Dutch intel oversight committee (still) seeks to publish statistics on use of special powers, suggests topics for debate on the new bill

(This is an addendum to a lengthy post on the new Dutch intelligence bill.)

In December 2014, the Dutch Review Committee on the Intelligence & Security Services (CTIVD), the independent expert committee that oversees lawfulness of Dutch intelligence practices, decided to publish statistics on the use of specific interception and on the use of the power to select from bulk-intercepted ether communication — but got censored by the Minister. While the CTIVD operates independently (it has its own million-euro budget, has full access to information, buildings and personnel, and can decide for itself what it wants to review), its reports are published via the Minister. The CTIVD can make recommendations, but those recommendations are not legally binding.

Other countries do publish some form of statistics, including Belgium (the Belgian ‘Standing Committee I’ publishes very detailed annual statistics for both VSSE and ADIV — see here), Germany, and the UK (the UK Interception of Communications Commissioner publishes aggregate statistics on interception warrants issued to MI5+MI6+GCHQ+MoD).

The CTIVD was, and still is, not amused about the Minister’s decision to censor. In June 2015, the CTIVD in its annual report upheld its opinion that statistics about the use of special intelligence powers should be openly published — notwithstanding the fact that in October 2014, in a court case brought forward by Dutch investigatory journalists, a Dutch court ruled in favor of the governments arguments to keep interception statistics secret. Here is what the CTIVD says about this on page 32 of its annual report (original translation):

The transparency pursued by the Committee in the review year was not achieved without a struggle. Publication of its findings was often preceded by discussions with the intelligence and security services and the responsible ministers, respectively. At these meetings the parties frequently achieved a satisfactory balance, but not always. Under current law the minister concerned has final say by virtue of his responsibility for national security.

In the review year, for instance, the Committee wanted to publish with respect to how many persons and organisations GISS [=AIVD] had exercised the power to intercept, in order to give society some understanding of the scale of these privacy-infringing activities. The minister of the Interior and Kingdom Relations, however, blacked out these figures in the Committee’s review report and thus made them illegible. The minister held that these figures provided insight into the current method used by GISS and must therefore be classified state secret. The Committee did not and still does not agree. The figures give an idea of the scale at which these special powers were exercised, while the outside world cannot deduce from them against which (categories of) persons and organisations the power was actually exercised. Moreover, publishing figures happens in neighbouring countries on an annual basis.

Another point of debate is how much can be disclosed to persons who complain about conduct of GISS or DISS [=MIVD]. Situations are conceivable (and have occurred) in individual cases where the interest of public accountability and awareness must take precedence over the regular policy of secrecy. The Committee discussed this above in §4.3.

An overstrong culture of secrecy not only creates scope for unacceptable practices, it may also give rise to myths and misunderstandings. As Snowden’s revelations have shown, this may eventually come to work against the intelligence and security services themselves. The Committee will continue its efforts to achieve a good balance between openness and secrecy.

In other words, it is imperative that the public debate on the new intelligence bill (details here) addresses statistics transparency as well. As far as I’m concerned, the new Dutch law should by law require statistical reports — ideally following the Belgian example. In Belgium, the oversight committee has the legal task to report statistics of special powers, but still has the legal possibility to withhold data if necessary to protect national security. The latter does however not seem to ever occur: the committee annually publishes detailed statistics. (Note: unlike the Dutch oversight committee, the Belgian oversight committee is also tasked with overseeing efficacy; I don’t know whether that may be a relevant factor here.)

The CTIVD also indicates how it intends to contribute to the public consultation of the new intelligence bill, and suggests topics for debate:

During the internet consultation process the Committee will contribute its comments on the concrete legislative texts and explanatory notes. In preparation for these comments and having regard to all the aforementioned publications and international developments in the field of intelligence and security services and their oversight, the Committee raises the following questions and issues.

1. Is the house now sufficiently in order?

In the course of its investigations the CTIVD has noticed that GISS and DISS are very much aware of the importance of privacy protection. In this sense the house is reasonably in order. There has been no systematic collection of data in disregard of the law. Nevertheless, the quality of the substantiation of the need to exercise special powers and of the reporting on such exercise is a recurring cause for concern. In fact, under the current ISS Act 2002 [=Wiv2002, the present law] the services have not yet been able to establish a procedure that ensures their consistent compliance with the statutory safeguards when selecting from untargeted interception (sigint). The Committee therefore wonders how the government thinks the services can achieve such compliance in the case of their having new and wider powers.

2. To what extent is increasing the interception powers effective and necessary?

The Committee considers it a shortcoming that up to the present there has been almost no debate on the necessity of increasing the powers of the services. The main focus of the debate is placed too readily on the lawfulness of the acts of the services and less on the efficiency or effectiveness of the interception powers. The discussion may thus never go beyond the finding that nowadays 90 percent of communications goes via the cable and that therefore the ‘traditional’ power of untargeted interception of satellite communications (the remaining ten percent) is no longer enough. But can this finding alone and by itself carry the conclusion that the powers of the services must be increased? Is it not necessary, before one can come to this conclusion, to have a picture of the effectiveness and/or the lack thereof of the existing powers? On the international level, too, this is a question which continues to be a matter of concern, without however eliciting any definite answers. The starting point should be that it must first be convincingly demonstrated that new powers are necessary because the present powers are insufficient before considering an increase of the statutory powers. The test of effectiveness also finds support in the test of legitimacy which article 8 of the European Convention on Human Rights prescribes for reasons of privacy protection. This test must not only assess the damage to national security that will be prevented, but also the harm that the powers of interception will cause to individual persons.

3. How can the privacy of innocent citizens be protected as much as possible?

The government wishes to increase the powers of untargeted interception. This means that the services will on a larger scale intercept communications of persons who are not targets of the intelligence and security services. This calls for additional obligations and safeguards. In spite of being untargeted, the interception should be ‘targeted’ as much as is possible. The data should be filtered right from the first phase of interception. The separation of relevant and non-relevant communications should be made as soon as possible after interception. Storage periods of non-relevant communications must be short and must be specifically laid down by law. Destruction of such communications should mean that the data is really and definitely destroyed. And access and use of the intercepted data must be made subject to conditions and restricted by both organisational and technical means.

4. What are the minimum requirements that must apply to the oversight of the (increased) powers of interception?

The Dessens evaluation committee makes the increase of powers conditional on reinforced oversight. It recommends in particular that the Committee’s findings of lawfulness or unlawfulness must be given binding force. The government is explicitly not following this recommendation. Notably, it puts its faith in broadening the scope of the current requirements that the ministers responsible for the performance of their tasks by the services must themselves grant permission for interception, and not in strengthening independent assessment of applications. The position and powers of the Committee are strengthened only in the field of complaints handling. International judgments appear to indicate, however, that this does not suffice to meet human rights standards in the area of privacy protection. In order to settle the issue the Committee has commissioned Leiden University to conduct a scientific study of the minimum requirements set by international law on oversight in this field. The results of the study will be published on the Committee’s website in May 2015.