UPDATE 2016-10-31: in case anyone wonders: yes, the Dutch gov’t statement on encryption was made with consent of the Dutch General Intelligence & Security Service (AIVD) and the Dutch Nat’l Counter Terrorism Coordinator (NCTV) — notwithstanding the more recent observation that the head of the AIVD called [Volkskrant article, in Dutch] for ways to access encrypted WhatsApp (etc.) chats.
UPDATE 2016-10-04: the Dutch House of Representatives today voted in favor of a motion that requests the government to uphold its standpoint on encryption made in January 2016 (see the remainder of this post), and to actively advocate that standpoint internationally and within the EU. The motion was filed by Kees Verhoeven, MP for the D66 party (social-liberal / progressive), during the (extended) General Meeting on privacy and the topic of (not) weakening encryption, which took place on September 27th. An official but uncorrected stenogram, in Dutch, from that meeting is available here (.docx).
UPDATE 2016-01-20: during a General Meeting on cyber security, the state secretary for Security & Justice, Klaas Dijkhoff, confirmed (in Dutch) that the Dutch government does not seek weakening encryption: “yes, we are serious about that”.
TL;DR: on January 4th 2016, the Dutch government stated that it will, at this time, not take restrictive legal measures considering the development, availability and use of encryption within the Netherlands. Some things to keep in mind:
- they explicitly state ‘at this time’ — the possibility remains that their position changes in the future;
- current Dutch law provides some forms of compelled decryption:
  - first, two provisions exist in intelligence law regarding targeted hacking and targeted interception:
    - the targeted interception power requires prior approval from the minister: if the minister approves a request for targeted interception, the services can then themselves compel “anyone” to help decrypt the intercepted communication;
    - the targeted hacking power (currently) does not require prior approval from the minister; the services can themselves decide to hack a system and to compel “anyone” to help decrypt data;
    - note: the law does not forbid the use of the compelled decryption powers against a target, but for obvious reasons — e.g. maintaining operational secrecy — it seems likely the compelled decryption powers will typically only be used against third parties, for instance a provider, a roommate, etc.;
  - second, one provision exists in the code of criminal procedure (criminal law) regarding access to a secured computer as part of a criminal investigation. The law forbids the use of this power against a suspect (because of nemo tenetur, i.e., the right to not self-incriminate);
- in July 2015, the Dutch government proposed compelled decryption for untargeted (bulk) interception in a draft intelligence bill. The draft bill is currently being revised and is expected to be submitted to the House of Representatives by the end of Q1/2016. AFAIK it is expected that the final bill, which will be debated in the House of Representatives, will still include the new decryption provision. The status of the bill can be viewed here;
- in December 2015, the Dutch government stated they cancelled the decryption provision in the final version of a cybercrime bill (more) (part of criminal law), which would have granted LE the power to, after approval from a magistrate (but not a court), compel suspects of certain “very serious criminal offenses” to decrypt their data under penalty of three years’ imprisonment or a fine of up to ~20k euro. The stated reason for the cancellation: incompatibility with nemo tenetur. Why the government initially included this provision in the draft cybercrime bill — notably following a rather critical study by professor Bert-Jaap Koops — but cancelled it in the final cybercrime bill, is not clear (to me). The status of the bill can be viewed here.
On January 4th 2016, the Dutch government released a statement on encryption. It is covered by El Reg. Here is a full, unofficial translation of that statement (~1600 words; hyperlinks and parts in [square brackets] were added by me):
Government position on encryption
We hereby submit the government position on encryption. This fulfills promises made during the General Meeting of the Telecom Council of June 10th 2015 (Parliamentary Papers 2014-2015, 21501-33, nr. 552) and the General Meeting of the JHA Council of October 7th 2015.
Encryption is increasingly easy to obtain and use, and increasingly common in regular data communication. The government, the private sector and citizens increasingly use encryption to protect the confidentiality and integrity of communication and stored data. That is important for public trust in digital products and services, and for the Dutch economy, in the light of the rapidly developing digital society. At the same time, encryption obstructs access to information necessary for prosecution services and intelligence & security services when malicious persons (such as criminals and terrorists) use it. The recent attacks in Paris, where the terrorists possibly used encrypted communications, lead to the justified question what is needed to provide these services with proper insight into attack planning, and to maintain that insight.
The duality described in the previous paragraph was also heard in the public debate in the past months about the dilemmas of the use of encryption. The House [of Representatives; i.e., the lower house] has also discussed this. During the General Meeting of the Telecom Council it was asked what the government intends to do regarding the promotion of strong encryption. Besides that, the House requested the government to establish a position on encryption.
Next, the importance of encryption for the system and information security of the government and the private sector, and for the constitutional protection of privacy and confidential communication, will be discussed. The importance of prosecution of serious criminal offenses and the protection of national security will be laid down. Finally, after weighing of the interests, a conclusion is drawn.
The Dutch situation can not be discussed without taking into account the international context. Software for strong encryption is increasingly available world-wide, and is already integrated in products or services. Considering the broad availability and use of advanced encryption techniques, and the cross-border nature of data traffic, options to act at a national level are limited.
Importance of encryption for the government, private sector and citizens
Cryptography plays a key role in technical security in the digital domain. Many cyber security measures in organizations depend strongly on the use of encryption. Secure storage of passwords, the protection of laptops against loss or theft, and the secure storage of backups are more difficult without the use of encryption. The protection of data transferred via the internet, for instance during internet banking, is only possible through the use of encryption. Due to the connectedness of systems and the global branches and various paths that communication can travel, the risk of interception, breach, access or manipulation of information and communication is always present.
The government increasingly communicates with citizens via digital means, and provides services where confidential data is exchanged, such as the use of DigiD [a national authentication system that Dutch citizens can use to log in to the IRS, the cadastre, their municipality, etc.] or declaring taxes. As stated in the coalition agreement of 2012, citizens and companies should be able to carry out their interactions with the government entirely digitally by 2017. The government has the responsibility to ensure that confidential data is protected against access by third parties: encryption is indispensable for this. The protection of communication within the government also depends on encryption, such as the security of the exchange of diplomatic messages, and military communication.
For companies, encryption is essential to store and transfer business information securely. The ability to use encryption strengthens the international competitiveness of the Netherlands, and promotes an attractive climate for businesses and innovation, including startups, data centers and cloud computing. Trust in secure communication and storage of data is essential for the (future) growing potential of the Dutch economy, that mainly resides in the digital economy.
Encryption supports the protection of privacy and the confidentiality of citizens’ communications, because it provides them with a means to protect the confidentiality and integrity of personal data and communications. This is also important for exercising the right to free speech. It enables citizens, but also persons who hold an important democratic profession, such as journalists, to communicate confidentially.
Encryption thus enables everyone to ensure the confidentiality and integrity of communication, and defend against, for instance, espionage and cyber crime. Fundamental rights and freedoms, as well as security interests and economic interests, benefit from this.
Encryption, prosecution services and intelligence & security services
The investigatory powers and means available to the services must be equipped for the present and future digital reality. Effective, lawful access to data promotes the security of the digital and physical world. Encryption used by malicious persons hinders access to data by the prosecution services and intelligence & security services. The services experience these barriers for instance when they investigate the distribution and storage of child pornography, while supporting military missions abroad, while countering cyber attacks, and when they want to gain and maintain insight into terrorists who are planning attacks. Criminals, terrorists and opponents in armed conflicts are often aware that they can attract attention of the services, and also possess advanced encryption methods that are difficult to circumvent or break. The use of such methods requires little technical knowledge, because encryption is often an integral part of the internet services that they too can use. That complicates, delays, or makes it impossible to gain (timely) insight into communication for the purpose of protecting national security and the purpose of prosecuting criminal offenses. Furthermore, court hearings and the providing of evidence in court for a conviction can be severely hindered.
The right to privacy and confidentiality of citizens’ communication
As mentioned before, the use of encryption supports citizens in ensuring privacy and confidentiality of their communication. Said lawful access to data and communication by prosecution services and intelligence & security services constitutes a breach of the confidentiality of citizens’ communication.
Confidentiality of communication involves the constitutional protection for privacy and the right to protection of correspondence [letters, snail mail], telephone communication and telegraph communication (hereafter: ‘confidentiality of communications’). These constitutional rights are laid down in, respectively, Article 10 and Article 13 of the Dutch constitution. Besides that, these fundamental rights are laid down in Article 8 ECHR and Article 7 and Article 8 of the Charter of Fundamental Rights of the EU (insofar EU law is affected).
The protection of constitutional rights applies to the digital world. Said constitutional regulations and international regulations provide the framework to counter unlawful breaches. Said rights are not absolute, meaning that limitations can be established insofar they meet the requirements set by the Dutch constitution and the ECHR (and insofar European Union law is affected, the EU Charter). A limitation is permissible when it serves a legitimate purpose, is established by law, and the limitation is foreseeable and cognizable [=transparent]. Furthermore, the limitation must be necessary in a democratic society. Finally, the infringement must be proportional, which means that the government’s purpose of the infringement must be proportional in relation to the infringement on the right to privacy and/or the right to confidentiality of communications.
These requirements provide the framework for weighing the interests involved in encryption, such as the right to privacy and the right to confidentiality of communications, public and national security, and the prevention of criminal offenses. This framework, insofar it involves the special powers of the intelligence & security services, is also laid down in the Intelligence & Security Act of 2002 (‘Wiv2002’, Article 18 and Article 31). The obligations [for third parties] to cooperate with decryption laid down in the Wiv2002 (Article 24, third paragraph, and Article 25, seventh paragraph) and in the Code of Criminal Procedure (‘WvSv’, Article 126m, sixth paragraph) can be invoked if the related special powers are exercised after such weighing.
Discussion and conclusion
Nowadays it is increasingly less often possible to break encryption. Furthermore, it is increasingly less often possible to demand unencrypted data from service providers. Increasingly often, modern uses of encryption mean that data is processed by the service providers only in encrypted form. Considering the importance of investigation and prosecution, and the interests involved with national security, these developments necessitate the search for new solutions.
Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption. For instance by introducing a technical doorway [=backdoor, exceptional access] in an encryption product that would enable prosecution services to access encrypted files, digital systems can become vulnerable to criminals, terrorists and foreign intelligence services. This would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.
In carrying out their legal tasks, prosecution services and intelligence & security services are partially relying on cooperation from providers of IT products and services. Given this dependence, consultation is necessary with providers regarding effective data provisioning in case of the use of their services by malicious persons, while taking into account everyone’s role and responsibilities, as well as the legal frameworks.
Given this discussion, we draw the following conclusion:
The government has the duty to protect the security of the Netherlands and to prosecute criminal offenses. The government emphasizes the necessity of lawful access to data and communication. Furthermore, governments, companies and citizens benefit from maximum security of digital systems. The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.
Therefore, the government believes that at this time it is not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands. The Netherlands will propagate this conclusion, and the arguments that underlie it, internationally [recall: the Netherlands holds the Presidency of the Council of the EU in the first half of 2016; priorities (see slide 2) for the JHA Council include cybersecurity and efforts to tackle cybercrime, and priorities for the EU-US ministerial JHA meeting include data protection, PNR data, counterterrorism and jihadism]. Regarding the promotion of strong encryption, the Minister of Economic Affairs will follow up on the intent of the amendment (Parliamentary Papers 2015-2016, 34300 XIII, nr.10) on the budget of the Ministry of Economic Affairs [=grant EUR 500k to OpenSSL].
(signed by the Minister of Security & Justice and the Minister of Economic Affairs)
- 2016-xx-xx: from the U.S.: Exploring Encryption and Potential Mechanisms for Authorized Government Access to Plaintext: Proceedings of a Workshop (NAP, Open Access; regards a workshop that took place in June 2016)
- 2016-01-14: French government rejects crypto backdoors as “the wrong solution” (Ars Technica)
- 2016-01-06: The Father of Online Anonymity Has a Plan to End the Crypto War (Wired). Wired is reporting on David Chaum’s plan to end the crypto war with PrivaTegrity, a backdoor scheme that requires cooperation between nine server administrators from nine countries. Chaum reportedly developed it “as a side project for the last two years along with a team of academic partners at Purdue, Radboud University in the Netherlands, Birmingham University and other schools”. Recall this sentence in the above translation of the Dutch gov’t statement on encryption: “Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption”. It is unclear (to me) whether the authors of the Dutch gov’t statement were aware of Chaum’s idea at the time they wrote that sentence. For details on Chaum et al.’s “cMix” scheme, see cMix: Anonymization by High-Performance Scalable Mixing (.pdf, 2016). [UPDATE 2016-01-08: here is a critical view on PrivaTegrity that suggests such a system will fail, due to the human/geopolitical problems surrounding the use of it.]
- 2015-12-08: The second crypto war is not about crypto (Jaap-Henk Hoepman aka @xotoxot)