Month: December 2014

AIVD admits eavesdropping on Amsterdam-based law firm that defends terror suspects

UPDATE 2015-07-01: the court of The Hague has ruled today that the Dutch government must, in the next six months, change its current policy for interception of privileged communications: ruling (in Dutch) and press release (in Dutch). If the government fails to comply, it has to cease any such interception.

UPDATE 2015-06-26: the Minister of Defense sent a letter (in Dutch) to parliament to explain the relation between privileged (lawyer/client) communications and national security. Here’s a translation of the essence:

(…) First I want to point out that the position a lawyer holds in criminal law is different from the one in the context of an investigation by the intelligence & security service, in the course of carrying out their legal tasks on the basis of the Dutch Intelligence & Security Act of 2002. The rules that apply to a lawyer in criminal (procedure) law as holding a privileged position do not apply one-on-one in the latter context. Situations can exist in which the interest of national security prevails over the interest of privileged persons (in this case, being able to talk freely with clientele). As I stated during the parliamentary question time of April 21st 2015, the intelligence services can only under strict conditions proceed to use special powers against lawyers. In addition to the safeguards that apply to every use of a special power (necessity, subsidiarity and proportionality), extra criteria apply, including a shorter period of use of the power (one month instead of the normal three months). (…)

UPDATE 2015-03-10: in response (in Dutch) to parliamentary questions following a plea (in Dutch) from the National Bar Council, the Dutch Minister of the Interior stated that he does not believe it is necessary to introduce ex ante court approval for intercepting communications of lawyers.

UPDATE 2014-12-22: NRC Handelsblad published a piece (in Dutch) by Ot van Daalen (@digidefence) in which Ot, citing the case described below, recommends that lawyers encrypt communication with clients.

Today, Dutch newspaper NRC Handelsblad reports (in Dutch) that the Dutch intelligence & security agency AIVD spied on the Amsterdam-based law firm Prakken d’Oliveira, which defends terror suspects, among others. Here is a translation of NRC’s report:

AIVD admits eavesdropping on law firm that defends terror suspects

The secret service AIVD admits it eavesdropped on lawyers of the Amsterdam-based law firm Prakken d’Oliveira. The office states so on its own website, revealing a letter [.pdf, in Dutch] from Minister of the Interior, Ronald Plasterk.

The firm had filed a complaint because lawyers had been suspecting for years that they were being eavesdropped on by the AIVD. Prakken d’Oliveira defends many terror suspects, among others. In the written answer from the Minister, the Dutch Review Committee on the Intelligence and Security Services (CTIVD) partially confirms the complaint. The Minister states he will follow the CTIVD’s recommendation and says that the AIVD acted “inappropriately” in transcribing the phone conversations, text messages, and emails.

Wiretapped despite policy

The AIVD thereby admits that between January 1st 2003 and July 1st 2014, conversations have been eavesdropped, and text messages and emails from the lawyers were read and transcribed. The CTIVD says it has doubts about the necessity of transcribing communication of the law firm prior to 2007. In that year, the AIVD established a policy concerning wiretapping of phones, among others. But according to the CTIVD, messages have been transcribed unlawfully after that.

The eavesdropping of contact between lawyers and suspects is, in principle, prohibited by the attorney–client privilege [in Dutch: “verschoningsrecht”]. That privilege ensures free consultation between both parties, such that a proper defense can be prepared. Exceptions can only be made in case of imminent threats.

In a statement on its website, Prakken d’Oliveira states that the regulation concerning eavesdropping is “seriously inadequate”. The law firm wants the law to be changed such that wiretapping of communication means is only allowed after prior approval of a court. Currently, the AIVD can eavesdrop if the Minister consents that doing so is necessary.

EOF

Notes on transparency & statistics of use of special powers by intelligence services in NL and BE

UPDATE 2015-07-15: Dutch intel oversight committee (still) seeks to publish statistics on use of special powers, suggests topics for debate on the new bill.

The below is a comparison of (lawful) public availability of statistics about the use of investigatory powers by intelligence & security services in Belgium and the Netherlands; I intend to add more countries if I can find the necessary information (legislation, etc.).

Belgium: ADIV and VSSE

Belgium has a non-military intelligence & security service (VSSE) and a military intelligence and security service (ADIV). Oversight on lawfulness and expediency is carried out by the Belgian Standing Committee I (in Dutch: “Vaste Comité I”), an independent specialist body consisting of three persons, and some staff. The Standing Committee I is established by the Act Governing Review of the Police and Intelligence Services and the Coordination Unit for Threat Assessment of 1991 (hereafter: “Review Act of 1991”). The VSSE and ADIV are established by the Intelligence Services Act of 1998 (hereafter: “W.I&V”). The W.I&V provides the VSSE and ADIV with special investigatory powers. Oversight reports written by the Standing Committee I are not automatically fully published; it is possible to withhold elements from publication.

Article 35-2 of the Review Act of 1991 states that the Standing Committee I reports quantitatively on the use of such powers. My translation of the relevant part in that article:

(…) The report contains the number of warrants, the duration of use of the special methods for data collection, the number of persons [=targets] involved, and, where appropriate, the yields. The report also describes the activities of the Standing Committee I.

There is a restriction, however:

The elements contained in the report may not harm the proper functioning of the intelligence and security services or put the cooperation between Belgian and foreign intelligence and security services at risk. [note: the latter firstly concerns information shared with Belgium by foreign services.]

With that in mind, take note of the statistics in the table below that the Standing Committee I included in its 2013 activity report (.pdf, in Dutch and French): a LOT of transparency, I’d say. The fact that it is published is evidence in support of the hypothesis that this information is not considered to harm proper functioning of the Belgian services.

| “Specific” or “exceptional” investigative power (W.I&V 1998) | Authorization level | # 2013 (ADIV) | # 2013 (VSSE) |
|---|---|---|---|
| observation using technical means, in public places and private places accessible to the public or observation, with or without the use of technical means, of private places which are not accessible to the public (Article 18/2, §1, 1°) | Head of service + give notice to oversight body | 14 | 109 |
| inspection, using technical means, of public places, private places accessible to the public and closed objects located in these places (Article 18/2, §1, 2°) | Head of service + give notice to oversight body | 0 | 0 |
| consulting data identifying the sender or addressee of a letter or the owner of a PO box (Article 18/2, §1, 3°) | Head of service + give notice to oversight body | 0 | 0 |
| measures used to identify the subscriber or habitual user of an electronic communication service or the means of electronic communication used (Article 18/2, §1, 4°) | Head of service + give notice to oversight body | 66 | 613 |
| measures used to find call information for electronic communication methods (Article 18/2, §1, 5°) | Head of service + give notice to oversight body | 15 | 136 |
| localisation of the origin or destination of electronic communications (Article 18/2, §1, 5°) | Head of service + give notice to oversight body | 36 | 224 |
| observation, with or without the use of technical means, among others in private places which are not accessible to the public, or in premises used for professional purposes or as a residence for a lawyer, doctor or journalist (Article 18/2, §2, 1°) | Oversight body (unanimous prior consent) | 1 | 6 |
| inspection, with or without the use of technical means, among others of private places which are not accessible to the public or premises used for professional purposes or as a residence for a lawyer, doctor or journalist and of closed objects found in these places (Article 18/2, §2, 2°) | Oversight body (unanimous prior consent) | 0 | 6 |
| setting up or appealing to a legal entity to support operational activities and appealing to officers of the service, under a false identity or in a false capacity (Article 18/2, §2, 3°) | Oversight body (unanimous prior consent) | 0 | 0 |
| opening and reading letters, either sent via a postal service or not (Article 18/2, §2, 4°) | Oversight body (unanimous prior consent) | 0 | 6 |
| collecting data on bank accounts and bank transactions (Article 18/2, §2, 5°) | Oversight body (unanimous prior consent) | 5 | 11 |
| intrusion into a computer system, with or without the use of technical means, false signals, false codes or false capacities (Article 18/2, §2, 6°) [hacking] | Oversight body (unanimous prior consent) | 0 | 12 |
| tapping, listening to and recording communication (Article 18/2, §2, 7°) | Oversight body (unanimous prior consent) | 17 | 81 |

Bulk collection: neither ADIV nor VSSE currently (=Dec 2014) have a legal basis for any form of bulk collection; neither via intercepts, nor via requests for traffic/subscriber data addressed to telcos (source).

Netherlands: AIVD and MIVD

The Netherlands has a general intelligence & security service (AIVD) and a military intelligence and security service (MIVD). Oversight on lawfulness is carried out by the Dutch Review Committee on the Intelligence and Security Services (CTIVD), an independent specialist body consisting of three persons. Oversight on expediency resides at the Minister. All three entities are established by the Dutch Intelligence & Security Act of 2002 (hereafter: “Wiv2002”). The Wiv2002 provides the AIVD and MIVD with special investigatory powers.

CTIVD oversight reports are always sent to Parliament and openly published, but may, and often do, contain a classified appendix. The CTIVD can decide for itself what topics it wants to investigate, but also start an investigation at the request of Parliament. In 2008, the CTIVD for the first time looked into the use of interception powers: targeted interception ex Article 25 Wiv2002, and selection from bulk-interception ether communication ex Article 27 Wiv2002. In 2010, the CTIVD decided to make interception an annually recurring topic of investigation.

Several attempts have been made by Dutch media, civil organizations (notably Bits of Freedom) and MPs to obtain interception statistics from the intelligence services. In 2010, Parliament adopted a motion requesting interception statistics. Two statistics were published: the number of targeted interceptions by the AIVD (1,078) and the MIVD (53) during 2009. No statistics from other years are available. In October 2014, a court in The Hague accepted the government’s argument that such numbers, in combination with other information that is already public or will become public in the future, provide insight into the methods and practices used by the AIVD and that this poses a risk to the effective functioning of the AIVD. In December 2014, the CTIVD decided to publish these statistics — but it got censored last-minute by the Minister of the Interior. Interesting stuff.

The table below shows the known statistics for the use of special powers by the AIVD and MIVD over 2013: none. Open question: how should the difference with Belgium be explained?

| “Special” investigative power (Wiv2002) | Authorization level | # 2013 (AIVD) | # 2013 (MIVD) |
|---|---|---|---|
| surveillance and monitoring of persons and property (Article 20) | Head of service, or delegate (in general); Minister (in case of house/residence) | ? | ? |
| deployment of agents (Article 21) | Head of service, or delegate | ? | ? |
| establishment of legal persons (Article 21) | Head of service, or delegate | ? | ? |
| searches of private places, including housing and closed objects (Article 22) | Head of service, or delegate (in general); Minister (in case of house/residence) | ? | ? |
| examination of objects to establish the identity of individuals (Article 22) | Head of service, or delegate | ? | ? |
| opening letters and packages (Article 23) | Court | ? | ? |
| intrusion into an automated work (Article 24) [hacking] | Head of service, or delegate | ? | ? |
| interception of communications, telecommunications or data exchange (Article 25) | Minister | ? | ? |
| exploring non-cablebound telecommunications (‘searching’) (Article 26) | None | ? | ? |
| undirected interception and directed selection of non-cablebound telecommunications (Article 27) | None (bulk interception); Minister (selecting from bulk intercepts) | ? | ? |
| retrieval of traffic and subscriber data from providers (Articles 28 and 29) | None | ? | ? |
| physical intrusion in support of other powers (Article 30) | None | ? | ? |
physical intrusion in support of other powers (Article 30) None ? ?

Bulk collection: yes, via interception (Article 26/27), but only ether. Both AIVD and MIVD have that power, but it is used far more for military tasks (MIVD) than national security. It is carried out by the NSO, which becomes part of the JSCU. In November 2014, the Dutch cabinet announced it seeks to expand this power to permit bulk interception of cable communication. Legislation is currently (=Dec 2014) being drafted. According to CTIVD report 38 (.pdf, in Dutch; see p.39), Article 28/29 do not permit acquisition of bulk traffic/subscriber data from telcos. Article 24 (hacking) has been used to obtain web forum data in bulk; in cases where many non-targets were involved, the CTIVD judged this did not satisfy the requirement of proportionality (although those cases did satisfy the requirement of necessity).

Germany: BND, MAD, BfV and LfV

INFORMATION NEEDED: all information, tips, hints, suggestions, etc. are welcomed: see “Contact me” on the right. I’m both interested in learning whether or not statistics are officially published, and if they are, where I can find them.

UK: GCHQ, MI5, MI6, MoD (RIPA)

INFORMATION NEEDED: all information, tips, hints, suggestions, etc. are welcomed: see “Contact me” on the right.

An aggregate statistic is available of the number of RIPA warrants issued to GCHQ, MI5, MI6 and the MoD, combined. Many more statistics are available; see the IOCC’s report (.pdf) over 2013.

EOF

Dutch Data Protection Authority imposes penalty payment to Google re: Google privacy policy introduced in 2012

Today, the Dutch Data Protection Authority (CBP) announced it is imposing an incremental penalty payment on Google of up to 15 million euros:

CBP issues sanction to Google for infringements privacy policy

The Dutch Data Protection Authority (Dutch DPA) has imposed an incremental penalty payment on Google. This sanction may amount to 15 million euros. The reason for the sanction is that Google is acting in breach of several provisions of the Dutch data protection act with its new privacy policy, introduced in 2012.

Infringements

The results of the investigation by the Dutch DPA, as published earlier, show that Google combines personal data of internet users, amongst others to display personalised ads. This combining not only involves people that are logged in to a Google account, but also people that use the search engine, or people that visit a (third party) website that places or reads cookies from Google.

Data about for example search queries, location data, videos watched and e-mails can be combined with each other, while those services serve very different purposes. This combining occurs without Google adequately informing the users in advance and without the company asking for consent. This is in breach of the law.

“Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested,” says Jacob Kohnstamm, chairman of the Dutch DPA.

Incremental penalty payment

The Dutch DPA demands that Google:

  • Will ask for the unambiguous consent of users for the combining of personal data from the different Google services. This can be achieved via a separate consent screen. Unambiguous consent can’t be obtained through information about this processing in the general (privacy) terms and conditions.
  • Further clarifies the information in its privacy policy in order to provide clear and consistent information to people on which personal data are used by the different services of Google.
  • Provides clear information about the fact that YouTube is part of Google. With regard to this last point, Google seems to have already taken measures in the Netherlands.

Google has been given until the end of February 2015 to take the measures described above to end the breaches of the Dutch data protection act. After that, the Dutch DPA will verify whether Google has met all demands.

European data protection authorities

In the beginning of 2012, Google announced the introduction on 1 March 2012 of a global new privacy policy, applicable to the users of all services of Google. Following that, the French data protection authority launched an investigation, on behalf of all European data protection authorities. This resulted in the publication of investigation results in October 2012.

After this investigation, 6 data protection authorities, in France, Germany, the UK, Italy, Spain and the Netherlands decided to start national investigations, based on their own national data protection laws.

Google has recently sent a letter to the 6 data protection authorities, in which the company announces a large number of measures to comply with European privacy laws. The Dutch DPA has not yet established whether the proposed measures will end all the violations found by the Dutch DPA.

EOF

Dutch Parliament in favor of establishing a ‘House for Whistleblowers’

UPDATE 2017-07-11: updates moved to bottom.

On December 12th 2014, Dutch newspaper Volkskrant reported (in Dutch) that a majority of Dutch MPs favor the establishment of an independent “House for Whistleblowers”. There is a bill (.pdf, in Dutch), accompanied by a Memorandum of Understanding (MoU) (in Dutch), proposing a “House for Whistleblowers Act”.

The bill establishes a House for Whistleblowers (hereafter: the House) as a “zelfstandig bestuursorgaan” (ZBO), the Dutch version of a quasi-autonomous non-governmental organization. The House will consist of an advisory department and an investigatory department. The advisory task and investigatory task are subject to separation of duty. To make the House more independent from the government than normal ZBOs — and thereby deviating from the concept of ZBOs as defined by Dutch law —, the following rules will apply:

  • the Minister cannot appoint, suspend, or dismiss members of the House;
  • the Minister cannot require the House to provide information concerning the substance and methods of specific investigations;
  • the Minister cannot establish policy rules concerning the House’s task performance;
  • the Minister cannot dismantle the House.

Based on data from the National Ombudsman, the Whistleblowers Expert Group and the Advice Centre for Whistleblowers, it is anticipated — according to the MoU — that the House will be processing reports from four to six hundred whistleblowers annually, and that 10 percent of the reports, some 50 per year, will result in an investigation. The annual budget for the House is estimated at 3.5 million euro.

The bill provides whistleblowers the protection that they cannot be fired while an investigation by the House is ongoing. The following wrongdoings concerning public interest are explicitly recognized:

  • violation of a statutory provision;
  • a public health risk;
  • a risk to the safety of persons;
  • a threat to the environment;
  • a threat to the proper functioning of a public service or a business as a result of an improper way of acting or negligence.

Concerning whistleblower reports from the public sector, the bill obligates the following parts of government to fully cooperate with investigations carried out by the House:

  • the state;
  • provinces;
  • municipalities;
  • water boards;
  • public bodies for industry and the professions, for instance:
    • the Social and Economic Council of the Netherlands (SER)
    • the Dutch Order of Lawyers (NOvA)
    • the Dutch Institute of Chartered Accountants (NBA)
    • the Dutch Order of the Accountants-Administrator’s consultants (NvOAA)
    • the Royal Notarial Association (KNB)
    • the Royal Association of Bailiffs (KBvG)
  • other public bodies authorized under the Constitution;
  • European Grouping of Territorial Cooperation (EGTC) organizations with their statutory seat in the Netherlands;
  • other legal persons established under public law, for instance, from the ZBO register:
    • the Authority for Consumers and Markets (ACM)
    • Staatsbosbeheer
    • National Library of the Netherlands (KB)
    • Netherlands Organisation for Scientific Research (NWO)
    • Royal Netherlands Academy of Arts and Sciences (KNAW)
    • TNO
  • other legal persons not established under public law vested with public authority, with the exercise of that authority being the core activity of the legal person, for instance:
    • Authority for the Financial Markets (AFM)
    • DNB

The House is also granted full physical access to these organizations. Based on Article 9:31 of the General Administrative Law Act (in Dutch: “Algemene bestuurswet”), officials from these bodies can be required to provide information. Officials are however allowed to refuse if providing information is contrary to interests of national security, or constitutes a breach of official secrecy or other legal provisions.

Concerning whistleblower reports from private sector, the House can summon any individual and require them to provide information, but the House is not granted full physical access.

It is proposed that the House has a chair person and at most four members, to be appointed by Parliament, and such that “all relevant expertise” to carry out its legal tasks is present. It is proposed that the House is supported by its own agency, employed by the House.

In 2013, opponents of the bill included the Dutch Association for Medium and Small Enterprises (VNO-NCW), the Dutch Association for Listed Companies (VEUO), the Dutch Minister of the Interior, the Netherlands Authority for the Financial Markets (AFM) and the DNB. The Minister and regulators expressed worries about potentially harmful interference with investigations that existing authorities are undertaking. Also, the combination of an advisory task and an investigatory task in a single organization was criticized.

Excluded from reporting a suspicion of wrongdoing to the House are magistrates (in Dutch: “rechterlijke ambtenaren”) and officials of the Dutch intelligence and security services AIVD and MIVD, as well as members of the Dutch Review Committee on the Intelligence and Security Services (CTIVD). According to the MoU, the reason for this exclusion is that those organizations have existing procedures for reporting and handling wrongdoing. These officials are however free to contact the House for Whistleblowers to obtain advice.

Lastly, here is my translation of the report by Volkskrant (hyperlinks and parts in [] are mine):

Netherlands first to establish independent House for Whistleblowers

Things usually don’t end well for someone who reports wrongdoing in government or business. A parliamentary majority wants to change that by establishing an independent House for Whistleblowers.

The Netherlands will be the first European country to have an independent House for Whistleblowers that provides legal protection for whistleblowers and investigates reports from whistleblowers.

The objective is to prevent whistleblowers from being isolated, fired, and forgotten without the wrongdoing being addressed.

That is the core of the bill that MPs from seven parties, led by Ronald van Raak (Socialist Party) sent to the Council of State this week. The House for Whistleblowers will be a quasi-autonomous non-governmental organization (in Dutch: “zelfstandig bestuursorgaan”), independent of the central government. It will have an annual budget of approximately 3.5 million euro and will be supporting four hundred to six hundred whistleblowers annually.

‘Whistleblowers are now often left to fend for themselves, while they often render a service to society’, Van Raak states. ‘They will soon be able to go to the House for Whistleblowers. They cannot be fired while an investigation into the wrongdoings they reported is ongoing. The objective is to prevent whistleblowers from being isolated, fired, and forgotten, without the wrongdoing being addressed.’

Van Raak has worked on the bill for over two years, after earlier attempts to regulate the legal position of whistleblowers failed. The reason for Parliament to address this issue was, among others, the fate of Ad Bos, the whistleblower who exposed fraud in the Dutch construction industry [.pdf, 2006]. Bos ended up living in a caravan, years after he had exposed the large-scale collusion of construction companies.

‘I am regularly contacted by whistleblowers, and as an MP I want to do something about the wrongdoings that they report’, says Van Raak. ‘This often could not be done because my sources would then be fired. That situation was very unsatisfactory.’

The bill’s authors expect that in 10 percent of the cases — about fifty times a year — employees of the House of Whistleblowers will themselves carry out research into possible wrongdoings. The House will get extensive powers for that, especially if the wrongdoing involves the government. The public authority involved, such as a Ministry or a water board, must provide the researchers full access, and fully cooperate.

The estimations of the annual numbers of whistleblowers and investigations to be carried out by the House of Whistleblowers are based on data from the National Ombudsman, the Whistleblowers Expert Group and the Advice Centre for Whistleblowers, where most whistleblowers currently turn to. The bill aims to end the fragmentation of policy concerning whistleblowers.

The House will also investigate private sector wrongdoings, but cannot simply walk in there. Investigation into reports from businesses will initially be limited to requesting information and written evidence. In case of suspicion of offenses, the Public Prosecution Service will be contacted.

The driving force behind the improved legal protection of whistleblowers is Gerrit de Wit, chairman of the Whistleblowers Expert Group Foundation. The former detective blew the whistle on fraud and corruption of officials at the Ministry of Housing at the end of the previous century, and has since been fighting for better treatment of whistleblowers.

‘Of course we wanted to have arranged things for whistleblowers even better, but it is an achievement on and by itself that this proposal is now sent to the Council of State’, De Wit says. ‘In the past fifteen years I have talked to hundreds of whistleblowers and saw the majority of them be ostracized. That will change in the near future, which is a victory’.

Own responsibility

Behind the scenes, a lot of lobbying was going on up until last week to prevent whistleblowers from getting legal protection. Opponents, including employers’ organizations, fear that the House of Whistleblowers will attract troublemakers and employees threatened with losing their job. They also think companies already are responsible themselves for dealing with wrongdoings in the workplace and that more than enough supervisors and inspection agencies exist.

Professor Leo Huberts (VU University), who specializes in integrity policy, thinks the establishment of an independent organization is a good thing. But, according to Huberts: ‘What I greatly miss, is focus on prevention. Integrity mostly is about awareness, about culture. This proposal also seems unfinished, and the name is quaint. The initiative started off with the right agenda that whistleblowers who report wrongdoings and have to deal with retribution, deserve legal and financial support. The proposal looks like an ambitious building under construction, but as far as I’m concerned, eventually a real nation-wide House for Integrity will exist.’

A large parliamentary majority is in favor of introducing the House for Whistleblowers. An earlier version of the bill was adopted by the Parliament, but got rejected by the Senate.

UPDATES (from new to old)

UPDATE 2018-12-19: Former employees report wrongdoings about the House for Whistleblowers (in Dutch, NOS). One report is about (in)effectiveness of the House for Whistleblowers in general, including its administrative procedures; another report is about the procedure of the appointment of the current chair, Wilbert Tomesen, who previously was chair of the Dutch Data Protection Authority (in Dutch: “Autoriteit Persoonsgegevens”). The NOS report contains no further details.

UPDATE 2018-03-06: Best Practice Guide voor wetgeving ter bescherming van klokkenluiders (in Dutch, by Transparency Netherlands)

UPDATE 2017-12-20: Nieuwe Eurobarometer onderstreept slechte staat van klokkenluidersbescherming (in Dutch; post by Transparency Netherlands regarding the new Eurobarometer special report on corruption that covers public and corporate activity)

UPDATE 2017-12-14: Herstart Huis voor Klokkenluiders (in Dutch; post by the House for Whistleblowers reporting that the house will be rebooted). Also today, a report on this by Transparency Netherlands: Huis voor Klokkenluiders staat op instorten na kritisch rapport (in Dutch).

UPDATE 2017-10-31: The European Parliament calls for protection of whistleblowers (EDRi).

UPDATE 2017-10-20: Crisis in Huis voor Klokkenluiders (Merijn Rengers, NRC Handelsblad; in Dutch). The director of the House for Whistleblowers, Paul Loven, resigns over inability of the House for Whistleblowers to complete a single investigation in its first sixteen months of existence. Some 30 out of 800 reports received from (possible) whistleblowers were considered worthy of investigation. While the House was established after extensive debates in Dutch parliament and has its own legal basis, a spokesperson states that practice is more complex than expected. Loven requested former top official Maarten Ruys to conduct an investigation into this; it is not yet clear who will be Loven’s successor. The situation is somewhat reminiscent of what was observed in the U.S. in Feb 2015 regarding the Occupational Health and Safety Administration (OSHA): OSHA Whistleblower Investigator Blows Whistle on Own Agency.

UPDATE 2017-07-11: Wet Huis voor Klokkenluiders: een update (Linda Schut, Transparency Netherlands; in Dutch).

UPDATE 2017-03-13: NOS reports that since the House for Whistleblowers was opened in July 2016, 530 persons have made reports to it. 70 of them were established to be actual whistleblowers; the remainder reported what is qualified as ‘differences of opinion at work’. Half of the reports were made by persons employed in the private sector, one third of the reports were from persons employed in the public sector. The House for Whistleblowers published its annual report 2016 (.pdf; mirror) and a press statement.

UPDATE 2016-07-04: today, the House for Whistleblowers is officially opened (reports by NRC Handelsblad, in Dutch), and located in the city of Utrecht. Its first director is Paul Loven. It is stated that the House for Whistleblowers, which is established through Dutch national law, is the first of its kind in the world. Organizations that have 50+ employees are, as of now, expected to have (or establish) internal procedures for reporting perceived wrongdoings (and yes, that will come as a surprise to many organizations; for instance, 10% of Dutch municipalities, all of which have 50+ employees, currently have no such procedures). The House for Whistleblowers acts as a safe place to obtain advice and as a means of last resort for carrying out investigations in case internal reporting fails — or in case suspicions are that upper management (C-level) and/or shareholders are involved in fraud. Questions remain: as stated elsewhere in this blogpost, the House for Whistleblowers has both an advisory department and an investigatory department, which are ‘strictly separated’, but which nonetheless means that the ‘lawyer’ and ‘judge’ functions are exercised by people who are part of the same physical organization. Time will tell how this works out in practice. (Note: please do read the remainder of this post for more details; the House for Whistleblowers deals (only) with reports that affect a public interest, as explained elsewhere in this post. The legal details of whistleblowing are complicated; for more information, refer to e.g. the ‘klokkenluiders’ category at the Dutch website ‘Bijzonder Strafrecht’ and the legal expert book ‘Klokkenluiders in perspectief’ (Q4/2015).)

UPDATE 2016-03-01: today, the Senate adopted (unanimously) the bill (.pdf). Furthermore, the Senate adopted (non-unanimously) a motion (.pdf) intended to also provide protection, against being disadvantaged as a result of reporting wrongdoing, to non-employees who report alleged wrongdoing from a work situation, such as interns, volunteers and self-employed persons, who have no labor contract with the organization about which they submit a report to the House for Whistleblowers.

UPDATE 2016-12-xx: Transparency Netherlands published a position paper (.pdf, in Dutch) on the House for Whistleblowers.

UPDATE 2016-02-12: update (in Dutch) on the legislative proposal House for Whistleblowers.

UPDATE 2016-01-11: Dutch piece by Michael van Woerden (KeyCompliance) on the upcoming Senate debate on the legislative proposal (9 & 16 Feb 2016): “Voor klokkenluiders wordt 2016 het jaar van de waarheid”

UPDATE 2015-07-06: in-depth article by Rik van Steenbergen (Netherlands Trade Union Confederation, FNV): Whistleblowing Protection in the Netherlands: Latest Developments.

UPDATE 2015-07-01: overview article by M. Verveld-Suijkerbuijk (lawyer at NautaDutilh), in Dutch: “Het wetsvoorstel Huis voor klokkenluiders: Een praktijkgerichte bespreking” (.pdf, 2015)

UPDATE 2015-04-09: new documents available (in Dutch): the advice from the Council of State (.docx), an updated legislative proposal (.docx) that incorporates that advice, and an updated Memorandum of Understanding (.docx).

UPDATE 2015-03-18: meanwhile, at the EU level: CoE Parliamentary Assembly: Call for protection of whistleblowers in national security-related fields; i.e., the PACE Committee on Legal Affairs & Human Rights adopted the draft report “Improving the Protection of Whistleblowers” (.pdf, Mar 18; mirror). The draft report will be discussed at the PACE summer session in Strasbourg on 22-26 June 2015. (source: Statewatch) Huffington Post has an article about it (Mar 20).

UPDATE 2015-03-02: indeed, a house for whistleblowers might itself need whistleblowing — see this U.S. example: OSHA Whistleblower Investigator Blows Whistle on Own Agency

EOF

Ideas for Change: 100 tactics & principles for privacy campaigning (Simon Davies, Dec 2014)

UPDATE 2018-08-15: some links broke since publishing this post; I fixed them insofar as possible. Current version of Davies’ Ideas for Change is here (.odt, March 2017; mirror); the file does not properly open on my system, but maybe it will on yours.

On December 3rd 2014, Simon Davies (@privacysurgeon) presented and published Ideas for Change, a comprehensive guide to privacy campaigning consisting of 100 tactics & principles — also available in one file here (.pdf; mirror). For my own referencing purposes, I hereby list all 100 tactics & principles without Davies’ annotation and explanation.

 

WARNING: to understand the below, read the full original by Simon Davies.

 

The principles

 


General principles of influence

  1. Focus on the ‘Big Five’ emotional triggers: hypocrisy, unfairness, deception, secrecy and betrayal. 
  2. A truly influential campaign will not only disrupt bad initiatives, it will also shift underlying beliefs. 
  3. Your size isn’t as significant as how you use it
  4. The lone maverick can have more punching power than large institutions.
  5. Power is not only what you have, but what your opponent imagines you have.
  6. Imagining the scale of a threat is rarely accurate and can be infinitely manipulated 
  7. The bigger they come, the harder they fall

 


Principles of conduct and integrity

  1. Be scrupulous with the truth
  2. Check your facts until it hurts.
  3. Develop a profile of quiet confidence.
  4. The strength of your argument depends on the integrity of your commentary. 
  5. Lawbreaking must rest on a solid ethical foundation.
  6. Never make a threat you aren’t prepared – or aren’t able – to follow through.
  7. Never breach your own ethos

 


Guiding strategic principles

  1. Robust activism is driven by goals, excited by tactics and calmly guided by strategy. 
  2. The rationale for conflict is rarely self-evident; it must be strategically and ethically tested. 
  3. Risk-assess your strategy to anticipate turbulence. 
  4. Never decide the nature of engagement with an opponent until you’ve looked at all the options.
  5. Your campaign target may not be what you first imagine – and the targeted opponent rarely is. 
  6. Whenever possible, go outside the expertise of your opponent. 
  7. Make the opponent live up to its own book of rules.
  8. A campaign won in the blink of an eye can be lost in a heartbeat 
  9. There is rarely an outright victory, only an outright shift. 
  10. Any criticism by a major opponent can be turned into a campaign endorsement. 
  11. When big organizations respond in frustration, they usually fail.
  12. Engage real people at every opportunity.
  13. Use the legal system, but with caution 
  14. Create win-win situations against your opponent. 
  15. Know your opponent and know their past.

 


Ideas for strategy and tactics

  1. Overload the system
  2. Think global, act local 
  3. Build an ethical framework.
  4. Information is the new gold 
  5. Don’t be afraid to make it personal.
  6. Timing is the most important and least understood factor in campaigning – and often it’s the only factor that matters 

 


 

Specific campaign ideas

  1. Ridicule and satire are potent weapons
  2. Use complaint processes whenever possible
  3. Where possible, create tangible or physical evidence of an assertion
  4. Be a stakeholder manager 
  5. Make your opponent an offer it can refuse 
  6. Re-brand the opposition’s brand
  7. Become a shareholder
  8. My enemy’s enemy is my friend
  9. Never underestimate the power of prayer
  10. Conduct comparatively good research
  11. Strike an emperor, strike to kill 
  12. The great walk-out
  13. Slur by association
  14. Use the party political system 
  15. Follow the money.
  16. Create strange bedfellows
  17. Leverage the police 
  18. Target influential people
  19. What you don’t know can be as important as what you know
  20. Publish unanswerable technical questions 
  21. Test the system.
  22. Guilt by association 
  23. Find a victim, any victim 
  24. Trap your opponent in a double loss position 

 


Negatives to positives

  1. If you push a negative hard and deep enough, it will break through into its counterside
  2. Plan for a victorious defeat

 


Critical campaign risk factors and risk mitigation

  1. Understand the elastic limit of your supporters.
  2. Don’t risk staking everything on media coverage
  3. Keep your messaging consistent and real. 
  4. Never concede or confess anything to the opponent.
  5. Always respond to an accusation of inaccuracy with a counterclaim of secrecy.
  6. Negative campaigns should conceive a constructive alternative to avoid a perception that they are destructive. 

 


Media and Communications strategy

  1. If your issue can’t be expressed in a nine-word headline, you have a thesis, not a campaign. 
  2. A successful first strike in media offers opportunity to the opponent.
  3. A good media strategy ensures you’ll always be quoted, but a great media strategy hands you the headline.
  4. Use active language and don’t be afraid to speak your mind. 
  5. Images can be more powerful than words.
  6. You are what you write 
  7. Get real about the value of media coverage.
  8. Viral a conspiracy.
  9. Do all the running for media
  10. Make your website more than a soap box.

 


Guiding principles for campaign planning and formation

  1. Strategically brand your public identity 
  2. A good tactic is one your supporters enjoy.
  3. Become academic
  4. Always ensure your campaign lifespan is sustainable.
  5. Create partnerships to empower the campaign 

 


Critical risk factors for the campaign organization

  1. Avoid the hothouse 
  2. Democratising a campaign can lead to dangerous waters.
  3. Build and discreetly support a network 
  4. Maintain humility in leadership.
  5. Protect the organisation from castration 
  6. When planning a campaign, never assume continued support from any quarter unless you’ve considered all possible circumstances for its withdrawal. 
  7. No matter how highly you rate your value as a campaigner, your symbolic worth is greater to the opponent. 
  8. Take full risk and contingency measures to protect your infrastructure.

Guiding principles for managing and sustaining a campaign infrastructure

  1. “Keep the pressure on, 
  2. Do something surprising
  3. Know the difference between the need to keep control for your campaign to win and the need to let go of control for the issue to win. 
  4. Create a project-resource program.
  5. Love your team, but fear them equally.
  6. Do conventionally good things.
  7. Lighten up
  8. Know your technology
  9. Protect your info and your supporters.

EOF