UPDATE 2014-09-05: this page is also available in Dutch.
Yesterday I blogged about the new oversight report (.pdf, in Dutch) concerning the activities of the Dutch General Intelligence & Security Service (AIVD) involving social media, such as acquiring the databases of web forums through hacking, human sources and/or exchange with foreign partners. The (non-classified) appendix to that report provides an overview of the legal framework that the oversight committee applied in the course of writing the report. Here is my translation of that overview, including links to the relevant parts of the Dutch Intelligence & Security Act of 2002 (Wiv2002). Feel free to ask questions (bear in mind that I’m not a legal expert, though).
Passive investigation on social media
Requirement |
Implementation |
Legal basis |
Articles 6 and 12 Wiv 2002 |
Definition |
Investigation through open sources |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source or reliability (12) |
Limitation |
– only use third party data if necessary (13) |
|
– in case of more than small infringement on rights, review the intent and the nature of the methods and data collection |
|
– systematic targeted investigation (20) |
|
– operating under a cover (21) |
Observation of persons on social media
Requirement |
Implementation |
Legal basis |
Article 20 Wiv 2002 |
Definition |
Person-focused investigation which, considering duration, location, intensity, frequency or tools must be qualified as systematic |
Approval |
By team leader |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source or reliability (12) |
|
– motivation (20) |
|
– reporting (33) |
|
– only use third party data if necessary (13) |
Limitation |
– only use third party data if necessary (13) |
|
– necessity, proportionality and subsidiarity (18, 31, 32) |
Active investigation by agents on social media
Requirement |
Implementation |
Legal basis |
Article 21 Wiv 2002 |
Definition |
Operating with agents on social media, possibly using a cover |
Approval |
By director or head of unit, extension by team leader |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source of reliability (12) |
|
– motivation |
|
– reporting (21, sixth member, 33) |
Limitation |
– necessity, proportionality and subsidiarity (18, 31, 32) |
|
– prohibition on unacceptable incitement: ‘Tallon criterium’ (21, fourth member) |
|
– safety of the agent (15) |
|
– criminal offenses exist only with approval and instruction (21, third member) |
Acquisition of social media databases
Requirement |
Implementation |
Legal basis |
Articles 17, 21, 24, 59 Wiv 2002 |
Definition |
The collection of (parts of) databases from social media |
Approval |
Depends on authority |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source of reliability (12) |
|
– motivation (21, 24) |
|
– reporting (33) |
Limitation |
– only use third party data if necessary (13) |
|
– proportionality and subsidiarity (31, 32) |
|
– necessary for the a-task [national security] or d-task [foreign intelligence], unless article 17 is the legal basis (18) |
Using and storing social media databases
Requirement |
Implementation |
Legal basis |
Articles 6 and 12 Wiv 2002 |
Definition |
Analyzing, using, storing the data |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source of reliability (12) |
|
– data security, among others against unauthorized processing (16) |
|
– authorization policy (16, 35) |
Limitation |
– removing and destroying when data loses meaning (43) |
|
– the Commission previously recommended regulating retention periods by law, as well as regulating the processing of metadata |
|
– only use third party data if necessary (13) |
|
– necessary for the a-task [national security] or d-task [foreign intelligence], unless the data were acquired on the legal basis of article 17 (18) |
Exchanging social media data collections
Requirement |
Implementation |
Legal basis |
Articles 36 or 59 Wiv 2002 |
Definition |
Providing data collections to a foreign service and/or receiving data collections from a foreign service |
Approval |
By team leader, or head of unit (36) of minister (59) |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source of reliability (12) |
|
– keep notes (42) |
|
– third-party rule (37) |
Limitation |
– necessary for its own task (36) or |
|
– in the interest the foreign service represents (59) |
Person-focused querying of social media data collections
Requirement |
Implementation |
Legal basis |
Articles 17, 21 and 59 Wiv 2002 |
Definition |
Person-focused searching in databases through human sources or foreign services |
Requirements |
– use for a specific purposes, only insofar necessary (12) |
|
– appropriateness, diligence, making note of source of reliability (12) |
|
– writing down the instruction to agents (21, sixth member) |
|
– motivating if comparable to article 28 |
Limitation |
– proportionality and subsidiarity (31, 32) |
|
– necessary for the a-task [national security] or d-task [foreign intelligence], unless article 17 is the legal basis (18) |
Related posts:
EOF