2000, p. 159.
[13] Report Committee on Constitutional rights in the digital era, May 2000, p. 160.
[14] Parliamentary Documents II 2000/01, 27 460, no. 1, p. 27.
[15] Parliamentary Documents II 2000/01, 27 460, no. 2, p. 59.
[16] See footnote 14.

EOF

TorRAT: four Dutch suspects arrested in EUR 1M digital fraud and money laundering case

UPDATE 2013-10-29: added link to article on TorRAT by Tanya Shafir posted on April 22nd 2013.

On October 24th, the Dutch Public Prosecution Service announced the following:

Hackers plunder bank accounts

October 24, 2013 – Public Prosecution Service

Hackers are suspected of looting bank accounts and making hundreds of fraudulent transfers by installing malicious software on the computers of Dutch bank account holders.

On Monday, the police arrested four men from Alkmaar, Haarlem, Woubrugge and Roden on suspicion of involvement in a large-scale digital fraud and money laundering case.

Fake email messages were sent containing a link that activates the so-called banking malware, giving the hackers access to the computers of unwitting account holders. The invading ‘TorRAT’ manipulates the online banking by adding, modifying or deleting data. The malware adds new payments, or changes existing payment orders without the account holder being able to see it.

TorMail

To protect their criminal activities the suspects made use of TorMail, a free service that allows users to anonymously send and receive messages.

The fraudulent transfers have ended up in bank accounts of money mules. They were recruited to make their bank accounts available or to open new bank accounts and hand over their credentials. To channel the stolen money, domestic and foreign companies were created and business bank accounts were opened.

Bitcoins

Moreover, the defendants exchanged money that was supposedly criminally obtained for bitcoins, a form of electronic currency. One of the men himself managed a bitcoin exchange service where (cash) money can be converted into bitcoins. The Public Prosecution Service seized 56 bitcoins, which have been exchanged for more than 7700 euros.

The police investigation focuses on the period from spring 2012 to the present, and on more than 150 fraudulent transactions. Several banks and companies have reported cybercrime. The extent of the damage is possibly around one million euros.

The suspects are taken into custody for two weeks by the magistrate in Rotterdam.

EOF