The (il)legality of hacking, acquisition, exchange of social media, webfora by Dutch intel agency in 2011-2014

UPDATE 2014-12-21: it is somewhat remarkable that CTIVD did not address this topic — especially hacking of web fora — in earlier publications, e.g. in 2011, 2012 or 2013. Possibly the CTIVD viewed hacking as less infringing because it does not require prior approval from the Minister, and the CTIVD rather spent its limited resources on investigating the use of interception powers, which do require prior approval from the Minister.
UPDATE 2014-09-05: addendum: Overview of legal framework used to assess Dutch intelligence activities involving social media 

Remember the media report “Dutch intelligence agency AIVD hacks internet forums” by NRC Handelsblad in November 2013? The oversight report (.pdf, in Dutch) released today by the Dutch Review Committee on the Intelligence and Security Services (CTIVD) concludes that in the period January 1st 2011 to January 1st 2014, certain activities carried out by the AIVD related to social media, including webfora, were carried out unlawfully. The general picture is certainly not one of lawlessness abound at the AIVD — all cases of hacking were found to have been carried out lawfully —, but various instances of unlawfulness were found related to lack of (legally required) reporting, lack of (legally required) approval, lack of (legally required) motivation, and violation of (legally required) proportionality.

Translation of the summary (emphasis is mine):

Social media play a large role in social interaction in the present time. For the AIVD, social media have thereby become an important source of intelligence. Because of the extent of communication on social media and the ease of participating, the meaning of messages cannot always be quickly determined: is a threatening tweet a serious indication of profound radicalization or a desperate expression of an angry teenager? Society may expect from the AIVD that the service responds appropriately to developments on social media in the course of carrying out its tasks. Concerning these activities, in the present investigation, the Commission inquired into whether the AIVD acts in accordance with the law.

Given the tasks of the AIVD, it is important that it remains secret whom is investigated and how. This secrecy allows room for speculation, especially since in 2013 information has come out about the activities of some foreign services. In relation to the AIVD, media reports and public discussions were often about the following questions:

  • how does the AIVD use social media?
  • what is the AIVD allowed to do concerning social media, and does the AIVD respect the law?
  • what does the AIVD do with data collected from social media?
  • how does the AIVD cooperate with foreign services?

The Commission has taken these questions into account on the basis of factual research and file research at the AIVD and the legal framework of the Dutch Intelligence & Security Act of 2002. The research was focused on the period between January 1st 2011 and January 1st 2014.

When the Dutch Intelligence & Security Act of 2002 was written, the Internet did not have the role it currently has, and social media were still emergent. The application of “classical” powers in the “new” digital context, such as the use of agents and observation on internet, forces the AIVD to think about how the national security must be guaranteed in relation to privacy protection and the legal safeguards therefore. The service must, after all, act strictly in accordance with the law. This means, among others, that every infringement on privacy rights must be based on law, and can only be made if it is necessary. This infringement should be in a reasonable proportion to the purpose and no less infringing means must be available. In the development of new techniques, the AIVD must be constantly aware of this, and fundamental questions need to be recognized timely.

The Commission notes that the Dutch Intelligence & Security Act of 2002 provides, on most aspects, a sufficient legal framework to assess legality of the use of social media. In addition, the Commission notes that the AIVD undertakes many efforts to maintain the technical developments on the area of social media. The policy of the AIVD that describes the safeguards for privacy protection has, however, lagged behind in some areas. Notably the motivation of the use of powers and the reporting of operations (instructions, yields) lags behind of what may be expected of a lawfully operating service. The Commission understands that in the pioneering phase, it was not immediately clear how these essential safeguards had to get a permanent place in practice, but now that the AIVD is beyond the pioneering phase, it can be expected that the applied methods are embedded into solid procedures.

The interaction between users of social media partly takes place in the public domain. Just like everyone else, the AIVD can take note of that. The AIVD may collect this data on the basis of its general powers. An important boundary to this data collection is the degree of invasion of privacy. Once an activity constitutes an infringement of privacy, a specific legal basis must be present. In addition, this activity should also increasingly be surrounded with safeguards as the infringement is more severe. The Commission has in its investigation into data collection on the basis of the general powers not found any wrongdoing.

Because of the gravity of the infringement of privacy, in this investigation focus was mostly given to some special powers, such as the use of agents. On social media, communication takes place that is relevant to the tasks of the AIVD. The AIVD responds to this by deploying agents on these media. They may use fictitious identities in this. Agents also may, under strict conditions, commit crimes, for example in order to remain in sync with the circle in which the agents are deployed.

The Commission has studied several agent operations. Concerning external agents, the Commission finds that the AIVD acts carefully and heedfully. However, concerning the AIVD’s own employees, the operations often lack proper reporting. In five agent operations involving AIVD employees using a virtual [sic?] identity on social media, the lack of reporting is such that those operations are found to have been carried out unlawfully. For the security of the agents, the internal accountability and the external oversight by the Commission, the reports are of crucial importance. The lack of reporting is also found in operations that involve an approval to commit crimes. The Commission finds that hereby also this approval has been executed unlawfully. Recently, however, the AIVD has recognized several problems in the guidance and support of the agents operating online, and started efforts to improve on this.

Providers of social media often store metadata or content of communications in data sets. This also happens with web forums. The AIVD can perform targeted queries on such data sets through various methods. When necessary, the AIVD may also attempt to acquire the entire data set. This can be achieved through various methods, such as human sources, hacking, or a foreign service. The more generic a data set is, it can be said that its collection is less targeted. In that case, more stringent requirements apply to the advance motivation, specifically a heavier assessment of proportionality. In these cases, data are collected about persons that are not relevant to the tasks of the AIVD.

The Commission finds that the motivations for the collection of a large number of web forums are insufficient. Concerning five agent operations in which webfora have been collected, the Commission finds that the motivations are such insufficient that the approvals for this were given unlawfully. In most cases, however, the Commission is convinced that the collection of these webfora was necessary and fits within the tasks of the AIVD. In four (other than aforementioned) cases, the Commission finds that the collection of certain webfora was not proportional, and therefore unlawful. This concerned larger webfora for which the expected yield is not proportional to the infringement of privacy of users of the webfora that were not targeted as part of ongoing investigations.

Data collected by the AIVD through the use of special powers in the context of the security task or intelligence task of the AIVD, can be used for other tasks as well, such as carrying out security screenings. The Commission is of the opinion that this only applies to evaluated data; data that, after (metadata) analysis, have actually been found to be relevant to an operational investigation. Making the unevaluated (raw) data of webfora accessible for the purpose of security screenings is unlawful. The law does not provide an adequate legal basis for this.

As the Commission has stated in a previous oversight report, the law does not prescribe a retention period for unevaluated (raw) data. The Commission recommends the AIVD, in anticipation of a possible change of the law, to establish retention periods itself. In the current investigation it was examined whether the acquired webfora can be retained of good grounds. The Commission finds that the AIVD was allowed to retain the data concerning the webfora studied, insofar it was lawfully acquired.

Because communication via social media is hardly bound to national borders, the investigations of the AIVD related to social media often touch upon the interests and legal systems of other countries. On the one hand, the targets of the service are often active internationally. On the other hand, operating in an online context, such as by an AIVD agent, often involves data collection that are (also) relevant to other countries. The mutual interest of working together can hardly be overestimated. Web forums can contains very large amounts of data that are not only important to the Netherlands. The Commission emphasizes the importance of good agreements with foreign services in order to reduce the risk that relevant data are overlooked.

The Commission has found no indications that the AIVD circumvents its own powers through cooperation with foreign services. Furthermore, the Commission has found no unlawfulness in respect of operations that the AIVD has conducted. Here, in general, the AIVD acts carefully and thoughtfully, and sufficient reporting is done.

Finally, the Commission has paid particular attention to the AIVD sharing acquired webfora with foreign services. In nearly all examined cases, the AIVD acted lawfully. The following exceptions were found to that general picture. The AIVD has acquired a number of webfora at the request of foreign services. If a webforum is acquired for a foreign service while that forum is not important to an ongoing investigation of the AIVD, that constitutes the provision of support to the foreign service. The Commission finds that the AIVD acted unlawfully in four cases, because Ministerial approval was lacking. In a fifth case, the AIVD shared a webforum with a foreign service while the Commission finds that its acquisition by the AIVD was not proportional. The acquisition and then sharing of this forum thus was unlawful.

What’s next in the Netherlands? This:

  • the Dutch government still needs to respond responded (Nov 2014) to the EU Court of Justice’s rejection (Apr 2014) of the EU Data Retention Directive;
  • the Dutch Cybercrime III bill, that among others would legalize LE hacking, has been approved by the Dutch cabinet and the Council of State of the Netherlands is currently being consulted for advice. The bill will then be treated in our Parliament and, later on, our Senate;
  • the Dutch government is expected to propose a bill in 2014 to change the Dutch Intelligence & Security Act of 2002. The current law was reviewed in 2013, and one of the reviewers’ recommendations is to extend the SIGINT power from only non-cable communications (e.g. satellite, radio) to all communications. That could make it legally possible for the Dutch intelligence agencies, specifically by their Joint Sigint Cyber Unit (JSCU), to carry out programs such as seen in GCHQ’s Tempora and NSA’s DANCINGOASIS, or participate in NSA’s RAMPART-A. The Dutch intelligence agencies can currently only carry out SIGINT on non-cable communications such as radio and satellite. Considering that the motivation for the use of the existing SIGINT powers has been structurally insufficient for years, I’m a bit worried;
  • the CTIVD is expected to publish three more oversight reports in 2014:
    • the use of SIGINT powers by the AIVD in the period September 2012 to August 2013 [now available];
    • the cooperation between the AIVD and foreign services;
    • the cooperation between the MIVD (=military) and foreign services.

Related posts:

EOF

Leave a Reply

Your email address will not be published. Required fields are marked *