Month: November 2013

Oversight on Dutch unspecific/untargeted/bulk SIGINT is still broken

UPDATE 2015-07-02: the Dutch government released their draft intelligence bill into public consultation. Details here.
UPDATE 2014-08-07: last May, I submitted a FOIA request to the AIVD seeking any of their (work/legal) instructions related to the legal requests for permission to use special powers — specifically also including selection from bulk-intercepted non-cablebound (=ether) communications. Today I received a standard “request denied” letter citing grounds of national security as motivation for denying the request. No explanation specific to the request was given; nor why it was denied altogether as opposed to disclosing partially redacted information.
UPDATE 2014-03-11: today, a new CTIVD oversight report was published, together with the Dutch cabinet’s response to the Dessens report. The report covers exercises of various telecom-related powers by the AIVD and MIVD. Concerning the undirected (bulk) collection of phone metadata from ether sources, the CTIVD has now established that it has not been motivated as required by law: nothing is known about necessity, proportionality or subsidiarity of such collection. IMHO the new report — which only exists as a result of Snowden’s revelations — reemphasizes that up until today, oversight on Dutch SIGINT is broken.

UPDATE 2013-12-16: the Minister responded (.pdf, in Dutch) today. Here is the relevant part:

“The cabinet thinks, as does the Parliament, that it is very important that the CTIVD can assess the legality of SIGINT selection activities [carried out by the AIVD and MIVD]. Measures have been taken, and are being taken. These are aimed at enabling the CTIVD to assess legality of SIGINT selection activities in future reports.”

Original Dutch: “De regering hecht er, evenals de Kamer, zeer aan dat de CTIVD ook tot een rechtmatigheidsoordeel kan komen over de selectie van sigint. Op dit vlak zijn en worden maatregelen getroffen. Deze zijn erop gericht de CTIVD in staat te stellen in toekomstige rapporten tot een oordeel te komen.”

Unfortunately, nothing is stated about what measures have been taken.

UPDATE 2013-12-04: on December 2nd, the Dessens Committee published their final report — I’m blogging about it here.
UPDATE 2013-11-28: the below was brought up (in Dutch) by MP Gerard Schouw (D66 party) during yesterday’s Parliamentary debate on the FY2014 budget for the Ministry of the Interior & Kingdom Relations. My translation of Schouw’s words:

“Today I want to talk about political responsibility. We have the CTIVD, that oversees the legality of information collection by the AIVD and MIVD. A close look at their reports shows that the CTIVD regularly or even systematically withholds from making a statement about the general picture of legality of the activities of the AIVD and MIVD. The legality of the AIVD and MIVD activities concerning Article 27 [SIGINT selection, mk] cannot be established by the CTIVD, as we can read in CTIVD reports 19, 26, 28, 31 and 35. These span the years 2008 to 2013. In those five years, the CTIVD has not been able to assess the legality. I’d like to know what the successive Ministers of Internal Affairs have done about that. I mentioned the reports. The Minister should be able to find his way with that. What did the previous Ministers do? What has this Minister done? How does this relate to the statement of the Minister that both services comply with the law? Isn’t that very difficult if the CTIVD says it cannot assess the legality?”

Original Dutch: “Ik wil het vandaag hebben over de politieke verantwoordelijkheid. Wij hebben de CTIVD, die de rechtmatigheid van de informatiewinning van de AIVD en MIVD controleert. Wie echter goed naar de verslagen kijkt, ziet dat de CTIVD zich regelmatig of zelfs stelselmatig onthoudt van een oordeel hierover. De rechtmatigheidstoepassing van de AIVD en de MIVD rondom artikel 27 is door de CTIVD niet vast te stellen, zo lezen wij in verschillende rapporten met de nummers 19, 26, 28, 31 en 35. Dat zijn de jaargangen 2008 tot en met 2013. In die vijf jaar heeft de CTIVD de rechtmatigheid niet kunnen vaststellen. Ik wil weleens van de minister weten wat achtereenvolgende ministers van Binnenlandse Zaken daaraan hebben gedaan. Ik heb de rapporten genoemd. De minister zal daarmee dus wel weg weten. Wat hebben zij daaraan gedaan? Wat heeft deze minister daaraan gedaan? Hoe verhoudt zich dit tot de opmerking van de minister dat beide diensten zich aan de wet houden? Dat kan toch heel moeilijk als de toezichthouder zegt dat hij de rechtmatigheid niet kan beoordelen?”

Let’s see how the Minister (Ronald Plasterk) will respond. A big Parliamentary debate on surveillance is scheduled for January 2014.

====== START OF ORIGINAL BLOGPOST FROM 2013-11-09 ======

In this previous post I explained the following about the Dutch Intelligence and Security Act 2002 (WIV2002):

  • the WIV2002 is the legal framework for Dutch intelligence & security services;
  • Article 25 regulates wiretapping powers, Article 27 regulates SIGINT powers;
  • the use of either power requires explicit prior permission from the Dutch Minister of the Interior and Kingdom Relations (in case of the AIVD) and/or the Minister of Defense (in case of the MIVD);
  • unlike wiretapping, SIGINT is legally restricted to non-cablebound communications (i.e., radio and satellite). SIGINT on cablebound communications is illegal.
  • the WIV2002 is being reviewed by the Dessens Committee, and it is expected that one change they will propose is to extend the SIGINT power to cablebound communications. I don’t know what changes, if any, will be proposed concerning safeguards and oversight.

The Review Committee on the Intelligence and Security Services (CTIVD) was born in 2003 by means of Article 64. The CTIVD is tasked with oversight on legality of the operations of the Dutch intelligence & security services; providing solicited and unsolicited advice to the relevant Dutch Ministers about the CTIVD’s findings; handling complaints; and providing solicited and unsolicited advice regarding the Article 34 notification to former subjects of investigation.

The CTIVD has three members (including the chairperson) who are appointed for a period of 6 years by Royal Decree and nominated by the relevant Ministers. (Yes, it is the Ministers who nominate the persons that will perform oversight on their Ministries. This is not necessarily a problem, but worth noting.)

The CTIVD has published some 35 oversight reports so far. In 2009, the first oversight report specifically aimed at legality of the use of wiretapping and SIGINT powers was published (CTIVD Nr. 19). In 2010, the CTIVD decided that SIGINT and wiretapping would become topics of an annually recurring in-depth examination.

Based on the method of oversight and the contents of the oversight reports, I am convinced that the CTIVD is generally doing a good job. The CTIVD can and does access the highest level of classified information `Stg. ZEER GEHEIM’ (TOP SECRET), consult intelligence personnel, etc. The oversight reports on SIGINT and wiretapping are primarily based on the requests for permission sent by the AIVD/MIVD to the relevant Ministers.

Below are some observations from CTIVD oversight reports on SIGINT and wiretapping CTIVD Nr.19 (.pdf, in Dutch), CTIVD Nr.26 (.pdf, in Dutch), CTIVD Nr.28 (.pdf, in Dutch), CTIVD Nr.31 (.pdf, in Dutch) and CTIVD Nr.35 (.pdf, in Dutch).

WARNING: for full context, read the original documents. 

The general picture according to the CTIVD regarding the use of Article 25 (e.g. microphone, phone tap, internet tap; more specifically: wiretapping, receiving, recording and monitoring any kind of conversation, telecommunication or datawiretapping; where `telecommunication’ in Dutch law means any transmission, emission or reception of signals of any kind by means of cables, radio, by optical means or by other electromagnetic means):

  • Nr.19 (2008-2009): AIVD operates carefully (Dutch: `zorgvuldig’ and `doordacht’);
  • Nr.26 (2010-2011): AIVD operates carefully;
  • Nr.28 (2011-2012): MIVD operates unlawfully in that it (also) intercepts `generic identities’
    • e.g. types of persons instead of identified persons. (Note that for MIVD, use of Article 25 mainly means interception of HF frequencies, e.g. by the Dutch National SIGINT Organization (NSO), which recently became a part of the new Joint SIGINT Cyber Unit, and military SIGINT detachments in Dutch military missions abroad.)
  • Nr.31 (2011-2012): AIVD operates carefully;
    • the CTIVD noted that in one instance, the AIVD used two differently-classified motivations to get Art.25 permission for the same operation. One motivation was classified as `Stg. GEHEIM’ (SECRET), the other as `Stg. ZEER GEHEIM’ (TOP SECRET). The stated explanation involved practical difficulties of working with `Stg. ZEER GEHEIM’-classified information. The CTIVD strongly rejected this m.o.;
    • the CTIVD noted that the quarterly bundled requests-for-permission (Dutch: `driemaandelijkse verzamelbeschikkingen’) concern a large number of taps and microphones, and are insufficiently motivated. The Minister of the Interior and Kingdom Relations does not have departmental support in judging the requests.
  • Nr.35 (2012-2013): AIVD operates carefully;
    • the CTIVD noted that again, in one instance, the AIVD used two differently-classified motivations to get Art.25 permission for the same operation. CTIVD rejected that.
    • the CTIVD noted that in one instance, the AIVD used the line of reasoning “necessity implies proportionality”. CTIVD rejected that.
    • the CTIVD noted that in five operations, the use of Article 25 powers was not proportional and therefore unlawful. (Although not specified in the report, I believe these involve some instances where Dutch journalists were wiretapped.)
    • the CTIVD noted that in one instance, Article 25 powers were exercised based solely on a comment posted on the internet. The CTIVD stated that that is insufficient ground for the use of Article 25 powers. In addition, the wiretapping had already ceased after one period (max. three months).

The general picture according to the CTIVD regarding the use of Article 27 (SIGINT selection; restricted to non-cablebound communications; unencrypted intercepted data can be retained for a period of one year; encrypted intercepted data can be retained indefinitely until the encryption has been undone, after which the unencrypted outcome can, again, be stored for a maximum of one year (Article 26, paragraph 10)):

  • Nr.19 (2008-2009): legality unknown.
    • requests for permission are insufficiently motivated, preventing the CTIVD from making a statement about the general picture of legality.
    • the CTIVD noted that it is `not careful’ that it is not explained to whom the numbers or technical characteristics used to select SIGINT belong;
  • Nr.26 (2010-2011): legality unknown.
    • requests for permission are insufficiently motivated, preventing the CTIVD from making a statement about the general picture of legality.
  • Nr.28 (2011-2012): legality unknown.
    • requests for permission are insufficiently motivated, preventing the CTIVD from making a statement about the general picture of legality.
  • Nr.31 (2011-2012): legality unknown.
    • requests for permission are insufficiently motivated, preventing the CTIVD from making a statement about the general picture of legality.
  • Nr.35 (2012-2013): legality unknown.
    • the CTIVD noted that a single operation was examined in-depth, and unlawful activities were found related to lack of adequate motivation.
    • the CTIVD noted that the use of Article 27 is modest when compared to Article 25 powers.

To me it seems that the above warrants the conclusion that the Netherlands has a structural problem regarding the oversight on (and hence democratic control of) the use of Article 27 powers. Given the expectation that an (overdue) proposal for change of the WIV2002 will emerge that will extend SIGINT powers to cablebound communications, there’s some scrutiny to be done by the Dutch Members of Parliament.

Furthermore, from the 2011 report CTIVD Nr. 28 (concerning the MIVD, not the AIVD), I translate the following part (note: `searching’ is done to identify the radio/satellite channels to include in bulk data collection; then `selection’ can be done within the collected data, which requires Ministerial permission. Under WIV2002, searching is only allowed if at least either the receiver or sender of communication is outside the Netherlands, i.e., the Dutch services are not permitted to search domestic-only communication):

“The CTIVD notes that the reason for and purpose of conducting a SIGINT search focused on SIGINT selection can vary. At least the following common practices can be distinguished:

  1. The searching of the bulk of communication to determine whether it is possible to generate the desired data using the selection criteria for which permission has been granted;
  2. The searching of the bulk of communication to identify targets;
  3. The searching of the bulk of communication for data from which, in the context of an expected new area of investigation, future selection criteria can be derived.”

Original Dutch: “De Commissie constateert dat de aanleiding voor en het doel van het uitvoeren van een searchactiviteit gericht op selectie gelegen kunnen zijn in meerdere zaken. Zij onderscheidt in ieder geval de volgende gangbare praktijken:
1. Het searchen van de bulk aan communicatie om te bepalen of met de selectiecriteria waarvoor toestemming is verkregen de gewenste informatie kan worden gegenereerd
2. Het searchen van de bulk aan communicatie om potentiële ‘targets’ te identificeren of te duiden;
3. Het searchen van de bulk aan communicatie naar gegevens waaruit, in het kader van een verwacht nieuw onderzoeksgebied, toekomstige selectiecriteria kunnen worden afgeleid.” 

The CTIVD stated that (1) is permissible and that (2) and (3) are not permissible (hence: unlawful). Interestingly, CTIVD hinted at changing the law rather than changing the practice:

“The CTIVD leaves it to be considered whether, in accordance with privacy protection, it is necessary that wider powers be granted that better reflect this (desired) practice at the MIVD (and AIVD).”

Original Dutch: “De Commissie geeft in overweging te bezien of het, met inachtneming van de privacybescherming, noodzakelijk is dat aan de MIVD (en de AIVD) ruimere bevoegdheden worden toegekend die beter aansluiten op deze (gewenste) praktijk.”

While the CTIVD also stated the following:

“The CTIVD has noticed that not all individuals who are daily engaged in Sigint processing appropriately estimate the infringement associated with Sigint.”

Original Dutch: “Het is de commissie opgevallen dat niet alle personen die zich dagelijks bezighouden met de verwerking van Sigint de inbreuk van dit middel op waarde schatten.”

Lastly, I refer Dutch readers to Tot het lachen ons vergaat – Over de noodzaak van parlementaire aandacht voor inlichtingen- en veiligheidsdiensten (.pdf, 2013), an excellent piece by @ConstantHijzen who is a PhD student at Leiden University.
I welcome anyone with relevant insights or information to contact me.

EOF

Viviane Reding: “The NSA needs a counterweight. My [proposal is] to set up a European Intelligence Service by 2020.”

UPDATE 2015-12-08: now, following the 11/13 Paris attacks, Belgian PM Charles Michel calls for a European CIA.

UPDATE 2015-03-30: unrelated but similar: on January 22nd 2015, Belgian MEP Guy Verhofstadt stated (in Dutch) in newspaper NRC Handelsblad that he believes that a European equivalent of the CIA should be created. Today, in response to questions, the Dutch Minister of Security & Justice states (in Dutch) that the Dutch cabinet opposes this idea.

UPDATE 2015-02-09: the Draft Council Conclusions on Counter-Terrorism (.pdf, Feb 6) states: “Reinforcing, within the existing parameters, the role of EU INTCEN as the hub for strategic intelligence assessment at EU level, including on counter-terrorism”. I.e., no new mandate for EU intelligence centre.

UPDATE 2015-01-13: EU Observer reports that following the attack on Charlie Hebdo, the EU Commission stated it has no plan for an EU spy agency.

UPDATE 2014-01-13: Simon Davies on this matter: EU Justice Commissioner Reding wants an EU spy agency. Has she lost her mind or her morals?

According to this article on EUobserver.com the Vice President of the European Union, Viviane Reding, said:

“What we need is to strengthen Europe in this field, so we can level the playing field with our US partners. (…) I would therefore wish to use this occasion to negotiate an agreement on stronger secret service co-operation among the EU member states – so that we can speak with a strong common voice to the US. The NSA needs a counterweight. My long-term proposal would therefore be to set up a European Intelligence Service by 2020.”

According to an official cited in the article, setting up a European Intelligence Service would require an EU treaty change and would have to be dealt with after EU elections in 2014 (and thus exceeding Reding’s current appointment that expires in 2014).

Reding is also the EU Commissioner for Justice, Fundamental Rights and Citizenship, which also covers data protection. In that role, Reding visited the United States in October and called for strong data protection rules to restore trust. Although it might be possible that intelligence services and adequate privacy protection are not mutually exclusive, the Snowden revelations might be interpreted as indications of a different reality today. Depending on one’s perspective, there is irony in Reding both calling for better data protection and suggesting that a new intelligence agency be set up.

As stated in the article at EUobserver, the EU currently has the EU IntCen (formerly SitCen), a branch of the EU foreign service where classified information on conflicts and terrorist threats is shared. In Secret Truth. The EU Joint Situation Centre (.pdf, in English, 2009), Jelle van Buuren concluded that:

“[SitCen] suffers from a profound lack of transparency – and therefore is not as accountable as could be expected in democratic societies.”

I’ve been told that the situation has not really improved since then, and that Van Buuren’s conclusions still apply. Some supporting evidence: the 16 July 2013 meeting report (.pdf) and the September 12th 2013 meeting report (.pdf) of the Terrorism Working Party refer to classified information, making it difficult for outsiders to judge the policy decisions — which some may interpret as a lack of transparency.

I don’t know whether Reding would propose to expand IntCen or to establish a new entity. Either way, considering that IntCen produces intelligence-based classified assessments, IntCen may be a reasonable indicator of what to expect. I therefore cite Van Buuren’s entire concluding remarks about SitCen (now IntCen):

“What do we know of the EU Joint Situation Centre? How does it operate? In other words: how transparent is the EU Joint Situation Centre? These were the central questions of this paper. The answer has to be that SitCen suffers from a profound lack of transparency – and therefore is not as accountable as could be expected in democratic societies. Documents available in the public domain make it possible to reconstruct the trajectories of SitCen, its tasks and its position within the EU counterterrorism field. It is however impossible to assess the substance of the work of SitCen and the influence SitCen has on the development of the EU as a security actor, the securitization of the EU and the constitution of threats and solutions. It is only through informal ways that it was possible to shed for the first time some light on the substance of the work of SitCen regarding its internal security dimension and remove partly the blanket of mystery SitCen is shrouded in. It seems obvious that further research on SitCen is needed, as it is an organization that has developed almost outside the political and public spotlights from an ‘empty shell’ into a crossroad of internal, external and military intelligence cooperation in the EU. SitCen is also an organisation that stands in the centre of the merger between horizontal and vertical networks of intelligence and security agencies; an ‘in-security field’ that is in transformation and the outcome of this transformation will subsequently determine partly the future of the EU as a security actor and the constitution of threats. ‘Secret truth’ of security and intelligence agencies is determining partly the European response to the terrorist threat and can have a great impact on citizens and the formation of the future political and social order of the EU. 
For instance, the European Council Strategy for combating Radicalisation and Recruitment to Terrorism (Council of the European Union 2005d) has according to De Goede (2008: 170-171) created ‘an extra-legal sphere of intervention’, where a wide array of functionaries, including teachers, prison workers and community workers, are authorized to intervene in people’s lives in the name of preventing radicalization. According to De Goede, the Council Strategy thus authorizes functionaries to decide on rights of travel and internet use, rights of worship and education, for an undefined group of citizens who may be thought prone to radicalization. ‘In this manner, the Strategy enables far-reaching practices of bio-political governing, which distinguishes some population groups for exceptional monitoring and treatment.’

Further research is needed to analyze the way intelligence influences European and national policy making. It will be a real challenge, in view of the level of transparency of SitCen, to research if and how the list of SitCen reports we have revealed, have been translated in political recommendations; if and how the transformation of the ‘in-security field’ is changing the relations, culture, power and influence of intelligence and security services, law enforcement agencies, customs and border agencies; if and how these European transformation is affecting the security relations ‘at home’; how the ‘uncertain and controversial’ discussions supported by SitCen assessments proceeded within Council structures, Commission structures and national structures and which positions were taken by the different member states; how SitCen assessments are structuring and directing the emerging European foreign and military policy; how the difference between the member states that are ‘insiders’ of SitCen and member states that are ‘outsiders’ influence the securitization of the European Union; how the emergence of SitCen is influencing the position of other security actors in the EU like Europol; and if and how the essentially contested and precarious relationship between the political/executive level and the intelligence community is being shaped by the emergence of SitCen. Hopefully this paper can contribute a little to the realisation of this research agenda.”

EOF.