Month: February 2015

CBP argumenteert inzake cijfermatige transparantie intercepties & bevragingen van verkeers- en gebruikersgegevens

In het CBP-advies (.pdf; meer) inzake de retentie van telecommunicatiegegevens dd 16 februari 2015 argumenteert het CBP over openbaarmaking door private partijen van anonieme en geaggregeerde statistieken over aantallen intercepties en bevragingen van verkeers- en gebruikersgegevens:

Het CBP heeft kennis genomen van initiatieven van marktpartijen om anonieme en geaggregeerde statistieken openbaar te maken over aantallen intercepties en bevragingen van verkeers- en gebruikersgegevens. Hun doel is maatschappelijke transparantie te verschaffen over het gebruik van deze ingrijpende bevoegdheden door de overheid. De Minister van Veiligheid en Justitie heeft de telecom- en internetaanbieders, in beantwoording van Kamervragen hierover, ernstig ontraden om dergelijke statistieken openbaar te maken. De minister verwijst daarbij naar een eerdere uitspraak van de staatssecretaris “dat de verstrekking van geaggregeerde informatie de belangen van opsporing en vervolging ernstig in de weg kan staan. Een dergelijke verstrekking kan namelijk inzicht geven in de werkwijzen van de politie en het openbaar ministerie en kwaadwillenden zouden op basis hiervan hun werkwijze kunnen aanpassen.”

De minister neemt in het jaaroverzicht van het ministerie van Veiligheid en Justitie een overzicht op van het totale aantal vorderingen ‘historische gegevens’ door het OM. Dit jaarlijkse totaalaantal biedt echter geen inzage in de bevragingen door inlichtingen- en veiligheidsdiensten, en is bovendien moeilijk te interpreteren, omdat niet gespecificeerd is om hoeveel personen het gaat, over welke termijnen het gaat, en om wat voor soorten criminaliteit. WODC schrijft hierover: (…) het opvragen van telecomgegevens in Nederland wordt geregistreerd per telefoonnummer, IMEI- nummer, IP-adres of ‘paallocatie’, waarover gegevens worden opgevraagd. Omdat mensen vaak meerdere telefoons gebruiken, geven deze cijfers geen inzicht in het aantal personen van wie er jaarlijks telecomgegevens worden opgevraagd of van het aantal opsporingsonderzoeken of de aard van de opsporingsonderzoeken waarvoor deze gegevens worden opgevraagd.” Ook bij het vorderen van mastgegevens gaat het om meer betrokken personen, omdat dan informatie wordt verkregen over alle mobiele gesprekken die op een bepaald tijdstip via een bepaalde mast zijn gevoerd. Bovendien betreffen de statistieken ook vorderingen van gegevens die niet onder de Wet bewaarplicht vallen.

De stelling dat personen hun werkwijze zouden kunnen aanpassen op grond van anonieme, geaggregeerde statistieken, is niet onderbouwd. De regering gaat zonder toelichting voorbij aan het advies van het WODC om meer inzicht te bieden “door de vorderingen zodanig te registreren dat zichtbaar wordt over hoeveel personen er jaarlijks telecommunicatieverkeersgegevens worden opgevraagd, in hoeveel zaken dit gebeurt en voor welke soort zaken deze gegevens worden opgevraagd.” Het ontbreken van transparantie op dit punt staat democratische controle op de (effectiviteit van de) uitoefening van bevoegdheden in de weg, en biedt ook geen inzicht aan burgers over de inzet van dit instrument.

EOF

Dutch DPA opinion about post-ECJ data retention bill: “disproportionate infringement of private life”

UPDATE 2015-10-30: the Dutch government announced it has decided on a bill that revises the invalidated Telecommunications Data Retention Act of 2009. Changes are proposes to take into account recent Dutch and European jurisprudence: access to retained data will now require prior approval from a magistrate (specifically, in Dutch, a “rechter-commissaris”), and only be permitted regarding offenses that allow temporary remand (and thus only regarding offenses that carry a maximum penalty of four or more years imprisonment). The status of the bill can be viewed here (in Dutch). The government will consult the Council of State and then submit the bill to parliament.

On February 16th 2015, the Dutch Data Protection Authority (DPA) published its advice (.pdf, in Dutch; mirror) about a bill that the Dutch government announced in November 2014 to change the Dutch Telecommunications Data Retention Act of 2009 to take into account the ECJ’s April 2014 invalidation of the EU Data Retention Directive (2006/24/EC). More about the announced Dutch bill here. In short: the DPA finds the proposal of the Dutch government to (still) violate necessity, proportionality and subsidiarity. The DPA published the following press release:

The Dutch Data Protection Authority (Dutch DPA) at the request of the minister of Security and Justice has issued its advice on a draft bill containing amendments to the existing data retention obligations for telephony and internet communications data. The Dutch DPA finds the need to retain all telephony and internet data in the Netherlands is insufficiently substantiated. The Dutch DPA therefore recommends that the bill shall not be presented to Parliament.

The draft bill is proposed following a decision from the Court of Justice of the European Union in April 2014, annulling the European data retention directive. The Court ruled that a general retention obligation for telecommunications data is in contradiction with the fundamental right to data protection as laid down in European law.

Content of the draft bill

The draft bill proposes amendments on several points, including:

  • the introduction of a prior check by an examining judge of requisitions by public prosecutors to obtain historical telecommunications data;
  • the introduction of a distinction between a retention period of twelve months for telephony data and the consultation period of these data of between six and twelve months, depending on the nature of the crime.

Necessity

The retention of the historical telephony and internet data of virtually all Dutch citizens for 6 to 12 months is a far-reaching measure, requiring an irrefutable demonstration of necessity.

The Dutch DPA notes that the substantiation of this necessity in the draft bill falls short, even though law enforcement authorities have been able to gain experience with using retained telecommunications data in the 4,5 years since the entry into force of the Data Retention Law.

Moreover, the draft bill does not address the question whether less far-reaching alternative measures would be available to obtain the same result.

Disproportionate infringement of private life

The Dutch DPA notes the government holds on to a general data retention obligation. The Dutch DPA therefore concludes the infringement of the private life of virtually all Dutch citizens is too big and disproportionate.

It furthermore finds that 3 other preconditions have not been met that remain important, even if the data retention obligation were to be restricted. These are:

  1. the need to inform people that their data have been accessed after a criminal investigation has been finalised;
  2. transparency on the use of retained data, for example through the release of statistics on the number of times data have been accessed;
  3. the need to introduce exemptions for those bound by a duty of professional confidentiality.

Distinction between collection and use

Finally, the Dutch DPA has assessed the distinction between the retention of data and the subsequent use of these data, as envisaged by the government. This distinction does not alter the disproportionality between the purpose of the data collection and the infringement on the private life of virtually all citizens. Therefore, this general data retention obligation is unlawful.

Notably, in November 2014, the Dutch government provided the following argument to justify upholding the existing indiscriminate data retention:

If the data about these persons [i.e., persons without known links to serious offenses] cannot be retained before the offense is committed, such a search query would not be useful. The retaining of certain data about all citizens is thus necessary, as it is not possible to distinguish suspects and non-suspects in advance.

Considering the large privacy infringement and insufficient safeguards, the DPA rejects this argument. The DPA wraps up its advice as follows:

In conclusion, the DPA finds that the proposed changes of the Telecommunications Data Retention Act of 2009 do not meet the requirements of necessity, proportionality and subsidiarity, and that the bill remains in violation of three specific aspects of proportionality, as laid down in Articles 7 and 8 of the Charter and in Article 8 of the ECHR.

We’ll now have to wait and see the Dutch government’s response to this advice.

Lastly, the DPA wrote the following about openly publishing annual statistics about interception and about requests for traffic data and user data (emphasis is mine):

The DPA has taken notice of initiatives from private parties to publish anonymous and aggregated statistics about interceptions and requests for traffic data and user data. Their objective is to provide transparency about the government use of these invasive powers. The Minister of Security & Justice in has seriously discouraged telecom and internet providers to publish such statistics. The Minister references an earlier statement made by the Secretary of State made, namely “that the provisioning of aggregated information can seriously harm the interest of prosecution. Such information can provide insight into the methods of police and the public prosecution service, and adversaries could change their behavior based on that.

In the annual report of the Ministry of Security & Justice, the Minister includes an overview of the total number of requests for ‘historical data’ by the public prosecution service. This annual total does however not provide insight into requests by intelligence & security services, and moreover, is difficult to interpret, because the number of persons is not specified, nor what periods, nor what types of crime. The Scientific Council for Government Policy (WODC) states: “(…) in the Netherlands requests for telecom data are counted by phone number, IMEI number, IP address or cell tower location that data is requested about. Because people use multiple phones, these numbers do not provide insight into the annual number of persons about whom telecom data is requested, or of the number of criminal investigations, or the nature of these investigations”. In requesting cell tower data requests, more persons are involved, because information is obtained about all mobile conversations that took place on a certain time via a specific tower. Moreover, the statistics also include requests for data that are not part of the Dutch Telecommunications Data Retention Act.

The proposition that persons could change their behavior on the basis of anonymous, aggregated statistics, is not substantiated. The government ignores, without explanation, the WODC’s advice to provide more insight “by counting the requests in a way such that it becomes visible about how many persons telecommunications traffic data is requested annually, in how many investigations, and what type of investigations.” The lack of transparency about this aspect hinders democratic oversight on the (effectiveness of the) use of powers, and also does not provide insight to citizens into the use of this instrument.

Related:

EOF

DNI: Principles of Intelligence Transparency for the US Intelligence Community

Cryptome tweeted a link to the US Director of National Intelligence’s updated poster (.pdf, Jan 12; mirror) entitled “Principles of Intelligence Transparency for the Intelligence Community”. The poster contains the following text (I added emphasis to parts I find interesting):

The Principles of Intelligence for the Intelligence Community (IC) are intended to facilitate IC decisions on making information publicly available in a manner that enhances public understanding of intelligence activities, while continuing to protect information when disclosure would harm national security. These Principles do not modify or supersede applicable laws, executive orders, and directives, including Executive Order 13526, Classified National Security Information. Instead, they articulate the general norms that elements of the IC should follow in implementing those authorities and requirements

The Intelligence Community will:

  1. Provide appropriate transparency to enhance public understanding about:
    1. the IC’s mission and what the IC does to accomplish it (including its structure and effectiveness)
    2. the laws, directives, authorities, and policies that govern the IC’s activities; and
    3. the compliance and oversight framework that ensures intelligence activities are conducted in accordance with applicable rules.
  2. Be proactive and clear in making information publicly available through authorized channels, including taking affirmative steps to:
    1. provide timely transparency on matters of public interest;
    2. prepare information with sufficient clarity and context, so that it is readily understandable;
    3. make information accessible to the public through a range of communications channels, such as those enabled by new technology;
    4. engage with stakeholders to better explain information and to understand diverse perspectives; and
    5. in appropriate circumstances, describe why information cannot be made public.
  3. In protecting information about intelligence sources, methods, and activities from unauthorized disclosure, ensure that IC professionals consistently and diligently execute their responsibilities to:
    1. classify only that information which, if disclosed without authorization, could be expected to cause identifiable or describable damage to national security;
    2. never classify information to conceal violations of law, inefficiencies, or administrative error, or to prevent embarrassment;
    3. distinguish, through portion marking and similar means, classified and unclassified information; and
    4. consider the public interest to the maximum extent possible when making classification determinations, while continuing to protect information as necessary to maintain intelligence effectiveness, protect the safety of those who work for or with the IC, or otherwise protect national security.
  4. Align IC roles, resources, processes and policies to support robust implementation of these principles, consistent with applicable laws, executive orders, and directives.

As a courtesy reminder (source):

The National Intelligence Strategy identifies and explains the IC’s objectives – what the IC intends to accomplish (mission objectives) and how the IC will accomplish them (enterprise objectives).

The seven “mission objectives” are:

  1. strategic intelligence;
  2. anticipatory intelligence;
  3. current operations;
  4. cyber intelligence;
  5. counterterrorism;
  6. counterproliferation; and
  7. counterintelligence.

The six “enterprise objectives” are:

  1. integrated mission management;
  2. integrated enterprise management;
  3. information sharing and safeguarding;
  4. innovation;
  5. our people; and
  6. our partners.

For the first time, The National Intelligence Strategy includes the seven “Principles of Professional Ethics for the Intelligence Community,” which were published in September 2012:

(now citing from source)

  1. Mission
    We serve the American people, and understand that our mission requires selfless dedication to the security of our Nation.
  2. Truth
    We seek the truth; speak truth to power; and obtain, analyze, and provide intelligence objectively.
  3. Lawfulness
    We support and defend the Constitution, and comply with the laws of the United States, ensuring that we carry out our mission in a manner that respects privacy, civil liberties, and human rights obligations.
  4. Integrity
    We demonstrate integrity in our conduct, mindful that all our actions, whether public or not, should reflect positively on the Intelligence Community at large.
  5. Stewardship
    We are responsible stewards of the public trust; we use intelligence authorities and resources prudently, protect intelligence sources and methods diligently, report wrongdoing through appropriate channels; and remain accountable to ourselves, our oversight institutions, and through those institutions, ultimately to the American people.
  6. Excellence
    We seek to improve our performance and our craft continuously, share information responsibly, collaborate with our colleagues, and demonstrate innovation and agility when meeting new challenges.
  7. Diversity: We embrace the diversity of our Nation, promote diversity and inclusion in our work force, and encourage diversity in our thinking.

Related:

EOF

Highlights of Dutch parliamentary debate about upcoming bulk interception bill

The current Dutch Intelligence & Security Act of 2002 (Wiv2002) only permits bulk interception of ether communications (e.g. satellite and radio), but not of cable communications (e.g. fiber, copper). The Wiv2002 codified the interception practice as it had existed for decades, which did not include bulk interception of cable communications. In August 2014, the Dutch government sent a letter to parliament that describes the development of the bill that will change the law (more). Yesterday, February 10th 2015, the Dutch parliament discussed these plans. A summary of highlights was published (in Dutch) on news site Tweakers by Joost Schellevis. Here is a translation of his article (hyperlinks and parts in [] are mine):

Plasterk: AIVD will not intercept everyone

By Joost Schellevis

The secret service will not wiretap everyone if the powers of the secret services will be expanded. That was promised by Minister of the Interior, Ronald Plasterk, in the House. “I rule out that AMS-IX will be tapped entirely”, stated to Plasterk.

Tuesday evening, the House debated on the expansion of powers of the AIVD and MIVD. The cabinet wants to permit the services to carry out untargeted [e.g. in mass]; they are now only permitted to wiretap specific internet connections, but cannot collect large amounts of data seeking for patterns.

This does not mean that everyone will be eavesdropped on without a reason, Plasterk states. “I rule out that AMS-IX will be tapped in its entirety”, he states, referencing the largest internet exchange of the Netherlands, and one of the largest exchanges in the word. The Minister, who is responsible for the AIVD, does not exclude that the AMS-IX will be wiretapped. According to Plasterk, untargeted wiretaps can only be used for a “limited goal”. Eavesdropping of all Dutch citizens does not qualify for that, he says. “I cannot imagine a limited goal for which that is acceptable”, according to the Minister. MP Jeroen Recourt (PvdA) questioned how that promise will be laid down in law.

“Concerning the impression that the Netherlands is mass-wiretapped: that’s not true”, states his colleague, Minister of Defense Jeanine Hennis-Plasschaert, who is responsible for the MIVD. Without the new powers, the MIVD would be “deaf and blind”, according to the Minister. Where the AIVD focuses on threats within the Netherlands, the MIVD deals with threats abroad, such as areas where Dutch military personnel operate.

Plasterk gave an example of the use of the new powers: the services will be able to gather who calls certain numbers in Syria. “Then we can map those networks”, according to Plasterk. This only involves metadata, i.e., who calls who; not the contents of the communication. Next, certain phone numbers can be intercepted. Although Plasterk mentioned phone numbers, he later added that this could also involve internet traffic.

Coalition partners VVD and PvdA, who have a joint majority in the House, earlier already stated they will support the plans. According the MP Jeroen Recourt (PvdA) the cabinet has found a good balance between privacy and security. “Privacy must be guaranteed, but the secret services must also be able to do their work”, according to Recourt prior to the debate. Recourt finds the word “untargeted wiretapping” misleading. “It suggests that a large dragnet will be used, but that is not the case.”

MP Klaas Dijkhoff (VVD) agrees, he says to Tweakers. “The image that ‘untargeted’ suggests is a US-like system in which we intercept the entire internet, and search it for something interesting afterwards”, according to Dijkhoff. He notes that the power cannot be used without a reason, and that the Minister must approve it.

Nonetheless, resistance emerged in the rest of the House. “I want the cabinet to first prove why this is necessary”, according to MP Gerard Schouw (D66) prior to the debate. “Furthermore, oversight must be improved. Otherwise, no expansion of powers should take place, in our opinion. The effectiveness must also be justified in a better way.” Schouw also plead for a privacy impact assessment [more] of the proposal legislation.

The Socialist Party (SP) was even more critical; MP Ronald van Raak asked why the cabinet thinks this power is necessary at this time. The Christian Union thinks the premise of the law to be “good”, but made several remarks. “Why is no judge involved in placing a tap?”, asked MP Gert Jan Segers.

The PVV and SGP were more positive about the legislation. “The law must be modernized”, stated MP Roelof Bisschop (SGP). MP Martin Bosma (PVV) was more sure: “If you sit behind your desk at the editors of Charlie Hebdo and don’t come home, that is an infringement on privacy too”, stated Bosma, referencing the attacks in Paris.

GroenLinks was not present during the debate, but earlier stated to be critical of the plan. “This plan is very awkward”, stated MP Liesbeth van Tongeren. According to GroenLinks, it has not been proven that data collection leads to more arrests. The Party for Animals (PvdD) was also absent.

The bill will appear in April, or so promised Minister Plasterk during the debate. The cabinet will attempt to carry out an internet consultation, in which interested parties can provide their feedback to the bill. Plasterk could however not guarantee it. The cabinet hopes that the bill will be implemented next year.

Whether the law will indeed become reality, is difficult to predict. The Senate currently opposes it: in a motion filed by Senator Hans Franken (CDA), the Senate asked the cabinet to renounce ‘untargeted and large-scale surveillance of cable communications’. The motion was co-signed by Senators of the Socialist Party, PvdA, D66 and GroenLinks. Next month, however, provincial elections are held, as a result of which the composition of the Senate changes. 

On February 6th, prior to the debate, Bastiaan Goslings, Governance and Policy Officer at AMS-IX, expressed (in Dutch) concern that expansion of powers will harm the digital economy:

The necessary trust that foreign parties must have to do business here, will disappear as a result of these plans. The Netherlands will lose its key role in the global internet. (…) Lots of safeguards are emphasized in rhetoric language, but I am seriously concerned about the extent of this law. (…) It fundamentally deteriorates our integrity.

During the debate, the Dutch Minister of Defense mentioned the following justifications for the new law, in terms of consequences of not having that law:

  • cyber threats cannot be identified timely;
  • Dutch military personnel abroad is probably less protected and supported (the Minister added that cable networks are increasingly used in mission areas and conflict zones);
  • terrorist activities may not be identified timely;
  • the true intentions of risk countries who may be seeking WMDs will remain hidden (the Minister added, with strong seriousness in voice and facial expression, that we lost insight into activities of countries possibly seeking WMDs, because those countries changed to cable communications);
  • we are not able to quickly build an information position in upcoming crises abroad;
  • theft of intellectual property, vital economical information, and state secrets goes unnoticed.

Two days after the debate, Prime Minister Mark Rutte stated (in Dutch) that freedom and democracy are at stake with jihad.

Privacy First, a Dutch privacy advocacy organization, announced (in Dutch) that they will go to court if the bulk interception law will be adopted.

Reflecting on the debate, kudos for useful questions and tenacity go to opposition MPs:

  • Gerard Schouw (D66) for questions about proportionality, effectiveness, insisting on a privacy impact assessment for this law, asking for transparency (e.g. interception statistics such as published in Belgium (more) and Germany, but not in the Netherlands) and for referencing previous findings by the oversight committee CTIVD of unlawfulness and carelessness in the use of existing powers;
  • Ronald van Raak (SP), for his persistence in questioning whether the law won’t simply be bypassed by the bulk interception that is already being carried out by foreign states.

And to a lesser extent, kudos for questions asked by two MPs of the two political parties representing the government:

  • Jeroen Recourt (PvdA) for asking how the Minister plans to lay down in law his promise concerning proportionality, e.g., that not all citizens will be wiretapped;
  • Anouchka van Miltenburg (VVD) for questioning the contradiction of requiring “untargeted interception” to be “goal-bound”, and asking whether raw bulk intercepts (i.e., from the acquisition phase, the first phase in the new interception framework; successive phases will be subject to heavier safeguards and oversight) can be exchanged with foreign states.

In April 2015, the Global Conference on CyberSpace (GCCS) 2015 takes place in the Netherlands. We’ll see whether the new interception bill will be available by then, whether the government will have submitted to the House its pending proposal to grant hacking powers to the police, and, hopefully, to what extent the Dutch government follows the recommendations on internet freedom made in December 2014 by the Advisory Council on International Affairs (AIV). Furthermore, the Minister of Foreign Affairs, Bert Koenders stated in a speech that the Dutch government will launch a “new, large initiative” to improve cyber security and prevent cyber crime:

We will launch a large new initiative for capacity building in cyber, open to states and private companies in order to assist countries to create sufficient capacity to improve cyber security and prevent cyber crime.

The latter will be likely be announced at GCCS 2015. [UPDATE: …and it indeed was (April 2015): the Global Forum on Cyber Expertise.]

EOF

[Dutch] Algemeen Overleg over IVD-aangelegenheden: di 10 feb 16:30-19:30

UPDATE 2015-02-11: Highlights of Dutch parliamentary debate about upcoming bulk interception bill

Op dinsdag 10 februari 16:30-19:30 vindt een Algemeen Overleg over IVD-aangelegenheden plaats met Hennis en Plasterk. De agendapunten beloven een interessante discussie:

  1. Convenant Joint Sigint Cyber Unit (JSCU);
  2. Toezichtsrapport CTIVD inzake onderzoek door de AIVD op sociale media (rapport nr. 39);
  3. Afschrift van een brief aan de Algemene Rekenkamer over de gewijzigde motie van de leden Schouw en Van Toorenburg (t.v.v. Kamerstuk 30977, nr. 99) over de effecten van de bezuinigingsvoorstellen op het werk van de AIVD (Kamerstuk 30 977, nr. 105);
  4. Aanbieding van het toezichtsrapport van de Commissie van Toezicht betreffende de Inlichtingen- en Veiligheidsdiensten (CTIVD/Commissie) inzake de inzet van de afluisterbevoegdheid en van de bevoegdheid tot de selectie van sigint door de AIVD (nr.40);
  5. Kabinetsstandpunt over het advies van de Commissie evaluatie Wiv 2002 (commissie Dessens) inzake bijzondere bevoegdheden in de digitale wereld;
  6. Reactie op het verzoek van het lid Van Raak over geheime malware;
  7. Afschrift van een gelijkluidende brief aan de voorzitter van de Eerste Kamer betreffende een motie van het Eerste Kamerlid De Vries c.s. over kwetsbaarheden op internet;
  8. Reactie op het verzoek van het lid Van Tongeren, gedaan tijdens de regeling van werkzaamheden d.d. 18 december 2014, inzake het bericht dat een advocatenkantoor door de AIVD is afgeluisterd;
  9. Aanbieding CTIVD toezichtsrapport nummer 41 inzake het onderzoek naar de activiteiten van de BVD jegens de heer R.H.G. van Duijn;
  10. Reactie op de interviews van de heer Snowden in Nieuwsuur en De Volkskrant.

Live video en live audio is beschikbaar.

Ook relevant, maar geen agendapunt voor het AO van 10 februari, is het overleg van de Europese ministers van Justitie & Binnenlandse Zaken over terrorisme tijdens een informele meeting op 29/30 januari, in Riga. In het Nederlandse verslag (.docx, Feb 9) van die vergadering zien we het volgende:

De EU Contraterrorisme-Coördinator (CTC), de heer De Kerchove, gaf aan dat de Verklaring van Parijs een goed startpunt is. Hij hoopt dat de Commissie de daar genoemde onderwerpen opneemt in de nieuwe Interne Veiligheidsstrategie. De CTC gaf aan dat internet een belangrijke rol speelt. Er moet nadrukkelijk aandacht komen voor encryptie op het internet, encryptie maakt het namelijk moeilijk illegale inhoud te onderscheppen.

(…)

(…) Belangrijke aanvullende maatregelen zijn o.a. het tot stand brengen van de publiek-private samenwerking met internetproviders met het oog op het detecteren en verwijderen van illegale inhoud. Van belang hierbij is het opstellen van een tegenboodschap en het kunnen lezen van berichten die worden geplaatst (encryptie).

Publiek-private samenwerking met internetproviders met het oog op detecteren en verwijderen van illegale inhoud is één van de 13 best practices die voortvloeien uit het Clean IT-project (2011-2013), dat was gericht op het terugbrengen van “terrorist use of the internet”. Dat beleid is al geruime tijd in ontwikkeling, en betreft een vorm van quasi-vrijwillige censuur zonder rechterlijk toezicht. Ten aanzien van encryptie per se heeft Nederland nog geen beleid of standpunt. De IVD’en mogen reeds hacken en versleuteling ongedaan maken, en het kabinet heeft gezegd het parlement begin 2015 te vragen om goedkeuring voor een hackbevoegdheid voor politie, maar het is de vraag of men verwacht met die middelen alle gegevens te kunnen ontsleutelen die men wil ontsleutelen. Alternatieve (maar extreme) middelen zouden — in theorie — kunnen zijn het verplicht afstaan van sleutels door internetbedrijven en/of het verbieden van cryptografie die de overheid niet kan omzeilen/kraken. Idealiter kunnen veiligheidsbelangen voldoende worden beschermd door bestaande bevoegdheden beter of anders in te zetten (wie het antwoord heeft, mag het zeggen).

EOF