UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.
 
UPDATE 2013-11-02: note that the below concerns the NSA program “BOUNDLESSINFORMANT” — that’s where the “1.8M” number comes from. See details at Cryptome and Wikipedia. 

UPDATE 2013-11-01: according to this Parliamentary Paper (.pdf, in Dutch) of October 31st, the (unclassified) letter that the Dutch Minister received from the NSA contains the following (original) English text:

Hence, as was already clear to the informed observer, the data collected by the NSA concerns metadata, not audio signals. If the NSA got that data without consulting AIVD/MIVD, that is illegal in the Netherlands — as stated by the Minister himself. Nu.nl reports (in Dutch) that the Dutch Public Prosecution Service is currently not investigating this matter.

UPDATE 2013-10-30+31: in the Dutch TV news program `Nieuwsuur Politiek’, the Dutch Minister of the Interior and Kingdom Relations, Ronald Plasterk, stated that the 1.8M telephone calls’ metadata were not collected by the Dutch govt or shared by Dutch govt with NSA. Plasterk stated that he received a written statement from the NSA confirming that the NSA collected such metadata in December 2012. The letter does not mention the reported number of “1.8M”. The question then is whether or not the data was collected with permission of the Dutch govt: an article from October 30th in El Mundo suggests (in Spanish), based on Snowden documents, that the Netherlands is one of 19 countries that have a ‘specific cooperation’ with the NSA, and that the NSA collected telecommunications (voice and internet data) in the Netherlands.

====== START OF ORIGINAL BLOGPOST FROM 2013-10-28 ======
On October 28th 2013, the Dutch cabinet 1) responded (.pdf, in Dutch) to the media report that the NSA intercepted 1.8M telephone calls in the Netherlands, and 2) responded (.pdf, in Dutch) to Parliamentary questions concerning that topic. Below is my English translation of both documents. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Date: October 28th 2013 Subject: Response to the report “NSA intercepted about 1.8 million calls in one month in the Netherlands”.
Motivation
On October 21st, a report was published on the website Tweakers on the eavesdropping of Dutch citizens by the U.S. National Security Agency (NSA). The report is based on an article in the French newspaper Le Monde of October 21st. The report in Le Monde provides further interpretation of a graph that was published on August 5th by the German weekly Der Spiegel. On October 22nd, the Parliament asked me to respond to this (Parliamentary Papers 2013Z20253/2013D41837). I hereby inform you on behalf of the Minister of Security and Justice, the Minister of Foreign Affairs and the Minister of Defense.

Media reports
From the media reports it would appear that the U.S. services store telephone traffic for further analysis. This concerns, for instance, data on who is calling, when, for how long, and from what location. After this additional analysis, the NSA could choose to inspect the content of the communication, in accordance with U.S. law. Given the U.S. law, including the Foreign Intelligence Surveillance Act (FISA), the cabinet is aware of the possibility that the U.S. can intercept telephone communications. Using the analysis of metadata, networks of people and organizations can be identified, and the intensity of the contacts can be estimated.

Position of the Dutch cabinet
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable. It is possible that other countries believe there is good reasons to gather intelligence in or from the Netherlands. In that case, the country involved must address a request to the AIVD or MIVD. That request will then be examined within the WIV 2002. The cabinet considers any action outside that legal framework unacceptable.

The two services therefore carry out structural investigation of espionage by foreign powers in the Netherlands. If such espionage is detected, measures are always taken. This applies even if allies carry out unwanted spying activities in the Netherlands. In the Netherlands, the Dutch law applies, also to allies.

Action by Dutch cabinet
Following the revelations of Mr. Snowden I spoke with the director of the NSA on a bilateral solution, as reported in the general meeting of October 16th. Further consultations are taking place between the Dutch intelligence and security services and the NSA. The Netherlands assesses the initiative of Germany and France as positive, will contact both countries, and will actively contribute where possible. The Minister of Foreign Affairs has previously expressed the Dutch concerns during his visit to Washington to his Dutch colleague Kerry, and called for more transparency. The Minister of Security and Justice, as coordinating minister for cyber security, submitted the new government-wide National Cyber Security Strategy [.pdf, in Dutch] to the Parliament. This includes extensive attention to measures for increasing the overall resilience in the digital domain. Moreover, the State Secretary of Security and Justice and I are also actively involved in the negotiations on the new EU legislation on the protection of privacy.

Actions of Parliament and the EU
At the request of the Parliament, the Review Committee on the Intelligence and Security Services (CTIVD) is investigating the data processing by the AIVD and the MIVD concerning telecommunications. The report is expected this fall and will be sent to the Parliament as soon as possible with a cabinet response. At the EU level, an EU/US expert group started with the aim of getting insight in each other’s programs and how they are anchored in the rule of law. The cabinet supports the activities of this expert group. The report of the expert group is expected this fall. The European Parliament is also holding hearings, following the revelations by Mr. Snowden. The report on these hearings is also expected this fall. International cooperation The CTIVD supervises the legality of the activities of the services, including the cooperation with foreign intelligence and security services, and on that account has access to all information at the AIVD and MIVD. The CTIVD reports to Parliament through the responsible minister.

The Minister of the Interior and Kingdom Relations,

Dr. R.H.A. Plasterk

And here are the Parliamentary questions and answers:

Questions from members Verhoeven and Schouw (both D66) to the Ministers of Economic Affairs and the Interior and Kingdom Relations concerning the signals that the U.S. NSA is also eavesdropping leaders in the corporate sector (submitted October 25th, 2013) 1. Have you taken note of the report “Snowden leaks: France summons U.S. envoy over NSA surveillance claims”? [1]
Yes.

2. Can you elaborate on the suggestion that not only potential terrorists are wiretapped, but also leaders in the corporate sector, and also respond to reports concerning the Brazilian Petrobras company?
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable.

3 Can you rule out that the U.S. security services are spying on Dutch companies for economic purposes?
4 How many examples of such corporate espionage are known to you, which sectors are involved, and what do you intend to do?
The AIVD investigates of espionage by foreign powers for the national security. No public statements can be made about the methods and information position of the AIVD, including examples of corporate espionage.

5. What are the risks to Dutch companies and Dutch citizens due to spying for economic purposes?
The AIVD has repeatedly highlighted the risks for espionage, including in the Annual Report 2012 [.pdf, in English] (Parliamentary Papers, 30977 No. 52). The [third] Cyber ​​Security Assessment Netherlands [.pdf, in English] (Parliamentary Papers, 26643 No. 285), which is established under coordination by the Minister of Security and Justice, appoints digital espionage as one of the greatest threats to government and industry. Moreover, the vulnerability of ICT remains high.

6 To what extent does industrial espionage remain a priority for the AIVD? The AIVD investigates espionage by foreign powers for national security. Moreover, the AIVD supports the vital sectors in improving security. You have been informed about this, including through the Annual Report 2012. Investigations into corporate espionage outside the context of national security is not a task of the AIVD, this is a matter for the companies themselves (supported by the AIVD via the Espionage Vulnerability Analysis [.pdf, in Dutch] and advice).

7 Are you willing to send an explicit signal to the U.S. that corporate espionage does not fit into a relationship between friendly countries?
Yes, see the activities described in my letter of October 28th, 2013.

8 Are you prepared to answer these questions before Monday October 28th 12:00?

[1] http://www.theguardian.com/world/2013/oct/21/snowden-leaks-france-us-envoy-nsa- surveillance
[2] http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-10-26: UN Draft on Privacy
• 2013-10-25: SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002
• 2013-10-18: Dutch govt response to Parliamentary questions concerning U.S. spying / AMS-IX expansion to U.S. 
• 2013-10-11: Dutch govt response to Parliamentary questions about NSA wiretapping international phone traffic
• 2013-09-14: Dutch govt response to revelations by Edward Snowden

EOF

On October 25th, the Dutch National Coordinator for Counterterrorism and Security (NCTV) published (in Dutch) the following press release:

Strengthening the Dutch-German cooperation

On October 25th, 2013th, the Dutch National Coordinator for Counterterrorism and Security (NCTV), Dick Schoof consulted with the German Federal Government Commissioner for Information Technology, State Secretary Cornelia Rogall-Grothe. The aim of the meeting was to strengthen cooperation between the Netherlands and Germany in the field of cyber security.

Main topics discussed were the strategies of the two countries in the field of cyber security. Both strategies aim to better protect society against cyber attacks and disruptions. They require support from and close cooperation between national and international government agencies, operators of IT infrastructures, scientific institutes and the public. Preventive security measures, information exchange and coordination of actions are the most important topics.

In this context, Ivo Opstelten, Dutch Minister of Security and Justice, and his German colleague Dr. Hans-Peter Friedrich, Interior Minister, agreed on organizing a cross-border bilateral exercise in the area of cyber security. To this end, an exchange is currently taking place between the competent authorities, the German Federal Office for Information Security Technology (BSI) and the National Cyber ​​Security Center (NCSC). The bilateral exercise, which is scheduled for the 1st quarter of 2014, focuses primarily on operational issues.

Related:

• 2013-10-25: Stärkung der Deutsch-Nierländischen Zusammenarbeit

EOF

“GCHQ also maintains strong relations with the two main Dutch intelligence agencies, the external MIVD and the internal security service, the AIVD. ‘Both agencies are small, by UK standards, but are technically competent and highly motivated,’ British officials reported. Once again, GCHQ was on hand in 2008 for help in dealing with legal constraints. ‘The AIVD have just completed a review of how they intend to tackle the challenges posed by the internet – GCHQ has provided input and advice to this report,’ the country assessment said.
‘The Dutch have some legislative issues that they need to work through before their legal environment would allow them to operate in the way that GCHQ does. We are providing legal advice on how we have tackled some of these issues to Dutch lawyers.'”

============ ORIGINAL POST IS BELOW THIS LINE ============

The Dutch Intelligence and Security Act 2002 (WIV 2002) is the legal framework within which the Dutch intelligence and security services AIVD (general) and MIVD (military) operate. On February 1st 2013, a committee was formally established to review the WIV 2002. The committee (‘Dessens Committee’) consists of the following members:

• C.W.M. Dessens MA LLM, chair (former Director-General of Dutch law enforcement);
• former Lieutenant General M.A. Beuving;
• prof. dr. E.R. Muller LLM;
• former Vice Admiral W. Nagtegaal;
• H.J.I.M. de Rooij LLM;
• prof. W.M.E. Thomassen LLM;
• prof. dr. W.J.M. Voermans.

The committee is tasked with addressing the following questions:

• Did the WIV 2002 bring what the lawmakers intended?
• Did the WIV 2002 in practice turn out to be a workable instrument for carrying out the tasks of the services?
• What problems and issues can be identified in the practical application of the law?

And the committee is tasked with giving `particular attention’ to the following topic that is very relevant to the Dutch Joint SIGINT Cyber Unit (JSCU) that was recently established:

• Are the investigative powers of the services adequate, are the safeguards sufficient? Current and future developments, such as in technology and in the area of cyber, must be taken into account.

The publication of the committee’s report was expected to appear in September 2013, but it (still) is overdue. I will update this post when the report is published.

Paragraph 3.2.2 of the WIV 2002 contains Article 18 to Article 33 that regulate all special investigative powers:

• surveillance and monitoring of persons and property (Article 20);
• deployment of agents (Article 21);
• establishment of legal persons (Article 21);
• searches of private places, including housing and closed objects (Article22);
• examination of objects to establish the identity of individuals (Article 22);
• opening letters and packages (Article 23);
• intrusion into an automated work (Article 24); [hacking]
• interception of communications, telecommunications or data exchange (Article 25);
• exploring non-cablebound telecommunications (‘searching’) (Article 26);
• undirected [=bulk] interception and selection of non-cablebound telecommunications (Article 27);
• retrieval of traffic and subscriber data from providers (Articles 28 and 29);
• physical intrusion in support of other powers (Article 30).

In 2009, the Review Committee on the Intelligence and Security Services (CTIVD) published (.pdf, in English) a review report on the application by the AIVD of Article 25 WIV 2002 (wiretapping) and Article 27 WIV 2002 (selection of undirected intercepted non cable-bound [=wireless] telecommunications).
For purposes of international comparison, discussion, etc., I hereby cite from that report the sections that explain Article 25 and Article 27. For better understanding, I recommend reading the entire review report (39 pages) — which also discusses necessity, proportionality and subsidiarity. When the WIV 2002 evaluation report finally appears, I will update this post to include the committee’s opinion on Article 25 and Article 27. It is nearly certain that the SIGINT powers will be extended; notably, that selection of undirected intercepted telecommunications will also be legally possible on cable-bound telecommunications.

2.1 Article 25 WIV 2002

Article 25 paragraph 1 WIV 2002 reads as follows:

“The services are entitled with the aid of a technical device to wiretap, receive, record and listen in on any form of conversation, telecommunication or data transfer by means of an automated work, irrespective of where this takes place. The power, as mentioned in the first sentence, also includes the power to undo encryption of the conversations, telecommunication or data transfer.”

Based on this article the AIVD may for example record conversations using a microphone, wiretap telephone conversations, read email messages and monitor a person’s internet behaviour.

The article is broadly formulated. It involves any form of conversation, telecommunication or data transfer via an automated work. This means, among other things, that not only telephone conversations can be wiretapped, but also that data transfer taking place via a telephone line can be wiretapped [3]. For example, fax messages, or text messages. The advantage of such a broad formulation is that the AIVD can respond to new communication technology .

As shown by the description in the article it does not matter where the conversation, telecommunication or data transfer takes place (‘irrespective of where this takes place’). A microphone may therefore be placed everywhere, including in someone’s dwelling. Whether deployment of a means in a certain place is justified, is assessed on the basis of several assessment criteria including necessity, proportionality and subsidiarity. The assessment criteria are explained in section 4 of this review report.

During the drafting of the WIV 2002 the question was raised whether the words ‘despite where this takes place’ can mean that conversations, telecommunications and data transfer in other countries can be wiretapped from the Netherlands. The government provided the following answer to this:

“First of all we note that the power of these services to wiretap conversations, telecommunications and data transfer as provided in Article 25 among other things, does not extend beyond the jurisdiction of the Dutch State. For the Dutch legislator cannot unilaterally create jurisdiction in other countries. However, this does not alter the fact that application of the power provided for in Article 25, in particular insofar as this concerns the interception of telecommunications as well as application of the powers laid down in the, by memorandum of amendment, inserted Article 25a [Committee: now Article 26] and Article 26 [Committee: now Article 27], can also extend to interception of telecommunications with an origin or destination abroad.” [4]Application of the methods referred to in Article 25 WIV 2002 implies a serious intrusion on a person’s privacy, because cognisance is taken of the content of the communications of persons and organisations in a directed way. By application of this special power, the privacy of the telephone and telegraph laid down in Article 13 of the Constitution is violated. In the drafting of the WIV 2002, it was chosen not to provide a mandate arrangement for the special powers violating the more specifically provided rights of the Constitution, such as the right to inviolability of the home and the privacy of the telephone and telegraph [5]. This means that pursuant to Article 19 in conjunction with Article 25 paragraph 2 WIV 2002, only the Minister of the Interior and Kingdom Relations is competent to grant the AIVD permission for wiretapping. This permission can be given for a maximum of three months (Article 19 paragraph 3 WIV 2002). At the AIVD’s request to this end, the permission may be extended each time by three months.

2.2 Article 27 WIV 2002

Article 27 paragraph 1 reads as follows:

“The services are entitled to receive and record undirected intercepted non cable-bound telecommunications using a technical device. The power referred to in the first sentence also includes the power to undo encryption of the telecommunications.”As discussed in the previous section, Article 25 WIV 2002 provides that the AIVD may wiretap, receive, record and listen in on telecommunications. This provision provides for the directed wiretapping of the telecommunications of a person or an organisation known to the AIVD or of a telephone number known to the AIVD.

Article 27 paragraph 1 WIV 2002 also allows for the AIVD to intercept and records undirected telecommunications. This concerns non cable-bound telecommunications, i.e. ether traffic in the broadest sense of the word. In particular this refers to the interception of telecommunications traffic that takes place via satellites [6]. The AIVD does not intercept all ether traffic. Pursuant to Article 26 WIV 2002 (the so-called “searching”) it is first assessed what frequencies or satellite channels are possibly interesting to keep under observation. If during searching, frequencies or satellite channels are taken cognisance of that may yield interesting intelligence for the AIVD, the AIVD may select undirected intercepted information sent via such frequencies or satellite channels. The term ‘undirected’ is referred to because, beforehand, it is unclear what the yield will be and whether it will contain any information relevant to the AIVD. In case of undirected interception and recording, no cognisance is taken as yet of the contents of the communication. The bulk information is only stored in the computer systems.

The AIVD does not need permission for this undirected interception and recording of information (Article 27 paragraph 2 WIV 2002). However, if the AIVD wishes to take cognisance of the contents of the communication, the AIVD must first ask the Minister of the Interior and Kingdom Relations for permission to select intercepted information on the basis of certain criteria, after which the selected part of the intercepted information, can be taken cognisance of. The power to select has been included in Article 27 paragraph 3 WIV 2002:

“The services can select the data collected by exercising the power referred to in the first paragraph on the basis of:
a. data concerning the identity of a person or an organisation;
b. a number as referred to in Article 1.1, under bb, of the Telecommunications Act, or any technical feature;
c. keywords related to a subject described in more detail.”The selection criteria mentioned under a and b do not require much explanation. These concern, for example, names, address details or social security numbers (sub a) or telephone numbers or IP addresses (sub b). Data collection based on these selection criteria concerns specific persons and organisations, as a result of which the search action is referred to as directed. Therefore for selection based on these data the same regime must be followed as with the application of Article 25 WIV 2002, which means that it is only the Minister of the Interior and Kingdom Relations who can give permission, for a maximum period of up to three months, after which a request for extension for another three months can be submitted.

For the selection based on keywords related to a subject to be described in more detail (sub c) a different arrangement has been formulated. In this case, data collection is not focused on a person or an organisation, but it is important for the investigations the AIVD is involved with (for example proliferations of chemical weapons)7 in a general sense. Here, the keywords do not relate to persons or organisations, but to a specific subject. Upon introduction of this power in the WIV 2002, the following explanation was given:

“A list of keywords related to a subject will as a rule consist of (combinations of) specific technical terms and specifications in various languages. Such a list is drafted in such a way that the selection system is optimally used to find the desired information. For example, a list of keywords in the context of an investigation into proliferation of certain dual-use goods to a specific country or region might consist, among other things, of the names of certain chemical substances and chemical compounds in combination with these countries or regions. A somewhat simplified example concerns the search for messages in which the word sodium (or the Dutch equivalent natrium) is found and also within two positions the word chloride or fluoride. A list of keywords to be used in an investigation into the export of a missile system to certain countries or regions might consist of various names by which the specific missile system is specified, any project names or designations of the various elements that make up part of the system in question.” [8]Because the personal privacy of persons and organisations is not directly at issue here – as the data collection is not directed at persons or organisations – the Minister of the Interior and Kingdom Relations may give permission for a longer period – namely for a maximum of one year – to select intercepted information in the context of the investigation of a certain described topic. Experts within the AIVD subsequently formulate keywords relating to this topic, on the basis of which the selection can be made.. Therefore the Minister of the Interior and Kingdom Relations does not need to give permission for the specific keywords. Legally, the permission regarding the formulated keywords must come from either the Head of the AIVD, or another officer appointed by him. However, the AIVD has opted for having this power exclusively exercised by the Head of the AIVD.

2.3 “Silent tap”

The Committee has established that the AIVD applies a special power – a “silent tap” – under the denominator of Article 28 WIV 2002 (retrieving traffic data) whereas in the Committee’s opinion this method falls under the description of Article 25 WIV 2002 (wiretapping telecommunications).

Article 28 WIV 2002 provides that the AIVD can retrieve (telephone) traffic data from providers of public telecommunications networks and public telecommunications services. This way the AIVD can obtain data about, among other things, the dates and times at which someone called and the telephone numbers used for making the contact [9]. Article 28 WIV 2002 does not serve to take cognisance of the content of the communications that take place via the telephone connection. In that case permission from the Minister of the Interior and Kingdom Relations would be required pursuant to 25 WIV 2002, because this concerns the interception of (any form of) telecommunication. This difference was touched upon briefly during the drafting of the WIV 2002, when the monitoring of military data traffic was discussed:

“In our opinion violation of the privacy of the telephone is involved if taking cognisance of the content of a telephone conversation is aimed at the very content itself. If the content of a telephone conversation is taken cognisance of purely as a brief part of an investigation into the identity of persons or institutions communicating with one another, we do not consider this as a violation of the privacy of the telephone. Rather, the [Committee: monitoring of military data traffic] is comparable with an investigation into traffic data. Such an investigation can indeed be considered as a violation of the right of privacy as laid down in Article 10 of the Constitution, but not as a violation of the privacy of the telephone laid down in Article 13 of the Constitution.” [10]No permission from the Minister of the Interior and Kingdom Relations is required for retrieving (telephone) traffic data (Article 28 paragraph 3 WIV 2002). It is sufficient that the request is made to the telecommunication providers by the Head of the AIVD (Article 28 paragraph 4 WIV 2002).

Article 28 paragraph 1 WIV 2002 provides that the request may pertain both to data already processed at the time of the request and data processed after the request. Therefore the AIVD may ask the telecommunication providers for the data regarding the use of the telephone during, for example, the past month, but the AIVD can also request to keep the service informed of this data in, for example, the next two weeks. In the latter case a technical facility makes it possible that the AIVD has immediate (‘real time’) access to the current data regarding the use of the telephone by a person. This is also referred to as a “silent tap”. Basically, a silent tap is a telephone tap, the difference being that the sound signal in a silent tap is not provided to the AIVD.

The Committee has established that in a silent tap the sound signal may not be forwarded to the AIVD, but that in a number of silent taps applied by the AIVD, the content of (a form of) telecommunication was taken cognisance of as it turned out that text messages were also reaching the AIVD via the silent tap. The Committee has come across a case of a silent tap, whereby the AIVD received approximately 150 text messages in a short period of time. This is an exception. In most cases a much smaller number of text messages are involved. The number of silent taps whereby text messages were received, moreover, involved a minority compared with the silent taps where no text messages were received.

The text messages ending up at the AIVD via a silent tap are (automatically) stored in the AIVD’s digital systems. The AIVD has indicated that at the moment it is impossible to avoid the inclusion of text messages in a silent tap. Nor is it possible at this moment to separate the text messages in the AIVD’s wiretapping room from the information provided to the operational teams. As it does not intend to take cognisance of the content of the communication when applying a silent tap, the AIVD is of the opinion that the received text messages are to be considered so-called by-catch.

The Committee does not share this view held by the AIVD. In Article 2 of the Governmental Decree to Article 28 WIV 200211 text messages are not designated as data that can be retrieved from the telecommunications services pursuant to Article 28. This is not without a reason. The Committee calls to mind the 2000 report of the Committee “Constitutional rights in the digital era”, also referred to – after its chairman,- as the Franken Committee. This report noted the following on traffic data:

“Traffic data does not concern the content of the data traffic.
Because Article 13 of the Constitution [Committee: inviolability of the privacy of correspondence, telephone and telegraph] has the very intention of protecting the content of the communication, traffic data is not protected by this Article. This data is however protected by Article 10 of the Constitution [Committee: respect for and protection of the personal privacy].” [12]The Franken Committee describes various data that will also become visible in traffic data due to ongoing technological developments, an example being that in using the internet not only traffic data is recorded that pertains to the telephone traffic between user and dial-in access point of the provider of internet services, but it is also registered which websites have been visited [13]. In the Franken Committee’s report no examples are provided of data that actually provides an idea of the content of the communications, such as text messages.

In the government’s response to the report it shares the position of the Franken Committee that traffic data does not fall under the protection of Article 13 of the Constitution.

“In the Committee and government’s view there exists insufficient justification to bring traffic data under the specific protection of Article 13. This conclusion is related to the fact that traffic data may tell much about persons in our information society, but that the same applies for much more sensitive data that do not fall under the scope of Article 13. No proper arguments can be put forward to make a distinction in the constitutional protection level between categories of personal data based on the fact that it is or is not related to a content that, independently, is subject to constitutional protection.” [14]The Review Committee agrees with the view that in itself traffic data does not necessarily fall under the scope of the specific protection of Article 13 of the Constitution. However, as the text messages included when current traffic data is sent do themselves contain confidential communication, these messages are not “related to a content enjoying independent protection”, but are in themselves a content enjoying constitutional protection. The fact that a text message involves confidential communication has been phrased by the government in its response to Parliamentary questions on the report as follows:

“Electronic data traffic between individual citizens via email and text messaging falls under the scope of the proposal for Article 13 of the Constitution because it concerns confidential communication. The protection of confidential communication is not limited to communication actively protected, for example by means of encryption of the message. As mentioned, the nature of the channel chosen, the (manner of) addressing and the nature of the communication may serve as a guideline in determining the confidentiality.” [15]The text messages included in a silent tap therefore, in the Review Committee’s opinion, fall under the protection of Article 13 of the Constitution. This is in line with what the government has also included in its position on the traffic data:

“Insofar as taking cognisance of traffic data coincides with taking cognisance of information concerning its content, content-related information is involved..This content-related information falls under the stricter regime of Article 13.” [16]

For wiretapping, interception, recording and listening in on (any form of) telecommunication – as a result of which the privacy of the telephone laid down in Article 13 of the Constitution is violated – a special provision has been included in the WIV 2002, namely Article 25, the application of which has been surrounded by extra safeguards as it is only the Minister of the Interior and Kingdom Relations who can give permission for the application of this method. The Committee is of the opinion that, as long as it is technically unfeasible to avoid text messages being sent along with a silent tap or to ensure that text messages are separated in the wiretap room, a silent tap falls under the description of Article 25 paragraph 1 WIV 2002, namely under ‘any form of telecommunication’, because as a result of text messages being sent along, cognisance is taken of the content of the communication. Therefore the Committee urgently recommends that the request for permission to apply a silent tap must be made to the Minister of the Interior and Kingdom Relations in the way set out in Article 25 WIV 2002.

[0-2] (not used)
[3] Parliamentary Documents II 1997/98, 25 877, no. 3, p. 41.
[4] Parliamentary Documents II 1999/2000, 25 877, no. 8, p. 65.
[5] Parliamentary Documents II 1999/2000, 25 877, no. 8, p. 45-46 and Parliamentary Documents II 2000/01, 25 877, no. 59, p. 7-8.
[6] Parliamentary Documents II 1997/98, 25 877, no. 3, p. 44.
[7] Parliamentary Documents II 1997/98, 25 877, no. 3, p. 45.
[8] Parliamentary Documents II 2000/01, 25 877, no. 14, p. 33.
[9] A full listing of the data that can be retrieved has been included in the Governmental Decree to Article 28 paragraph 1 WIV 2002, to be referred via http://wetten.overheid.nl.
[10] Parliamentary Documents II 2000/01, 25 877, no. 14, p. 35.
[11] See footnote 9.
[12] Report Committee on Constitutional rights in the digital era, May 2000, p. 159.
[13] Report Committee on Constitutional rights in the digital era, May 2000, p. 160.
[14] Parliamentary Documents II 2000/01, 27 460, no. 1, p. 27.
[15] Parliamentary Documents II 2000/01, 27 460, no. 2, p. 59.
[16] See footnote 14.

Related:

• 2013-11-09: Oversight on Dutch SIGINT is still broken (blog).
• 2013-10-25: SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002 (blog)
• 2013-09-24: Project Symbolon completed: the Dutch Joint SIGINT Cyber Unit (JSCU) is born (blog)

EOF

UPDATE 2013-10-29: added link to article on TorRAT by Tanya Shafir posted on April 22nd 2013.

On October 24th, the Dutch Public Prosecution Service announced the following:

Hackers plunder back accountsOctober 24, 2013 – Public Prosecution Service

Hackers are suspected of looting bank accounts and making hundreds of fraudulent transfers by installing malicious software on the computers of Dutch bank account holders.

On Monday, the police arrested four men from Alkmaar, Haarlem, Woubrugge and Roden on suspicions of involvement in large-scale digital fraud and money laundering case.

Fake email messages were sent containing a link that activates the so-called banking malware, giving the hackers access to the computers of unwitting account holders. It invading `TorRAT’ manipulates the online banking by adding, modifying or deleting data. The malware adds new payments, or changes existing payment orders without the account holder being able to see it.

TorMail

To protect their criminal activities the suspects made ​​use of TorMail, a free service that allows users to anonymously send and receive messages.

The fraudulent transfers have ended up in bank accounts of moneymules. They were recruited to make their bank accounts available or to open new bank accounts and handing off their credentials. To channel the stolen money, domestic and foreign companies were created and business bank accounts were opened.

Bitcoins

Moreover, the defendants exchanged money that was supposedly criminally obtained for bitcoins, a form of electronic currency. One of the men managed itself a bitcoin exchange service where (cash) money can be converted into bitcoins. The Public Prosecution Service seized 56 bitcoins, which have been exchanged for more than 7700 euros.

The police investigation focuses on the period from spring 2012 to the present, and on more than 150 fraudulent transactions. Several banks and companies have reported cybercrime. The extent of the damage is possibly around one million euros.

The suspects are taken into custody for twee weeks by ​​the magistrate in Rotterdam.

Related:

• 2013-04-22: Twitter Malware: Spreading More Than Just Ideas (=about TorRAT malware)

EOF

UPDATE 2015-03-17: US DHS also performs PIAs and has an excellent page on what a comprises a PIA in their context and how they carry it out; including guidance and template documents.

UPDATE 2013-11-03: regarding the EU-proposed PIA, the UK Deputy Information Commissioner David Smith stated: “It might sound scary, but it should help organisations to design systems that respect individuals’ privacy and so command the confidence of customers and the wider public.” That’s exactly right!

In 2011 the Dutch government published the “I-Strategy 2012-2015” document; see Trust, Privacy & Security in Dutch Govt “I-Strategy”. The I-Strategy describes the Rutte-cabinet coalition agreement on information strategy for the period 2012-2015. One of the topics covered in the strategy is that the requirements for the content of project plans (including legislative proposals) for large IT projects (26 643, nr. 135) would be “supplemented with the demand to state whether the project involves privacy-sensitive data and linkage or data enrichment. The project plan will state, with arguments, whether a Privacy Impact Assessment or a similar instrument applies.”

As of September 1st 2013 in the Netherlands, a new rule applies to all `large’ (?) ICT proposals initiated by the national-level government entities (Ministries, etc.): ICT project proposals must now include a Privacy Impact Assessment (PIA). In June 2013, the Dutch administration proposed a PIA model (.pdf, in Dutch).

Within two years (before September 2015), it will be evaluated to what extent the PIA supports:

1. improvement of legislative quality;
2. realization of the I-Strategy.

For purposes of international comparison, discussion, etc., I hereby provide an English translation of the entire PIA model drafted by the Dutch government. For clarity of exposition I do not include the original Dutch text in-line.

Please send corrections / suggestions for improvement to @mrkoot (Twitter) or to koot at cyberwar dot nl (e-mail).

On July 9th 2013, the Dutch Senate responded (.pdf, in Dutch) to the proposed PIA model and points out that improvements are needed. First, here’s my translation of the Senate’s response:

The members of the Senate Committee for Security and Justice (V&J) received the letter dated June 22nd 2013 on the proposed model for Privacy Impact Assessments (PIA). This template is an elaboration on and implementation of the coalition agreement, the motion of Senator Franken et al. (EK 31051, D), the commitment to further development of a PIA (T01516) and the measures announced in the I-Strategy 2012-2015 to strengthen the attention to privacy in large ICT projects. The members of the committee have a few questions.

These members note that the proposed PIA model only covers the risk-identification part of a PIA is addressed. This is a good and appropriate step, but a full PIA must also covers the next stage. The proposed European privacy regulation [0] assumes a full PIA. Can the government explain how they see the relationship of the proposed Dutch PIA model with the PIA of Article 33 of the proposed European privacy regulation? The third paragraph of the proposed Article 33 requires that the PIA also includes an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to reduce the risks and ensure security, and mechanisms that ensure the protection of personal data and that proof compliance with this European regulation. These requirements are not automatically covered in the PIA model proposed by the Dutch government. These members would like to receive a response from the government on this point.

The proposed model is based primarily on the Dutch Data Protection Act (DPA) anyhow and new elements of the proposed European privacy regulation are not included, such as the requirement to apply principles of “privacy by design” and “privacy by default”. Although the text of the proposed European privacy regulation is not yet final, the expectation is justified that such mandatory application of these principles will also be included in the final text. Why has the government not been able to include such obligations in the PIA, and is the government willing to do so now?

Furthermore, the committee members questioned whether the government sufficiently considered the consequences of answering the questions in the PIA model. It is by no means in all cases clear what impact a particular answer has. For example, the first question of part II.1 reads: “Did you establish the specific purpose(s) for the intended processing of personal data?” This is an important question. However, the meaning of a “no”-answer is left open and no consequences are attached. Does this then mean that a risk is only identified? What are the consequences? The key questions seem to be designed to apply the current Dutch DPA, rather than to the examination of privacy risks of those whose personal data is processed. What is the government’s perspective on this? Is the government willing to make a next revision of the proposed model more in agreement with the intended purpose of a PIA, as well as with the requirements in the expected European privacy regulation?

The members of the committee are looking forward to your answers to these questions within four weeks. An identical letter was sent to the Secretary of Housing.

[0] 2012-01-25, European Commission, COM(2012)11 final, E120003, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (.pdf, in English)

The government did not yet respond to the letter, except for stating (.pdf, in Dutch) that it would not be able to respond with four weeks to due summer recess.

I will update this post when the government has responded to the Senate’s questions.

Finally, here is my translation of the proposed Dutch official PIA model to which the Senate’s criticism still applies. Hyperlinks and parts in [] are mine. (Note: Google Translate was remarkably accurate in translation of some paragraphs.)

WARNING: this is an unofficial translation.

Dutch national govt Privacy Impact Assessment (PIA) model

[FIRST DRAFT; JUNE 2013]

A. Introduction

1. What is a PIA?

1. A Privacy Impact Assessment (PIA) is a tool for identifying, in a structured and clear way, privacy risks in policy development, and the associated legislation or construction of ICT systems and construction of databases. The PIA model is specifically aimed at the [Dutch] national government and intended to be used in all areas of policy and in all areas of law.

2. The PIA is in the form of a test model / questionnaire. It includes both factual and technical questions and questions that are based on national and European legal requirements. It is aimed at establishing, at an early stage, attention to all parts of the intended processing of personal attention that require attention and elaboration.

3. A PIA is not voluntary survey. In particular, the questionnaire content is intended to be both direction-giving and corrective. In addition, the answering process as such should stimulate awareness of the various privacy issues that need to be considered when developing legislation and policy, and the development of ICT systems and databases in that context.

4. A PIA is direction-giving in the sense that the (exhaustive) series of questions may indicate relevant privacy risks that (perhaps yet) have not been identified in the early stages of policy or system development. If that is the case, the relevant question must be understood as a necessity to take these aspects into consideration.

5. A PIA is also corrective. By the order of the questions it will often be necessary to reconsider provisional answers to previous questions and consider an alternative (less privacy-invasing) solution. It will frequently happen that the considerations and decisions made at an earlier stage of policy or system development cannot be substantiated well enough on closer inspection due to the associated privacy risks.

6. Because of the direction-giving and corrective character of a PIA, filling in the questionnaire will often a dynamic process, where draft (policy) solutions or concept-functional system designs are gradually tightened.

7. A PIA should be used in addition to, and in coordination with, other tools for development of legislation and policy, and associated construction of ICT systems and construction of databases. Hence, a PIA does not replace these existing instruments, and is not intended to overlap with those.

8. If the PIA is performed in the context of developing policies that will result in legislation, the `Guidelines for alignment with Dutch DPA’, included in the IAK, must be used.

9. If the PIA is performed in the context of developing policy that (also) provision the construction of data files or the construction of ICT systems, attention should also be given to the control measures described in the `handbook portfolio for Dutch govt projects with a large ICT component’.

10. Answering the PIA questionnaire results in a written document.

2. When is the processing of personal data by the Dutch national govt, including independent administrative bodies [=Dutch “ZBO’s”], necessary? (and is a PIA relevant at all)?

1. Use of personal data, including use by the government, is in many cases a limitation of the fundamental right to protection of privacy (Article 10, paragraphs 2 and 3 Constitution, Article 8 of the ECHR, Article 8 EU Charter of Fundamental Rights).

2. Once this comes into consideration in the context of development of policy and legislation, and the associated construction of ICT systems and construction of databases, it must first be determined whether processing of personal data is necessary for the intended goal. This concerns both subsidiarity and proportionality.

3. With regard to the subsidiarity, the (pre-)question is: is it only through processing of personal data possible to achieve the desired policy outcome? Are there any practical or effective technical alternatives that do not intervene in privacy? (This may, for example, include considering not handling personally identifiable information for aspects of the proposal that only capture general trends or patterns.) If alternatives to processing of personal data with the same policy results are available, those should be chosen.

4. For the development of policy and legislation, the answering of the questions of subsidiarity of personal data processing can be done using the `Guidelines for alignment with Dutch DPA’, included in the IAK, on alignment with (international) (classical) fundamental rights.

5. If the (preliminary) finding is that alternatives to processing of personal data do not exist, it is important to use the PIA model. Thus, all questions related to proportionality of the processing of personal data are clearly mapped and solutions can be formulated that do not go beyond what is necessary to achieve the desired outcome. These may include, for example, differentiating measures (is the processing of same data needed for all aspects of the policy proposal?), or allowing the possibility of an “opt-out” to those involved in certain specific circumstances.

6. A PIA must thus be used as early as possible in the process of developing policy that provisions processing of personal data, whether or not accompanied by legislation or construction of ICT systems.

3. How should a PIA be used?

1. Policy initiatives and legislative initiatives within the national government to process personal data have many forms. On the one hand, it may be an entirely new database or system in which a new set of data for a new purpose will be processed. On the other hand, it may involve adding a new type of personal data to be processed in an existing IT system, or linking several existing databases or systems to achieve a new purpose. It may also involve new forms of distribution, exchange, disclosure and (multiple) use of data.

2. The PIA questionnaire was prepared for the entire spectrum of new forms of data processing. The privacy risks to be identified using the PIA questionnaire will however greatly depend on the nature of the policy or bill or proposed IT system or database. It will therefore differ from case to case which of the PIA questions must be answered.

3. It is not necessary to complete the full questionnaire when the following is involved:
– Expansion of the database within an existing IT system (it suffices to answer the questions in Sections I and IV)
– Using an existing database or ICT system for additional or new goals (it may suffice to answer the questions in section II and IV)
– Linking various existing databases or ICT systems for existing or additional or new  new purposes (sufficient answering the questions in sections II-V)
It goes without saying that in the performance of such a “PIA-light”, it is sensible to refer to any previous pieces (previous PIAs, other impact assessments, explanations).

4. In all other cases, given the relationship between the aforementioned questions, and the direction-giving and corrective nature of the PIA, the entire questionnaire should be completed.

5. The final answers to the PIA questions will have to serve as the basis and source for technical, policy-related and legal justification of choices (see further below at 5).

4. Who? Implementation and coordination

1. The PIA questionnaire must be completed by the staff members or legal drafter of the Minister who, or independent administrative body [=Dutch “ZBO’s”] that is or will be “responsible” for the processing of personal data within the meaning of the Dutch DPA.

2. “Responsibility” exists, in terms of the DPA, if this department of the national government is the entity that determines the purposes and means of the processing of personal data.

3. A PIA does not have to be performed by policy makers and legal drafters of the Ministry or the part of the national government that only acts as “processor” within the meaning of the DPA, i.e., if only at request of a responsible party. In case of uncertainty, please contact the legal department of your Ministry.

4. The Data Protection Officer (DPO) within your department is responsible for the independent supervision of implementation and compliance with the DPA. You can contact the DPO for advice when answering the questionnaire or on the results of the answer. The DPO can identify issues and help identify risks.

5. If your policy or legislative proposal relates to the construction of an ICT system or the creation of a data file, please also contact your departmental Chief Information Officer (CIO) at an early stage. The CIO gives an opinion at the start of a project or interim change, as stated in I-Strategy. Part of this is the examination of whether the project plan states whether the project includes the collection of privacy sensitive data or linking or enriching of data, and whether it is argued whether a PIA is required.

5. Use and accountability of PIA results

1. A seriously performed PIA will have worked direction-giving and corrective. Plans are focused and developed. This means that in the preparation of legislation, policies and government ICT systems, privacy aspects as such have become part of the deliberation process. Considering that adjustments based on decisions in the PIA process will already be included in the final answer to the PIA questions, only the final answers are used in the further development of policies and systems.

2. The considerations and choices reflected in the final answers will vary by legislative or policy proposal or IT system. To account for the final use of personal data, ??previous policy choices and solutions in other contexts will have to be referenced. In addition, new aspects or elements that deviate from the choices (e.g., more data than before, a different system than before, etc.), will require further consideration.

3. Results of a PIA should be sent to the involved DPO and the CIO. Depending on the context in which the PIA is performed, the results are processed in different ways.

4. Where policies are involved that provision the construction of ICT systems or the construction of databases, the DPO on this basis can provide advice in determining the necessary measures and safeguards to be set out in policies, instructions, manuals and procedures. In addition, the CIOs can use the results for advising on information security and system design. Also, the PIA results provide input for any notice of the proposed processing to the Dutch Data Protection Authority [=CBP] or the DPO, which are made ??public according to the relevant rules.

5 . In legislation, a passage is included about PIA results in the Explanatory Memoranda. It can be a summary of the main considerations and choices. This passage can be added to the already required considerations of the constitutional framework and the review of the Data Protection Act (see above, under A) . Although a fully standardized accountability section can therefore not be given, a model-element of the Explanatory Memoranda can be:
“Given the nature of this proposal, a Privacy Impact Assessment is carried out at the stage of policy development (see also Kamerstuk I 2010/11, 31051, No. D , motion-Franken) . Using this, the necessity of data processing is reviewed, and the implications of the measure(s) are identified in a structured manner. In particular, attention is given to the principles of data minimization and purpose limitation, the requirement of a good security, and to the rights of those involved. <Description of specific aspects and the judgments made in this case>”

B. Questionnaire

Processing of personal data has a strong legal framework. On the other hand, the text of the DPA is often experienced to be abstract and inscrutable. In this light, the questionnaire below contains both practical questions and questions of legal nature. The practical questions are meant to map the entire trajectory of data processing, and the agencies involve. When it comes to legal questions, the wording of the questions is crucial. In that case, it is attempted insofar as possible to explain this, and to add examples. If uncertainty exists about the content of the question, it is sensible to contact the DPO at your Ministry or the legal department.

I. Basic information: type of personal data, type of processing and necessity / data minimization

1. Do you, as responsible party, intend to use personal data for provisioned data processing? If so, what type of personal data?

Notes: Definition of `personal data’: any information relating to an identified or identifiable person (Art. 1 of Dutch DPA) .
Definition of `particular (sensitive) personal data’: data on religion or belief, race, political opinions, health, sexual life, trade union membership, criminal record; Cf . definition in Art. 16 of Dutch DPA: A representative is a natural person, legal person or any other person who or the governing body that alone or jointly with others determines the purposes and means of the processing of personal data.
Note: If your organization only acts as a processor (the one who processes data at request of the responsible party, without being subject to his direct authority), this questionnaire must be completed not by you, but by the responsible party.
Definition of `processing’: any operation or set of operations performed upon personal data, including at least the collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, interrelation, blocking, exchange or destruction of personal data.

2. Other specific personal data?
2a. Will data be processed about the financial or economical situation of those whose data is processed, or other data that might lead to stigmatization or exclusion?

Notes: this includes, for example, data about  (problematic) debts, gambling addiction, school performance, or problems at work or in a relationship.

2b. Will data be processed about vulnerable groups or persons?

Notes: this includes, for example, minors, mentally disabled, people who are dealing with stalking, whistleblowers or informants for police and prosecution.

2c. Will usernames, passwords and other credentials be processed?

Explanation: The possible consequences for those involved depend on the processing of personal data and where the credentials grant access to. It should be taken into account that many people reuse passwords for different purposes.

2d. Will uniquely identifying information be processed, such as biometric data?

Explanation: This type of data is not formally classified as `sensitive data’ in the EU Data Protection Directive 95/46 or in the Dutch DPA, but has become to be treated as such in the national and European legal and practical context. Pending European proposals for adjustment of data protection regulations continue this trend by categorizing the processing of biometric data as a specific risk.

2e. Will the SSN [=”BSN” in Dutch] or another personal number be processed?

Explanation: The Dutch DPA (Art. 24) provides that a law-prescribed number for identification of a person in the course of data processing is only processed for the purpose of implementing the law or the purposes determined by law. If necessary, refer the `Decree on use of SSN and Dutch DPA’ of 15 August 2001.

3. For each of the types of personal data specified in answer to question I.1 and I.2, can it be substantiated that its processing is technically or by policy directly relevant and indispensable for achieving the intended outcome of the policy? What exactly would not be clear if deciding not to process certain information? Explain for each type of personal data.

Explanation: The Dutch DPA provides the so-called `principle of data minimization’. Personal data may only be processed if a necessity exists (Art. 8). Art. 11, paragraph 1 also provides that personal data may only be processed if it is, given the purposes for which they were collected or subsequently processed, adequate, relevant and not excessive (relevance requirement). It is also important that the processing of sensitive personal data is, in principle, prohibited (Art. 16-23), and only permitted under strict(er) conditions.

4. When it comes to sensitive personal data, can the same policy effect or technical result be achieved in one of the following ways: (a) through (combined) use of normal data, (b) by using anonymous or pseudonymous data?

Notes: Anonymization means removal of all direct and unique identifying data. Pseudonymization means systematic replacement of directly identifying personal data, for instance by a code that permits certain authorized parties to still add data, but that does not allow identification of a person. This can e.g. be done by processing data through a specific algorithm directly after collection, where analysis and comparison remains possible but the source of the data themselves cannot, in principle, be traced.

5 . In what broader legal, policy and technical framework is the policy / database / information system to be developed and what kind(s) of  processing of personal data is going to be part of the planned trajectory? Are ?(new) technology or information systems used?

Notes: Enumerate all processing of personal data, and responsibilities, and clearly display the entire trajectory, for example by means of a visualization, so that the entire trajectory of data processing is transparent.

II. Purpose limitation, linkage, quality and profiling

Purpose limitation and linkage

1. Did you decide, in detail, on the specific purpose(s) for which you intend to process personal data? Is it one and the same specific purpose?

Explanation: The Dutch DPA (Art. 7) provides that personal data may only be collected for specific, explicit and legitimate purposes. For example, it can be indicated in legislation that personal data are processed for the limited purpose of combating illegal immigration. The processing must be justified based on grounds of the DPA (Art.). If multiple objectives are pursued by the collection of personal data, then those must all be made explicit, and for each objective it must be substantiated why the (entire) set of data is necessary to reach it.

2. Does the project/system involve the use of new data for an existing objective, or existing objectives within existing systems? (scenario of addition of new data).

Explanation: The Dutch DPA provides the so-called `principle of data minimization’. Art. 11, paragraph 1 provides that personal data may be processed only insofar they are, given the purposes for which they were collected or subsequently processed, adequate, relevant and not excessive. This means that if the data to be processed in an existing system is expanded, justification must exist for each of the new personal data to be processed. For a review of the data to be added, also see questions I.1-4 above.

3. Does the project/system involve the pursuit of new/additional objectives by using, comparing, sharing, linking or otherwise further process existing personal data, or collections thereof? (scenario of addition of purposes) . If so, do all persons/agencies/systems involved in processing have the same objective with processing of the personal data, or may tension exist, considering their position or interest? Do the same objectives apply to the entire trajectory?

Explanation: The Dutch DPA (Art. 9 , paragraph 1) states that data may not be processed (e.g. in the form of linkage or comparison with other data, or adding other data to achieve a specified goal) in a manner that is incompatible with the objective(s) for which they were obtained initially. Walk through the entire planned trajectory of the personal data, and state for each part whether an objective exists other than the objective for which the data was collected.

4. If you have answered positively to questions II.2 and II.3, how is such intended use (i.e., addition of new personal data to existing systems or use of existing personal data for new purposes) reported to: (a) the DPO, or (b) the Dutch Data Protection Authority [=”CBP” in Dutch] if there is no DPO?

Explanation: The Dutch DPA (Art. 62) provides the possibility to appoint a DPO. This officer supervises the processing of personal data. The supervision by that official extends to the processing of personal data by the controller who appointed him. The officer may make recommendations to the responsible party for better protection of the processed data. According to Art. 27, paragraph 3, planned processing of data shall be reported to the DPO. If no DPO exists, this should be reported to the CBP.

5. If you have answered positively to questions II.2 and II.3, what (further) controls are foreseen on such use (i.e., use of new data in existing systems or use of existing personal data for new purposes)?

Notes: see notes to questions II.2 and II.3. An example could be the planning an internal review, or an external evaluation.

Quality

6. Which periodic and occasional checks are provided for examining the correctness, accuracy and timeliness of the data processing foreseen in the policy proposal, the bill, or IT system?

Explanation: The Dutch DPA (Art. 11, paragraph 2) states that measures should be taken to ensure that personal data are correct and accurate, given the purposes for which data were collected or further processed.

Profilering

7. Will the collected/processed data be used to identify and/or asses and/or predict the behavior, presence or performance of people? Are the subjects whose data is processed aware of this? Do the data originate from different (possibly external) sources, and were they originally collected for other purposes?

8. Does this analysis/assessment/prediction involve the use of technically automated comparison of personal data (i.e., is it not performed by humans)? If so, what procedure is in place to ensure that concrete action is only taken after the intervention and (second) control of (human) staff?

Explanation: The Dutch DPA (Art. 42, paragraph 1 ) states that no one may be subjected to a decision that carries legal consequences if that decision is taken solely on the basis of the automated processing of data intended to evaluate certain aspects of his/her personality.

III. Relevant authorities/systems and responsibility

1. What internal and external body/bodies and/or systems is/are involved in the data processing foreseen in each of the various phases identified under I.5? Which providers are there, and which recipients? What files or partial files, and which infrastructures?

2. Is it clear, at every stage, who is responsible for the processing of the personal data? If yes, is this person or organization adequately prepared and equipped to respect the necessary provisions and measures, including resources, policies, responsibilities, procedures and internal control?

Explanation: The Dutch DPA (Art. 1d) appoints as responsible party the natural or legal person or any other person or the governing body which alone or jointly with others determines the purposes and means of the processing of personal data.

3. Who exactly within your organization, and each of the other organizations involved, get access to the personal data? Is it possible that use of the data could result in the data becoming accessible to unauthorized parties?

4. Does a restriction apply to one or more of the authorities involved on the ability to process data due to confidentiality obligations (related to function/law)?

Explanation: The Dutch DPA (Art. 9, paragraph 4) states that the processing of personal data is omitted insofar as a duty of confidentiality by virtue of office, profession or legal provision is in the way. Such a duty of confidentiality may for instance apply to physicians and (youth) aid workers.

5 . Are all stages of processing, meaning the data types and exchanges, mapped or possible to be mapped, such that to those whose data is processed it is clear who, why and how personal data are processed?

Explanation: The characteristics of the processing should always be available as a condition for being “in control” as a responsible party, in particular with regard to the notification and information obligations of those whose data is processed (Art. 27, first paragraph, and Art. 30, paragraph 3 of Dutch DPA).

6. Are policies and procedures foreseen that provide for the creation and maintenance of a collection of the personal data that you want to use? If so, how often and by whom will the processing be monitored? Does the processing include a collection that is performed on your behalf (e.g. by a subcontractor)?

7. Is there a transfer of personal data to a (government) agency outside the EU/EEA involved? Does this country have an adequate level of data protection as decided by the European Commission or the Dutch Minister of Security and Justice? Are all or is a part of the data transfered?

Explanation: The Dutch DPA (Art. 76) provides that personal data may be transferred only to a country outside the EU/EEA if that country ensures an adequate level of data protection. As for the U.S., the European Commission states that organizations that have obliged themselves to comply with the so-called `safe harbor’ principles are also supposed to guarantee adequate protection. A complete list of Commission’s decisions on the adequacy of protection in other third countries (such as Israel, Argentina and Australia) can be found at the following website: http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm

IV. Security and retention/destruction

Security

1. Is the policy on data security in your organization in order? If so, who/which department(s) is/are responsible for making, implementing and enforcing of that policy? Is this policy specifically focused on data protection and data security?

Explanation: The Dutch DPA (Art. 13) requires that organizational and technical measures are taken to protect against any form of unlawful processing of personal data.

2. If (a part of) the processing takes place at a processing party, how you will ensure the data security, and supervision thereof, at that processing party?

Explanation: The Dutch DPA (Art. 14, paragraph 1) requires the responsible party to ensure that a processing party, if it takes upon itself (a part of) the processing, takes sufficient technical and organizational measures. In accordance with paragraph 2, a processing contract must be drawn up. Based on the DPA, compliance with the measured must the supervised (Art. 14, paragraph 1) .

3. What technical and organizational security measures are taken to prevent unauthorized or unlawful processing/abuse of (a) data that exists in an automated format (e.g., password protection, encryption) and (b) data that are recorded manually (e.g. putting locks on cabinets)? Does a higher level of protection exist for protection of sensitive data?

Explanation: To determine the appropriate level of risk, see the “Guidelines for Security of Personal Data”, 2013, at: http://www.cbpweb.nl/Pages/pb_20130219_richtsnoeren-beveiliging-persoonsgegevens.aspx

4. What procedures exist in the event of breaches of security regulations, and to detect such breaches? Does an emergency plan exist to deal with an unforeseen event in which personal data are lost, or exposed to unlawful processing?

Retention/destruction

5. How long will the data be stored? Does the same retention period apply for each of the types of personal data collected? Is the project subject to any statutory/sectoral requirements regarding retention?

Explanation: The Dutch DPA (Art. 10, paragraph 1) states that personal data are not kept in a form which permits identification than is necessary to achieve the purposes for which the personal data are collected and processed.

6. Which policy-related and technical reasons require this storage period?

7. What measures are planned to destroy the data after the retention period expires? Are all personal data, including log data, destroyed? Is the destruction supervised, and by whom?

V. Transparency and rights of data subjects

Transparency

1. Is the purpose of the data processing known to those whose data is processed, or can it be made known? What is the procedure for informing the subjects, if needed, about the purpose of the processing of their personal data?

Explanation: The obligation of transparency provided here is distinct from (and is in addition to) the legal knowability requirement (reporting on the purpose of a data in legislation itself). The purpose of this transparency obligation is to inform subjects about the processing at a place/time related to the (proposed) processing. For example, does the form include information about the purposes of the data collection? Or are roadside signs provided that announce video surveillance?

2. If you obtain the data directly from the data subject, how do you inform them about your identity and the purpose of the processing prior the processing it?

Explanation: The Dutch DPA (Art. 33) lays down specific rules for this type of notification to subjects. The transparency obligation referred to here is distinct from (and is in addition to) the legal knowability requirement (reporting on the purpose of a data in legislation itself). The purpose of this transparency obligation is to inform subjects, whether or not at their request, at a place/time related to the (proposed) processing.

3. If you obtain the personal data via another (government) organization, how will the data subjects be notified about your identity and the purpose of the processing at the time of processing?

Explanation: The Dutch DPA (Art. 34) lays down rules for notification of subjects. The transparency obligation referred to here is distinct from (and is in addition to) the legal knowability requirement (reporting on the purpose of a data in legislation itself). The purpose of this transparency obligation is to inform subjects, whether or not at their request, at a place/time related to the (proposed) processing.

Rights of data subjects

4. If you ask the subject’s consent for processing personal data (opt-in), can the person revoke his/her consent at a later time (opt-out)? In case the subjects refuses or revokes consent, what is the implication for that person?

Explanation: In accordance with the Dutch DPA (Art. 8, paragraph 1 ), unambiguous consent of the data subject is one of the possible justifications for processing personal data. Such consent must be specific, informed, and given freely.

5 . What procedure exists for the data subjects to ask the responsible party to inform them whether their personal data is processed?
How are third parties, who may have objections to providing that information, given the opportunity to give their view on this?

Explanation: The Dutch DPA (Art. 35, paragraphs 1 and 2) provides the data subject the right to freely, and with reasonable intervals, ask the responsible party to state whether their personal data are processed. The responsible party must inform the subject within four weeks. Article 35, paragraph 3 states that third parties who may have objections to such a notice, must be allowed to give their views in advance  unless this would require a disproportionate effort.

6. How can a request from a data subject for correction, addition, deletion or blocking of personal data be treated?

Explanation: The Dutch DPA (Art. 36) provides a right of correction or blocking, and also a right to object to processing in connection with special personal circumstances (Art. 40).

EOF

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-11-07: Automatisering Gids reports (in Dutch) that AMS-IX evades the PATRIOT Act in its expansion to the U.S.:

“AMS-IX has found a legal structure to operate in the U.S. without having to deal with the PATRIOT Act in the Netherlands.

AMS-IX is setting up a fully independent company in Delaware which will manage the exchange nodes in the United States. This also means that employees and directors cannot be exchanged between the two organizations. The U.S. company is a subsidiary of AMS-IX BV, that acts as the sole shareholder. The U.S.-based entity will be granted access to the necessary intellectual property through licensing.

This structure is devised with the international law firm Jones Day and aims to protect the Dutch AMS-IX BV and the AMS-IX Association against U.S. laws such as the USA PATRIOT Act.

Earlier the plans of AMS-IX for expansion into the United States were opposed because of the possible interference of the U.S. justice and security services in the Dutch establishment of AMS-IX.

AMS-IX takes into account a possible extension of the PATRIOT Act that would allow the construction to still become subject to U.S. jurisdiction. In that case, an independent Dutch foundation can be set up within a week to further separate the activities. AMS-IX chooses the current structure because the benefits from economy of scale.”

This is the provisional end of the story.

UPDATE 2013-11-06: AMS-IX USA Inc. to Deploy an Open-IX Internet Exchange in New York  

On October 15th, the Dutch cabinet responded (.pdf, in Dutch) to Parliamentary questions concerning planned AMS-IX expansion to U.S. in the light of U.S. spying. The response is only available in Dutch; here is my English translation. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Answers to Parliamentary questions by Members of Parliament Van Raak (SP party) and Oosenbrug (PvdA party)Questions by Van Raak (SP party) to the Secretary of the Interior and Kingdom Relations concerning the danger of the Amsterdam internet exchange AMS-IX being required to hand over data to the U.S. National Security Agency (NSA) (submitted September 24th 2013).
Original Dutch: “Vragen van het lid Van Raak (SP) aan de minister van Binnenlandse Zaken en Koninkrijksrelaties over het gevaar dat het Amsterdamse internetknooppunt AMS-IX gegevens moet afstaan aan de Amerikaanse National Security Agency (NSA) (ingezonden 24 september 2013)”

Do you remember your remark that the Amsterdam Information [sic] Exchange (AMS-IX) is `the most important internet-exchange of the Netherlands and the second-biggest exchange in the world’?Yes
Original Dutch: “1 Herinnert u zich nog uw opmerking dat de Amsterdam Information Exchange (AMS-IX) ‘het belangrijkste internet-knooppunt van Nederland en het op één na grootste ter wereld’ is? [0]
Ja.”

Is it true that AMS-IX is considering expanding its activities to the U.S.?
That is known from media reports. Meanwhile it has become clear that on September 27th, the majority of members of the AMS-IX association voted in favor of the establishment of a legal entity in the U.S., during an extraordinary general meeting. The Board of Directors of the AMS-IX association will further examine the formation of a legal entity in the U.S.
Original Dutch: “2 Klopt het dat deze AMS-IX overweegt haar activiteiten uit te breiden naar de Verenigde Staten?
Dit is bekend uit de mediaberichten. Inmiddels is ook bekend dat op 27 september jongstleden in een buitengewone algemene ledenvergadering van de vereniging AMS-IX een meerderheid van de leden voor de opzet van een juridische entiteit in de VS heeft gestemd. De Raad van Bestuur van de vereniging AMS-IX zal de formatie van een juridische entiteit in de VS verder onderzoeken.”

Do you share our concern that the AMS-IX, by expanding to the U.S., risks becoming subject to U.S. legislation and can be forced to hand over information to the NSA?
If a company conducts activities on U.S. territory, these activities are subject to U.S. legislation, such as the Patriot Act and the Foreign Intelligence and Surveillance Act. Under this U.S. legislation, the provider can be forced, if mandated so by a U.S. court, to comply with requests of the U.S. authorities. The scope of the U.S. legislation and the possible violations of privacy are discussed in the joint EU-US expert group that was established following the revelations by Mr. Snowden. This group discusses the protection of privacy and electronic data of citizens, with the aim of understanding each other’s programs and how they are anchored in the rule of law.
The operating company of AMS-IX, AMS-IX B.V., has reported on its website that it explores the legal possibilities and the risks of expansion to the U.S. AMS-IX B.V. has sought legal advice from various parties on the applicability of U.S. law.
Original Dutch: “3 Deelt u de vrees dat de AMS-IX door deze uitbreiding de kans loopt onder de Amerikaanse wetgeving te vallen en gedwongen kan worden informatie af te staan aan de NSA?
Indien een bedrijf activiteiten op het grondgebied van de VS uitvoert, dan vallen deze activiteiten onder de Amerikaanse wetgeving, waaronder de Patriot Act en de Foreign Intelligence and Surveillance Act. Op basis van deze Amerikaanse wetgeving kan de aanbieder, na tussenkomst van een Amerikaanse rechter, verplicht worden mee te werken aan verzoeken van de Amerikaanse autoriteiten. De reikwijdte van de Amerikaanse wetgeving en de mogelijke schendingen van de persoonlijke levenssfeer zijn onderwerp van gesprek van de gezamenlijke EU-VS-expertgroep, die naar aanleiding van de onthullingen van de heer Snowden is ingesteld. Deze groep bespreekt de bescherming van de persoonlijke levenssfeer en elektronische gegevens van burgers, met als doel inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat.
De werkmaatschappij van AMS-IX, AMS-IX BV, heeft op haar website gemeld de juridische mogelijkheden en de risico’s van de uitbreiding naar de VS te verkennen. AMS-IX B.V. heeft bij diverse partijen juridisch advies ingewonnen over de toepasselijkheid van de Amerikaanse wetgeving.”

Are you willing to request advice on this from the Dutch National Cyber Security Center (NCSC)?
No. The NCSC is the knowledge and expertise center on cyber security, implemented the so-called computer emergency response task, and is responsible for crisis coordination in the event of a cyber crisis. Advising on the expansion of a Dutch legal entity to the U.S. is not a task of the NCSC.
Original Dutch: “4 Bent u bereid het Nationaal Cyber Security Centrum advies te vragen over deze kwestie?
Nee. Het Nationaal Cyber Security Centrum is het kennis- en expertisecentrum op het gebied van cyber security, geeft invulling aan de zogeheten computer emergency response-taak en is verantwoordelijk voor de crisiscoördinatie in het geval van een cybercrisis. Adviseren over de uitbreiding van een Nederlandse rechtspersoon in de VS behoort niet tot de taken van het Nationaal Cyber Security Centrum.”

Can you ensure that the AMS-IX will not conduct activities in the U.S. before the Parliament has full certainty that the data of Dutch citizens are safe at all times?
No. Dutch companies are free to expand abroad. Dutch companies that conduct activities in the U.S., must be aware that in the case of seizing or provisioning of data, the requirements of the Dutch Data Protection Act (DPA) must be met regarding the provision of data to third countries that lack adequate data protection. Under the DPA, the responsibility for assessing the circumstances in which data can be passes to such countries firstly lies on the company that is responsible for the data processing (Article 76 DPA).
Original Dutch: “5 Kunt u verzekeren dat de AMS-IX geen activiteiten in de Verenigde Staten gaat ontplooien voordat de Kamer volledige zekerheid heeft dat gegevens van Nederlandse burgers te allen tijde veilig zijn?
Nee. Het staat Nederlandse bedrijven vrij om zich in het buitenland te vestigen. Nederlandse bedrijven die ook in de Verenigde Staten actief zijn, dienen er op bedacht te zijn dat in het geval van vordering van gegevens of doorgifte van gegevens, de verstrekking daarvan dient te voldoen aan de eisen die de Nederlandse Wet bescherming persoonsgegevens (Wbp) stelt aan de verstrekking van gegevens aan derde landen waar naar Europees recht geen passend niveau van gegevensbescherming bestaat. De Wbp legt de verantwoordelijkheid voor het beoordelen van de omstandigheden waaronder gegevens naar een derde land kunnen worden doorgegeven in de eerste plaats bij het bedrijf dat voor de verwerking verantwoordelijk is (art. 76 Wbp).”

[0] Aanhangsel Handelingen, vergaderjaar 2012-2013, nr. 2649

Questions by Van Raak (SP party) to the secretaries of Economic Affairs, and Security and Justice concerning the possible expansion of the AMS-IX to the U.S. (submitted September 30th 2013)
Original Dutch: “Vragen van het lid Oosenbrug (PvdA) aan de ministers van Economische Zaken en van Veiligheid en Justitie over een mogelijke uitbreiding van de AMS-IX naar de Verenigde Staten (ingezonden 30 september 2013)”

Are you aware of the intention of the AMS-IX to set up shop in the U.S.?
Yes.
Original Dutch: “1 Heeft u kennisgenomen van het voornemen van de Amsterdam Internet Exchange (AMS-IX) om een filiaal in de Verenigde Staten te openen? [2]
Ja.”

Can you give us insight in the risks of expansion the the U.S. for the protection of data exchanged over the AMS-IX? How can the U.S. government use its Patriot Act and FISA in this?
[Same answer given to first question by Van Raak. See above.]
Original Dutch: “2 Kunt u inzicht geven in de risico’s van uitbreiding naar de Verenigde Staten voor de bescherming van gegevens die over de AMS-IX uitgewisseld worden? Op welke wijze kan de Amerikaanse overheid haar Patriot en FISA wetgeving hierbij gebruiken?
Indien een bedrijf activiteiten op het grondgebied van de VS uitvoert, dan vallen deze activiteiten onder de Amerikaanse wetgeving, waaronder de Patriot Act en de Foreign Intelligence and Surveillance Act. Op basis van deze Amerikaanse wetgeving kan de aanbieder, na tussenkomst van een Amerikaanse rechter, verplicht worden mee te werken aan verzoeken van de Amerikaanse autoriteiten. De reikwijdte van de Amerikaanse wetgeving en de mogelijke schendingen van de persoonlijke levenssfeer zijn onderwerp van gesprek van de gezamenlijke EU-VS-expertgroep, die naar aanleiding van de onthullingen van de heer Snowden is ingesteld. Deze groep bespreekt de bescherming van de persoonlijke levenssfeer en elektronische gegevens van burgers, met als doel inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat.
De werkmaatschappij van AMS-IX, AMS-IX BV, heeft op haar website gemeld de juridische mogelijkheden en de risico’s van de uitbreiding naar de VS te verkennen. AMS-IX B.V. heeft bij diverse partijen juridisch advies ingewonnen over de toepasselijkheid van de Amerikaanse wetgeving.”

Do you see a difference between the protection of personal data in the U.S. concerning U.S. citizens and others? If so, do you see it as a reason to restrict the full provisioning of data to U.S. authorities?
Yes. The U.S. Constition, particularly the Fourth Amendment, only applies to U.S. citizens. The Fourth Amendment requires judicial review in order to permit search and seizure.

Under Article 76 of the Dutch DPA,personal data may only be transferred to countries outside the EU that provide a so-called adequate level of protection. In other cases, transmission is only possible under a legal exception or a license from the Dutch Ministry of Security and Justice. Dutch companies operating in the U.S. must be aware that in the case of seizing or provisioning of data, the requirements of the Dutch Data Protection Act (DPA) must be met regarding the provision of data to third countries that lack adequate data protection. Under the DPA, the responsibility for assessing the circumstances in which data can be passes to such countries firstly lies on the company that is responsible for the data processing (Article 76 DPA).
Original Dutch: “3 Ziet u ook een verschil in bescherming van persoonsgegevens in Amerika, tussen de gegevens van Amerikaanse ingezetenen en anderen? Zo ja, ziet u daarin reden om het volledig ter beschikking stellen van gegevens aan de Amerikaanse overheden te beperken?
Ja. De Amerikaanse grondwet, in het bijzonder het Vierde Amendement, is alleen van toepassing op Amerikaanse burgers. Het Vierde Amendement vereist een rechterlijke toets bij bevelen tot doorzoeking en inbeslagneming.
Op grond van artikel 76 van de Nederlandse Wet bescherming persoonsgegevens mogen persoonsgegevens alleen worden doorgegeven aan landen buiten de EU die een zogeheten passend beschermingsniveau bieden. In de overige gevallen is doorgifte alleen mogelijk op grond van een wettelijke uitzondering of een vergunning van de Minister van Veiligheid en Justitie. Nederlandse bedrijven die ook in de Verenigde Staten actief zijn, dienen er op bedacht te zijn dat in het geval van vordering van gegevens of doorgifte van gegevens, de verstrekking daarvan dient te voldoen aan de eisen die de Nederlandse Wet bescherming persoonsgegevens (Wbp) stelt aan de verstrekking van gegevens aan derde landen waar naar Europees recht geen passend niveau van gegevensbescherming bestaat. De Wbp legt de verantwoordelijkheid voor het beoordelen van de omstandigheden waaronder gegevens naar een derde land kunnen worden doorgegeven in de eerste plaats bij het bedrijf dat voor de verwerking verantwoordelijk is (art. 76 Wbp).”

To what extent do you see an increase in the risk of people being prosecuted by U.S. companies, such as information law professor Van Eijk expected?
At present, there only is consensus on the establishment of a legal in the U.S. It is not yet clear what legal form that entity will get. The Board of Directors of the AMS-IX association is doing further research into the possible structure.
Original Dutch: “4 In hoeverre ziet u een vergroting van het risico dat mensen vervolgd worden door Amerikaanse bedrijven, zoals hoogleraar informatierecht Van Eijk verwacht?
Op dit moment is er alleen sprake van instemming met de opzet van een juridische entiteit in de VS waarbij het nog niet duidelijk welke juridische vorm die entiteit zal krijgen. De Raad van Bestuur van de AMS-IX Vereniging doet nader onderzoek naar de mogelijke structuur.”

Is it true that on September 27th, members of the AMS-IX association decided on the desirability of expanding into the U.S.? If so, what is the next stage that the AMS-IX will follow in the development of the expansion to America?
Yes. AMS-IX has consulted its members on September 27th (also see the website www.ams-ix.net). A majority approved of the expansion to the U.S. AMS-IX states the following: “With the approval of our members, the Board of Directors of the AMS-IX association will further examine the formation of a legal entity in the U.S. The best possible structures for the establishment of a legal entity will be further examined and shared with our members. The structure should protect the current operational activities of the AMS-IX, and the customers and members, against commercial, legal, financial and technical risks, and most specifically interception activities by U.S. authorities.” The options for this legal entity are now being developed and the members will be informed about this by the AMS-IX.
Original Dutch: “5 Is het correct dat de leden van de AMS-IX op 27 september beslissen over de wenselijkheid van uitbreiding naar de Verenigde Staten? Zo ja, wat is het vervolgtraject dat de AMS-IX zal volgen in de ontplooiing van de uitbreiding naar Amerika?
Ja. AMS-IX heeft haar leden op 27 september geraadpleegd. (zie ook de website www.ams-ix.net) Daarbij heeft een meerderheid ingestemd met de uitbreiding naar de VS. AMS-IX meldt daarbij het volgende: “Met de goedkeuring van onze leden, zal de Raad van Bestuur van de AMS-IX vereniging de formatie van een juridische entiteit in de VS verder onderzoeken. De best mogelijke structuren voor het opzetten van deze juridische entiteit zullen worden bekeken en met onze leden worden gedeeld. De structuur dient de huidige operationele activiteiten van de AMS-IX BV en de klanten en leden van de AMS-IX vereniging te beschermen tegen commerciële, juridische, financiële en technische risico’s en meest specifiek tegen interceptie- activiteiten door de overheidsinstanties in de VS.” De opties voor deze juridische entiteit worden nu uitgewerkt en de leden worden hierover door AMS-IX nader geïnformeerd.”

Do you agree that the AMS-IX is vital infrastructure that is of national importance? How is the public interest in the AMS-IX guaranteed, and do you see reasons to reinforce this assurance?
AMS-IX is an important link in the Dutch ICT infrastructure. As the largest internet exchange in the world [sic] and more than 600 connected networks, AMS-IX contributes to a more attractive business climate for ICT companies in the Netherlands. AMS-IX is of economic importance to the Netherlands as Digital Gateway to Europe. This is recognized in the Digital Agenda [2] of the Dutch administration. AMS-IX is currently not considered to be vital infrastructure. Sufficient built-in guarantees exist concerning continuity. Currently we are working on an interdepartmental review of the vital sectors, including a review the position of AMS-IX.
Original Dutch: “6 Deelt u de mening dat de AMS-IX vitale infrastructuur vormt, die van nationaal belang is? Hoe is het publieke belang dat de AMS-IX dient op dit moment geborgd en ziet u reden om deze borging te versterken?
AMS-IX vormt een belangrijke schakel in de Nederlandse ICT-infrastructuur. Als grootste internetknooppunt (internet exchange) ter wereld met meer dan 600 aangesloten netwerken draagt AMS-IX bij aan een aantrekkelijker vestigingsklimaat van ICT-bedrijven in Nederland. AMS-IX van economisch belang voor Nederland als Digital Gateway to Europe. Dit wordt onderkend in de Digitale Agenda [1] van het kabinet. AMS-IX is op dit moment niet aangemerkt als vitale infrastructuur. Er zijn overigens voldoende waarborgen ingebouwd ten behoeve van de continuïteit. Momenteel wordt gewerkt aan een interdepartementale herijking van de vitale sectoren, waarbij ook de positie van AMS-IX wordt bezien.”

Does the AMS-IX currently conduct activities abroad, or does it have plans to do so? How are these activities legally and technically organized?
Yes. AMS-IX is a private company of which the AMS-IX association is sole shareholder. The voting rights rest with the members. These are various providers of Internet traffic [sic]. AMS-IX is involved in three internet exchanges abroad. These activities are managed directly by AMS-IX B.V., that has contracts with local partners.

1) AMS-IX Caribbean (Curacao). This internet exchange is organizationally and legally placed directly under AMS-IX B.V., which is registered in the local chamber of commerce. Parties that exchange Internet traffic at this point have a contract with AMS-IX B.V. and are not members of the AMS-IX association.

2) AMS-IX Hong Kong. This internet Exchange is a collaboration between AMS-IX B.V. and Hutchison Global Communications (HGC). AMS-IX B.V. designs, builds and manages the technical platform. HGC carries out customer relations. Customers enter into a contract with HGC and are not members of AMS-IX association. AMS-IX B.V. receives a fee per connection.

3) AMS-IX East Africa (Mombasa, Kenya) . This internet exchange is under construction. It is a collaboration between AMS-IX B.V., the Kenya Internet Exchange Point (KIXP) and the company Seacom. AMS-IX redesigns and rebuilds an existing exchange and will manage it. KIXP provides technical personnel. Seacom provides the data center and acts as a seller. Parties that connect directly to the exchange are customer of AMS-IX B.V..
Original Dutch: “7 Ontplooit de AMS-IX op dit moment al andere buitenlandse activiteiten, of zijn hier plannen voor? Op welke wijze zijn deze activiteiten juridisch en technisch georganiseerd?
Ja. AMS-IX is een besloten vennootschap waarvan de vereniging AMS-IX enig aandeelhouder is. Het stemrecht binnen de vereniging berust bij de leden. Dit zijn diverse aanbieders van internetverkeer. AMS-IX is betrokken bij drie buitenlandse internet exchanges. Deze activiteiten vallen rechtsreeks onder AMS-IX BV die contracten heeft met lokale partners.
1) AMS-IX Caribbean (Curaçao). Deze internet exchange valt organisatorisch en juridisch rechtstreeks onder AMS-IX BV, die plaatselijk ingeschreven staat in de kamer van koophandel. Partijen die op dit punt internetverkeer uitwisselen hebben een contract met AMS-IX BV en zijn geen lid van de vereniging AMS-IX.
2) AMS-IX Hong Kong. Deze internet exchange is een samenwerking tussen AMS-IX BV en Hutchison Global Communication (HGC). AMS-IX BV ontwerpt, bouwt en beheert het technisch platform. HGC behandelt het klantcontact. Klanten gaan een contract aan met HGC en zijn geen lid van de vereniging AMS-IX. AMS-IX BV ontvangt een vergoeding per aansluiting.
3) AMS-IX East Africa (Mombasa, Kenia). Deze internet exchange is in opbouw. Het is een samenwerking tussen AMS-IX BV, het Kenya Internet Exchange Point (KIXP) en het bedrijf Seacom. AMS-IX herontwerpt en herbouwt een reeds bestaande exchange en zal deze beheren. KIXP levert technisch personeel. Seacom levert het datacentrum en treedt op als verkoper. Partijen die direct aansluiten op de exchange worden klant van AMS-IX BV.”

Are you willing to advise the AMS-IX Board of Directors on how to Dutch interests can be best served through a robust legal and technical construction between the Dutch and foreign branches?
Dutch companies are free to expand abroad. It is not reasonable that the government advises in this. AMS-IX stated that it examines the further legal development abroad with the aim of establishes a robust legal and technical construction. Moreover, the Ministry of Economic Affairs immediately contacted the AMS-IX after publication of the intention to expand to the U.S. and concerns about that.
Original Dutch: “8 Bent u bereid om het bestuur van de AMS-IX te adviseren over de manier waarop de Nederlandse belangen optimaal gediend kunnen worden door een robuuste juridische en technische constructie tussen de Nederlandse en buitenlandse vestigingen? Zo ja, op welke wijze wilt u dit doen?
Het staat Nederlandse bedrijven vrij om in het buitenland te ondernemen. Het ligt niet in de rede dat de overheid daarin adviseert. AMS-IX heeft overigens aangegeven de verdere juridische uitwerking in het buitenland verder te verkennen om te komen tot een robuuste juridische en technische constructie. Overigens heeft het ministerie van Economische Zaken direct na bekendmaking van het voornemen en de zorgen daarover contact gelegd met AMS-IX.”

[2] http://nos.nl/artikel/553680-nederland-opent-deur-voor-nsa.html

[3] Zie voor de meest recente actualisatie d.d. 4 februari 2013 Kamerstukken 29515, nr 346

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-10-11: Dutch govt response to Parliamentary questions about NSA wiretapping international phone traffic
• 2013-09-26: SURFnet: ‘AMS-IX should not set up shop in U.S.; we ought to deliberate on U.S. spying capabilities’

EOF

UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.

UPDATE 2013-11-01: also see Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde 

On October 11th, the Dutch cabinet responded (.pdf, in Dutch) to Parliamentary questions about the NSA intercepting international phone traffic via telecom providers. The response is only available in Dutch; here is my English translation. Hyperlinks are mine.

WARNING: this is an unofficial translation.

Answers by the Dutch Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Ministry of Security and Justice to questions by Dutch ParliamentQuestions by Members of Parliament Schouw and Verhoeven (D66 party) to the secretaries of the Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Ministry of Security and Justice about the U.S. National Security Agency (NSA) wiretapping telephone communications via telecom providers (submitted September 18th 2013).
Original Dutch: “Vragen van de leden Schouw en Verhoeven (beiden D66) aan de ministers van Binnenlandse Zaken en Koninkrijksrelaties, van Economische Zaken en van Veiligheid en Justitie over het bericht dat de Amerikaanse National Security Agency (NSA) via telecomaanbieders het internationaal telefoonverkeer afluistert (ingezonden 18 september 2013)”

Are you aware of the news that the U.S. intelligence service NSA has been eavesdropping since 2011 on telephone traffic that is routed via the Belgian telecom provider Belgacom? [0]
Yes.
Original Dutch: “1 Heeft u kennisgenomen van het bericht dat de Amerikaanse inlichtingendienst NSA zich sinds 2011 toegang verschaft tot telefoonverkeer dat via de Belgische telecomprovider Belgacom verloopt? [0]”
Ja.
What is your response to the fact that the U.S. intelligence service NSA has gained access to one of the largest telecom companies in a direct neighbor country of the Netherlands?
The article in De Standaard (English translation) states, among others, that no certainty exists about who is responsible for the compromise of the infrastructure of the Belgian company Belgacom. Covert activities of state actors can not be ruled out, in principal.
Original Dutch: “2 Wat is uw reactie op het gegeven dat de Amerikaanse inlichtingendienst NSA zich toegang heeft verschaft tot een van de grootste telecombedrijven in een direct buurland?
Het bericht in De Standaard meldt onder meer dat niet zeker is wie verantwoordelijk is voor de inbreuk op de infrastructuur van het Belgische bedrijf Belgacom. Heimelijke activiteiten van statelijke actoren zijn in beginsel niet uit te sluiten.”

Did similar security breaches on communication infrastructure of Dutch telecom providers occur in the last two years? If so, what was the nature of the breach, how often did it occur and did it involve placement of malware by a foreign intelligence service?There are no indications for a similar breach of the infrastructure of Dutch providers of telecommunication services. The General Intelligence and Security Service (AIVD) is running an investigation as a result of the news. There are no indication yet that the Netherlands is a direct target of the attack. The breach of KPN in early 2012 was, by the way, no activity of an state actor. KPN has taken additional security measures as a result of that breach.
The AIVD has repeatedly highlighted the vulnerabilities of the Dutch IT infrastructure and the threat of digital espionage. The Dutch society and economy is highly dependent on IT, and the IT infrastructure is highly vulnerable. In addition, digital attacks are increasingly complex and advanced. The impact of digital attacks on the national security and the economic well-being of society can be particularly strong.
Original Dutch: “3 Zijn er afgelopen twee jaar vergelijkbare veiligheidsinbreuken geweest op de communicatieinfrastructuur van Nederlandse telecomaanbieders? Zo ja, wat was de aard van de inbreuk, hoe vaak heeft het zich voorgedaan en was er sprake van malware geplaatst door een buitenlandse inlichtingendienst?
Er zijn geen aanwijzingen voor een vergelijkbare inbreuk op de infrastructuur van Nederlandse aanbieders van telecommunicatiediensten. De AIVD doet onderzoek naar aanleiding van de berichten. Er zijn vooralsnog geen aanwijzingen dat Nederland een direct doelwit is van de aanval.
De inbreuk bij KPN in het voorjaar van 2012 was overigens geen activiteit van een statelijke actor. KPN heeft naar aanleiding van die inbreuk aanvullende veiligheidsmaatregelen genomen.
De AIVD heeft herhaaldelijk gewezen op de kwetsbaarheden van de Nederlandse ICT- infrastructuur en de dreiging van digitale spionage. De afhankelijkheid van de Nederlandse samenleving en de economie van ICT is aanzienlijk, en de kwetsbaarheid van de ICT is hoog. Digitale aanvallen worden daarnaast steeds complexer en geavanceerder. De impact van digitale aanvallen op de nationale veiligheid en het economisch welzijn van de samenleving kan bijzonder groot zijn.”

Do you know whether Dutch telecom providers commissioned an examination for very advanced malware on their communications infrastructure in the last three years? If so, what is the outcome? If not, do you intend to insist that these companies commission such an investigation, considering the U.S. practice and possible hacks by other nations?
Private parties, including the providers of public electronic communication services, are responsible for the security of their own infrastructure. The Telecommunications Act obliges the providers to ensure the integrity and security of their networks and services, and the confidentiality and availability of services. This involves technical and organizational measures. The major provides structurally use their own capacity. If they deem it necessary, they involve expertise of third parties. Recent media reports underline the importance of these measures. If necessary, the government can require the provider to take certain technical or organizational measures or to commission a security examination by an independent party (fifth and sixth paragraph of section 11a of the Telecommunications Act). Following the news reports, KPN commenced additional investigations.
The AIVD and National Cyber Security Center (NCSC) support vital sectors in securing IT infrastructure. The AIVD has, among others, developed a method for the analysis of vulnerability to espionage. Digital espionage is one of the areas of interest. This method has been brought to the attention of vital sectors to support them in eliciting vulnerabilities.
Original Dutch: “4 Is u bekend of Nederlandse telecomaanbieders afgelopen drie jaar een veiligheidsonderzoek hebben laten uitvoeren naar zeer geavanceerde malware op hun communicatie-infrastructuur? Zo ja, wat is daarvan de uitkomst? Zo nee, bent u in het licht van de Amerikaanse praktijken en mogelijke hacks door andere landen, voornemens om bij telecomaanbieders aan te dringen op een dergelijk onderzoek?
Private partijen, waaronder aanbieders van openbare elektronische communicatiediensten, zijn zelf verantwoordelijk voor de veiligheid van hun infrastructuur. De Telecommunicatiewet (Tw) bevat voor deze aanbieders verplichtingen voor de borging van de integriteit en de veiligheid van hun netwerken en diensten, waaronder het waarborgen van de vertrouwelijkheid van de telecommunicatie en de beschikbaarheid van de dienstverlening. Het gaat daarbij om technische en organisatorische maatregelen. De grote aanbieders zetten hiervoor structureel eigen capaciteit in. Indien zij dat nodig achten, zetten zij hiervoor expertise van derden in. De recente berichten in de media onderstrepen het belang van deze maatregelen. Indien daar aanleiding voor is, kan de aanbieder worden verplicht bepaalde technische of organisatorische maatregelen te nemen of een veiligheidscontrole door een onafhankelijke deskundige te laten uitvoeren (art. 11a vijfde resp. zesde lid van de Telecommunicatiewet).
Naar aanleiding van de berichtgeving is KPN gestart met het uitvoeren van aanvullende onderzoeken.
De AIVD en het NCSC ondersteunen de vitale sectoren bij het beveiligen van hun ICT- infrastructuur. De AIVD heeft onder meer een methodiek ontwikkeld voor de analyse van kwetsbaarheden voor spionage. Digitale spionage is daarbij één van de aandachtspunten. Deze methodiek is bij de vitale sectoren onder de aandacht gebracht om hen te ondersteunen de eigen kwetsbaarheden inzichtelijk te maken.”

Have you, or have the Dutch telecom providers, in recent years received requests from the U.S. intelligence service NSA or other foreign intelligence services to provide access to international phone traffic? If so, how did you respond?
The government does not know whether foreign powers approached Dutch telecom providers. No public statements are made about contacts between the Dutch intelligence and security services and foreign services.
Original Dutch: “5 Heeft u of Nederlandse telecomaanbieders afgelopen jaren verzoeken ontvangen van de Amerikaanse inlichtingendienst NSA dan wel andere buitenlandse inlichtingendiensten, om toegang te verschaffen tot internationaal telefoonverkeer? Zo ja, wat was daarop de reactie?
Het is de regering niet bekend of buitenlandse mogendheden Nederlandse aanbieders van telecommunicatie hebben benaderd. Over contacten tussen de Nederlandse inlichtingen- en veiligheidsdiensten en buitenlandse diensten worden in het openbaar geen mededelingen gedaan.”

Did you bring up the topic of hacks on European, and Dutch communication systems in particular, with the U.S. government? If so, what was the outcome of those conversations? If not, do you intend to bring up the privacy violation of Dutch citizens with the U.S. government?
Are you willing to actively put the infringements by the U.S. and possibly other countries on the agenda of the next Council of Justice and Home Affairs (JHA Council) and to plead for a joint European stand against these violations of the privacy of European citizens?
The European Commissioners of Justice and Home Affairs have consulted the U.S. Attorney General on June 14th following the media reports. An EU-US expert group is currently addressing the protection of privacy and of electronic data of citizens, with the aim of mutual understanding of each other’s programs and how those are anchored in the rule of law. The Dutch government supports this initiative. It is expected that the expert group will complete its final report this fall. PRISM was discussed in the margins of the JHA Council of October 7th.
Original Dutch: “6 Heeft u de hacks op Europese, en Nederlandse communicatiesystemen in het bijzonder, aan de orde gesteld bij de Amerikaanse regering? Zo ja, was de uitkomst van die gesprekken? Zo nee, bent u voornemens de privacyschending van Nederlandse burgers aan de orde te stellen bij de Amerikaanse regering?
7 Bent u bereid de inbreuken door de VS en mogelijk ook andere landen, actief te agenderen in de eerstvolgende Raad van Justitie en Binnenlandse Zaken (JBZ-Raad) en te pleiten voor gezamenlijk Europees optreden tegen deze schendingen van privacy van Europese burgers?
6 & 7: De Eurocommissarissen van Justitie en van Binnenlandse Zaken hebben naar aanleiding van mediaberichten op 14 juni jl. overleg gevoerd met de Amerikaanse minister van Justitie. Inmiddels buigt een EU-VS expertgroep zich over de bescherming van de persoonlijke levenssfeer en van elektronische gegevens van burgers, met als doel wederzijds inzicht in elkaars programma’s en de wijze waarop deze zijn verankerd in de rechtsstaat. De Nederlandse regering steunt dit initiatief. Naar verwachting voltooit de expertgroep dit najaar zijn eindrapport. Het onderwerp PRISM is besproken en marge van de JBZ-raad van 7 oktober jl.”

[0] http://www.standaard.be/cnt/dmf20130915_00743233 (English translation)

Related:

• 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
• 2013-10-28 (updated 2013-11-01): Dutch govt position concerning U.S. spying for economic purposes + answers to Parliamentary questions re: Snowden/Le Monde
• 2013-09-14: Dutch govt response to revelations by Edward Snowden

EOF