Month: March 2015

Dutch govt: “Dutch citizens, MPs have no need to replace simcards following Gemalto hack”

On February 26th 2015, the Dutch Minister of the Interior responded (.pdf, Dutch; mirror) to a question from MP Ronald van Raak, who asked whether the House’s simcards should be changed, following the media reports about Gemalto being hacked. Here is a translation of that response:

In the debate of February 25th 2015, MP Van Raak, among others, asked whether there is a need to change simcards, following the media reports about the possible hack of the company Gemalto.

This question was asked following an internal mail from the House’s IT department, that offered MPs the possibility to change their simcard. This has not been based on an advice from the AIVD, but at the House’s own initiative.

I currently have no reason to recommend Dutch citizens or MPs to change their simcard. I also refer to statements by both Gemalto and Vodafone on February 25th 2015.

When the National Communication Security Authority [NCSA aka NLNCSA aka AIVD-NBV], the part of the AIVD that is tasked with advising the national government about information security, has reason to assume that a means of communication should no longer be used due to an external threat, the stake-holding parties will be contacted. In consultation with the National Cyber Security Center (NCSC) it can be reviewed whether resilience-enhancing measures need to be taken.

Related:

EOF

Dutch govt response to PACE report “Mass surveillance”

At the request of Dutch MP Gerard Schouw (D66), the Dutch Minister of the Interior on March 3rd 2015 responded (.pdf, in Dutch) to the report Mass surveillance (.pdf, Jan 26) that was written by Pieter Omtzigt, a Dutch member of the Parliamentary Assembly of the Council of Europe (PACE). That report was the basis for a draft resolution (.pdf) of the Committee on Legal Affairs and Human Rights. Here is a translation of the Dutch Minister’s response:

In a letter of January 28th 2015, the government was requested to respond to the report ‘Mass surveillance’ from PACE. Also on behalf of the Minister of Defense I hereby provide that response.

The report provides, among others, an overview of media reports following the revelations by Mr. Snowden. In earlier responses to these reports, the government consistently emphasized that the Dutch intelligence & security services AIVD and MIVD carry out their tasks on the basis of the Dutch Intelligence & Security Act of 2002 (Wiv2002). In the establishment of this law, the requirements that follow from the European Convention on Human Rights and the jurisprudence of the European Court of Human Rights (ECHR). As noted in the government response to the Dessens report that reviewed the Wiv2002, the law is currently being revised. Developments concerning jurisprudence of the ECHR are also involved in that, and the use of special powers by the services will have additional safeguards. The oversight and complaint regimes, too, will be enhanced in accordance with jurisprudence of the ECHR. Furthermore, the new law will provide the possibility of reporting suspected wrongdoings by the services to the Dutch Review Committee on the Intelligence and Security Services (CTIVD) (whistleblower arrangement).

Concerning the cooperation between Dutch services and foreign intelligence & security services, the Wiv2002 provides the legal framework, and this framework will be further developed in the new Wiv. The cooperation with foreign intelligence & security services will be subject to legal review, and will require authorization from the Minister for forms of large-scale data exchange. The CTIVD oversees the legality of the use of the Wiv2002. The CTIVD published multiple reports that involve the cooperation with foreign services, most recently report 38 (2014) about data exchange concerning telecommunications. This report concerns the investigation that the CTIVD carried out at the request of the House following the revelations about the NSA in 2013. According to the CTIVD, no structural acquisition of (personal) data by the AIVD and MIVD takes place outside the legal framework. The Dutch legal system addresses concerns that are brought forward in that report. The recommendations made in the report to the Council can be largely accepted.

The recommendation to only permit collection and analysis of personal data after permission from the data subject or after court approval on the basis of a reasoned suspicion that the subject is involved in criminal activities, cannot be followed. It is necessary, in the interest of national security, such as counterterrorism, investigation into conflict zones, and support of military missions, to infringe on privacy, regardless of whether criminal activities are involved. The Convention and the Wiv2002 explicitly provide for this.

Concerning the recommendation to provide a multilateral “Intelligence Codex”, as proposed, I have serious doubts. A Codex in which signatory countries lay down that they will not exercise investigatory powers against each other for, for instance, political reasons, is not realistic. The intelligence tasks of the AIVD and MIVD — that notably involve intelligence collection concerning covert political and military intentions and activities of other countries — would be limited in an irresponsible manner. The Dutch legal framework, the Wiv2002, and its revision [some details], in my opinion provide the need for safeguards as addressed in the report.

EOF