UPDATE 2015-10-30: the Dutch government announced it has decided on a bill that revises the invalidated Telecommunications Data Retention Act of 2009. Changes are proposes to take into account recent Dutch and European jurisprudence: access to retained data will now require prior approval from a magistrate (specifically, in Dutch, a “rechter-commissaris”), and only be permitted regarding offenses that allow temporary remand (and thus only regarding offenses that carry a maximum penalty of four or more years imprisonment). The status of the bill can be viewed here (in Dutch). The government will consult the Council of State and then submit the bill to parliament.

UDPATE 2015-01-30: answers (.doc, in Dutch) to Parliamentary questions from MP Verhoeven, Schouw, Van Tongeren and Gesthuizen about the illegality of the Dutch telecommunications data retention act.

UPDATE 2014-12-19: handy table (.pdf, by the Open Rights Group in cooperation w/EDRi) showing status of data retention in various EU Member States following the ECJ ruling.

UPDATE 2014-12-16: Dutch government: Let’s keep data retention mostly unchanged (Bits of Freedom)

TL;DR: the Dutch government upholds the existing Dutch implementation of the EU Data Retention Directive and proceeds with its proposal for ANPR data retention. The Dutch government does, however, cater to the ECJ’s ruling through some cosmetic changes.

On November 17th, the Dutch government responded (.pdf, in Dutch) to the ECJ’s rejection of the EU Data Retention Directive in April. The response addresses consequences of the ruling for the current telecommunications data retention legislation in the Netherlands, as well as for the ANPR data retention bill that is being prepared.

The remainder of this post consist of a translation of the entire 18-page response as sent to Parliament by the Minister of Security and Justice, Ivo Opstelten. Translation was done as literal as possible; interpretation is limited to phrases that necessitate non-literal translation to avoid confusion. Questions and suggestions for correction/improvement are welcomed. Hyperlinks and parts in [] are mine.

Relevant reading: Evaluation report on the Dutch implementation of the EU Data Retention Directive (post of July 17th 2014 on evaluation report published at the end of 2013).

WARNING: this is an unofficial translation.

1. Introduction and background

On April 8th 2014, the Court of Justice of the European Union (hereafter: Court of Justice) in the cases of Digital Rights Ireland and Seitlinger ruled on the validity of directive 2006/24/EC (hereafter: data retention directive). This concerns court cases C-293/12 and C294/12 [sic; latter should be “C-594/12”]. The data retention directive was ruled invalid by the Court of Justice.

Following this ruling, the Dutch State Secretary for Security and Justice during the parliamentary Question Time on April 8th stated that Parliament would be informed as soon as possible, to be expected within eight weeks, about the consequences of this ruling for the data retention law in the Netherlands (Handelingen Tweede Kamer 2013/2014, nr. 72, item 2).

On April 10th 2014, through letter 2014Z06389/2014D13189, the Permanent Committee for Security and Justice asked me to respond to this ruling of the Court of Justice, and more specifically to address the following questions:

• Which (Dutch) laws are based on this directive? What does the ruling mean for the binding and execution/implementation of these laws?
• Does the Dutch law on retention of telecommunications data need to be updated?
• Does the ruling have consequences for telecommunications companies operating in the Netherlands and for other companies subject to this Dutch law? If so, what consequences?
• What consequences does the ruling have for broad methods of storage of personal data by the government that currently exist and/or that the government intends to introduce?
• What are the consequences of the ruling for the secret services?

On April 23rd 2014, through letter Kamerstukken I, 2013/14, 31 145, Y, the Permanent Committee for Immigration and Asylum / JHA Council [in Dutch: “vaste commissie voor Immigratie en Asiel / JBZ-Raad”] expressed that it considers the retention and storage of traffic and location data in accordance with the data retention directive to be a very extensive and severe infringement in fundamental rights, and asked the State Secretary for Security and Justice to state what measures will be taken, and when revocation or suspension of the data retention law concerning traffic and location data will take place.

During the General Meeting on the processing and protection of personal data on April 24th 2014, the Permanent Committee for Security and Justice and the Permanent Committee for European Affairs requested that the Dutch Data Protection Authority (CBP) and the Council of State be asked for advice about the ruling of the Court of Justice. The State Secretary for Security and Justice responded by stating that can not be ruled out that the eight week term would not be met (Kamerstukken II 2013/14, 32 761, nr. 64, pages 14-15 and 20). During the General Meeting on the JHA Council of June 4th 2014, the State Secretary of Security and Justice stated that some delay occurred and that he hoped to be able to provide more clarity by July (Kamerstukken II 2013/14, 32 317, nr. 246, pages 19 and 23).

On behalf of the government, the present letter addresses the consequences of the ruling of the Court of Justice in the cases of Digital Rights Ireland and Seitlinger for the data retention law concerning telecommunications data, and the Parliamentary questions following that ruling.

For the purpose of careful decision-making I have, through a letter dated May 20th 2014, requested the Vice President of the Council of State, on the basis of Article 21a, first member, of the Law on the Council of State, to provide me information about the question what the possible consequences of this arrest are to the national legislation on retention of telecommunications data for the purpose of investigation and prosecution of offenses. On July 17th 2014 I received a letter with this information from the Advisory Division of the Council of State. In the course of establishing the present response, this information has been taken into account. On the basis of this response, a draft bill has been developed, that will be submitted to the CBP for advice. The CBP’s advice will thereby be sought on the consequences of the ruling of the Court of Justice for the data retention law in the Netherlands. This offers the opportunity to currently inform you, the Parliament, about the government’s response following the aforementioned ruling of the Court of Justice, and to publish the information from the Advisory Division of the Council of State. The latter information has been added as an appendix to the present letter. The draft bill for changing the Telecommunications Act [official English translation available here] and the Code of Criminal Procedure concerning providing public electronic communication services has also been added to this letter for information.

2. The data retention directive

The data retention directive concerns the retention of telecommunications data. The directive was intended to harmonize Member States’ national regulations, and to establish requirements for providers concerning the retention of data generated or processed by them, so as to ensure that those data were available for investigation and prosecution of serious crime, as defined in national legislation of the Member States. This concerned so-called traffic data: data about the use of telecommunication by individuals. The data retention directive required Member States to ensure that certain categories of telecommunications data were retained for a minimum of six months and up to two years. The categories of data to be retained were listed in the directive. It concerned data about the number of the caller and the called party, time, duration, and location of the start of the connection. The contents of a conversation or text message were not included in the directive. Historic traffic data about internet concerned, among others, the email address of the sender and recipient, and the traffic data of digital telephony. The contents of conversations, messages or emails, keywords that have been entered in a search engine and IP addresses of internet pages [sic] that were visited, were not included in the directive. The data retention directive established that Member States would implement regulations to ensure that data retained under this directive are only provided to competent authorities in certain well-defined cases, in accordance with national law (Article 4).

3. Dutch legislation implementing the data retention directive (current law)

The data retention directive was implemented in the Netherlands by means of the Telecommunications Data Retention Act of 2009 [in Dutch: ” Wet bewaarplicht telecommunicatiegegevens”, Stb. 2009, 333], that got enacted per September 1st 2009, and the Telecommunications Bill of July 6th 2011 that changes the retention period for telecommunications data concerning internet access, internet-based email and internet-based telephony. Furthermore, the implementation of the data retention directive was followed by a change of the Decision Telecommunications Data Security of 2009 [in Dutch: “Besluit beveiliging gegevens telecommunicatie”, Stb. 2009, 350].

The Telecommunications Data Retention Act of 2009 provides an extension and change of Section 11 (protection of personal data) and Section 13 (lawful interception) of the Telecommunications Act (Tw). Providers of public telecommunication networks and services retain data, insofar these data are generated or processed within the context of the offered networks or services, for the purpose of investigation and prosecution of serious crime. The retention period is twelve months for data about telephony from a land-line or mobile network. For certain forms of internet-based telephony, such as VoIP, the functionality is so coherent with traditional telephony that the same retention period applies to such services. For internet data (internet access, internet-based email and other forms of internet telephony), the retention period is six months (Article 13.2a, third member, Tw). The categories of data to be retained are equal to those of the European directive. Following that directive, the retention period for so-called location data is increased from three to twelve months (Article 13.4, third member, Tw). This is for the purpose of data analysis to be able to trace data of holders of so-called prepaid cards (Decision Special Number Data Collection; in Dutch: “Besluit bijzondere vergaring nummergegevens”).

General criminal investigatory powers

Access to retained data is regulated in the Code of Criminal Procedure (and the Intelligence and Security Act of 2002). The Code of Criminal Procedure grants a public prosecutor [in Dutch: “officier van justitie”] the power to demand traffic data (Article 126n and Article 126u Sv). The use of this power requires suspicion of a crime for which remand is possible, or a reasonable suspicion that offenses are planned or committed in organized context that comprise a serious breach of the law. Besides the prosecutor, the investigating officer is itself authorized to demand so-called user data; this concerns data about name, address, place, number, and type of service. This concerns a far more limited category of data than the category of data that can be obtained on the basis of the power to demand traffic data. The use of this power is therefore not limited to cases involving serious offenses. The use of this power requires suspicion of an offense or a reasonable suspicion that offenses are plannen or committed in organized context (Article 126na and Article 126ua Sv).

Special powers for counter-terrorism

Lastly, the prosecutor and investigating officer have special powers concerning counter-terrorism. In case of indications of a terrorist offense, the prosecutor is authorized to demand traffic data (Article 126zh Sv). Besides the prosecutor, the investigating officer is itself authorized to demand user data in case of indications of a terrorist offense (Article 126zi Sv).

If an exploratory investigation is aimed at preparing the investigation of terrorist offenses, the prosecutor can, in support of the investigation, demand data files from public and private institutions for the purpose of having the data therein processed (Article 126hh Sv). The data files can be searched for certain profiles and patterns of act of individuals that are of importance to counter-terrorism. The use of this power requires a written warrant from the judge [in Dutch: “rechter-commissaris”]. This concerns a general power that can also be used on providers of telecommunication services or networks.

Data retained on the basis of the Telecommunications Data Retention Act are subject to the Dutch Data Protection Act [in Dutch: “Wet bescherming persoonsgegevens”, or “Wbp”] and Section 11 of the Telecommunications Act. The personal data that can be requested by the police and that are then processed for the purpose of investigation into offenses, are subject to the Police Data Act [in Dutch: “Wet politiegegevens”]. The oversight on compliance with the rules is exercised by the Telecom Agency (AT; in Dutch: “Agentschap Telecom”) of the Ministry of Economic Affairs and the Authority for Consumers and Markets (ACM), in cooperation with the Dutch Data Protection Authority (CBP). Providers are required to take suitable technical measures to protect the retained data from unauthorized use, to ensure that the data is only accessed by specially appointed persons, and that the data are immediately destroyed after the retention period (Article 13.5, second and third member, Tw). The Decision Telecommunications Data Security provides further rules concerning the protection of retained data. This concerns the requirement to take security measures to prevent unauthorized access, the screening of persons that have access to the data, and the destruction of data after the retention period.

4. The ruling by the European Court of Justice

In the ruling of April 8th 2014, the Court of Justice — at the request of the Irish High Court and the Austrian Verfassungsgerichtshof — examined the validity of the European directive, in particular in the light of two fundamental rights of the Charter of Fundamental Rights of the European Union [hereafter: “Charter”], namely the right to privacy (Article 7 of the Charter) and the right to family life (Article 8 of the Charter). These rights build on human rights and fundamental rights (ECHR). The Court of Justice finds that the European data retention directive is retrospectively invalid. The Court of Justice thereto considers that the data to be retained can provide very accurate clues about the private life of those whose data are retained, such as habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. It is not inconceivable that this eventually affects the right to freedom of speech that is laid down in Article 11 of the Charter (item 28). The infringement of the rights by the directive is wide-ranging and particularly serious (item 37).

The Charter requires that every infringement of rights and freedoms laid down in the Charter must be provided for by law and, subject to the principle of proportionality, limitations of these rights and freedom may be made only  if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others (item 38). The principle of proportionality requires that a EU regulation is “appropriate” to pursuing legitimate objectives of that regulation, and does not exceed limits to what is appropriate and necessary. According to the Court, the retaining of telecommunications data can be considered appropriate to pursue the objective of the directive (item 49).

The Court of Justice then examines whether the EU regulation lays down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data. The review of certain paragraphs of the data retention directive leads the Court of Justice to find that the directive does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter (item 65). It was concluded that the EU legislator exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter (item 69). The considerations underlying this ruling will be discussed below, in the discussion of the cabinet’s response concerning the consequences of this ruling for national legislation. The European Commission left open the possibility to propose a new directive till after the formation of the new commission. It is yet uncertain whether the new European Commissioner will take an initiative on this.

5. Consequences of the ruling to the Dutch legislation concerning data retention of telecommunications data

The precise meaning of the potential consequences of the ruling of the Court of Justice for the Dutch legislation concerning the retention of telecommunications data requires a diligent analysis. The Court of Justice first finds that retention of telecommunications data for the purpose of preventing offenses and fighting crime in fact serves an objective of general interest (item 44). Taking into account the increasing importance of electronic means of communication, the retention of these data are a valuable instrument to authorities in criminal investigations. The retention of such data is therefore appropriate for attaining the objective pursued by the data retention directive (item 49). The Court of Justice then considers that the regulation does not lay down clear and precise rules governing the scope and application of the measure in question, and does not impose minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data (item 54). The Court of Justice finds that the directive entails a wide-ranging and particularly serious interference with the fundamental rights laid down in Article 7 and 8 of the Charter, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary (item 65).

The consequences of the ruling by the Court of Justice will now be discussed, as well as Parliamentary Questions  that followed the ruling.

5.1. Can the Dutch legislation concerning retention of telecommunication data be upheld?

The first question is whether the Telecommunications Data Retention Act can be upheld, now that the data retention directive has been ruled invalid. The government answers that question in the affirmative. The Dutch law was established legally, on the basis of applicable procedures. The Advisory Division concludes that the mere fact that the Court of Justice found the data retention directive to be invalid, does not imply that national legislation that implements that directive is invalid. The Dutch legislator has a general authority to establish rules. The Dutch law already contains safeguards that exceed those of the data retention directive, such as the rules in the Code of Criminal Procedure about access to retained data. The established legislation must however be, or made to be, in accordance with the (new) explanation of existing fundamental rights concerning the protection of private life and the protection of personal data. This will be discussed later.

5.2. Is mandatory retention of telecommunications data necessary?

The government is convinced of the importance and indispensability of telecommunications data retention. Data retention ensures that certain telecommunications data are available to investigate and prosecute serious offenses. Existing powers in the Code of Criminal Procedure also allow demanding data from providers of telecommunication services, but without legally required data retention, it is not certain that those data are available at the provider. Rapid technological developments in communication technology make it uncertain whether the data, that are important to investigation and prosecution, are being processed by the providers for their own business operations and whether such data is available for investigation and prosecution. In addition to the data retention, the specific retention period is of vital importance, because the length of data retention directly affects the availability of data for investigation and prosecution. Specifically at a later stage it can turn out that certain telecommunications data are of importance to an investigation, without it being clear at the time of retention of the data that individuals are involved in serious offenses. Numerable examples can be given. One concerns an accomplice to two violent robberies in Rotterdam, in which the accomplice was not identified until ten months later. Another example concerns a rape in which the long-term investigation eventually led to the perpetrator, partially thanks to traffic data that proved that the suspect was in proximity of the victim at that time. Yet another example concerns international investigation into child abuse, in which children younger than ten years old were very severely abused. More than hundred IP addresses belonged to Dutch persons. But none of these cases could be investigated because the retention period had expired, meaning that the IP address could no longer be associated with an individual. A reference can be made to the publication [.pdf] by the European Union about the necessity of data retention in the European Union.

5.3. Does the Dutch legislation concerning retention of telecommunications data need to be changed?

The next question is whether the Telecommunications Data Retention Act must be changed, given the ruling by the Court of Justice. The government also answers this question in the affirmative. National rules on retention of telecommunications data are relevant to the free movement of services within the European Union and are, now that the data retention directive has been ruled invalid, within the scope of directive 2002/58/EC (ePrivacy Directive). On the basis of this directive, Member States can establish rules for retention of telecommunications data, if so necessary, reasonable and proportional in a democratic society to safeguard legitimate interests, including the prevention, investigation and prosecution of offenses. Member states can thereto take measures to retain data for a limited period for those aims. These measures must be in accordance with the community law, including the principles, as meant in the Charter and the ECHR. Because data retention is within the scope of the ePrivacy Directive (Article 15(1), ePrivacy Directive) and thus within the scope of European Union law, it also is within the scope of the Charter.

The Advisory Division finds that the Telecommunications Data Retention Act transposes the rules disputed by the Court of Justice, and that review of the Telecommunications Data Retention Act against the Charter leads to the concludes that this law, as well as the data retention directive, violate Article 7 and Article 8 of the Charter. It follows that national legislation must be changed insofar it is not in accordance with the Charter. The Dutch government subscribed to this view. Later on I will discuss the various requirements established by the Court of Justice for retention of telecommunications data, and point out on which aspects the Telecommunications Data Retention Act needs to be changed to meet the requirements of the Charter.

5.3.1. Requirements to the legislation

The Court of Justice considers that a legitimate objective is pursued through data retention, namely the fight against serious crime (item 44 and 51). This, by itself, does not mean that the directive is in accordance with the Charter. The data retention must, according to the Court of Justice, be limited to what is strictly necessary (item 52) and clear and precise rules must exist. Then the Court considers that the data retention directive applies to all persons, all means of electronic communication and all traffic data,  without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime (item 57). The Court of Justice thereby considers that the data retention directive even applies to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime (item 58).

Based on these considerations of the Court of Justice, the Advisory Division concludes that a European regulation must clearly and precisely describe which categories of data, of which historic means of communication, of which persons are strictly necessary for prevention, investigation or prosecution of crime and must thus be retained by providers of telecommunication. Herein, clues must exist that a relation exists between the behavior of persons whose data are retained and serious crime. Following this, I note that legally required data retention serves to ensure that historic telecommunications data are available, if in hindsight it turns outs that such data is relevant to investigation and prosecution. If a crime is committed, it can be important to determine whom the victim or suspect has been in contact with prior to the crime, such that the perpetrators and accomplices can be identified. If the data of these persons can not be retained prior to the crime, there would be no point in asking such a question. The retention of certain data about all citizens is thus necessary, as it is not possible to differentiate between suspected and unsuspected citizens beforehand. Unlike the Advisory Division, the government is of the opinion that such considerations by the Court of Justice should be interpreted in their interrelationships/coherence. If the view of the Advisory Division would be true that each of the safeguards mentioned by the Court of Justice must be met separately, then the mere fact that data of citizens is retained, without any indication that their behavior relates to serious crime, would be sufficient to invalidate the data retention directive. The Court of Justice, however, rules that taking all considerations into account (“Having regard to all the foregoing considerations”), the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter (item 69). The ECHR jurisprudence also does not support the view that such data storage is not permitted. That consideration of the Court of Justice must, according to the Dutch government, be explained in that the fact that the directive does not require a link between data retention and personal behavior can be a very serious limitation of personal life of those involved, but that the seriousness of that limitation can be mitigated by appropriate guarantees and safeguards for careful methods of storing, processing and accessing the data. The required mitigation can be achieved through some mutually reinforcing changes of the law. The seriousness of the infringement on personal life necessitates very critical review of the nature and extent of data retention based on the Telecommunications Data Retention Act, as well as the applicable guarantees and safeguards. These aspects will be discussed later. Successively, the questions whether retention periods and categories of data must be changed will be discussed, and whether the rules concerning access to the data and protection and security need to be changed.

5.3.2. Retention periods and categories of data to be retained

The Court of Justice considers that the data retention directive, having a minimum retention period of six months, does not differentiate between the categories of data set out in Article 5 of the directive on the basis of their possible usefulness for the purposes of the objective pursued (item 63). Furthermore, the directive does not state that the determination of the period of retention — set at between a minimum of 6 months and a maximum of 24 months — must be based on objective criteria in order to ensure that it is limited to what is strictly necessary (item 64).

The Advisory Division notes that the Court of Justice requires that the retention period is differentiated to the various categories of data on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned. Such distinction is not made in the Telecommunications Data Retention Act of 2009, which only differentiates between data about telephony and data about internet, email and internet telephony.

Following this, the retention periods for telecommunications have been reconsidered. The framework provided by Article 15 (1) of the ePrivacy Directive was taken into account. Indeed, now that the data retention directive has been ruled invalid, a national telecommunications data retention law can only be determined within the framework of the ePrivacy Directive. That directive does not define the meaning of “limited period”, as meant in Article 15 (1). The measures must be appropriate for, and strictly necessary within a democratic society, and must include adequate safeguards conform the ECHR (preamble of the ePrivacy Directive, item 11). This implies a change of Article 13.2a, third member, and Article 13.4, third member, of the Telecommunications Act. In determining the retention period, both privacy and necessity to prosecution must be taken into account. The government thus finds that the retention periods should remain unchanged. That is, a retention period of six months for internet data and twelve months for telephony data. To limit the infringement on personal life resulting from data retention as much as possible, it is proposed that the rules concerning access to the data and protection and security be changed. This will be elaborated on later. The requirement that on the basis of objective criteria it must be clearly and precisely described per category of data for what period it must be retained by telecommunications providers ignores the purpose of the essence of data retention. That essence is that certain telecommunications data must be available for the investigation of serious crime. If the data are strictly necessary for that objective, then retention of them is applicable. If the data are not strictly necessary for that objective, then this is not the case. Differentiation between categories of data is irreconcilable with this. The requirement can however be met in other ways. Distinction can be made in the period of availability of data for the investigation of serious crime, in the sense that the period of access increases depending on the seriousness of the crime. Thus an objective criterion, namely the seriousness of the crime, can be used to differentiate in availability of data for crime prevention. This implies change of Article 126n and Article 126u of the Code of Criminal Procedure.

5.3.3. Access to retained data

The Court of Justice considers that the directive does not provide an objective criterion that limits access to the data by competent authorities. The directive refers to serious crime, as defined by each Member State in its national law (item 60). The directive does not contain contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use. That is left up to Member States (item 61). In particular, the directive does not provide an objective criterion to limit the number of persons who have access, the subsequent use of the data, to what is necessary in the light of the objectives pursued. Above all, the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body following a reasoned request of those authorities (item 62).

In the Netherlands, direct access to the database is already strictly regulated. Only authorized employees of the providers have access to the retained data. The provisioning of the data by providers of public telecommunications networks and services for the investigation and prosecution of crime is governed by the rules laid down in the Code of Criminal Procedure. On the basis of those rules, the public prosecutor can, in case of suspicion of a crime that permits remand or in case of a reasonable suspicion that crimes are being planned or committed in organized context that constitute a serious breach of the law, request traffic data in the interest of the investigation. A list of crimes that permit remand is included in Article 67(1) of the Code of Criminal Procedure. Hence, unlike in the data retention directive, access to the retained data for investigation and prosecution is limited to cases involving serious crime. Following the ruling by the Court of Justice, the government intends to add new safeguards aimed at further limiting of access to retained data. Firstly by the introduction of a system of differentiation in access to the data,and by introducing advance judicial review.

The system of differentiation is designed to establish that the full retention period, unlike now, is only used in case of the most severe category of offenses that carry very long prison sentences. In lighter offenses, for which remand is possible but that do not carry very long prison sentences, the data can be requested during a shorter period. In the latter case, data may be subject to data retention, but the public prosecutor can not request the data for investigation of a certain offense because the offense is not serious enough to justify access to the data.

In addition, a judicial review is proposed. Currently, as said, the authority to request traffic data is reserved for the public prosecutor. By making access to retained data subject to advance judicial review, it is better ensured that the data are only used in cases where sufficient reason exist to do so, and that the privacy of citizens is protected. To that end, the Code of Criminal Procedure will lay down that the demand for retained data depends on an advance authorization from a judge [in Dutch: “machtiging van de rechter-commissaris”].

Furthermore, in case of suspicion of a crime or a reasonable suspicion that crimes are planned or committed in organized context that constitute a serious breach of the law, the investigating officer can, in the interest of the investigation, request historic user data (Article 126na and Article 126ua Sv). A similar power applies in case of indications of a terrorist offense (Article 126zi Sv). This involves data concerning name, address, postal code, place, number and type of service of a user of a communication service. Here, “type of service” means the type of telecommunication service that is used, such as land-line or mobile telephony, internet, or types within these services, such as telefax. The use of these powers is possible in case of suspicion of a crime, and is not limited to cases of serious crime. The government believes that the category of user data, as mentioned, constitutes a far more limited category of data. From these data, no precise conclusions can be drawn about the private life of the persons about whom the data is retained, as the Court of Justice finds to be the case for retention of traffic data based on the data retention directive (item 27). The government believes that the retention of user data must be assessed different from retention of traffic data, and sees no reason to change the current legislation concerning this.

5.3.4. Data protection and data security

The Court of Justice considers that the data retention directive does not provide sufficient guarantees for effective protection against the risk of abuse and against any unlawful access and use of that data. The directive does not provide specific rules adapted to the vast quantity of data that must be retained, or to the sensitive nature of these data and the risk that they will be used unlawfully. The directive does not lay down a specific obligation on Member States to establish such rules (item 66). The directive does not ensure that a particularly high level of protection and security is applied by providers by means of technical and organizational measures, but permits those providers in particular to have regard to economic considerations when determining the level of security which they apply, as regards the costs of implementing security measures. In particular, the directive does not ensure the irreversible destruction of the data at the end of the data retention period (item 67). The data retention directive also does not require the data in question to be retained within the European Union,  with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured (item 68).

Following these considerations, the government notes that the Dutch Data Protection Act (Wbp) and the Telecommunications Act (Tw) already have safeguards and rules, on the basis of which provides must take appropriate technical and organizational measures for safety and security of the networks and services they offer (Article 13 Wbp and Article 11.3 Tw). These norms implement European rules. Providers can take the state of the art of technology and the economical costs into account, but paramount is that the measures are appropriate, considering the risks involved in the processing of the data that is to be protected. Hence, the safety and security of the networks and services must be ensured at all times. The Data Protection Authority (CBP) monitors compliance with Article 13 Wbp and Article 11.3 Tw. Besides the CBP, also the ACM is tasked with monitoring compliance with Article 11.3 Tw. In addition to those requirements, the providers must take appropriate technical and organizational measures to protect the data against destruction, loss, change, unauthorized storage, processing, access or disclosure, to ensure that only specially authorized persons access the data, and to destruct the data after the retention period (Article 13.5, second member, Tw). Providers have no possibility to take economic costs into account. The Decision Telecommunications Data Security [in Dutch: “Besluit beveiliging gegevens telecommunicatie”] lays down rules for the security of access to the retained data. Moreover, the Telecommunications Act, as noted by the Advisory Division, provides an obligation for immediate destruction of the data (Article 13.5, third member, Tw). The Telecom Agency (AT) [in Dutch: “Agentschap Telecom”] monitors compliance with Article 13.5 Tw. The Minister of Economic Affair has sent the report “Measurement data retention 2013” [in Dutch: “Meting dataretentie 2013”] to the Parliament in a letter dated May 16th 2014 (Kamerstukken II 2013/14, 26 643, nr. 313). This report aims to provide insight into compliance with the Telecommunications Data Retention Act. From the periodic and individual reviews of the providers it is apparent that they generally comply with the legal regulations concerning the storage of data and privacy of their customers. In the light of the legal regulations and the experiences with those regulations in practice, the government believes that the Dutch regulation in general meets the requirements of the Court of Justice concerning protection and security of retained data. On some aspects the governments considers it necessary to make changes.

Further rules on the security of retained data have been included in the Decision Telecommunications Data Security. The retained data may only be accessible for a limited number of employees of the provider. Given the sensitivity of these data, it stands to reason that data retained for the purpose of investigation and prosecution are fully protected from unauthorized access. The government will investigate whether encryption of these data can take place.

The Advisory Division pointed out that Dutch law, like the data retention directive, does not provide an obligation to store retained data within the European Union, and therefore it is currently not fully ensured, as the Court of Justice requires, that the CBP can oversee security and protection of retained data.The Court of Justice explicitly links to the purpose thereof: to ensure that the data are sufficiently secured and protected. In response to this, the government intends to change the regulation in the Telecommunications Act, such that providers are obliged to retain and process the data within the European Union. Monitoring of compliance with the norms concerning protection and security of retained data, that to a large extent follow from European rules, can thereby be improved.

Monitoring of compliance with Section 13 of the Telecommunications Act is done by the Minister of Economic Affairs and the CBP. The Minister therefore uses officials of the Telecom Agency. The supervisory task of the Minister of Economic Affairs in no way limits the supervisory powers of the CBP concerning personal data. Supervision by the Telecom Agency is currently designed as supervision of the system. That means that the Telecom Agency assesses business processes and their guarantees. On the basis of the Telecommunications Act, the Telecom Agency is however not authorized to request traffic data that must be retained by providers on the basis of the Telecommunications Data Retention Act. The Telecom Agency thus lacks a useful instrument to be able to carry out this part of the supervisory task. The government intends to change the Telecommunications Act, such that the Telecom Agency, as a supervisory authority, can get access to telecommunications data retained or provided by providers, if and insofar that is necessary for oversight. That change will allow better oversight on lawful and careful processing of the retained data, including the actual destruction of it. Better monitoring of compliance with the legal rules will cater to the ruling of the Court of Justice.

6. Consequences for telecom companies operating in the Netherlands and other companies

The measures proposed in section 5 of this letter will have consequences for the business operations of internet and telecom providers operating in the Netherlands. The obligation to store data within the European Union can have consequences for the business operations and costs of the providers. The precise effects and costs will be investigated in cooperation with the private sector. From the perspective of the internal market, it is not to be expected that the presently proposed measures will carry disproportional obstacles. It must also be taken into account that the requirements following from the ruling of the Court of Justice apply to all Member State, such that these will have an equal consequence to the national laws concerning data retention for the purpose of investigation and prosecution of serious crimes.

In the letter to Parliament sent by the Minister of Economic Affairs on May 16th 2014 concerning the report “Measurement data retention 2013”, it was noted that besides six large telecom providers, 337 SME providers have obligations concerning data retention and privacy. It was stated that the number of request of investigative services address to these group of smaller parties is limited (ca. 2 percent). This group carries, considering its limited business size, relatively more costs and efforts to meet the requirements concerning data retention and privacy. The application and compliance with rules concerning data retention proved complex especially for this group of providers. It will thus be considered in what way this group of providers can be spared, by providing ways to comply with Telecommunications Data Retention Act as efficiently as possible.

It will be discussed with providers what possible practical solutions exist to comply with the legal obligations in a way that avoids disproportionate costs and efforts wherever possible.

7. Consequences of the ECJ ruling to the Dutch intelligence and security services

The data retention directive left Member States the necessary room for regulating access to retained telecommunications data. The Member States were to ensure that retained data would be provided to competent national authorities only in well-defined cases and in accordance with national law.

On the basis of Article 28 of the Dutch Intelligence & Security Act of 2002 (Wiv2002), the AIVD and MIVD are authorized to request data about a user and their traffic data from providers of public telecommunication networks and services. On the basis of Article 13.4, first member, of the Telecommunications Act of 2009, these providers are obliged to immediately comply with such requests. Nothing changes in this. In the context of renewal of the Wiv2002, the government will further discuss possible consequences of the Court of Justice for the activities of the intelligence and security services.

8. What consequences does the ruling have for broad forms of storage of personal data currently carried out by the government and that the government still intends to introduce?

Following questions from the Permanent Committee for Security and Justice, I note that “broad forms of storage of personal data” apparently refers to legal rules concerning the storage of data for criminal purposes about persons about whom (at that time) no indications exist of involvement in crimes. Such storage exists in the proposal to change the Code of Criminal Procedure concerning the regulations of the recording and storing of ANPR data by the police (33 542), also known as the ANPR bill. The ANPR bill provides a legal basis for storing certain license plate data of all vehicles passing a camera. This concerns license plate number, a photo of the vehicle, the time and location. The retention period is four weeks. The data can be used for investigation of a criminal offense that permits remand and for arresting of a fugitive or convict. The data can only be used by an authorized investigating officers, for the purpose of the investigation. Linking retained ANPR data to databases outside the police, to identify persons for the purpose of investigation (‘data mining’), is not possible. The text of the proposed Article 126jj of the Code of Criminal Procedure excludes this.

The ANPR bill has an important similarity to the data retention directive, as license plate numbers are retained of all passing vehicles, including those of persons who’s behavior at the time of recording is not linked to serious crime. The Advisory Division points this out and notes that it is up to the legislator and, eventually, the judge, to provide a definitive judgement of this proposal, but to take into account the possibility that this sort of data storage will be considered to be a violation of proportionality or as irrelevant and excessive, assuming the criminal purpose of the storage. However, significant differences exist between the data retention directive, which is subject of the ruling of the Court of Justice, and the ANPR bill. This firstly concerns the nature of the data to be retained. Different from telecommunications data, that can provide a more all-encompassing of citizen behaviors, license plate data cannot provide very accurate indications about the private life of those whose data is retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. The license plate data only provide insight into where a vehicle at a certain date and time was registered by a camera. Although on the basis of license plate data insight is possible into the location of a vehicle on certain dates or times, no insight is obtained in relations between persons. The nature of these data makes them less invasive to personal life. It is of vital importance that the ANPR bill provides a retention period of four weeks, which is significantly shorter than the retention period included in the data retention directive of up to two years for telecommunication traffic data. In addition, license plate data are collected at public roads. Drivers of vehicles can know and expect that their vehicle can be registered by the police at public roads for the purpose of law enforcement. Also taking into account the principle of “reasonable expectation of privacy” of those involved, the collection and retention of license plate data must be assessed differently than the collection and retention of telecommunications data.

Unlike the retention of telecommunications data, the access to retained ANPR data does not require advance review by a court or an independent administrative body, as meant by the Court of Justice (item 62). I believe that, now that the infringement on personal life is less serious than the retention of telecommunications data, it is not strictly necessary to also provide such a safeguard in retention of ANPR data. As with telecommunications data, ANPR data is retained specifically for the purpose of investigation and prosecution of crime. Considering that similarity, I intend to require advance approval from a public prosecutor for access to retained ANPR data. The requirement of advance authorization from a public prosecutor also applies to the use of other special powers, such as systematic observations, the systematic collection of information, and infiltration. Because the use of these powers constitute a breach on the privacy of those involved that is greater than the retention of ANPR data — a warrant for observation can for instance permit observation of a person’s behavior for three months — I believe that such a requirement amply satisfies the requirements following from the Charter. The Code of Criminal Procedure will thus regulate that the request of retained ANPR data requires advance approval from the public prosecutor. This means that the proposed Article 126jj of the Code of Criminal Procedure will be changed, such that an authorized investigating officers can only request retained ANPR data after obtaining approval from the public prosecution, for the purpose of investigating a serious crime of arresting a fugitive.

Access to retained ANPR data for the purpose of investigation and prosecution of crimes is limited to cases involving a suspicion of a crime the permits remand, or reasonable suspicion that crimes are being planned or committed in organized context that constitute a serious breach of the law. In the light of the requirements set by the Court of Justice to access to retained telecommunications data, the government finds that this regulation meets the requirements to be set based on the ECHR or — insofar applicable — the Charter of Fundamental Rights of the European Union.

As I stated earlier, in a letter dated April 10th 2014 (Kamerstukken II, 2013/14, 33 542, nr. 13), I firmly believe the legislative proposal — certainly with a further limitation of access to the data — is well within the limits of Article 8 of the ECHR and — insofar applicable — Article 7 and 8 of the Charter.

9. In conclusion

The government thus intends to change the national legislation concerning retention of telecommunications data, such that:

• the public prosecutor can only issue a warrant to obtain telecommunications data following advance approval from a judge. This means that Article 126n/u of the Code of Criminal Procedure will be changed;
• access to the data for the purpose of investigation and prosecution of serious crimes will be differentiated based on the seriousness of the crime. This means the Article 126n/u of the Code of Criminal Procedure will be changed;
• it will be examined whether telecommunications data retained for the purpose of investigation and prosecution of serious crimes can be encrypted so that they are protected from unauthorized access. This can result in a change of the Decision Telecommunications Data Security;
• providers will be obligated to retain data within the European Union. This means that Article 13.2a and Article 13.5 of the Telecommunications Act will be changed;
• the Telecom Agency, as a supervisory body, can get access to telecommunications data that are retained or provided by providers, with the objective of better oversight on the processing and destruction of the retained data. This means that Article 18.7, second member, of the Telecommunications Act will be changed;

These changes will be included in a proposal to change the Telecommunications Act and the Code of Criminal Procedure, that will soon be released for public consultation.

Furthermore, the government intends to change the ANPR data retention bill, such that:

• the authorized investigating officer can only access retained ANPR data following advance approval from the public prosecutor, for the purpose of investigating a serious crime or arresting a fugitive. This means that the proposed Article 126jj of the Code of Criminal Procedure will be changed.

This change will be included in an Amending Letter for the ANPR bill, that will soon be sent to Parliament.

EOF

UPDATE 2016-04-15: an additional NOS report states that the existing (targeted) interception power and (targeted) hacking power, too, will be subject to ex ante and binding oversight. The newly to be established oversight committee is entitled ‘Toetsingscommissie Inzet Bevoegdheden’ (TIB), and will consist of persons that have a background in the judicial branch.

UPDATE 2016-04-14: NOS reports that according to unnamed sources, the Dutch government will, with regard to the upcoming cable interception power, consider ex ante oversight by a new independent committee. (Note: ‘new independent committee’ presumably means it’s not about the CTIVD, the existing independent expert committee that has been carrying out ex post non-binding oversight since 2002.) Furthermore, requiring prior court approval for the interception of communications of lawyers and journalists will also be considered. The report states these topics will be discussed in the cabinet. The cabinet changed “purpose-oriented interception” (my translation from the Dutch word “doelgericht” used previously) to “investigation-bound interception” (my translation of “onderzoeksopdrachtgericht”). It’s just different words for the same thing: interception that is carried out in the context of an intelligence task, but that is not targeted/limited to specific known persons or organizations.

UPDATE 2015-07-02: the Dutch government released their draft intelligence bill into public consultation. Details here.

UPDATE 2015-06-01: changed “goal-oriented” to “purpose-oriented” everywhere, including in the (translated) diagram; it’s a better, less confusing translation (credits to A).

UPDATE 2015-02-11: the existing law contains the word “ongericht” (untargeted, unselected, bulk, mass). Yesterday it became clear that the bill, that Minister of the Interior expects to appear in April 2015, will no longer contain that word. Only the new word “doelgericht”, which I tentatively translated as “goal-oriented”, will be used. Goal-oriented does not exclude bulk interception, but aims to limit it to what’s necessary for specific investigations. An investigation can be long-running. The permitted (un)specificity of the definition of a “goal” depends on the phase of interception. If you permit me to speculate: I think it is very likely that an investigation can involve interception of all Tor traffic for the goal of identifying persons associated with terrorist use of the internet, such as public provocation (radicalisation, incitement, propaganda or glorification), recruitment, training (learning), planning and organizing terrorist activities).

UPDATE 2014-12-09: I translated the Dutch word “doelgericht” as “goal-oriented”. Someone suggested a better translation would be “targeted”. The reason I chose “goal-oriented” over “targeted” is that the latter, as perceived by my brain, suggests “targeted to a person or organization”, which is not how the notion of “doelgericht” is explained. For instance, it may very well  be considered “doelgericht” to intercept as much Tor traffic as possible if doing so is necessary to achieve to the — hypothetical — goal/objective “deanonymize online extremism”. The notion of “doelgericht” could make indiscriminate surveillance a bit more discriminate, but there will be bulk interception nonetheless. In Dutch, “doel” means “goal” or “objective”; and “gericht” means “oriented”, “aimed” or, the word that I try to avoid, “targeted”. Assuming this notion will make it into law, which is still a long way ahead, we’ll have to wait and see how it will in practice be used to justify (AIVD/MIVD) and review (CTIVD) activities carried out in each of the three interception phases (collection, pre-processing, processing).

UPDATE 2014-11-28: an example use of bulk cable-intercept power would be to intercept all cable-transmitted phone calls to and from Syria, as part of current counter-terror efforts. The existing bulk ether-intercept power can only be used insofar phone calls are routed through the ether at some point and the intelligence services are able to intercept it there. The existing targeted (i.e., non-bulk) cable-intercept power can only be used on specific phone numbers are require that the identity of a person or organization is known prior to getting approval to intercept.

A first version of the below was posted on Cryptome.

In the Netherlands, interception powers of the intelligence & security services AIVD (historically focused on internal security) and MIVD (military) are regulated by the Dutch Intelligence & Security Act of 2002 (“Wiv2002”).

The AIVD and MIVD both have the power of (targeted) interception of communications in any form (cable, wireless, spoken, etc.) of specific persons or organizations. Exercise of this power requires advance approval of either the Minister of the Interior (in case of the AIVD) or the Minister of Defense (in case of the MIVD).

The AIVD and MIVD both also have the power of (untargeted) bulk interception of communications, but only for non-cablebound (i.e., wireless) communications. Under the current law, the AIVD and MIVD can carry out Sigint search against any wireless communications they want as long as that communication has at least a foreign source or foreign destination. (The latter restriction does not apply to Sigint selection; if authorization has been granted to select on the basis of identities, keywords or (other) characteristics, bulk interception for the purpose selection may also be performed on domestic communication; but there’s probably not a lot of it.)

In 2013, the a temporary committee named “Dessens Committee” reviewed that law, and concluded that in today’s world, the distinction between cable and non-cable communications can/should no longer be made. That committee then recommended, among others, to change the law and make it ‘technology-neutral’, i.e., to also allow bulk interception of cable communications.

In October 2014, the Dutch senate adopted a motion requesting the Dutch government to abstain from “unconditional, indiscriminate and large-scale” surveillance.

On November 21st 2014, the Dutch government published its response (.pdf, in Dutch) — accompanied by this diagram (.pdf, in Dutch) — to the recommendations of the Dessens Committee, and it turns out the Dutch govt indeed seeks to grant the power of bulk interception of cable communications to the AIVD and MIVD. Translation of said response and diagram are below. But first, here is a translation of a post (Nov 21, in Dutch) by the AIVD about the Dutch govt’s response (suffices as TL;DR):

Modernization of the Dutch Intelligence & Security Act of 2002, extra safeguards for privacy

The cabinet will modernize the Dutch Intelligence & Security Act of 2002. Minister Plasterk of the Interior and Minister Hennis-Plasschaert of Defense have explained the general ideas in a letter to Parliament.

The Intelligence & Security Act is nearly 15 years old and no longer suits current technology. 90 percent of telecommunications is transferred over cables. In the changed law, the AIVD and the MIVD are granted the power to also recognize terrorist threats, counter espionage, protect against digital attacks, support the Dutch security interests and military missions via the cable.

Interception of raw telecommunications data will be divided in three phases: collection, preprocessing and processing. Every phase requires separate approval from the Minister. In every phase, data may only be intercepted aimed at a specific purpose, after a review of proportionality, subsidiarity and necessity. In every phase, explicit retention and destruction periods apply. The intercepted raw data are only accessible by specific employees and for specific tasks. The approval from the Minister is subject of independent oversight by the Dutch Review Committee on Intelligence and Security Services (CTIVD). This framework ensures that the security services cannot search the collected raw data without restrictions.

The Wiv2002, that was established in the late 90s and applies since 2002, still makes distinction between ether and cable. The Dessens Committee reviewed the law and concluded at the end of last year that this distinction is outdated as result of ongoing technological developments. Nearly all telephony, internet, email, social media, apps and chat programs communicate over cables. Terrorist and combat groups also use this a lot, for instance for recruiting and command and control.

The cabinet therefore want to permit the intelligence and security services to intercept raw cable telecommunications under conditions. This concerns larger amounts of data, from which the services can select data of adversaries. An example is telephone communications to conflict areas. The safeguards in every phase of interception and processing of the data ensure that the government cannot spy on random email conversations of citizens, or eavesdrop on phone conversations. The privacy will thus be better protected.

The oversight will also be strengthened. If the CTIVD concludes, after review, that approval was given illegally, the Minister is required to reconsider that approval. When the Minister upholds his/her decision, it must be reported to the CTIVD and to the Parliamentary Committee for Intelligence & Security Services (CIVD), which can hold the Minister accountable.

These general ideas are developed in legislation.

The “legislation” refered to at the end is still being developed.

Here is an unofficial translation of the Dutch government’s diagram that outlines the new interception framework (click picture for larger image; also available as .pdf here):

Here is an unofficial translation of the full Dutch government response (note: non-italic parts in [] are mine; some phrases are ambiguous, that is sic, and I wasn’t confident to disambiguate):

1. Introduction

During the General Meeting of April 16th 2014, the government promised to establish the cabinet opinion about the advice by the Dessens Committee concerning special powers in the digital world. This opinion is presently provided. The Dessens Committee concludes that technology-dependent interception regulation that distinguishes between ether communications and cable communications can no longer be uphold, considering the fast technological developments concerning data traffic and communication. The committee found that change is necessary of regulations in the Intelligence & Security Act of 2002 (Articles 25 to 27). In the cabinet’s response to the Dessens report, submitted to Parliament on March 11th 2014, the cabinet stated it would study how this distinction can be replaced by a relevant norm that keeps safeguarding the privacy of Dutch citizens. Taking all things into account, the cabinet agrees with the Dessens Committee that this distinction is outdated and must be withdrawn, provided that a clear normative framework is provided that has adequate safeguards.

2. Developments in the digital domain and the necessity of a technology-neutral interception framework

In recent years, also as result of the great development of the internet, transmission of communication via cable infrastructure has increased explosively. In the Wiv2002, which was established in the late 90s and applies since 2002, this development was not taken into account. The current regulation of interception of telecommunication codified the then-current practice of the services, notably the former Military Intelligence Service (MID), in which interception of radio and satellite traffic was central. Different from the special power of targeted interception (Article 25 Wiv2002), which was formulated technology-neutral, the regulation of bulk interception was not formulated technology-neutral. The Dessens Committee thus concludes that the regulation of bulk interception in the Wiv2002 is outdated and does not reflect today’s necessary powers in the context of national security.

Besides an explosive growth of the amount of data that are produced globally (and that doubles every two to three years), it must be established that approximately 90% of all telecommunication is transmitted via cable networks. Nowadays, all electronic communication networks (ether and cable) comprise a communication network with global coverage.

For the (inter)national security interests of the Netherlands, and the deployment of the armed forces, a strong Dutch intelligence position is of vital importance, whether it concerns preventing terrorism, countering espionage, protecting against digital attacks, insight into threats for the international rule of law, understanding the intentions of some countries, insight into capabilities of risk countries, or proliferation of WMDs. Moreover, the services must be able to know about the threats that the society and the state are exposed to in the digital domain, in order to effectively arm against them, and allow others to take measures. This is of vital importance in the context of the National Cyber Security Strategy and in the light of the endeavors of the cabinet towards the digital government. The technical threats and possibilities manifest themselves both on cable and in the ether. The (potential) impact of cyber threats has become increasingly clear as result of various incidents. This not only concerns threats that can disrupt our cyber infrastructure, but also threats concerning integrity, availability and confidentiality of the information that all of us digitally record, use and exchange. To get insight into these threats, the services depend on adequate access to telecommunications.

The services must therefore have sufficient intelligence means and methods to collect, analyze, and report timely in the digital domain. Special powers that — under strict conditions — allow interception in the cable domain are indispensable. The use of these special powers by definition infringes upon citizens’ right to privacy. Considering the responsibility and task of the government to ensure security of its citizens, it is inevitable that the services collect and process personal data. This does not means that security and privacy are opposing interests. Through proper and purpose-oriented exercise of these powers, the government aims to support a secure society of fundamental rights, including the right to privacy. The goal-oriented character of the exercise of these powers based on legally defined tasks of the intelligence services ensures that “normal” telecommunications of citizens will not be infringed upon by the intelligence services. In other words: citizens need to fear that the government views arbitrary email conversations or eavesdrops on phone conversations. A right balance must continuously be found between the use of these powers and the ability to exercise fundamental rights. Necessary infringements on the right to privacy must be accompanied by adequate safeguards. In all cases, the CTIVD can review whether the requirements of proportionality, subsidiarity and necessity have been met.

3. Elaboration of cabinet opinion: new normative interception framework with adequate safeguards

3a Outline of new interception framework

The cabinet agrees with the Committee Dessens that a new balance must be found between security and privacy.

The cabinet concludes that a technology-neutral and thereby future-proof rephrasing of the powers of interception (as meant in Article 26 and 27 Wiv2002) is needed, albeit under simultaneous tightening of existing safeguards and introduction of new safeguards. The current law already exhaustively defines how the services are permitted to infringe upon the right to privacy through the use of their powers. The requirements of necessity, proportionality and subsidiarity must always be met. Moreover, the use of this power is only permitted if it is necessary in the interest of national security, as further defined in the tasks of the services.

Historically, the assumption was made that the closer the contents of telecommunications are involved, the greater the infringement on fundamental rights is. The distinction between content and non-content is, however, not the only defining element in determining the seriousness of the infringement and the approval regime that should be used. Also of importance are the scale on which data are collected and the methods used for (further) processing of the data.

Considering the above, the new framework for interception of telecommunication (“bulk”) is outlined in three phases. This outline will — as replacement of current Article 26 (exploration of communication) and Article 27 (bulk interception of non-cablebound telecommunications) — be further developed and explained in the bill that is to be prepared.

The phases are:

1. purpose-oriented collection [in Dutch: “doelgerichte verzameling”] of telecommunications,
2. preprocessing of intercepted telecommunications, and
3. (further) processing of the telecommunications.

For clarification, these phases in the interception framework are depicted in a diagram that is appended to this letter. The diagram briefly denotes which activities each phase entails, and the safeguards that will be laid down in the new legal framework.

The following can be noted. Each phase has a well-defined purpose. In the first phase — collection — purpose-oriented relevant data are intercepted and made accessible (for instance by decryption), after advance approval from the Minister based on an investigative purpose defined as accurately as possible. Preparatory technical activities aimed at purpose-oriented collection of data and making the data accessible, can be part of this phase. Individuals or organizations are not yet being investigated in this phase, meaning that the infringement on privacy is limited. The second phase — preprocessing — is aimed at optimizing, in broad sense, the interception process, in the context of ongoing, approved investigatory assignments using the collected data. As this optimization can require metadata analysis or briefly taking a look at the contents of telecommunication , the infringement on privacy is greater than in the first phase. In the third phase — processing — selection of relevant telecommunications takes place, and selected data are used to gain insight into the intentions, capabilities and behavior of individuals and organizations that are subject of investigation. In this phase, subject-oriented investigation takes place, in which the contents of telecommunications and metadata are analyzed to identify individuals or organizations, and to recognize patterns.

An increasing insight into the personal life is thus obtained from phase to phase. The safeguards that will be laid down in legislation, must be stronger as the infringement on privacy is greater. Safeguards will be built in for all phases, which requires that both the use of the interception power (collection) and the processing of intercepts depend on (a) predetermined and time-limited approval from the Minister (a “warrant”, including a review of necessity, proportionality and subsidiarity), (b) purpose-oriented use [in Dutch: “doelgericht gebruik”] [Footnote: The term “purpose-oriented use” will be defined for the involved phase. In the collection phase, references can be made to investigation tasks as included in, for instance, the Foreign Intelligence Decision [in Dutch: “Aanwijzingsbesluit Buitenland”] or the Intelligence and Security Requirements Defense [in Dutch: “Inlichtingen- en Veiligheidsbehoefte Defensie”]. The further down the process, the more specific the purpose will need to be formulated.] , (c) retention and destruction periods concerning the intercepted data, and (d) a (combined) framework of separation of jobs and duties, c.q. compartmentalization concerning the access to data in various phases and outside the interception process. These safeguards not only apply to interception of cable telecommunications, but also to the interception of non-cablebound telecommunications as meant in Article 27, first member, Wiv2002.

The latter currently does not require approval from the Minister. In addition to said safeguards, reporting will take place both for purposes of internal control and oversight by the CTIVD.

Through this framework of measures with purpose-oriented use of weighing of proportionality, subsidiary and necessity in the advance approval, the privacy of Dutch citizens is protected.

3b. Cooperation network providers

To exercise the power to intercept cable telecommunications as meant here, cooperation is in practice required from a network provider. This form of interception is always bound to a certain investigative purpose. The Ministerial approval to intercept (“warrant”) will be a mandatory legal assignment to a network provider to provide support for the interception. The most important condition that is to be laid down in legislation, is the obligated consultation between the services and network provider, prior to exercise of the interception power approved by the Minister. The services will not have unrestricted and independent access to Dutch telecommunication infrastructure. The mandatory cooperation will be supported by a requirement for providers to obtain relevant information if so asked.

3c. Metadata analysis

Use of intercepted telecommunications for the intelligence process can both concern use of metadata and use of contents. Currently, approval from the Minister is only required for the latter. The intercepted metadata can be subjected to a mere technical metadata analysis. and to more involved analysis, in attempt to identify subjects and recognize patterns. Both forms of metadata analysis are currently based on Article 12 etc. Wiv2002 and do not require approval from the Minister. In the new legal framework, the form of metadata analysis that aims to identify subjects and recognize patterns will be subjected to Ministerial approval. Here, too, requirements will apply of purpose-oriented use, necessity, subsidiarity and proportionality. In addition, a retention period and destruction period will be included.

3d. Enhanced approval regime

The approvals from the Minister that will be needed in the new framework, will be subjected to the system of reconsideration outlined during the General Meeting of April 16th 2014. That means that if the CTIVD, in the course of its legal oversight, concludes that an approval from the Minister was illegal, the Minister will be obliged to reconsider it. If the Minister upholds the approval, the CTIVD and the CIVD must be informed immediately. The CIVD can hold the Minister accountable if it desires to.

4. Data exchange with foreign services

The cabinet has earlier stated that the exchange of large amounts of raw data (“bulk data”) by the AIVD and MIVD with foreign services will be subjected to Ministerial approval. The Wiv2002 will be changed accordingly. Considering that international cooperation between intelligence and security services also involves exchange of other data, this legislation will not be limited to telecommunications data, but more generic.

The exchange of this sort of data will be safeguarded as follows:

a. Evidently, only data can be shared that was collected legally, with the criteria being met;
b. For every (intended) cooperation, a review will take place of criteria for cooperation with foreign services. These criteria involve the democratic setting of the service, the human rights policies in the country involved, and the professionalism and reliability of the services. The outcome of this review partially determines what form of cooperation, if any, is considered permissible, such as data exchange. If, according to these criteria, a cooperation with a foreign service involves risks, approval will be required from the Minister.
c. In the provisioning of data, it will always be required that the data will not be shared further.
d. Exchange of “bulk data” (large amounts of raw data) will require approval from the Minister.

5. Concluding remark

The cabinet outlined the new interception framework and safeguards. In further development, the relevant providers of communication networks will be consulted. The outcome will be laid down in law and is currently being prepared. Evidently, this outcome will take into account not only the requirements from our own Constitution (Article 10 and 13), but also the relevant human rights treaties, notably the ECHR and European jurisprudence concerning interception of telecommunications and processing thereof. Combined with a stronger framework of oversight and complaints, as announced earlier, the cabinet is of the opinion that legislation as such will meet the constitutional requirements.

As a reminder: collection through interception and hacking, as well as some of the activities that the Dutch govt’s diagram lists under the preprocessing and processing phases, is carried out by the Joint Sigint Cyber Unit (JSCU) that is currently located at the AIVD’s building in Zoetermeer, and tasked as follows:

Article 1: Task description
The JSCU is a joint supporting unit of the AIVD and the MIVD that, commissioned by and under the responsibility of the AIVD and MIVD, is tasked with:

a. the collection of data from technical sources;
b. making accessible data from technical sources such that the data are searchable and correlation within and between these sources is possible;
c. supporting the analysis, notably in the form of data analysis, investigation into cyber threats and language capacity;
d. delivering Sigint and Cyber capability in support of the intelligence requirements of the AIVD and the MIVD, potentially on-site;
e. innovation and knowledge development on the task areas of the JSCU.

Some things that come to mind based on all of the above (or rather: what’s missing):

• From CTIVD oversight reports 19, 26, 28, 31, 35 and 38 it is evident that for years, the AIVD and MIVD often fail to substantiate the use of their existing bulk interception power. For instance, the legally required motivation is lacking or insufficient, or necessity/proportionality/subsidiarity are not discussed — the CTIVD once observed reasoning that boiled down to “necessity implies proportionality” (which it does not). Said reports proof that it is a tenacious problem. Will the (oversight on) legality of the use of bulk interception powers improve with this new framework?
  
• Will the existing restriction that Sigint search is only permissible concerning communication that has either a foreign source or destination be upheld? Put differently, will that restricted be lifted, which would be a plausible move in the internet age, and (hypothetically) allow domestic-domestic bulk sigint search for whatever the Minister agrees to be “purpose-oriented” — a new term that is yet ill-defined and suggested will be defined relative to the phase / level of privacy infringement — and to meet necessity/proportionality/subsidiarity?
• Will the intended legal requirement for network providers to cooperate only involve passive taps, or also the possibility for the services to exercise their hacking power ex Article 24 via access to the provider’s network? (e.g. to carry out packet injection and, for instance, infect via fake or manipulated software updates, or infect or capture credentials via spoofed/MitM’d websites)
• Could it be “purpose-oriented”, proportional, necessary and subsidiary to collect all Tor traffic they can, for exchange with foreign services as part of “the multi-national effort” towards deanonymization of Tor traffic meant here? Note that (1) interception of bulks of encrypted communication may, by itself as something preceding preprocessing/processing/analysis, not be considered very privacy-invasive, and that (2) under current law, encrypted traffic can be stored indefinitely (Art.26 Wiv2002) until decryption (and decrypted traffic can be stored for up to 1yr). Furthermore, it is stated that the word “purpose-oriented” is to be defined relative to the phase — collection, preprocessing, processing — and that the intelligence services must specify the purpose “as accurately as possible”. Would a specification such as “deanonymize Tor traffic in support of national security or foreign intelligence” be accepted? If further limited as “for counter terrorism purposes”, would that in practice indeed ensure that deanonymization bycatch concerning other topics (crime, espionage, activism, etc.) will be ignored/destructed, and not exchanged with foreign services? [It should be noted, though, that perhaps other technical methods exist or will be developed aimed at deanonymizing Tor traffic that don’t rely on bulk intercepts, but that for instance rely on having control over certain and/or enough entry nodes, relays and exit nodes, or can be carried out without intercepting the full packet stream (e.g. only characteristics of the traffic; for example through netflows). Of course, for hidden services, successful deanonymization via browser exploits has been observed in the FBI’s “EgotisticalGiraffe” codename thing to deanonymize visitors of the Freedom Hosting .onion; successful use of traditional intelligence methods such as infiltration and stings seems to be observed in the arrest of drug dealers on Silk Road; successful use of leveraging OPSEC failures of an individual hosting a hidden service was observed in the arrest of the person behind Silk Road. Also, fake, manipulated versions of the Tor Browser have been observed here and here.]
• The govt states that the intelligence services will not have “independent” (in Dutch: “zelfstandig”) access to provider networks, i.e., they will not be granted the power to obtain access without consulting the provider networks (i.e., clandestine access to cables). But: don’t existing powers, which include access to private places and closed objects (Art. 22 Wiv2002), physical intrusion (Art.30 Wiv2002), the use and placement of technical eavesdropping equipment (part of Art. 25 Wiv2002), and hacking (Art.24 Wiv2002) already allow this? Also, the word “network providers” is, AFAIK, not well-defined in Dutch law, unlike, for instance, “provider of public electronic communication networks or services”. “Network provider” seems to include that category (i.e., the usual internet access providers and mobile telecom providers) but potentially also non-public networks such as the SURFnet NREN, and other closed user-group networks. Although there will be cases where traffic pertaining to such networks is exchanged via an upstream provider that is legally a “provider of public electronic telecommunication networks or services”. The latter of course applies to Google, Twitter, Skype etc., which are not “telecommunication services” under Dutch law.
• Could the new distinction between collection (considered by govt to be relatively little privacy-invasive) and preprocessing/processing (considered to be more privacy-invasive) in any way, to any extent, yield a situation similar to the U.S. government defining “collect” not to be “collect” until a human looks at what is collected?
• Will the Parliamentary CIVD committee, that is suggested should hold the Minister of the Interior and/or the Minister of Defense accountable for illegal approval, actually carry out that task adequately? Note that it is very likely that that process will take place in secrecy, because much of the information shared by the government with the CIVD is subject to NDAs.
• It is very premature, but: what will the Dutch senate’s opinion be on this proposal (note: an actual legislative proposal / bill does not yet exist, it is still being prepared at the time I’m writing this), considering that the Dutch senate in October 2014 adopted a motion requesting the government to abstain from “unconditional, indiscriminate and large-scale” surveillance? Put differently, will the proposal be sufficiently conditional, discriminate and small-scale, in the senate’s view?

Final note: it remains to be seen whether granting the bulk cable-intercept power will lead to a Dutch equivalent of GCHQ’s Tempora and/or to (unrestricted?) participation in the NSA’s Special Source Operations (SSO) that feed PRISM by hosting U.S. equipment for cable access (also see DANCINGOASIS / RAMPART-A (.pdf)). Factors of budget, capabilities, culture, law and the (quid pro quo) politics of intelligence exchange with foreign services will come into play. The Netherlands is a member (.pdf) of the SIGINT Seniors Europe (SSEUR) in relation with the U.S. government, but that does not mean that anything goes in NL->US data sharing. For instance, Dutch academics Beatrice de Graaf and Constant Hijzen in a book chapter on the Dutch intelligence community in a transatlantic context state (2012) that different privacy laws, human rights concerns and legal standards of the Dutch services “put a brake on their relationship with American services and agencies”. A historic anecdote from Dutchbat (Dutch battalion under U.N. command during UNPROFOR in Bosnia 1994-1995) that seems to illustrate this can be found on page 239-242 of Srebrenica: a ‘safe’ area — Appendix II — Intelligence and the war in Bosnia 1992-1995: The role of the intelligence and security services (.pdf, Cees Wiebes, 2003/2004):

A secret request to the MIS: a suitcase for Dutchbat

The MIS would have been able to acquire a good intelligence position if a secret American offer had been accepted. Staff of American, Canadian, British and Dutch intelligence services confirmed that the NSA intercepted only few conversations in Eastern Bosnia. The Americans had problems with their Comint coverage, although they intercepted fairly large quantities of information. Communications via walkie-talkies presented a problem however, as described in the previous section. This provided an opportunity for the Netherlands. The Head of the MIS/CO Commander P. Kok – he occupied this post from 1 January 1994 to 25 June 1995 – was approached by the CIA representative in The Hague immediately after Kok took up his post at the start of 1994. Dutchbat I was then about to leave for Srebrenica and the CIA made an offer ‘which you cannot refuse’.

Kok was told the following. The NSA, it appeared, had a serious problem: the service was unable to intercept communications via Motorola walkie-talkies in and around the eastern enclaves. The range of such communications equipment was no more than about 30 km. The Americans wanted to set up an interception network at various points in the Balkans, and envisaged Srebrenica as one of these points. They proposed setting up a reception and transmission installation at a number of OPs in the enclave. This involved equipment with the format of two ‘samsonite’ suitcases. One suitcase was for interception of the traffic, and the other provided a direct link to an Inmarsat satellite. The intercepted messages would be shared with the MIS. In exchange for this cooperation the MIS was also offered other ‘broad’ intelligence, taken to mean also Imagery Intelligence.

[…]

The CIA, also acting on behalf of the NSA, is said to have asked five or six times between March 1994 and January 1995 whether the MIS would cooperate in this project. Kok always had to reply in the negative. Kok was to try five times to get approval from the MIS/Army for this idea. He tried again with Bosch’s successor as Head of MIS/Army, Colonel H. Bokhoven. According to Bokhoven, Kok passed this request to him just once; he could not recall that Kok said that he had been approached by the CIA several times. Kok presented this to Bokhoven as a ‘spectacular’ proposal, but Bokhoven considered that the MIS should not cooperate in this project. He viewed it as an offensive intelligence task that did not fit the context of UNPROFOR, and also felt it was more suitable for the intelligence services of other countries. Bokhoven confirmed to the author that he had refused to cooperate in the installation of these Comint devices in the enclave.

[…]

Related posts:

• 2014-10-22: The Dutch Defense Cyber Command: A New Operational Capability
• 2014-10-16: New Dutch intelligence oversight report: the (il)legality of SIGINT carried out by the AIVD in 2012-2013
• 2014-10-03: Sigint: definition, qualities, problems and limitations (quotes from Aid & Wiebes, 2001)
• 2014-09-25: [UPDATED] Dutch Senate requests govt to abstain from legalizing cable SIGINT in a way that permits “unconditional, indiscriminate and large-scale” surveillance
• 2014-09-05: Overview of legal framework used to assess Dutch intelligence activities involving social media
• 2014-09-04: The (il)legality of hacking, acquisition, exchange of social media, webfora by Dutch intel agency in 2011-2014
• 2014-07-03: June 15th 2014: Dutch Joint Sigint Cyber Unit (JSCU) officially started
• 2014-06-30: Citing increased threats, Dutch govt partially reverses budget cuts on intelligence & security service AIVD
• 2014-05-06: Chairman of Dutch intel oversight to Dutch Senate: ‘I want to oversee ex ante (before the fact), not just ex post (afterwards)’
• 2014-03-03: [Dutch] Enkele gedachten bij ongerichte interceptie door IVD’s
• 2014-02-15: [Dutch] Meer context bij toezicht op selectie na ongerichte interceptie door AIVD uit CTIVD-rapporten 31 en 35
• 2014-02-14: [Dutch] Metadata: de cie-Dessens had het min of meer al begrepen!
• 2014-02-08: Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
• 2013-12-28: [Dutch] Afluisteren en SIGINT door AIVD/MIVD: toestemmingsverzoeken en normering
• 2013-12-04: Outcome of official review of Dutch Intelligence & Security Act of 2002
• 2013-12-02: Report of EU-US Working Group established re: NSA surveillance involving EU citizens
• 2013-11-09: Oversight on Dutch SIGINT is still broken

EOF

Jos Baijens van Uitgeverij de Wereld (@wereldboeken) vroeg aan, ik citeer, “ruim 100 mannen en vrouwen, denkers, schrijvers, kunstenaars, ondernemers en wetenschappers van Nederlandse en Vlaamse universiteiten” kort te beschrijven wat volgens hen het beste idee is van 2014. Die exercitie heeft de fascinerende bundeling Het beste idee van 2014 opgeleverd, die in november 2014 verscheen. Het is de tweede keer dat zo’n bundeling verschijnt: in 2013 verscheen Het beste idee van 2013.

Uitgeverij de Wereld stelt alle ideeën openbaar beschikbaar, maar ik raad iedereen aan het drukwerk aan te schaffen, en dat zeg ik niet alleen als WC-Eend die een bijdrage heeft mogen insturen: zelden vind je zo’n diverse verzameling aan ideeën beschreven in één publicatie — die misstaat in niemands boekenkast. NRC Next en NRC Handelsblad, Fokke en Sukke incluis, besteedden er aandacht aan: zie hier en hier fragmenten.

Voor het boekje van 2013 schreef ik over het idee van dr. Karst Koymans, opleidingsdirecteur van de UvA-masteropleiding OS3/System and Network Engineering, om tot een “internetwiskunde” te komen, en het internet opnieuw uit te vinden op basis van c.q. begeleid door wiskundige principes. Huidige internetprotocollen zijn gespecificeerd in natuurlijke taal (Engels); die is vaak niet ondubbelzinnig, en als gevolg van interpretatieverschillen kunnen dan kwetsbaarheden of (ander) onverwacht gedrag ontstaan.

Voor het boekje van 2014 schrijf ik over het consensusbesluit van de Internet Engineering Task Force (IETF), vastgelegd in RFC 7258, om alomtegenwoordige monitoring op internet (door overheden, big data, criminelen, enz.; maar denk in het verlengde ook aan het manipuleren van internetverkeer door marketingbedrijven zoals het Britse Phorm en, recenter bekend geworden, het Amerikaanse Verizon) als een technische bedreiging te beschouwen waarover bij ontwikkeling van nieuwe internetprotocollen verplicht moet worden nagedacht:

Verplicht nadenken over alomtegenwoordige internetsurveillance

Hoe alles op internet met elkaar “praat” is grotendeels afgesproken in technische internetstandaarden. Een internetstandaard begint met een idee voor verandering of nieuwe functionaliteit. Onder de paraplu van de Internet Engineering Task Force (IETF) wordt dat idee uitgeschreven in een “Request for Comments”-document (RFC), dat door experts onderling wordt besproken en bijgeschaafd. Dit proces is volledig open: iedereen met relevante kennis en inzichten kan aanschuiven. Nadat softwaremakers het idee implementeren kan het idee volwassenheid bereiken, en de status van internetstandaard krijgen. Op deze manier, ruwweg, is het internet in de afgelopen decennia steeds een stukje verder uitgebouwd tot wat het nu is.

Vanwege zorgen over gebrekkige beveiliging is in 1993 besloten (RFC 1543) dat bij nieuwe standaarden verplicht een paragraaf “Security Considerations” moet staan. Deze bevat een discussie over mogelijke bedreigingen en aanvallen op het protocol dat in de standaard wordt beschreven. Nadat enkele jaren ervaring is opgedaan met het schrijven van dit soort paragrafen, is in 2003 verduidelijkt (RFC 3552) wát er dan precies in die paragraaf moet staan: er moet worden beschreven welke digitale aanvallen relevant zijn voor het communicatieprotocol dat wordt beschreven, welke niet, en waarom. Van de relevante aanvallen moet worden beschreven of het protocol ertegen beschermt, of er kwetsbaar voor is. Er moet onder meer verplicht aandacht worden besteed aan afluisteren (vertrouwelijkheid), aan het injecteren, wijzigen of verwijderen van gegevens (integriteit), en aan denial-of-service-aanvallen die diensten gebaseerd op het protocol kunnen verstoren (beschikbaarheid). Zo’n paragraaf zal initieel nooit 100% dekkend zijn, maar leidt wel tot verbetering van veiligheid op internet. Bovendien zijn RFC’s levende documenten en kunnen updates gemaakt worden.

De onthullingen van Snowden hebben laten zien dat inlichtingendiensten, vooral de Amerikaanse NSA en Britse GCHQ, op grote schaal met uiteenlopende methoden actief zijn op het internet om inlichtingen te verzamelen. Binnen IETF-kringen bestaat consensus dat er sprake is van “alomtegenwoordige monitoring” en dat dat een bedreiging vormt voor internetgebruikers.

Inlichtingendiensten horen zoveel mogelijk gericht te werken, niet met ongerichte sleepnetten.Het beste idee van 2014 is wat mij betreft het besluit van de IETF om alomtegenwoordige monitoring als een bedreiging te beschouwen (RFC 7258), en een aanpak te ontwikkelen hoe bij nieuwe standaarden met dit complexe onderwerp om te gaan. Bij alle nieuwe standaarden moet hierover worden nagedacht en worden aangegeven hoe wordt beschermd (of niet) tegen alomtegenwoordige monitoring. Dit kan potentieel leiden tot een aanzienlijke verbetering van internetstandaarden ten aanzien van deze bedreiging. Het momentum dat nu als gevolg van Snowden bestaat is de sleutel tot een meer privacyvriendelijk internet.

Concreet heeft het idee er al toe geleid dat HTTP 2.0, de nog in ontwikkeling zijnde nieuwe versie van het protocol dat wordt gebruikt als je websites bezoekt, standaard versleuteld zal zijn. Het “slotje in de browser” wordt dan de norm in plaats van de uitzondering. Beter drie decennia te laat dan nooit.

De verplichting ergens over na te denken is natuurlijk geen garantie op een goed resultaat. Over dat slotje in de browser en de nadelen en kwetsbaarheden van het centralistische PKI CA-model is van alles te zeggen. Maar een verplichting over dit thema na te denken is een stap in de goede richting. Het IETF-proces is een open proces, waarbij in beginsel iedereen die nuttige inzichten en kennis/kunde heeft, kan aanschuiven en meedenken, en dus ook kritiek leveren.

Tot slot, hierbij de volledige inhoudsopgave van “Het beste idee van 2014”:

EOF

UPDATE 2017-04-17: perhaps there’s some renewed relevance to having the Chinese text below translated: Anti-Espionage: A New Mass Line Campaign in China? Anti-espionage appears to be the most important theme of this year’s “National Security Education Day.” (The Diplomat)

UPDATE 2017-04-10: not specifically related to the text below, but still relevant: a new approach to counterintelligence – China reportedly offers cash rewards between USD 1,500 and USD 72,400 to encourage residents in Beijing to provide information on infiltration, subversion and theft of information by foreign spies inside the country. The rewards depends on the importance of the reported information.

Does anyone understand Chinese more reliably than Google Translate does and care to translate the 9000-word “China Folk Counterespionage Manual” quoted below? It quite an effort, but I’d be happy to return the favor, for instance by carrying out a Dutch to English translation and/or by making a donation to a charity of your choice. The manual was posted in 2008 on a Chinese internet forum. Didi Kirsten Tatlow blogs that it is a manual on how to recognize foreign spies. China recently adopted new counterespionage legislation; this is the context/frame in which said report discusses this manual. The Chinese populist news paper Global Times spent attention on this topic on September 18th 2014:

Be wary of espionage trap surrounding us
(Global Times) 08:37, September 18, 2014

According to foreign media outlets, Ma Jisheng, who served as Chinese ambassador to Iceland, was allegedly arrested by the Ministry of State Security earlier this year on suspicion of passing intelligence to Japan. In recent years, we have frequently witnessed vicious incidents where top Chinese diplomats, military officers and senior research fellows of think tanks have been involved in espionage and selling intelligence. If Ma is confirmed to be involved in this case, that will be startling news.

China has become one of the most powerful strategic competitors with incredible strength, rapid development and a self-contained decision-making mechanism, which has made it a key target of the world’s major intelligence agencies. Meanwhile, given the relatively low vigilance in Chinese society, authorities have failed to effectively convey their judgments and understandings to the public. Among the high-risk groups easily eyed by overseas intelligence services, some lack both sufficient knowledge in this regard and a capacity of discernment.

There have been no contemporary spy dramas made in China for a long time, as directors will find it hard to acquire materials, and even if they do, such screenplays would not gain approval. Therefore literary creation in this area seems like a forbidden zone, despite continuous information warfare.

Plus, there are few news stories involving espionage and Chinese officials. A number of major cases that startled the Chinese elite were not released to the public through the media. In actuality, reporting such incidents will educate many people by letting them know how close those manipulators of overseas intelligence agencies are to us.

Officials and scholars accused of espionage did not fall into the trap overnight. Most of them developed distorted values and indulged themselves, hankering after cash and a life of luxury, so they were easily targeted by foreign intelligence services. They were treated to dinners and offered gifts, which gradually induced them to sell national intelligence.

Owing to a lack of public education in this field, ordinary Chinese have a quite shallow understanding of espionage.

Some people feel that everything is secret and become panicked about contact with foreigners, while others are adverse to rules on classified information and regard certain necessary measures as formalism.

Although information warfare is a common phenomenon around the world and almost every big power has once been mired in espionage cases, China has obviously suffered more losses in recent years. Ma Jisheng is not the first top diplomat caught for spying.

With advanced technologies in the modern era, there is an increasing possibility that those selling intelligence will be caught. And all the potential high-risk groups should recognize this point, which may help them refrain from selling information when they are about to cross the red line.

If it is confirmed that Ma has been caught, we hope that his story will one day appear on media to serve as a warning for others.

Globaltimes.cn also published the following infographic:

Here is the manual (NEEDED: full translation Chinese->English):

中国防间谍不完全手册:里面的很多内容不光对留学生有用，对国内的网友来说也是非常有用的。一、间谍做什么？
二、谁会成为反华势力的间谍？
三、现实生活中策反/造谣类间谍的表现
四、网络上策反/造谣类间谍的表现
五、借信仰之名，行策反之实的假基督徒间谍(省略)
六、初级间谍拉人入伙的最初识别(省略)
七、总结情报工作无孔不入，情报人员其实就出没在我们的周围，他们看起来绝对不像是JamesBond那么酷，他们其实就和你的朋友没什么两样——说不定你的朋友 中就有情报人员。一个好的情报人员，一定是低调的，一定是能和群众打成一片的，一定是让你甚至连想都不会往这方面想的——一句话，扔到人堆里你绝对找不出 来的。而这些普普通通的情报人员，却在为各自的目的，为各个政治集团做着默默或者张扬的工作。一、间谍做什么？狭义的情报人员是服务于某政治集团的一些比较特殊的人员，他们的工作性质、工作内容也各不相同。通常的“间谍”一词所指的，只是其中的一部分。下面，我们看一看一般我们在国内外能够遇到的情报人员，一般都有哪些任务。1、刺探。这是情报人员最古老的工作之一。这项工作的目的是主动刺探敌方军情或者政治秘密，为我方采取战术或者战略反制措施提供决策依据。比较常见的是在军事基地附近拍照的间谍，以及发展第五纵队从敌方军政机构里面获取涉密信息的间谍。2、分析。如果说刺探是主动出击收集信息，那么分析则是被动地收集信息。例如专门分析报刊杂志上面政经信息的驻外文官（情报分析员），以及坐在某军工研究所附近餐馆 吃饭的常客（听研究人员吃饭时无意透露的最新武器研制信息）。其实不一定要专业的情报人员才能做这样的事情，许多平民也有这方面的惊人才能，例如在希特勒 闪击波兰前几个月，德国的一个平民就根据几年来收集到的公开报刊杂志分析出了希特勒闪击波兰的全部作战计划，连时间、编制、战役细节都推测得八九不离十。 他把分析结果出版，引起了希特勒的震惊与恼羞成怒，于是不久便派盖世太保将其暗杀。希特勒不得不重新调整战役部署，然而泄漏过多，难以完全达到战争的突然 性。幸而波兰国内的耶和华见证人（邪教）多方阻挠波兰人民抵抗，希特勒才没有在闪击波兰的过程中遇到太大的麻烦。3、窃取。间谍古已有之的任务。一般是使用技术手段获取敌方的技术图纸、数据、图片、录音等秘密信息，以及偷窃对方的某些技术装置（如特种合金碎片、芯片、导弹制导装置等部件，甚至是整架战斗机）。4、策反。这也是情报人员最古老的任务之一。顾名思义，策反就是通过各种心理战手段，将敌方人员从思想上转化为我方人员，从而削弱敌方力量，增强我方力量。被策反的 敌方人员，往往可以继续发展成我方间谍，或为我方提供特殊的技术能力，以使得情报工作效果最大化。这也是“和平演变”的核心所在，乃“兵不血刃”之高招。5、造谣。由于人民从广泛意义上比较缺乏专门的知识和辨识能力，容易倾向于相信一些他们所希望相信的东西，因此情报人员用造谣的方法，可以将人民群众拉拢支持己方政 治集团，反对敌方政治集团。以削弱敌方政治集团的民意基础，给敌方政治集团的执政带来很大困难，造成敌方政权管辖范围内的动荡，等等。同样，造谣也可以用 于攻击敌方个人，以诋毁其声誉。6、传递。这是一类比较特殊的情报人员，他们不单独行动，他们的任务是将信息情报在前线情报人员和后方总部之间进行有效而秘密的传递。二、谁会成为反华势力的间谍？中国人所要面对的，基本上全是反华势力的间谍了。因此，我们以下的讨论将仅仅局限于反华势力。西方每个国家都有不同的反华势力，他们各有不同，其中美国反华势力流派最多、经验最老到、势力也最大。在西欧（原北约成员国），反华势力的基本做法都和美国相去不多，因此下面仅讨论美国反华势力。美国反华势力主要可分为政府级别和民间级别.其中民间级别的包括臭名昭著的轮子、民运等，由于其自身的问题而不得势。然而政府主导的情报工作，却是力度很大、成效颇丰的。美国的情报机构，对外主要是CIA，对内主要是FBI。其中CIA尤其注重在留学生中进行情报工作。 经过几十年的实践总结，CIA已经形成了一整套招募发展外国间谍的行之有效的方法。概括起来可以用4个字母表示：MICE。（老鼠的复数？）M= money，即金钱。这个其实没什么好说的，许多人见钱眼开，给奶便是娘。I= ideology，意识形态。这个在冷战时期非常管用，那些极端厌恶共产党的社会主义路线的人，在本国受挫后，常常在反华势力“自由”、“民主”的旗号的煽动之下，主动投靠反华势力，充当其走狗。C即个人表现。比方说，CIA会跟你说，你给他们当间谍，你就可以成为007那样受到万人追捧的明星；你给他们当间谍，你就可以实现人生的最高价值，等等。

E即道德压力，就是常见的利用美色或者经济问题来引人上钩，抓到把柄，然后以此来要挟人为自己当间谍。

CIA的这个“老鼠”法，可谓屡试不爽。因此，符合这四条中任何一条很显著的人，都很有可能被美国反华势力发展成为间谍。比方说：

见钱眼开者，削尖脑袋也要享受资本主义奢侈糜烂生活的人。

那些如平可夫这种“对共产主义毫无兴趣”，对共产党恨之入骨的反共反华者。

那些个人成就动机极其强烈，尤其是希望得到万众瞩目的人。

还有就是那些贪官污吏啦，以及个人生活作风有问题的人。

由此，如果你发现有人对政治特别感兴趣，其政治倾向为反共反华，又符合上面四条中的任何一条（甚至几条），就要高度注意了。这样的人很可能不是自己头脑发热，不是自己真的要愤世嫉俗，而是为了反华集团而卖命。

三、现实生活中策反/造谣类间谍的表现

在现实生活中，与我们这些学生接触较多的反华势力的间谍，通常以学生的身份出现，这样对于我们这些普通的学生而言，无疑具有更大的亲和力，也可以避免我们的警惕与防范。

1、台湾中情局派出的“职业学生”

根据中国国家安全局的数据，在欧美的台湾留学生中，每5个人中就有一个是由台湾中情局直接进行经济支持的策反类间谍，这是台湾政府的内部规定。于是在台湾 学生中间就有了这么一个名词：职业学生。这些学生以在大学里面学习为职业，他们只要继续读书，就可以从中情局拿到不菲的薪水（当然通常来说都是不会让朋友 知道的）。他们的任务只有两个：1、策反大陆学生；2、防止台湾学生被大陆人策反。中情局对这些“职业学生”的要求，就是尽可能拖延毕业、多多组织台湾学 生的活动、多多接触大陆人。

根据这些特点，我们可以总结出这些台湾的策反类间谍的识别方法：

(1)持鲜明反共立场，有可能持台独立场，经常表示政治立场

(2)长期不毕业

(3)不好好学习，社会活动多，常组织社会活动

(4)故意拖延毕业时间

(5)频繁与台湾人/大陆人接触

(6)不需要打工，经济条件却很宽裕

(7)他们的家人不大出国（因为被政府看着做“人质”防止间谍叛逃。起码以前是这样，不知道现在是否在“民主诉求”之下还有这一条）

其中，6和7这两条若不用间谍来解释，就是互相矛盾的。若家庭经济条件好，不需要打工，则其家人一般来说出过探亲旅游的倾向性很高；若家庭经济条件不好，家人没钱出国旅游，则一定需要打工才能生存。这是台湾“职业学生”的一大软肋所在。

要特别注意的一点是，台湾中情局所豢养的这些间谍，并不一定都是台湾人，也有许多是被策反了的大陆学生，他们也基本符合上面的1-6条。

有些间谍因为某些原因洗手不干了，这个时候就会被中情局威胁。当然，实际上一般情况下中情局不可能对他们的家人做出多么不利的事情，顶多就是以后办理出国 手续的时候卡一下。不过，中情局停掉工资是肯定的。我还真的看到过有的台湾“职业学生”洗手不干之后的悲惨日子。一般来说这样的间谍会突然遇到非常严重的 经济困难（目前尚不清楚中情局是否会阻止他们的台湾家人给他们汇款），于是得外出打工等。在学生签证满了10年之后，无法继续延签（许多欧洲国家规定学生 签证最多只能给10年）——如果这个间谍工作成效比较好的话，中情局会想办法让他继续服务的，签证便也就不成问题。如果发现你的朋友中有这样的情况，要特 别的当心。

2、为美国或欧洲反华势力工作的学生间谍。

姜还是老的辣，美国的情报工作历史悠久、经验丰富，比台湾的中情局强不知道多少倍。因此，想要有那么几条简单的比较统一的判断标准，也非常的困难，甚而至于比较精确的推断都非常不容易。我们只能根据长期情报工作所总结出来的经验规律，从侧面大致来推断。

(1)愤世嫉俗。

这一点是肯定的，他们如果想要开展社会政治策反工作，反共反华，一定要愤世嫉俗，否则便不可能造成社会影响力。上面说过，他们具体的表现就是一味攻击谩骂中国和共产党而无意提出理性的解决方案，也无意投身于建设祖国的事业中。

(2)崇美恐美情绪明显。

任何事情，美国的观点总是正确的，中国相类似的事情，就算没有问题也要鸡蛋里面挑骨头出来批判。

(3) 经济状况。

大陆学生一般而言都比较穷（那些贪官子弟当然另当别论），在国外读书一般都必须靠奖学金或者打工过活。如果你发现你的某个朋友的支出明显高于他的明面上的 收入，就得小心了。情报部门所给的经济资助，一般相当丰厚，每月少则几百，多则几千美元。而且，如果你发现你的朋友在收入一事上对不同的人有不同的说法， 也需要特别小心。

(4)社交圈子相对独立。

情报部门一般来说也会要求基层间谍与他的朋友保持一定距离，即使有几个表面上的“密友”，也只是用于掩护的。仔细观察可以发现，这些间谍与他们的“密友” 之间仍然保持着相当大的距离，比方说不轻易邀请密友到家中做客，几乎不参加密友所组织的较大型的活动，也不带密友和他的其他社交圈子中间的朋友一同参加活 动、彼此认识。总而言之，就是他试图保持几个社交圈子之间的隔离性。

(5)比较典型的美式逻辑：“深刻的偏激优于平庸的全面”。

美国历史上在这种偏激的哲学思想之下，诞生出了一代又一代的偏激大师，如佛洛伊德、布热斯津等。然而既然是偏激，就很不全面，虽然言语非常的震撼，却绝对不代表真理。

(6)言论与其专业训练明显不符。

通常而言，文科生比理科生容易策反，工科学生被策反的不确定性很大（视专业不同有很大的区别）。

在理科生中，有较强不确定性、今后在国外工作前景较为乐观（例如生物、化学）的学生，策反起来,比要求严谨逻辑和事实观察、今后工作前景不那么乐观的学生（例如数学、物理）,相对要容易。

如果你发现一个学数学或物理的高才生居然在言论中逻辑性很差，不注重事实，盲目崇美恐美，这就与他的专业训练背景相抵触，其背后必有隐情。这样也就可以大致对某些人进行推断。

(7) 原创观点明显偏少，大量引用他人的观点与论证方法，甚至语言形式。

这些被策反的间谍所说的言论，虽然具体阐释上面可以自己发挥，但基本论点和论证形式一般来说都由上家指导甚至直接确定。其实这一点本不是情报机构的首创， 而是古老的邪教的惯用手段，就是由总部来培训邪教传教士，教他们如何歪曲宗教经典，用似是而非的诡辩方法来赢得人心。至今，我们还可以从耶和华见证人、东 方闪电和**功那里,明显地看到这种策略。把它套用到政治观点上面，由于出国留学的学生总体认知水平比较高，如果关心政治，应该有自己的观点（要么就是完 全不关心政治，这种人一般来说也很少会谈论政治），因此，自己的观点明显偏少，却大量引用他人的观点与论证方法，甚至连具体的语言形式都似曾相识，这就是 比较明显的受上家操控的标志。比较典型的语言特征例如以柴玲为代表的“民运”式，以**等人为代表的“FL功”式，等等。

(8)刻意歪曲中国的事实，将特定历史的事件反复拿出来以孤立的方法进行曲解。

现在中国的总体情况是令人乐观的，虽有争论之处，却正在稳步改进过程中。然而反华分子们唯恐中国不乱，唯恐中国发展，即便现在抓不到什么，也要刻意歪曲事实找事情来批判。

例如饿死人问题,及强调89年天安门有大屠杀（连当年民运四君子之一的侯德健都站出来澄清清场的时候根本就没有屠杀），说现在共产党仍然在迫害基督徒（事 实上90年代以后共产党中央政府就一直没有与基督徒为敌，反而在逐步放松对宗教的管制，也在试图发挥基督教在国家生活中的重要作用，见胡锦涛温家宝的公开 讲话），等等。

他们把一些特定的历史环境之下的事情孤立起来，高举某些反对共产党、又被共产党打压的人，而不管这些人自己有什么问题，就把这些人当作是“（反共）义 士”，例如解放之初一些无政府主义、自由主义、宗教极端主义的人士被当成右派打击，就被反华势力抓住当作把柄，把这些无政府主义者当成反共义士大家抬举， 全然无视当时的情况，以及美国当年也在大力打击无政府主义者的历史。

(9)片面反战，主张中国应该解除武装。

其实这是美国政府从朝鲜战争到越南战争所吃的最大的苦头。如果不是国内反战浪潮过于猛烈，朝鲜战争美国如果在李奇微将军的带领下以范弗利特弹药量继续战斗，历史很有可能改写；越南战争也是因为美国政府顶不住国内的反战压力，才被迫撤军。

然而美国政府聪明地发现，这片面反战的力量，却是瓦解敌国抵抗意志的良方。其实片面反战并不是美国人民的首创，著名的邪教耶和华见证人就是极力强调片面反 战的，他们认为一切战争都是不好的，敌人打过来了，我们也只能束手就擒，任人宰割。他们不仅自己不抵抗，还想方设法地阻挠其他的人民抵抗。二战时原东欧地 区的快速陷落，少不了耶和华见证人的“贡献”。

这些“功绩”至今仍然记录在这个邪教组织所定期发行的杂志《守望台》上。因此美国政府在1990年的海湾战争、2003年的伊拉克战争中，下了很大力气去 打击国内的反战人士（许多被监禁、被殴打，甚至被逼迫公开承认反人民的罪行）。然而在美国国外，他们却大力推行片面反战的观点，并加上“中国威胁论”，认 为中国有核武器、有先进的战机军舰就是地区和平的威胁。典型的“只许州官放火，不许百姓点灯”。

(10)偷偷摸摸进行改名改址活动

如把人民解放军改为国民军,人民军队改为国家军队,人民大会堂改为国民会议堂.

借各种理由,把首都迁往他处,把开国元勋人民领袖纪念堂迁往什么什么地方.

三八国际妇女节/五一国际劳动节/六一国际儿童节都要改.

等等这些,无不暗藏”颜色革命”动机.

以上当然只是中美在长期的情报斗争中总结出来的一些经验规律。美国毕竟经验老到，因此单独一个方面拿出来看，问题都不是很大，都有其他的方法可以解释。但是，如果一个人同时具有上面许多点特征，他是美国反华势力的间谍的可能性就非常大了。

四、网络上策反/造谣类间谍的表现

现如今，网络成为年轻一代主要的信息传播与获取渠道。反华势力很早就注意到网络的特性，非常有利于展开策反/造谣工作，因此早在十几年前互联网刚刚普及的时候，他们就在紧锣密鼓地部署网络策反与造谣的工作。

具体说来，网络适合于策反/造谣工作的特性，可以归纳如下：

1.影响面大。

不需要耗巨资组织大型的活动，不需要耗巨资去电视台演讲，只要轻敲键盘鼠标，在网络论坛上发文章，便可以吸引世界各地数以万计的眼球。而且可以跨越国界，逃避政府的管制

2.隐蔽。

网络上，没有人知道你是一条狗。网络上都为化名，谁也不知道他真正是谁。因此，这也就给策反与散布谣言者以逃避法律追究的便利。

3.信息真假难辨。

由于网络世界没有主控机构，更没有新闻审查，真假信息鱼龙混杂，什么东西更震撼，什么东西更噱头，什么东西就能够更吸引眼球，即便它是假消息。

4.管制困难。

网络上流传的信息，很难被管制。一方面，现在国际互联网的流量非常大，要在这么大的流量之中进行实时关键词搜索本来就已经需要耗费无数台超级计算机的计算 能力了，只要在敏感关键词中加一个空格，便可轻易逃过检查。即便是超级计算机，也对大量加密的语音和图像信息难以做到有效的过滤筛查。

网络上的间谍活动，由于更加隐蔽，而且信息渠道单一，因此容易伪装得良好，更具威力。这些间谍广泛分布于中国国内国外，有大张旗鼓的，也有默默无闻的。在网络上活跃的主要有这么几种间谍：

1.刺探军政情报的间谍

这类间谍活跃在军事和国政类论坛上，为的是从网友那里套取最新的军政情报。其惯用手法为：

(1)故意诋毁贬低中国的军政实力，引来爱国人士的反击。在此过程中，间谍会故意引诱爱国人士透露一些绝密情报。

(2)故意说一些错误的信息，例如部队的番号、导弹的射程等，引起一些真正知道这些情报的人士的不满，又喜好表现自己知识渊博，于是将正确的数据说出来。

(3)展示自己收集得一些装备的照片，诱使其他网友贴出他们自己拍摄的装备、军营等照片。一张船坞的照片就可以分析出中国新建造的军舰的大致性能，以及中国是否在准备十年以内建造航母等非常重要的战术和战略信息。

2.打击人民安全感的间谍。

这类间谍通常也活跃在论坛上，他们的共同手法是用许多似是而非的东西来攻击中国军队和政府，其目的就是让人民觉得中国军队非常腐败，技术也远不如人，因此无力保家卫国。

(1)歪曲历史，以刻意贬低中国军队的形象，打击人民对军队的信任感和自豪感。最常见的例子例如抹杀中国人民志愿军抗美援朝的意义，胡说什么当时不进行抗美援朝更好，云云。

(2)以一些子虚乌有的所谓“内部数据”来证明中国的武器根本无法与美国武器相抗衡，鼓吹美国制胜论。

(3)揭露所谓的“军队内的腐败黑幕”，试图让大家相信中国军队已经非常腐败，如当年清朝军队一样，不堪一击。殊不知90年代末期以后军队大整肃，大大提高了战斗力，腐败分子被内部处理了很多，军队经商问题得到了极大的遏制。

3.以亦真亦假的谣言煽动反政府情绪的间谍

这类间谍常活动与时政、强国等类型的论坛上，主要是以亦真亦假的社会事件的“内幕”，煽动人民的反政府情绪。

这类间谍属于最隐蔽的一种，因为他们的表现和一般的愤青以及不满现实的持改良政见者不容易分开，而且信息渠道单一（仅仅通过网上的言论）。然而，专业的反 间谍人员在长期的监控中，也发现了一些迹象。虽然对于这样的间谍，即便是专业的反间谍人员也需要透过专业技侦手段才能最终确认，我们普通老百姓就更难以分 辨，然而我们可以靠着一些蛛丝马迹，有一个倾向性的判断，就不容易被他们的言论迷惑，更可以和这些间谍在现实生活中保持距离。

这些间谍，其言论内容具有[三.2.(1),(2),(5),(7),(8),(9),(10)]的特征。仅凭这些言论特征，还不足以让我们高度怀疑他是一个间谍。专门从事网络策反煽动的间谍，还有其它的一些特征。

(1)IP/MAC地址常变，但网段变动不大。

尤其在中国国内，间谍由于要在网络上保护自己，不易被技侦手段锁定，常常变换上网发帖所用的计算机。在公共场合，例如网吧、学校这样的地方，是他们活动的 好战场。如果配合一些黑客手段，在这样的公共场合即便被技侦部门跟踪，也很难抓到其人。当然在国外，由于不用担心被中国安全部门监视（其实还是有的，只是 大部分人不知道而已），在家里一直使用自己电脑的也不在少数。

(2)煞有介事地报道一些热门社会事件的“内幕消息”，夸大政府、军警的残忍，突出上访、游行、抗议者被抓、被打、被抄家、被酷刑折磨等悲惨遭遇，突出在中国生活的胆战心惊。

对引起这样社会事件的复杂背景、历史等仅作非常简略的偏向性介绍，从不谈及上访、游行、抗议者自己的任何行动过激、不当之处。其内容真真假假.

比较专业的间谍通常采用“美国之音”的策略：90%的真话加上10%的假话。由于普通群众根本没有可能性去详细核实，因此大家在听信90%的真话的同时， 也把那10%的假话听进去。有些比较露骨的，会自称诸如“人权观察协会”、“国际大赦组织”的观察员，这些组织表面上是民间非政治机构，然而了解历史和国 际政治的人都知道，这些组织都是受美国等政府的支持和操纵，借口人权等问题攻击敌对国的傀儡组织。但由于这些组织有来自于他们主子政治集团的强大舆论与经 济支持，帮他们混淆视听、浑水摸鱼，因此这些间谍中的有些人敢于明目张胆，即便是在中国国内。

(3)发帖争议性大，往往引得众多网友互相辩论。

而贴主（也有可能注册另一个用户名）所作的回应和引导，不是为了平息争论、得到共识，反而是有意加剧争论，以吸引更多的眼球。常用的手法是作人身攻击，激 怒持反对意见的网友；不正面回答网友的质疑；玩弄文字游戏，设逻辑陷阱。经过培训的间谍往往有更加专业的诡辩技巧，其逻辑漏洞隐蔽，没有系统地学过逻辑或 研究过辩论的人，极易上当。

(4)比较初级的间谍常采用的手法是在论坛上注册一个新的用户名ID，发几个帖子之后就消失，以为这样不容易被跟踪上。

但经过专门培训的间谍就经常不采用这种容易被网友识破的方式，他们会很有耐心地用相当长一段时间进行“树立威信”的工作，即用好几个月甚至数年的时间在一 个固定的论坛上用一个固定的用户名ID，表现出一副儒雅风范，很平静地参与讨论，树立道德高度，以博得大家的喜爱与拥戴，甚至成为版主。然后，才开始逐步 地在讨论中涉及敏感话题。这种逐步的转换由于历时甚长，不易被普通网友所发觉。然而如果通过论坛搜索功能一次调出其在一两年甚至更长时间内的文章总汇，就 可以比较清楚地看到这种人的话题、论点和态度的转变。尤其在局势紧张的时候，这种转变尤为明显。在下一点中将详细谈到。

(5)局势紧张的时候，间谍的反共反华言论突然大量增加。

这是非常合理的举动，因为每当局势紧张（例如台海、东海、南海方向）时，各方面的信息和观点都会大量增加，人民对时局的关注程度也会大幅度增加，这些间谍 的主子便会要求他们加大策反力度，(比如最近的格俄问题),制造更多的反华反共言论，以“增加与共产主义不相合的精神因素”（原美国驻华大使司徒雷登 语），削弱海内外中华民众对中国政府的支持与信任，借机培养第五纵队，在可能到来的激烈的政治军事斗争中，为中国增加内乱的可能性。如果我们发现原先比较 温和的网友在局势紧张时不顾一切地大幅度增加反共反华言论，甚至被众人唾骂也在所不惜，这种违反其常规、也违反通常人常规的做法，显示出他背后有操纵者， 也是一个比较明显的间谍的标志。

通常来说，在时局变换的时候，各类间谍的活动普遍会加剧，从而很有可能产生情报机构过度使用某一条间谍线的情况，而使得这条线被暴露。各国反间谍部门都视 这个时候为排查、收网的好时机。在上次台海危机中，被中国国家安全局破获的最大的在中国大陆的台湾间谍网，一次抓获各类间谍470余人，其中90%以上是 从未到过台湾也从未出过国的大陆人。而在这排查抓捕的行动中，据称网络监控发挥了重要的作用。

(6)采用明显的美国政府式舆论边缘化操纵策略。

这是一种非常厉害、非常专业的手法，不是搞情报的一般人很难做到，除美国以外也绝少能够见到这种策略，因为这种策略的产生与发展，与美国文化和历史的发展密切相关。因此，如果大家能够看到使用这种手法的人，多半是受过美国情报部门专业训练的间谍。

其实这种手法讲起来本身并不复杂，就是不太理会反对者的意见，而用海量的己方观点去冲淡反对者的意见，使得反对者意见被边缘化。同时，变换不同的方式一再重复己方观点，使得“谎言重复一千次就成了真理”。

(7)对持反对意见者一般仅仅进行人身攻击，避而不谈观点、论据等本身。

这一条是辅助识别标志，因为间谍在论坛上讨论仅仅是要推广他们的观点、吸引眼球(点击率)、企图树立个人知名度，并不顾及到其观点的正确性和论证的严密 性.对反对者进行人身攻击，将反对者描绘成“坏人”，是最行之有效的方法。而这种方法常常也能够引来反对者的情绪反弹，拼命要证明自己不是“坏人”，从而 让争论愈加复杂和激烈，更能吸引眼球，却离讨论的问题本身越来越远。

五、借信仰之名，行策反之实的假基督徒间谍(省略)

六、初级间谍拉人入伙的最初识别(省略)

七、总结

事实上，作为危险性比较大的策反/造谣类工作，本国资深情报人员是不轻易去直接做的，他们策反中国人为他们卖命，就是为了保护他们自己。外国情报机构不会 顾及中国间谍的死活，给这种“初级”中国间谍的培训也是极为有限的，因为绝大多数中国人对情报工作的知识几乎为零，因此间谍通常也用不着高级培训。

其实，一般的人只要认真想一想，就可以总结出一些间谍的手法来。为什么这么说呢？俗话说得好：“要想抓贼，必先做贼”，如果我们能够设身处地地想一想，如 果有这么一个间谍任务交给我们做，我们会怎么隐藏我们的真实意图，就能够发现实际上间谍能用的手段并不多。加上一些情报机构长期总结出的规律，我们每个都 能够具备基本的识别间谍的能力。

我们的祖辈父辈，在新中国成立之后都受过相当的军事和情报训练，有着基本的反间谍的知识。建国初30年，大部分的间谍都是被人民群众发现并报告给国家安全 部门的。弱小的共和国之所以能够平安走过那环境险恶的年代，情报战线的人民战争起了决定性的作用。今天，情报战争的烈度不减当年，仅靠国家安全部门的专业 人员，难免挂一漏万。我们对这些斗争无幸参与，虽不一定把这些间谍揪出来扭送安全部门，但至少可以做到自己不被这些间谍的言论所蛊惑，不参与到他们的反华 行动中去。

反华势力亡我之心不死，任何时候都在紧锣密鼓地策划和实施着“以华人制华”的策略（美国CIA解密文件和兰德公司公开发表的战略白皮书中都有明确提及）。 为了祖国的繁荣富强，为了中国人在世界各地能够不受欺侮，为了我们每个人以及我们亲友的幸福生活，请大家保持警惕，远离间谍。

 签名档

纸上得来终觉浅 绝知此事要躬行

不为浮云遮望眼,要拿魂魄碾冰霜!

(h/t @spybusters)

EOF