Month: April 2017

Dutch Review Committee on the Intelligence & Security Services (CTIVD) to (self-)assess effectiveness of lawfulness oversight re: large-scale & data-intensive spying

The Dutch Review Committee on the Intelligence & Security Services (CTIVD) has published a press release (in Dutch) about a project it has started to review and uphold the effectiveness of its oversight on the lawfulness of the exercise of special powers by the Dutch intelligence services AIVD (non-military) and MIVD (military). Here is my translation of that press release:

Project Oversight 3.0

News | 25-04-2017 | 13:09

The technological possibilities for the AIVD and MIVD to acquire and analyze data have increased strongly. The Intelligence & Security Bill 20xx contributes to that. As a result of the expansion of the cable interception powers, the bill provides the AIVD and MIVD more possibilities to collect data. At the same time, the bill provides safeguards regarding the analysis of collected data and the deletion of data that is not relevant [to the exercise of the services’ tasks as defined by law]. The CTIVD oversees this. In the parliamentary debate on the bill, the question whether the CTIVD has sufficient in-house technical knowledge to keep pace with the developments. The professional field that the CTIVD must oversee changes, and the CTIVD adapts accordingly.

Objective of the project

Against this background, the CTIVD decided to set up project Oversight 3.0. The objective of this project is to make an inventory of how the organization and procedures of the CTIVD should be structured, so that effective oversight can also be carried out in the future. The emphasis is on the possibilities of (systemic) oversight on the acquisition, analysis and deletion of large amounts of data. Project 3.0 does not include investigation into lawfulness [note: this might have been mentioned because overseeing lawfulness is the normal/default task of the CTIVD, and this project is separate from & additional to that]. The CTIVD will report on this project in its annual report.

Data processing

To uphold effective oversight, the CTIVD must gain more insight into the data housekeeping at the services and the way in which they deal with large(r) data. Project Oversight 3.0 will provide insight into which instruments, organizational changes and technical means must be used by the AIVD and MIVD in support of implementing the new bill. The project also maps the data housekeeping, analysis and administration. The exchange of data/intelligence with national and international partners will be taken into account in this. Furthermore, the project focuses on the way in which the AIVD and MIVD implement safeguards in their systems and enable internal oversight [by the services themselves] and external oversight by the CTIVD [on those safeguards]. These insight will then provide the basis for structuring the CTIVD’s oversight in a way that fits to the new bill and further digitalization of our world.


Project Oversight 3.0 comprises a number of subprojects. There are focuses on topics such as the new power of investigation-oriented interception, the deletion of non-relevant data, and for instance automated data analysis [note: the bill introduces, or rather provides a more specific basis and powers corollary to the acquisition and processing of large data sets].


Oversight 3.0 is a project that will span multiple years. As a first step, an IT adviser has been hired per 1 September 2016. He is responsible for the execution of the project and will advise the CTIVD on what changes are necessary. The IT adviser is also involved in setting up the IT expert unit within the CTIVD. This expert unit will bring together specific technical knowledge. The unit will have various tasks, such as advising and supporting the legal experts, the joint exercise of investigations into lawfulness of the exercise of special powers, and advising the CTIVD on technically complex questions/problems. The unit is expected to consist of three persons.

At the start of 2017, the first subprojects of project Oversight 3.0 have commenced. An annual evaluation will be carried out as part of the project, based on which adjustments can be made to the project if necessary.

One might also recall that in 2014, the CTIVD decided to involve a group of academics in the oversight process. (I personally believe that both that decision, and project Oversight 3.0, are indicators of realism and strength on the part of the CTIVD.)


Dutch gov’t released as open source a research prototype of its Privacy Enhanced Filter (PEF) software for pseudonymizing (large-scale?) traffic captures

The Dutch government — specifically the National Cyber Security Centre in joint work with the Netherlands Forensics Institute — today released its Privacy Enhanced Filter (PEF) research prototype as open source software (under Apache License 2.0). PEF is written in Java and pseudonymizes network traffic captures, thereby limiting the privacy invasion made by traffic analysis (e.g. signature-based or anomaly-based intrusion detection at a nation(-ish)-wide scale). PEF is open to scrutiny by the public, and importantly, ideas and code are welcomed — let me emphasize this last sentence of the press release cited below in full:

This allows other organizations and developers to view and use the source code at no cost. They can also improve PEF or add additional functionality.

The software that is released is a (research prototype) CLI tool that takes a PCAP or PCAPNG file as input, pseudonymizes IP addresses of internet packets containing DNS data (says the, and writes its output as a PCAP file. It is unclear (to me) whether a non-CLI sibling exists (either now, or soon).

This is the full press release from the National Cyber Security Centre:

Privacy Enhanced Filter (PEF) made available as opensource software

News | 25-04-2017

Effective detection and prevention of digital threats and risks are often in conflict with privacy regulations. The Privacy Enhanced Filter (PEF) can remove privacy sensitive information as much as possible from network traffic in such a way that detection and prevention remain possible. This is analogous to the operation of Google Street View, in which persons, license plates, etc. are anonymized, but the road, environment, and obstacles can still be seen. This allows detection measures to work without compromising privacy.

In close collaboration with the Netherlands Forensic Institute and with the NCTV Safety Through Innovation Program, the NCSC has implemented this application. PEF was then made available as open source software [1]. This allows other organizations and developers to view and use the source code at no cost. They can also improve PEF or add additional functionality.


Contents of the (note: in the box below, beware overflows due to long lines):

# Privacy Enhanced Filtering

A research prototype application demonstrating network traffic pseudonymization
using a model-driven engineering approach.

It uses declarative definitions to parse the following data structures:

- Link Layer:        Ethernet 2 Frame
- Internet Layer:    IPv4, ICMPv4, _IPv6 partially_
- Transport Layer:   UDP, TCP
- Application Layer: DNS formatted application data (DNS, MDNS, LLMNR, NBNS)

These are used to find network packets containing valid DNS requests and responses.

Supplied is a Java implementation of a format preserving encryption algorithm
that is used to pseudonymize IP addresses of internet packets containing DNS data.

## Limitations

Here is a list of known limitations of this PEF implementation:

- IPv6 parsing is not fully supported.
  (extension headers are not fully supported and only UDP/TCP/IPv4(IP in IP) are parsed further)
- TCP reassembly in order to recognize DNS payload over TCP is not supported yet. for example,
  large DNS transfers can be segmented over multiple packets)
- Only the protocols stated at the top are supported
- If for some reason packet data is not fully parsed, the packet is left untouched
- At least 8 bits have to be pseudonymized, or none
Limitations of the command line tool:
- Works only on PCAP and PCAPNG files

## Requirements:

- Java Runtime Environment 7
- Maven
- The test suite uses [jNetPcap](, which requires a native PCAP library, such 
  as `libpcap-dev` on Ubuntu or `WinPcap` on Windows.

## Usage

A command line tool is built around this implementation. This tool can can be used to pseudonymize 
DNS packets in PCAP/PCAPNG files.

Build the application:

$ mvn clean package

Show the command line tool usage:

$ java -jar target/pef-0.0.1-SNAPSHOT-jar-with-dependencies.jar -h


An example run could be:

$ java -jar target/pef-0.0.1-SNAPSHOT-jar-with-dependencies.jar -i inputfile.pcap -o anonymized.pcap -4 0123456789ABCDEF0123456789ABCDEF /10 -6 0123456789ABCDEF0123456789ABCDEF /55 -c ipv4,icmp,udp -m 4



- `java -jar target/pef-0.0.1-SNAPSHOT-jar-with-dependencies.jar` - execute the command line tool, pseudonymizes IP addresses of packets with DNS formatted application data
- `inputfile.pcap` - the input file to process (PCAP or PCAPNG)
- `anonymized.pcap` - the output file to write the results to
- `-4 0123456789ABCDEF0123456789ABCDEF /10` - pseudonymize IPv4 source and destination addresses, using format preserving encryption with the given key, but leave first ten bits untouched
- `-6 0123456789ABCDEF0123456789ABCDEF /55` - same as above, but for IPv6
- `-c ipv4,icmp,udp` - recalculate the IPv4 header, ICMP and UDP checksum (another possibility is `-c all`)
- `-m 4` - run across four threads

The pseudonymization parameter specifies the key to use and how much of the original message to transform. The key should be a 32 character hexadecimal string, 
representing 16 bytes, i.e. a 128-bit key. The part of the message to transform is determined by the mask. This value determines how many of the most significant
bits to keep. For example: IP address with /8 mask will pseudonymize to 255.x.x.x, where x are the encrypted values.

## License

Copyright 2015, 2016, 2017 National Cyber Security Centre and Netherlands Forensic Institute

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.