Month: July 2014

The Hague district court: ‘exchange of telecommunications data between Dutch intel/security services and NSA is permissible’

UPDATE 2014-07-25:  I incorrectly stated it was a Supreme Court ruling. It is a ruling by the district court in The Hague. The plaintiffs will appeal the ruling. The ZDNet article (still) incorrectly mentions Supreme Court. Kudos to MV and @privacyfirst for correcting.

UPDATE 2014-07-24: article about it on ZDNet. (Note: its headline is unwarranted IMHO.)

After the news or PRISM broke, a bunch of Dutch individuals, represented by lawyers of Bureau Brandeis, filed a joint civil suit against the Dutch government concerning the exchange of telecommunications between the NSA and the Dutch intelligence & security services. One of the important issues in this case was the question whether the Dutch services should be allowed to use data intercepted by foreign partners in ways that would violate the ECHR or Dutch national legislation. Notably, the Dutch national legislation does not permit bulk interception of cable communications. (Bulk interception of wireless communications is permitted.)

Dutch news site Nu.nl reports (in Dutch), as does Bits of Freedom, on today’s ruling in that case by the Supreme Court district court in The Hague. The full ruling is here (in Dutch). The plaintiffs will appeal this ruling.

Here is my translation of the summarized ruling:

The Hague, July 23rd 2014

The exchange of telecommunications between the Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) and the U.S. National Security Agency (NSA) is acceptable. The possibility exists that the Dutch services,in exchanging telecommunications data with foreign services such as the NSA, receive data that are collected in foreign countries by foreign services using legal powers that are not available to the Dutch services. The mere possibility of this does not mean that the Netherlands violates international treaties and national legislation by receiving and possibly using that data. That has been decided by the court in The Hague in a civil case between a number of individuals, the Dutch Association of Criminal Defense Lawyers (NVS), the Dutch Association of Journalists (NVJ), the Internet Society Netherlands and the Privacy First Foundation.

Respect of privacy versus national security

The issue in this case is the relationship between the interests of individuals and of “everyone” whose interests the plaintiffs defend, including the interest in respecting the privacy of the individual, and the public interest of international cooperation for national security.

Exchange of telecommunications data

The court found that the Dutch intelligence & security services exchange data collections with the NSA, among others. It concerns data sets that contain both metadata (data about communication, such as who is calling and for how long, when and from what location) and data concerning the content of the communication.

Considering the practice of exchange between the intelligence and security services, the Dutch services in general do not know how the data sets that they receive from foreign partners and then possibly use, are collected. Therefore it cannot be ruled out that these data are collected in violation of international treaty obligations incumbent on the Netherlands, such as the respect to privacy of the individual, under the European Convention of Human Rights (ECHR).

The Dutch services themselves are not legally allowed to intercept telecommunications data from cable infrastructure in bulk and use it. The U.S. authorities are. This does not mean that the reception and possible use of such data are automatically impermissible.

Cooperation with foreign partners

Under Dutch law, the Dutch authorities can, considered in itself, cooperate with the U.S. and also receive data from them and use it. The U.S. is bound by its own regulations, which in general are not in conflict with the requirements of the ECHR concerning the protection of the right to respect for private life. Also to the extent that that regulation provides, in some ways, less protection to persons who are not citizens of the U.S., the activities of the Dutch government in general are not contrary to the ECHR or national regulations.

In the context of international cooperation, given the nature of the exchange, namely “in bulk” and without being assessed on importance, the reception of such data does not need to satisfy the strict requirements that the plaintiffs are considering. In addition, there is a difference between receiving data, and using it in individual cases. The general requirements of the ECHR have been satisfied.

National security

The court held that the Dutch government rightly states that it can not be expected of them that they jeopardize the urgently necessary cooperation with foreign services, such as those of the U.S., merely because of unfamiliarity with their methods and the possibility that the Netherlands receives information in a way that is not permitted in our country [sic]. The overriding importance of national security is decisive here.

Assessment of individual interest

The important interests of claimants should, according to the court, be expressed in the protection offered to them on the basis of national regulation, namely by relying on the Dutch Review Committee on the Intelligence and Security Services (CTIVD), the National Ombudsman or national civil or administrative courts. The plaintiffs’ claims in this case were formulated in general terms. The court therefore limited itself to a review of the actions of the Dutch government in general.

As stated here, the Dutch Joint Sigint Cyber Unit (JSCU) is now operational. After the Parliamentary summer recess that ends on September 1st 2014, the Dutch government will send a proposal to the Dutch Parliament for changing the Intelligence & Security Act of 2002. Notably, it is expected that the proposal will include a broadening of interception powers such that the AIVD and MIVD are permitted to perform undirected (i.e., bulk/mass) interception of cable communications. That would allow the Dutch intelligence services to carry out programs such as GCHQ’s Tempora and NSA’s Special Source Operations (SSO), that feed PRISM. Our legislative regime and oversight mechanism is different from that in the U.S. and the U.K., but one thing is the same: the oversight on existing SIGINT powers in the Netherlands is broken too. It is still unclear how that problem will be addressed by the government.

EOF

“Secret Trade in Digital Vulnerabilities” (opinion by prof. Corien Prins / Tilburg University)

UPDATE 2014-09-23: today the Dutch Senate requested (.pdf, in Dutch) the government to create safeguards concerning the decision-making on the disclosure or non-disclosure of vulnerabilities found by the Dutch intelligence & security services (notably by the employees of the JSCU). The Senate states that the decision to disclose or not disclose a vulnerability cannot be made by the services themselves, because the interest of all internet users has to be taken into account (thus implying that the services cannot be relied upon to take the interest of all internet users sufficiently into account).

In April 2014, professor Corien Prins (Tilburg University) published a piece on the trade in computer vulnerabilities in the Dutch law magazine “Nederlands Juristenblad”. The original piece is here (.pdf, in Dutch) and carries the title “Geheime handel in digitale lekken”. Here is my translation of Prins’ original text:

Secret trade in digital vulnerabilities

Last month, the European Court of Justice made clear that the authority of law enforcement agencies to request so-called ‘traffic data’ (which phone number is called which phone number, from what location and for how long?) must be used proportionally [1]. The Court found that the collection of traffic data can contribute to the fight against serious crime and terrorism, but that the way in which this is currently happening is contrary to the proportionality requirement.

Commentators immediately pointed out that the decision fits into a change of thinking about the importance of privacy. But more or less at the same time that the European Court reinforced the privacy interest, it became clear that the NSA has been using a internet security vulnerability labelled `Heartbleed’. Instead of reporting it to relevant parties, such that they could implement the necessary changes in the systems, they kept secretly peeking through the crack and thereby violated the privacy of many people worldwide.

This report got ample media attention. But those familiar with the world in which companies such as Vupen (vupen.com) and ReVuln (revuln.com) operate, were not surprised. In this world, lots of money is made by trding vulnerabilities. The minimum privacy for a so-called `zero-day exploit’ is around 50.000 dollar. In short, a zero-day exploit is a software application that is specifically developed to abuse a vulnerability in, for instance, an internet service. Using a zero-day exploit, the IT system can be penetrated without knowledge of its provider. Whoever has an exploit can covertly observe, wiretap data, install viruses, et. The term zero-day exploit is derived from the age of the software application that uses the vulnerability. It is inherent to the application that it abuses the vulnerability before the first day (day 0) that the provider of the system is aware of the vulnerability. From that day on, after all, the provider has the opportunity to distribute a patch to users and hence the exploit loses its value.

Little is known about the trade in zero-day exploits, but an analysis worth reading of this shady market by Reuters makes it clear that the intelligence services are major customers [2]. Interesting is the mafia-like arrangement (having your cake and eating it too) of various suppliers [3]: they present themselves as defenders against dangerous exploits, while at the same time developing exploits to offer from the stance (whether or not commercially motivated): ‘if you do not pay, we put your door wide open’.

The economic and social dependence on crosslinked digital systems combined with the growing uncertainty about cyber terrorism and digital ‘warfare’, brings both security services and the military to previously unknown strategies. Whether and to what extent zero-day exploits are part of the new instruments, is unclear. The Annual Report 2013 of the AIVD presented last week does not mention it. But from the letter sent by the Minister of Defense to the Parliament on March 17th 2014 it becomes clear that “the development of the capability to carry out offensive cyber operations” is a spearhead in the Defense Cyber Strategy [4]. Furthermore it states: “Offensive cyber capabilities are digital means that have the purpose of influencing or render impossible opponent action” These capabilities can be deployed in a military operation to support conventional military capabilities. The use falls under the relevant mandate and the applicable Rules of Engagement. The legal frameworks are no different from those that apply to the use of conventional means.”

In case our country uses zero-day exploits: what exactly are the implications of the simple observation that “applicable Rules of Engagement” apply? Which assessment framework does one use, now that the use of zero-day exploits by definition puts the safety of citizens and businesses at stake? According to Richard Clarke, the former cyber security adviser to the Obama administration, the U.S. government used zero-day exploits without a solid assessment framework [5]. Of course it is very difficult to formulate criteria here, but what arguments, then, underly the choice to use an offensive strategy (using the vulnerability to influence the action of opponents) or rather a defensive strategy (preventing malversants form using the vulnerability and inform IT providers)? And how transparent can and will they be regarding the extent to which this means is used?

The head of the AIVD, Rob Bertholee, states in his forward to the Annual Report 2013: “We are a secret service, but we do not want to be secretive. Our tasks and responsibilities are laid down in the law, our actions are publicly accounted for. This Annual Report is a part of that. Only a part of what we do is secret and secret for a reason: the protect sources or prevent unauthorized persons from taking note of our activities. The control over that secret part of our work is fortunately also properly organized” [6]. Possibly the use of zero-day exploits is part of the secret part of the activities of the AIVD and the Ministry of Defense. There will be good reason for that. At the same time, society should be confident that considerations and control over the use this new instrument will function properly, so as befits the rule of law.

[1] Judgment of the Court (Grand Chamber) April 8th 2014, in joined cases C-293/12 and C-594/12, requests for a preliminary ruling under Article 267 TFEU from the High Court (Ireland) and the Verfassungsgerichtshof (Austria), made by decisions of 27 January and 28 November 2012, respectively, received at the Court on 11 June and 19 December 2012.
[2] J. Menn, U.S. cyberwar strategy stokes fear of blowback, Reuters, May 10th 2013.
[3] For an overview of these companies, see: http://wikileaks.org/the-spyfiles.html
[4] Letter to Parliament about offensive cyber capability, Dutch Ministry of Defense, March 17th 2014
[5] J. Menn, U.S. cyberwar strategy stokes fear of blowback, Reuters, May 10th 2013.
[6] AIVD: Dutch persons committed suicide attacks.

These are some of the companies associated with buying and/or selling vulnerabilities/exploits:

Further reading:

EOF

Evaluation report on the Dutch implementation of the EU Data Retention Directive

UPDATE 2014-11-26: Dutch govt response to ECJ’s April 2014 ruling on the EU Data Retention Directive: the Dutch Telecommunications Data Retention Act of 2009 will be upheld, but some (minor) changes are introduced concerning access to retained data to cater to the ECJ’s ruling.

In July 2014, the official English translation (.pdf) was published of the report that evaluates the storage and use of Dutch telephone and internet traffic data for crime investigation purposes. The Dutch version became available earlier, at the end of 2013. The report was written by Odinot, De Jong, Bokhorst and De Poot and covers the Dutch implementation of the EU Data Retention Directive. The remainder of this post consists of the summary of that report (hyperlinks and parts in [] are mine). [UPDATE 2014-10-31: note that in April 2014, the European Court of Justice rejected the EU Data Retention Directive as “invalid”; this does not necessarily mean that Member States will delay or revoke national data retention legislation. For instance,  in October 2014, the ECJ’s ruling notwithstanding, the Swedish telecoms regulator decided to force ISPs to carry out data retention for law enforcement purposes.]

The study: background, research questions and data collection

On the storage and use of telephone and internet traffic data for crime investigation purposes

Background to the research questions

The Dutch implementation of the [EU] Data Retention Directive was adopted on the 1st of September, 2009. The main reason for the storage of call detail records of telephone and internet traffic data is its potential in the aid of the investigation and prosecution of serious crimes. For example, this type of data can be used to ascertain the time and place at which a particular mobile telephone was used to make a call. The data also makes it possible to find out whether and when a computer or mobile telephone made an internet connection. Telecommunication traffic data can be used in cases involving a crime that merits pre-trial detention, a reasonable suspicion of a crime being planned or committed in an organized context and indications of a terrorist offence.

However the fact that this data has to be stored for a certain period of time is a recurring point of debate. There is a need both in the Netherlands and at European level (EU 18620/11 [.pdf]) for a clearer understanding of how the police and judicial authorities use the data kept under the Telecommunications Data Retention Act (referred to below as ‘the Act’).

The purpose of this study is to clarify how the Act works in practice. This study extends beyond the scope of an evaluation process (cf. Wartna, 2005; Nelen et al., 2010), because there is a need not only for an understanding of how the Act has been shaped in practice but also of how the data to be kept available under this Act is actually used for criminal investigations in practice.

However, it is not possible – as it would be in a product or effect evaluation – to ascertain how the introduction of the Act has affected the use of traffic data in criminal investigations. The telecommunication data at issue here was already available for criminal investigation purposes before the Act was introduced, and was already being used in criminal investigations into serious crimes prior to the introduction of the Act.

Although the Act has resulted in the retention periods being harmonised, the fact that other changes have taken place in the meantime means that it is only barely possible to measure and identify any possible effects thereof. Changes in how telecommunication data is used in practice can be attributed primarily to the emergence of mobile and ‘smart’ telephones and to the increased accessibility of internet communication. It is thus easier to look into the use of telecommunications data in criminal investigations than it is to relate the findings to the introduction of the Telecommunications Data Retention Act.

This study focuses both on questions about how the Act has taken form and questions about how the retained data is used in practice.

In this context, there are various organisations and parties involved in the storage, maintenance, and use of telephone and internet traffic data. The providers are required to retain and secure the data, keep it available for investigative purposes and to destroy it at the prescribed time. This process is regulated by the Telecom Agency (Agentschap Telecom). The Dutch Data Protection Authority (College Bescherming Persoonsgegevens) has the more general task of regulating the use of privacy sensitive data. The Police and the Public Prosecution Service use this data for the investigation and prosecution of serious crimes, and the judiciary uses it in the legal decision-making process. The emphasis of this report lies on how the retained data is used in practice, thus providing a clearer understanding of the usefulness and necessity of the retention obligation. The complexity of how the Act works in practice is reflected in the descriptions of how the various parties perform their tasks. This report provides fairly detailed information about how the stored data is used in practice. Other parties are touched upon, but do not form the main focus of this study.

Data collection

Various methods have been used to answer the research questions. In addition to conducting an extensive review of the literature (national and international), both qualitative and quantitative data on the use of historical traffic data was collected from organisations such as the National Interception Unit (Unit Landelijke Interceptie) of the national police services, the Dutch National police, the judiciary (Public Prosecution Service) and the legal profession. A desk study was also carried out involving the examination of legal texts and their explanatory notes, secondary legislation, parliamentary papers, implementing agencies’ written documents, and scientific literature. Also, 17 face-to-face interviews and 16 telephone interviews were conducted for the study, which involved speaking to a total of 41 people in the period from June to October 2012. Finally, court judgements were analyzed to ascertain how the Dutch courts used retention data as evidence in criminal trials.

Remote communication, developments and implications

In recent years the mobile telephone has been replaced by the smartphone, and many people are online 24/7 these days. The use of smartphones means that people are much more likely to communicate in the form of short messages via apps and email, and phone calls are being made increasingly online as well.

Technological innovations and the accompanying fragmentation of communication and the use of various online services makes it difficult to keep track of all of a person’s remote communication. Additionally, not all traffic data that is generated is covered by the law. Many internet users have email accounts with webmail services such as Hotmail, Gmail or Yahoo, which are provided by a foreign company. Consequently, the data is not necessarily retained for Dutch criminal investigation purposes. The same applies to providers of services in the cloud. In cases where investigative services want to obtain traffic data from foreign suppliers nonetheless, they need to submit a request for legal assistance and have to wait and see whether the data is still available.

The legislative history and European regulations on the Data Retention Directive

Partly in response to the terrorist attacks in Madrid in 2004 and in London in 2005, 3 May 2006 was the introduction date of the EU Directive aimed at guaranteeing that certain telecom and internet data are retained and kept available for the investigation and prosecution of serious crime.

Retained data

Section 5 of the Directive stipulates the categories of data to be retained with regard to aspects including the designation, the date, the time and the duration of the communication. It is not permitted to retain data from which the content of the communication can be derived. The Member States were required to convert the Directive into national legislation by 15 September 2007; an extension was given until 15 March 2009 for the obligation to retain internet data. Not all the Member States have converted the directives into legislation. The term ‘serious crime’ has not been defined in the directives. This is reflected in the various grounds laid down in the legislation of the Member States that facilitate access to the retained data for criminal investigation and prosecution purposes. As with the duration of the retention period, the harmonisation envisaged by the EU legislation has only been achieved to a limited extent.

Privacy

The Act affects the privacy of members of the public. In the first place, the storage of telecommunication data involves a risk of unauthorised persons – such as hackers – gaining access to that data. A second, different type of breach takes place as soon as the police and judicial authorities are granted access to retained data in the context of an investigation. According to the ECHR(2008, 30562/04) it is permissible to limit the right to privacy only if provided for by law and necessary in a democratic society.

The Dutch Code of Criminal Procedure (CCP) stipulates who has access to the retained telecom and internet data and under which conditions. The Public Prosecutor can claim the issue of traffic data (Article 126n and 126u CCP) if there is a suspicion of an offence that merits pre-trial detention or a reasonable suspicion that crimes are being planned or committed in an organised context. An investigating officer can claim identifying data (Article 126na, 126ua CCP). The details that can be obtained are what are known as the user details (name, address, place of residence, number and type of service). If there are indications of a terrorist offence, the Public Prosecutor can obtain traffic data (Article 126zh CCP) and an investigating officer can claim user data (Article 126zi CCP). For an exploratory investigation into terrorist offences the Public Prosecutor can also claim databases of public and private bodies in order to have their details processed (Article 126hh CCP).

The retention and securing of the data in practice

The regulatory authorities

Compliance with the rules is supervised by the Telecom Agency Netherlands, which operates as an independent regulatory authority and supervises compliance with the Act. The Telecom Agency is a division of the Ministry of Economic Affairs and reports directly to the Minister of Economic Affairs. Additionally, the Dutch Data Protection Authority regulates all statutory regulations concerning the retention, use and processing of personal data.

The providers

Meetings were held with four providers in order to gain an understanding of how they approach the obligations under the Act. Prior to the retention obligation being introduced the retention periods varied between companies. Despite the Act’s long start-up period, its implementation proved to be a sizeable project for the large providers.

The two large providers interviewed for this study, maintain a database filled with data to be retained under the Act. This data is automatically destroyed when the retention period ends. A small provider interviewed for this study only recently actively started operating the retention periods because the quantity of data to be retained became too large. When they receive a request, the data applied for has to be taken manually out of the system by an employee.

The government has reached an agreement with the large Dutch suppliers concerning compensation for the personnel needed to issue data retained under the various Acts and government regulations. Small providers are not covered by this arrangement.

The owners of a fourth interviewed supplier recognise themselves in the documentation of the Telecom Agency as parties obliged to retain the traffic data of the email services they offer, but indicate that they do not comply with this for idealistic reasons. The researchers have asked the Telecom Agency whether the services offered by this company are subject to the retention obligation. According to the Telecom Agency they are not, but it acknowledges that certain parts of the legislation have become unclear owing to technological innovations.

Regulatory authority

The Telecom Agency also oversees the implementation of operational processes. The supervision is provided for in a monitoring cycle in which the data suppliers are questioned about how they retain, secure and destroy the data. However, the Telecom Agency does not have the instruments and powers to monitor the content of the retained and delivered data. Section 18.7 (2) of the Dutch Telecommunications Act expressly stipulates that the regulatory authority is not authorised to retrieve traffic or location data retained by the providers under Section 13.2a of the Telecommunications Act.

The use of historical traffic data in practice

The Act makes a clear distinction between telephony and internet traffic data. To be perfectly clear, this report maintains that distinction. But in practice the distinction has virtually faded away and experts feel that the Act operates an incorrect division into two categories.

What is retained?

The appendix to Section 13.2a of the Telecommunications Act contains a summary of the telephone data to be retained. This data includes the number of the caller and the party called, the time and duration of the call and the location. This data must be kept for a period of one year. The content of a call or an SMS is not subject to the retention obligation. The traffic data of the sent or received message is subject to that obligation. Attempted calls in which no connection is made fall under the retention obligation as well.

What is at stake?

According to crime investigation professionals historical traffic data is retrieved in virtually all larger criminal investigations in which suspects or victims may have used their telephone. In 2012 the number of claims for the disclosure of telecommunication data totalled to 56,825.

These claims were used to obtain information about the use of the telephone and possible IP-traffic, such as: the number that was used to make the call, when the call was made, the duration of the call and from which location, and whether there was any online contact. This information plays an important and highly valued role in criminal investigations. If an investigating team wants to obtain traffic data, it has to obtain the approval of the Public Prosecutor. The investigating team has to indicate what it is seeking to achieve with the information, and obtaining the information must be proportional and observe the principle of subsidiarity. The intentions of the investigating teams in obtaining traffic data can be placed in a number of categories: (1) to identify a user, (2) to establish contacts, (3) to determine a location, (4) to trace an IMEI number, and (5) to make a decision on capacity before wire tapping.

Relevance and retention period of telephony data

All of the interviewed professionals and experts said that they found historical data on telephone traffic to be highly relevant. A number of interviewed crime investigation professionals indicated that they not only wanted to obtain the start location (first cell) of a telephone call, but also the end location (last cell). However, the location where a call ends, i.e. the final connection with a transmission tower, is not stated in the appendix to Section 13.2a of the Telecommunications Act.

It emerged from the interviews that most of the professionals and experts among the police felt that the one-year retention period is sufficient for the work that they do.

Historical internet traffic data

What is retained?

Historical traffic data concerning internet and email usage can yield information about matters such as the IP addresses someone has used, and the email contacts of the sender and receiver. The content of calls, messages or emails and search terms entered in a search engine and the IP addresses of searched internet pages are not covered by the retention obligation.

Relatively little deployment

During the interviews conducted for this study, it became clear that the criminal investigation professionals had little or no knowledge of how historical data concerning internet traffic could be used for crime investigation purposes. Additionally, the work related to internet matters is often carried out by experts because the digitisation of today’s society does not yet form part of the day-to-day work of many investigating officers. At the same time we established that technological developments move at a very fast pace. So fast that it is difficult even for the scarce experts to keep up with them.

Historical internet traffic data is often retrieved in response to a crime or offence committed with the aid of or via the Internet, such as sending threatening emails, internet fraud, human trafficking and the distribution of images of child sex abuse. The most important reason given for retrieving data is to identify a user or a connection. Fixed IP addresses usually remain unchanged for longer periods and the use can easily be traced either at the provider or at the Telecommunications Research Information Centre (Centraal Informatiepunt Onderzoek Telecommunicatie). However, identifying a mobile internet user on the basis of historical traffic data is a laborious process and in many cases not possible.

The relevance and retention period of internet data

According to various experts the majority of data described in the appendix to Section 13.2a of the Telecommunications Act is out-dated. The regulation is no longer in keeping with today’s internet usage or with the technological developments that have taken place in this area since the Telecommunications Act was introduced in 2009. This has led to the retention of data of members of the public that is not or is only barely used by the criminal investigation services. A meticulous review of the regulation governing IP traffic and the retention of IP data therefore appears appropriate.

The professionals and experts interviewed for this study, who are familiar with the internet traffic data, all believe that the six-month retention period is too short; there is clearly a need for IP traffic data that goes back further in time for criminal investigations into offences for which this data is retrieved.

The retrieval of transmission tower data

Retrieving traffic data based on a location yields information about all mobile telephones which, in the indicated time frame, have been called, have made calls or had an internet connection via the tower location in question. For permission to retrieve transmission tower data there must be a suspicion of an offence as specified in Article 67 (1) of the Code of Criminal Procedure and the use of the data must be in the interest of the investigation.

Transmission tower data is retrieved mainly for serial offences. In such cases the data of various locations are compared, with the intention to pinpoint a recurring number. Of course, this investigation method only has a chance of success if the suspect used his telephone around the time of the offence.

Alternative?

Opponents of the retention obligation regard the targeted freezing of data as being a less privacy-violating solution because this involves a specific data set that is retained for longer, rather than retaining all the data of all of a provider’s customers. None of the experts we spoke felt that freezing data was a comparable or equivalent alternative to a general retention obligation because this would rule out the possibility of retrieving data retained a longer time ago. To be able to use this data it is necessary to know in advance – while the data is still available and can be frozen – what data will be needed at a later date. Given that it is sometimes not until later that offences come to the knowledge of the police, and suspects are sometimes not identified until long after a crime has been committed, it is necessary to retain this data for later use in the criminal investigation process.

The use of traffic data in figures

The Telecommunications Act makes it compulsory to annually publish the number of data requests about telecommunications traffic data made by criminal investigation services (Section 13.4 (4) of the Telecommunications Act). In 2012 a total of 56,825 claims for the disclosure of traffic data were made. However the number of claims announced by the Minister also includes data not covered by the Telecommunications Data (Retention Obligation) Act.

It should also be noted that the retrieval of telecom data in the Netherlands is registered by telephone number, IMEI number, IP address or ‘transmission tower location’ on which data is retrieved. These figures do not provide an insight into the number of people whose telecommunication data is retrieved each year, or the number of criminal investigations or the nature of the investigations for which the data was retrieved. Neither do the figures provide any insight into the extent to which a claim has actually resulted in data being issued.

Court rulings

This report also provides an insight into the use and value of traffic data in court rulings. A total of 74 rulings dating between July 2012 and February 2013 were found in which the term historical traffic data concerning telephony occurred. This data was generally used in the rulings to demonstrate ‘contact between suspects’ and ‘locations’.

A search of court rulings in which IP traffic data was used in the judgement, yielded 26 rulings in the period from January 2009 to February 2013. This IP data was mentioned mainly in the rulings concerning criminal investigations into child pornography. More than half of the judgements concerned the downloading and/or distribution of images of child sex abuse. The retrieval of this data is not so much about where the suspect was and with whom he communicated, but rather whether the suspect could be linked to the internet address that was used or other user data.

 

EOF

Cyber Security Assessment Netherlands #4

On July 10th 2014, the Dutch government published the fourth edition of the “Cyber Security Assessment Netherlands” trend report, aka “CSBN-4”. The Minister of Security & Justice responded (.pdf,in Dutch) to it. For me, these were some key takeaways:

  • The Dutch central government will include security by design and privacy by design in its tenders, and calls upon other parts of government to also do that (we will have to see how this materializes);
  • The government is building a National Detection Network and launched a National Response Network (some FOIA’d documents are here);
  • The National Detection Network currently consists of five partners, including:

    1. the National Cyber Security Center (NCSC), which is part of the Ministry of Security & Justice;
    2. the General Intelligence & Security Service (AIVD), which is part of the Ministry of the Interior;
    3. the Military Intelligence & Security Service (MIVD), which is part of the Ministry of Defense.
  • Several other parties have signed up for the National Detection Network; based on this document I believe these could potentially include private sector parties;
  • The government asked Scientific Council for Government Policy (WRR) for advice on three questions (this advice will probably take a few months):
    1. Is a stronger distinction needed between the access to and use of data in Big Data?
    2. How can it be ensured that the process of profiling, “datamining” and other analytical techniques for the purpose of security are sufficiently transparent?
    3. What does the advent of quantum computers mean for the process of data processing for the purpose of security?

Here is my translation of the four key findings in CSBN-4 as described by the Minister (emphasis is mine):

1. Potential impact of digital attacks and disruptions increases due to fast digitization

In CSBN-3 it was found that the dependence on ICT is significant and increasing due to development such as hyper-connectivity and cloud computing. In CSBN-4 it is evident that this trend continues unabated. This increases the potential impact of attacks and disruptions. Preventing social disruption caused by a disruption or failure of vital products and services has the constant attention of the government.

  • In the context of preventing social disruption as a result of the failure of vital goods and services, the governments maps, in collaboration with vital organizations, which ICT-based services and processes are vital. This involves a program that, based on risk analysis, establishes basic requirements concerning the safety of vital services and processes. In addition, a training program or module is developed for response in major ICT incidents.
  • In European context, among others, the improvement or development of standards is pursued that promote the safety of ICT products. The Global Conference on Cyber Space 2015, which takes place in the Netherlands next year, will also focus on this.
  • For its own system, the (central) government takes ‘security by design’ along in tendering processes, to make systems more secure and limit the impact of a possible disruption. Other parts of government are called upon to do the same.
  • An exploration is ongoing of the feasibility of separate ICT networks and services for public and private vital processes.
  • 100% security does not exists. But we can pursue a strengthened commitment and cooperation in detection, analysis and response capabilities so that cyber attacks can be quickly detected and the damage is as limited as possible due to a rapid and adequate response.
  • In April 2014, a pilot started in the government in the context of the development and expansion of the National Detection Network (NDN). This pilot will run for six months. At the end of 2014 there will thus be a tested and robust set-up for detection. The experiences in the pilot are leading for the next step, namely connecting new partners outside the real of the (central) government.
  • The National Response Network (NRN) was launched in April 2014. The five partners agreed on cooperation covenants governing mutual assistance in case of incidents. In the fall, these partners will deliver proposals to establish joint risk assessments, exercises and reciprocal internships. From the National Cyber Security Center (NCSC), several organizations are currently supported in the design of their own response capacities to contribute to the NRN. Also a number of new potential partners signed up. Thus the NRN will be further expanded.
  • The capacities and position of the NCSC are strengthened. Also, the research and analysis capacities of the NCSC, the National Police, the General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) will be strengthened to improve the understanding of threats and risks in the digital domain.
  • The potential for the deployment of digital capabilities of the Ministry of Defense in preventing and fighting off attacks on critical infrastructure, under civil authority and within the applicable legal frameworks, are developed further.

2. Lack of ICT sustainability and increasing interconnection pose risk to public safety

In CSBN-4 it is again noted that the vulnerability of ICT is high due to the discovery of new vulnerabilities and the development of new services and innovative equipment. The sustainability of ICT also poses a risk to public safety as a result of the increasing interconnection of ICT. This is especially a major concern when it comes to preventing social disruption caused by the disruption of vital products and services.

  • Legacy systems and other potential risks in the critical infrastructure are being mapped. These include systems where the risks related to ICT sustainability plays a role. The results will be included in the broad approach towards critical infrastructure.
  • As indicated above, digital security will be considered in the approach to critical infrastructure, in which the government along with vital organizations maps risks and, among others, a program is started that establishes (basic) requirements for safety.
  • The sector regulators are consulted in the establishment of security requirements for supervision. The risks related to ICT sustainability will be included in this process.
  • In the third national Alert Online campaign from October 27 to November 6, attention is paid to the issue of ICT sustainability. It will also be aimed at individual users who can equally be faced with this problem. An example is the cessation of support for Windows XP, for which security updates are no longer provided. It is important that people are aware of digital risks so they can take their own responsibility for the sake of personal digital safety. In this context, the website Veiliginternetten.nl will also be launched. During the Alert Online campaign, users will be informed about the risks of using the internet. The website is a collaboration between the Ministry of Economic Affairs, the Ministry of Security and Justice and ECP platform for the information society.

3. The threat posed by criminals and state actors remains high

The number of digital espionage attacks has increased, as well as their complexity and impact. Almost every foreign intelligence service has invested in its digital capabilities in recent years. Dutch public and economic interests may be seriously harmed by digital espionage. The Netherlands should continue to be a ‘safe place to do business’.

  • The government is investing in an increase in the overall digital defensibility, partly to increase defensibility against digital espionage. So this investment involves strengthening capacities aimed at the detection, fighting off and mitigation of attempts at digital espionage, such as detection, analysis and response capabilities. Also the research and analysis capabilities of the NCSC, National Police, AIVD and MIVD will be strengthened in order to gain insight into threats and risks in the digital domain such as digital espionage.

In the field of cybercrime, an increasing professionalization and internationalization is observed. This makes available (complex) digital attacks to less (digitally) experienced or resourced criminals.

  • Cybercrime is vigorously addressed. For this purpose, (criminal) legislation is strengthened. Important, in this context, is the Computer Crime Act III that gives the National Police more strength in the area of cybercrime. Internationally, the strengthening of cooperations and the harmonization of legislation is pursued.
  • In addition to strengthening (criminal) legislation, the capabilities of the National Police will be strengthened quantitatively and qualitatively so that more cybercrime cases can be addressed.
  • The use of botnets will be addressed as well. About this approach I recently separately informed the Parliament during the General Meeting of March 27th 2014.

4. Privacy pressured by technical possibilities to collect data

In CSBN-4 it is found that due to technical possibilities to collect data, privacy is under pressure. The trend of in which increasingly more aspects of our daily lives, such as search and consuming behavior music preferences that are directly or indirectly digitally recorded will continue in the coming years. It is a development that is closely related to the business model of many popular (free) products and services. A tension exists between freedom, social growth (including economic development) and safety. This tension is also described in NCSS-2, the note “Freedom and security in the digital society, an agenda for the future” (Parliamentary Papers 26643, No.298) and the vision on e-privacy (Parliamentary Papers 32761, No.49). This trend is thus explicitly on the agenda of the government. I have asked the Scientific Council for Government Policy (WRR) for advice in relation to these issues.

  • The WRR has been asked for an opinion that elaborates on three main questions:
    1. is a stronger distinction needed between the access to and use of data in “big data”;
    2. in the use of “big data”, how can it be ensured that the process of “profiling”, “datamining” and other analytical techniques for the purpose of security are sufficiently transparent; and
    3. what does the advent of quantum computers mean for the process of data processing for the purpose of security.
  • In addition, initiatives focused on privacy by design have received additional priority:
    1. The (central) government takes “privacy by design” into account for its own systems, systems in which privacy aspects have been taking into account during the design, during tendering processes. Other parts of government are called upon to do the same.
    2. In European context, among others, the improvement or development of standards is pursued that promote privacy in ICT products.

EOF

June 15th 2014: Dutch Joint Sigint Cyber Unit (JSCU) officially started

UPDATE 2015-07-02: the Dutch government released their draft intelligence bill into public consultation. Details here.

UPDATE 2014-09-30: example JSCU/MIVD vacancy: scientific researcher on cryptanalysis for the JSCU’s Decryption and Crypto Development Bureau (in Dutch: “Bureau Ontcijfering en Crypto Development”, or BOCD).

UPDATE 2014-07-08: correction: JSCU officially started on June 15th, not on July 3rd; the latter was the date the Parliamentary Papers appeared. Kudos to @electrospaces for the correction.

The Dutch Joint Sigint Cyber Unit (JSCU) was officially launched today on June 15th 2014. My translation of the JSCU’s tasking according to the covenant (.pdf, in Dutch):

Article 1: Task description
The JSCU is a joint supporting unit of the AIVD and the MIVD that, commissioned by and under the responsibility of the AIVD and MIVD, is tasked with:

a. the collection of data from technical sources;
b. making accessible data from technical sources such that the data are searchable and correlation within and between these sources is possible;
c. supporting the analysis, notably in the form of data analysis, investigation into cyber threats and language capacity;
d. delivering Sigint and Cyber capability in support of the intelligence requirements of the AIVD and the MIVD, potentially on-site;
e. innovation and knowledge development on the task areas of the JSCU.

My translation of the announcement (in Dutch) of the launch (I translated as literally as possible):

With the launch of the Joint Sigint Cyber Unit (JSCU), the General Intelligence & Security Service (AIVD) and the Military Intelligence & Security Service (MIVD) take an important step in better protecting the national security and our digital networks against threats, and at the same time better support our soldiers on missions. A successful cooperation requires proper arrangements. These arrangements are laid out in a covenant [.pdf, in Dutch] that is signed by the Minister of the Interior and the Minister of Defense.

The joint unit is specialized in Signals Intelligence (Sigint) and Cyber. Sigint includes information collection from (tele)communications. Cyber is a collective term for various activities related to computer networks and data streams. Think of mapping the internet landscape in a (new) mission area, informing partners about a dangerous computer virus or hacking a terrorist website that threatens national security.

The government is committed to further cooperation between the AIVD and the MIVD. One major reason for this is the bundling of scarce knowledge and resources. Considering the speed of technical developments in the field of Sigint and Cyber, pooling of knowledge and resources within the JSCU is not only desirable, but a necessity.

The JSCU is a logical consequence and intensification of the ongoing cooperation on the area of Signals Intelligence in the National Sigint Organisation (NSO). Together with other specialist parts of the AIVD and the MIVD, the NSO is merged in the new partnership. The JSCU is not an independent entity, but part of the AIVD and MIVD.

Like the other tasks of the two services, the task performance of the JSCU is bound by the Intelligence & Security Act of 2002. Oversight is carried out by the Review Committee on the Intelligence and Security Services (CTIVD).

The announcement was accompanied by two infographics:

Earlier this week the Dutch government partially reversed budget cuts on intelligence & security service AIVD, citing increased threats. One category of threats concerns the promotion of jihad through social media by Dutch jihadists and the threat of Dutch persons returning from jihad in Syria. This is described in the report Transformation of jihadism in the Netherlands: swarm dynamics and new strength that accompanied the announcement that the budget cuts will be partially reversed. The AIVD states that since 2012, some 130 Dutch persons went to Syria, of which 14 got killed.

After the Parliamentary summer recess, which ends on September 1st 2014, the Dutch government will send a proposal to the Dutch Parliament for changing the Intelligence & Security Act of 2002. Notably, it is expected that the proposal will include a broadening of interception powers such that the AIVD and MIVD are permitted to perform undirected (i.e., bulk/mass) interception of cable communications. That would allow the Dutch intelligence services to carry out programs such as GCHQ’s Tempora and NSA’s Special Source Operations (SSO), that feed PRISM. Our legislative regime and oversight mechanism is different from that in the U.S. and the U.K., but one thing is the same: the oversight on existing SIGINT powers in the Netherlands is broken too. It is still unclear how that problem will be addressed by the government.

The Netherlands is a member of the SIGINT Seniors Europe (SSEUR). Whether it should be expected that the Netherlands will participate in the NSA’s RAMPART-A (.pdf, 2010) program, i.e., allow the NSA unrestricted (?) access to cable communications intercepted by the Dutch services, I don’t know. In their article Bound by Silver Cords — The Dutch Intelligence Community in a Transatlantic Context (2012), Dutch academics Beatrice de Graaf and Constant Hijzen suggest that different privacy laws, human rights concerns and legal standards of the Dutch services “put a brake on their relationship with American services and agencies”.

EOF