Author: mrkoot

Dutch Data Protection Agency’s considerations on necessity and proportionality of the hacking power for LE proposed by the Dutch govt

In May 2013, the Dutch government proposed legislation — specifically this document (.pdf, in Dutch) — that would grant Dutch law enforcement the power to break into “automated works” (computers, smartphones, etc.), for instance using FinFisher. The Dutch intelligence agencies have had that power since 2002. The Dutch LE agencies do not. But lack of legal authority notwithstanding, some hacking by Dutch police has been seen in practice: for instance to take down Bredolab (2010) and to fight child porn on Tor (2011). This is confirmed by the finding that the Dutch police indeed currently have active FinFisher licenses; and by yesterday’s answers (in Dutch) to Parliamentary questions on this topic (h/t @rejozenger).

The proposed legislation is flawed, as is apparent from the contributions to the public consultation that closed in July 2013, and from this post by Bits of Freedom. The legislation also proposes granting law enforcement the authority to force suspects of certain crimes (such as terrorism & child porn) to decrypt their data, under penalty of three years imprisonment or a fine of the fourth category (some 20k euro). Prior to the proposal, professor Bert-Jaap Koops was commissioned by the Dutch govt to carry out a study (.pdf, 2012, in Dutch) of infringement on nemo tenetur (the right not to self-incriminate) in other countries. Koops established three possible ways forward; the Dutch govt chose the toughest of the three.

In February 2014, the Dutch Data Protection Authority (CBP) published (.pdf) critical advice that addresses issues concerning necessity and proportionality of the proposed hacking power. The CBP recommends that the government not submit the proposal to Parliament in its current form. The report contains a few considerations that are interesting also to anyone unfamiliar with the proposal or even Dutch law.

Here is my translation of the interesting parts from the CBP’s advice (TL;DR: the proposal is insufficiently substantiated; there are flaws concerning necessity and proportionality):

1.4 Review of necessity, proportionality and subsidiarity

Necessity

With regard to the need to demonstrate necessity, the proposal argues on the basis of the technological developments that existing investigative powers are insufficient and necessitate more power. Although it is argued that law enforcement is in urgent need of this new power, and some scenarios are brought forward in which existing powers provide no solace, insufficient concrete evidence is provided that demonstrates an urgent need for society to introduce these infringing measures. The considerations underlying the proposed powers are indeed largely based on a number of concrete scenarios, but those do not in themselves sufficiently justify granting new powers. The urgency referred to in Article 8 of the ECHR also requires an independent contemplation and substantiation that transcends casuistry. The necessity (“pressing social need”) for the introduction of this new authority should be established conclusively in objective terms, and is currently insufficiently substantiated. The Dutch Data Protection Agency recommends including the missing considerations. Furthermore, the CBP considers the following.

Insufficient distinction is made between encryption of files and data by suspects, encryption of communication flows in transit, and the fact that people store data elsewhere, in the cloud. This distinction is essential to determine to what extent the power is necessary, and whether no other means exist to achieve the same goal that make a lesser infringement on privacy of those involved. In the Netherlands, all providers of public electronic communication networks and services are required to provide decrypts of communication they themselves encrypt. In case an investigation requires urgent access to data that are managed by foreign providers such as Google, Skype or Facebook, it is insufficiently substantiated that these providers would not cooperate with legal requests. The fact that they have or can provide access to the decrypted content of email and files on their servers, or can be asked to cooperate with intercepting the communication of a specific suspect. In case the suspect has encrypted data himself using software such as PGP or TrueCrypt, the investigators could use existing authorities, or use the proposed authority to force the suspect to decrypt the data. The necessity of exercising the power of breaking into computers is insufficiently substantiated, considering the size and severity of the privacy infringement it produces. Considering the use of Tor networks to encrypt communication in transit, it needs to be substantiated why other often-used methods of fighting serious crime are not effective (the requirement of subsidiarity).

When fighting botnets, scenarios are conceivable in which command-and-control servers are located abroad, or in which their location cannot be determined. In those cases, the existing powers do not suffice, and making the systems inaccessible through remote intrusion of an automated work may offer a solution. Also in case of specific scenarios, for instance an ongoing DDoS attack on a bank or another essential service, it is conceivable that this combination of powers can offer a solution. Also in case of bulletproof hosting providers, other means are insufficient. However, the reasoning that insufficient means are available in the case of bulletproof hosting providers does not warrant the conclusion that law enforcement needs to have access to all data stored in the cloud.

Proportionality

Concerning proportionality, the proposal ignores the size of the privacy infringement that will result from the introduction of this power. That infringement concerns the large amount and the nature of the personal data on the one hand, and on the other hand the large circle of persons whose right to privacy is infringed upon. The mandatory consideration of whether the severity of the privacy infringement is proportional to the objectives sought is missing in the proposal. According to the proposal, the power to carry out investigation in an automated work can only be used for the objectives mentioned under a to e. The objective under a (establishing the presence of data or determining the identity or location of the automated work or the user) is characterized as non-far-reaching, but once access has been obtained, the result will be far-reaching, and law enforcement has unlimited access to all available digital data. That also holds for the other objectives. After access is obtained through the use of spyware, that access cannot be restricted to the objectives stated in the warrant. This is not only disproportional, but also results in excessive processing of police data (Article 3, second paragraph, Police Data Act).

1.5 Safeguards

Given the extent of the power and the severity of the privacy infringement, the use of the power must have strict safeguards. The proposal provides several safeguards, including a clause that restricts the use of the power to suspects of crimes of a certain severity, the clause that the power can only be used for specific objectives, the mandatory specification of the grounds for the warrant, and the requirement of prior approval from the prosecutor by the magistrate. In addition to these safeguards, the CBP also considers the following safeguards to be essential.

Controls and logging

An important safeguard is the verifiability of the exercise of the power throughout the entire process, from requesting approval to using the power. Article 4, third paragraph of the Police Data Act, requires that adequate technical and organizational measures are taken, and requires that a comprehensive auditing system be set up for accountability during the entire process. In addition, knowledge of and insight into the used software is necessary. Quality and reliability, as well as possibly hidden vulnerabilities, must be the subject of constant evaluation. Besides the “regular” journaling and reporting, logging is important. Considering logging, it is argued that at all times it can be checked what technical actions were taken, such that at a later moment there can be no doubt about the nature and consequences of the actions that have been taken [6].

However, logging can as of yet not always result in showing all relevant actions [7]. It also holds that useful logging requires that the precise way in which the software works must be known, including the source code.

Legal protection; criminal system

This new power is placed in Title IV concerning any special coercive measures. These coercive measures are characterized by a certain knowability of their application to the person involved. The proposed power, on the contrary, is characterized by covert application, and therefore undeniably has the character of a special investigatory power. The special investigatory powers are placed in separate titles in the Code of Criminal Procedure, since the introduction of this system in 2000 by the Special Investigation Powers Act. The basic principle of this law is that investigation powers that carry a large risk to the integrity and verifiability of the investigation, or infringe upon fundamental rights of citizens, require a specific basis in the Code of Criminal Procedure. The interests and fundamental rights at stake require this. The title of general provisions that applies to all special investigatory powers contains specific safeguards that — at least partially — are withheld by the proposed placement in the title of coercive means.

Notification of individuals, oversight and review of effectiveness

Notification afterwards to the individual is, also considering the flawed current practice in which the mandatory notification often does not take place, a scant safeguard for the required accountability of use of the power. Taking into account the implications of the exercise of the power, it is also recommended that the proposal provides a control instrument that allows direct and effective oversight on the way the power is used, among others through means of a requirement to regularly provide statistics and overviews. In this regard, the inclusion of a sunset clause is indispensable.

We are yet to see what the government will do with this advice. The government submitted its proposal to the Dutch Council of State for (other) advice. After that, it may or may not be submitted to Parliament.

Some related topics: Europol recently published a report that warns of the risks of encryption and anonymity to law enforcement, and Bruce Schneier observed that the crypto wars are back.

EOF

Two short stories of real criminal use of computers in the 90s concerning Colombia, New Zealand and the UK

UPDATE 2014-10-16: turns out one of the stories mentioned in Aldrich’s book is a hoax. Thanks to Nick R for pointing me to this comment left at Bruce Schneier’s blog. I removed the story from the below post and apologize for spreading false information.

I’m reading Richard J. Aldrich’s book GCHQ – The Uncensored Story of Britain’s Most Secret Intelligence Agency (2010). Earlier I quoted a few of Aldrich’s paragraphs that discuss TEMPEST in the 1960s. I’m currently reading Chapter 24 (“The New Age of Ubiquitous Computing”) and think the following two examples by Aldrich of criminal use of computers in the 1990s are interesting to share here.

Aldrich’s first example is of a drug cartel using an IBM AS400 mainframe to analyze phone records to discover informants:

In the autumn of 1994, elite counter-drugs forces were searching a compound in an affluent neighbourhood of the Colombian city of Cali, home to some of the world’s major cocaine cartels. This time, instead of finding drugs, they uncovered a large computer centre, with six technicians slaving over an IBM AS400 mainframe around the clock. The presumption was that this had something to do with major underworld financial transactions, so the computer was dismantled and taken to the United States for analysis. In fact, the drug cartel had loaded all the office and home telephone numbers of US diplomats and counter-narcotics agents based in Colombia. They had then added the entire regional telephone log containing the call history of the last two years, purchased illegally from the commercial telephone company in Cali. This was being systematically analysed, using ‘data-mining’ software of the kind now commonly used by intelligence agencies, to identify all the people who had been calling the counter-narcotics officers on a regular basis. The drug barons were engaged in sophisticated sigint to uncover informants in their ranks. Chillingly, a dozen had already been assassinated, and this was the machine that had uncovered them. [Footnote 2: P. Kaihla, ‘The Technology Secrets of Cocaine Inc.’, Business2.com, July 2002]

Second and last, Aldrich cites cyber attacks on banks in the City of London by blackmailers:

In 1995 GCHQ also found itself investigating cyber attacks on banks in the City of London. Working with the Department of Trade and Industry and the Bank of England, it began to probe crimes which the banks were extremely anxious to hide. Outwardly, they claimed to be secure, but in fact they had paid out millions of pounds to blackmailers who had gained entry to their systems and threatened to wipe their computer databases. GCHQ was hampered by limited cooperation from the banks, which were reluctant to admit the extent to which they had been damaged, for fear of undermining the confidence of investors. Nevertheless, GCHQ was able to identify forty-six attacks that had taken place over a period of two years, including attacks on three British banks and one American investment house. One of the questions GCHQ was asking was how the blackmailers had gained access to ‘hacking’ technologies that had been developed by military scientists. [Footnote 4: Insight Team, ‘Secret DTI Inquiry Into Cyber Terror’, Sunday Times, 09.06.96.]

EOF

Sigint: definition, qualities, problems and limitations (quotes from Aid & Wiebes, 2001)

Below are a few quotes on sigint from Introduction: The Importance of Signals Intelligence in the Cold War ($) by Matthew M. Aid & Cees Wiebes, published in 2001 in the journal Intelligence and National Security Vol 16 Issue 1 (pages 1-26). The quotes cover the definition, qualities, problems and limitations of sigint.

First, here’s how Aid & Wiebes explain sigint, comint, elint and fisint (consistent with today’s technical definition of sigint on Wikipedia):

WHAT IS SIGNALS INTELLIGENCE?

A US Army publication defines Sigint as intelligence derived from the intercept, analysis, and parametric exploitation of foreign communications and non-communications radio-electronic emissions. A US Marine Corps manual defines Signals Intelligence (Sigint) as ‘intelligence gained by exploiting an adversary’s use of the electromagnetic spectrum with the aim of gaining undetected firsthand intelligence on the adversary’s intentions, dispositions, capabilities, and limitations’.

Sigint is composed of three separate but interrelated intelligence collection techniques: communications intelligence (Comint), electronics intelligence (Elint), and foreign instrumentation signals intelligence (Fisint). Communications Intelligence (Comint) is intelligence information derived from the intercept and processing of voice, Morse code, radioteletype, facsimile, multichannel (or microwave radio relay), and video signals. Comint does not include the interception of unencrypted written communications (mail), the monitoring of foreign public media or propaganda broadcasts, the interception of communications obtained during counterintelligence investigations, or wartime censorship activities.9

For example, during the 1950s and 1960s NSA intercept operators around the world spent most of their time monitoring and transcribing radio traffic concerning the day-to-day routine activities at foreign military bases around the world, such as communications from airfield control towers or ground stations directing aircraft movements, the radio traffic of ground forces manoeuvring in the field, ship-to-ship and ship-to-shore naval radio traffic, foreign military and civilian weather broadcasts, and air-to-ground civilian airline communications.10 During the Cold War, a typical American Comint target was the routine activity at Soviet airfields in East Germany and elsewhere. NSA voice intercept operators monitored the early morning radio checks from the air base, followed by radio traffic among the control tower, the firing range controller, the taxi strip monitor, the bombing range controller, the weather station, the aerial intercept controller, the ground safety crews, and the radar operators. The intercept operators then tracked the routine training flights of the base’s combat aircraft as they practised aerial intercepts or bombing attacks at ranges near the airfield. This required listening to hours of mundane air-to-air and/or air-to-ground radio chatter, which in turn required further hours to transcribe and process every day.

Electronics Intelligence (Elint) is concerned with the interception and analysis of emissions from foreign electronic devices. The most common Elint targets are the wide variety of radar systems used around the world for early warning, missile detection, ground control intercept, missile targeting, fighter target vectoring, and altitude determination. Through Elint, these radar systems can be identified by their function and type, their range and capabilities assessed, and their locations precisely fixed. This intelligence information is principally of interest to the military because, as a recently declassified US Air Force document put it: ‘By counting radars, specifying their precise location, determining their ranges, and evaluating their operational systems, analysts and engineers could develop countermeasures capable of jamming offensive surface-to-air missile radars and other defensive radars. Other Elint targets include navigation aids and radio beacons which provide geographic position information to ships, aircraft and other vehicles; air-to-air and air-to-ground identification signals, such as Identification, Friend or Foe (IFF) transponders, repeaters and interrogators; emissions from countermeasures equipment and radio jamming devices; radiation from missile guidance systems and artillery fuses; and emissions from meteorological devices, diathermy, radio heating, and research and development laboratories and field testing stations working on electronic devices.

[Foreign instrumentation signals intelligence (Fisint)] is defined as the collection and processing of emissions associated with the testing and operational deployment of aerospace, surface, and subsurface systems, which may have either military or civilian application. Fisint includes but is not limited to monitoring telemetry from ballistic missiles as well as manned and unmanned space vehicles, beaconry, electronic interrogators, tracking/fusing/arming/command systems, and video data links which relay data to a ground station concerning performance of space vehicles or weapons systems. As such, Fisint is the Sigint collection discipline primarily associated with the monitoring of foreign weapons research and development activities, including but not limited to ballistic missile testing.

Finally, in the last decade Sigint has become deeply involved with a new kind of electronic communications medium: digital data communications signals, which refers to the transmission of vast amounts of digital data among and between computer systems and networks. A good example of the traffic passing along this medium is electronic bank transfer data. NSA and its English-speaking Sigint partners refer to data traffic by the covername ‘Proforma’.

Concerning intrinsic qualities of sigint, Aid & Wiebes mention the following:

  1. The first is that Sigint is a passive intelligence collection technique that generally is conducted without the target’s knowledge. Moreover, Sigint collects information against communications targets that are oftentimes thousands of miles away, thus negating the need for the intercept sites to be near the targets being monitored. This means, generally speaking, that Sigint involves relatively little political or physical risk. […]
  2. Second, the objectivity and reliability of Sigint is great, but far from perfect. Former CIA Director Vice Admiral Stansfield Turner wrote in 1991 ‘electronic intercepts may be even more useful [than agents] in discerning intentions. For instance, if a foreign official writes about plans in a message and the United States intercepts it, if he discusses it and we record it with a listening device, those verbatim intercepts are likely to be more reliable than second-hand reports from an agent.’ A retired senior CIA officer opined that Humint can never be free from the biases and perceptions of its sources, that the information is oftentimes deemed tainted because it came from traitors motivated by greed or personal grievances, or that it was obtained by corrupting or seducing vulnerable human beings. But in its raw form, Sigint reproduces exactly what it records in an unvarnished, unbiased and undistorted fashion. […]
  3. Third, unlike other sources, some but certainly not all Sigint intercepts can stand on their own without the need for analysis or correlation with other sources, although practitioners of the Sigint craft and ‘all-source’ intelligence analysts screech in dismay whenever this occurs. This led to the practice during the Cold War of the President of the United States and senior White House officials getting each morning a Top Secret intelligence summary from the CIA and an even more highly classified publication called the Black Book, containing the most important decrypts produced by NSA during the previous 24 hours, along with the Agency’s commentary. […]
  4. Fourth, because of its reliability and the high-level attention that intelligence derived from Sigint received on both sides of the Iron Curtain, it proved to be (with apologies to U-2 and spy satellite aficionados) the premier source of information for national security officials and foreign policymakers during the Cold War. […]
  5. Fifth, Sigint was usually the fastest source of current intelligence information available to consumers. A congressional intelligence committee official said of Sigint that ‘it’s there quickly when needed’.40 Lieutenant General Daniel O. Graham, the former Director of the Defense Intelligence Agency (DIA), was quoted as saying ‘Most collection agencies give us history. The NSA is giving us the present.’ […]
  6. Sixth, Sigint produces more intelligence information on a broader range of subjects than any other intelligence source. In 1964 alone, NSA sent out approximately 150,000 finished intelligence reports and translations to its consumers in Washington, or more than 400 Sigint reports a day. […]
  7. Seventh, Sigint never sleeps. Agents and their handlers must sleep (we are after all only human!), and darkness or adverse weather could shut down imagery collection systems for weeks at a time. But Sigint collects and produces intelligence 24 hours a day, 365 days a year, regardless of the weather or other environmental conditions.
  8. Eighth, Sigint is flexible and more responsive to consumer tasking than most other intelligence sources. A 1998 congressional report stated that ‘much of NSA’s past strength has come from its localised creativity and quick-reaction capability’. You can quickly retarget Sigint, assuming that you possess the appropriate collection platforms and the manpower with the requisite skills to perform the mission. This made Sigint the source of choice during fast moving world crises during the Cold War. […]
  9. Ninth, intelligence insiders argue that Sigint’s potential as an intelligence source is greater than all other intelligence collection disciplines. One successful solution of a major foreign cryptographic system can generate more intelligence information in a day than all other sources combined. […]
  10. And tenth, relative to all other intelligence disciplines, many intelligence ‘insiders’ consider Sigint to be one of the most cost effective means of gathering intelligence. […]

Concerning problems and limitations of sigint, Aid & Wiebes mention the following:

  • Secrecy of Sigint: Historically, because of the need to protect sensitive sources, Sigint intercepts were given extremely limited distribution with the highest levels of government and the military, and even then, only on a need-to-know basis.71 A declassified 1952 US Army memorandum states: ‘It is fully realised that enemy communications are probably the most sensitive of all intelligence sources, and that every precaution must be taken to protect the security of our efforts to exploit them.’72 […]
  • Diminished Utility: The ability of consumers to use Sigint was strictly limited because of pervasive security considerations.83 For example, during the Korean War, American Top Secret intelligence reports derived from Comint carried the following caveat emptor: ‘Certain restrictions prohibit the further dissemination of this information either direct or paraphrased. Pertinent order of battle information included herein, that is not confirmed by other sources will be passed to divisions on a “need to know basis” only and will not be included in any routine intelligence reports or summaries.’84 […]
  • Failure to believe Sigint: Cold War history is replete with many examples of government officials, military commanders, and intelligence analysts who chose not to believe the Sigint they received. In part, this was because the reader did not understand the information they received, or trust the reliability of the Sigint source. More often than not, the Sigint was misused or ignored because it did not fit some preconceived notion already held by the reader. […]
  • Over-Reliance on Sigint. There are numerous examples of intelligence officials and military commanders placing undue reliance on Sigint to the exclusion of other sources of intelligence information. […]
  • Sigint Snobbery. As the importance of Sigint grew during the years after World War II, followed by the introduction of spy satellites in the 1960s, the value of Humint was rapidly marginalised within the American and British intelligence communities.96 This led to a pervasive sense of snobbery and self-infatuation by the denizens of the Sigint community in the West. Intelligence insiders referred to this elitism as the ‘Green Door’ syndrome. This led Humint partisans to complain that greater credence was almost always given to Sigint over Humint.97 […]
  • The Fragmentary Nature of Sigint: Sigint usually will provide hundreds if not thousands of pieces of a complex puzzle, but rarely will it yield the entire puzzle. Much of the information obtained by Sigint is fragmentary and indirect, requiring that analysts patiently sift through hundreds or thousands of intercepts in order to piece together the pieces of a puzzle. Even then, the puzzle more often than not remains largely incomplete, as in the case of the much-touted Venona decrypts. The fragmentary nature of most decrypts make them extremely difficult to understand, much less use.100 […]
  • Sigint Does Not Provide All the Answers. Generally, Sigint cannot measure a nation’s political will or morale, or detail the innermost workings of foreign governments. […]
  • Lack of Timeliness: Although Sigint insiders pride themselves on being fast, sometimes they are not fast enough because of the time and effort required to process, analyse and report to consumers the results of Sigint collection.104 […]
  • Too Much Information: Experience during the Cold War showed that NSA often did drown intelligence analysts in a sea of paper, such as during the 1968 Czech crisis and before the 1973 Middle East War. […]
  • Lack of Sigint: In some instances during the Cold War, good operational and communications security by the Soviet Union and its allies ‘blacked out’ Sigint, although these instances were fewer than previously believed. For example, in 1959 the Algerian National Liberation Front (FLN), which was fighting for the independence of Algeria from France, changed all of its codes, making them impossible for the French Comint service to decrypt.109
  • Deniability: Access to Sigint data can be denied by the use of encryption and other secure forms of communications, such as landline telephone and telegraph circuits, or more recently fibre-optic cables.110 For example, NSA lost much of its access to high-level Soviet communications traffic in the late 1940s and early 1950s when the Russian military shifted much of its high-level communications traffic to landlines.111 Recently introduced complex communications technologies, such as frequency hopping radio systems, have made the job of the Sigint intercept operator far more difficult than in the past.112 In recent years, Pakistani-backed guerrillas operating in the Indian state of Kashmir, calling themselves the Hizbul Mujahideen, have begun using frequency-hopping radios, burst transmission technology, citizen-band radios, satellite telephones, even sophisticated encryption technology, which has made it increasingly difficult for the Indian government’s Sigint services to monitor their communications traffic.113
  • Fragility of the Source: Because it is dependent on extremely fragile and sensitive sources and methods, Sigint is particularly vulnerable to damage caused by treason, defections, news leaks, or poorly considered public statements by government officials.114 […]
  • Communications Deception: Sigint is vulnerable to communications deception, although this is a very difficult and dangerous game to play.120 For example, the KGB decided not to play communications deception games with the Berlin Tunnel in order to protect their source inside MI6, George Blake.
  • Lack of a Co-ordinated Sigint Effort: Competing bureaucracies were the bane of the American and Soviet Sigint efforts during the Cold War, resulting in massive duplication of effort and wasted resources. […]
  • Technical Issues: Sigint’s ability to perform effectively is subject to the vagaries of atmospheric conditions and solar flare activities. For example, in the mid-1950s, the Canadian intercept site at Churchill in Manitoba was forced to shut down its operations for days at a time because atmospheric anomalies, which are common in the northern climes, prevented the station’s operators from hearing any high-frequency signals.129 Terrain is also a significant limiting factor. For example, Sigint intercept operators have historically experienced great difficulty copying radio signals emanating from urban areas, densely wooded terrain or in mountainous regions.130 Finally, radio interference coming from major urban areas or industrial activities in the vicinity of the listening post can wreak havoc with radio intercept operations.131 For example, the Canadian listening post at Inuvik in northern Canada had to be closed in April 1970 because radio interference from nearby oil exploration activity significantly affected the station’s ability to monitor HF radio signals coming from the Soviet Union.13

And a last note I’d like to keep here:

A 1973 memorandum to the Dutch Prime Minister described that nation’s Sigint organisation as ‘[T]he most valuable asset we have to collect an intelligence product that is valuable to all interested parties.’

EOF

Dutch sigint in the 80s: deception to get on board of Soviet ships to plant tracking devices

Historic tidbit on Dutch sigint in the 1980s, from Richard Aldrich’s book GCHQ – The Uncensored Story of Britain’s Most Secret Intelligence Agency (2010):

The idea of GCHQ teaming up with the Europeans was not a bad one. European sigint services such as those of the Norwegians, the Germans and the Dutch were highly professional, and had made many important contributions to Western intelligence down the years, not least during the Falklands War. They often displayed brilliant lateral thinking. When Soviet naval ships entered Dutch harbours in the 1980s, their hosts would often complain that the Soviet radar was interfering with local television broadcasts and insist on a snap technical inspection. The crafty Dutch used this opportunity to plant a small tracking device high up on the Soviet ships that was no more than the size of a brick. This tracking device was so successful that it became a standard technique across the Western secret services. Typically, a small group of British SBS personnel worked with SIS and GCHQ on similar tasks in the 1990s. [Footnote 17: Tomlinson, The Big Breach, p.77]

EOF

[UPDATED] Dutch Senate requests govt to abstain from legalizing cable SIGINT in a way that permits “unconditional, indiscriminate and large-scale” surveillance

UPDATE 2015-07-02: the Dutch government released an intelligence bill into public consultation. Details here.

UPDATE 2014-10-07: the votes are in: all motions were adopted by the Senate, except the motion filed by senator Strik (GroenLinks). It’ll be interesting to see how the Dutch govt will respond to the Senate’s requests for an investigation into the independence and reliability of standardization bodies such as the IETF (perhaps due to the discussion on Kevin Igoe, associated with NSA, being co-chair of IETF’s Crypto Forum Research Group), NIST (of DUAL_EC fame) and the GSM Association.

On Tuesday September 23rd, the Dutch Senate discussed topics concerning privacy and intelligence & security services. The full transcripts are here (part 1; in Dutch) and here (part 2; in Dutch). The following motions were filed, and will be voted on during the plenary meeting of Tuesday October 7th (h/t @AndreasUdo):

  • [ADOPTED] Senator Franken (CDA) filed a motion (.pdf, in Dutch) requesting the government to abstain from extending interception powers in a way that would permit “unconditional, indiscriminate and large-scale” surveillance of cable communications. Note that Dutch intelligence & security services are currently permitted to carry out bulk interception/search only of non-cablebound communications, such as HF radio and satellite. Oversight of the exercise of that power is currently broken. Nonetheless, the government is currently dreaming up a bill that may extend this power to include cable communications. Think of GCHQ’s Tempora and NSA’s DANCINGOASIS, but on a way smaller budget and in a different intelligence culture.
  • [ADOPTED] Senator De Vries (Labour Party) filed a motion (.pdf, in Dutch) requesting the government to investigate the independence and reliability of bodies that standardize security protocols, mentioning IETF, NIST, GSM Association as examples. Think of the DUAL_EC controversy here.
  • [ADOPTED] Senator De Vries (Labour Party) filed a motion (.pdf, in Dutch) requesting the government to create safeguards concerning the decision-making on the disclosure or non-disclosure of vulnerabilities found by the Dutch intelligence & security services (think of the JSCU). The senator states that the decision to disclose or not disclose a vulnerability cannot be made by the services themselves, because the interest of all internet users has to be taken into account; thus implying that the services cannot be relied upon to take the interest of all internet users sufficiently into account.

In addition, the following motions were filed:

  • [ADOPTED] Senator Franken (CDA) filed a motion (.pdf, in Dutch) requesting the government to ensure that the current and future legal framework and oversight mechanisms are compliant with the European Convention on Human Rights (ECHR) and EU legislation concerning data protection. In that same motion, the senator requested the government to protect citizens against observation by Dutch or foreign services in a way that violates the ECHR and to guarantee that the rule of law is not weakened as a result of extraterritorial use of a foreign law. No specific examples are mentioned, but EO 12333 and FISA come to mind.
  • [WITHDRAWN] Senator Strik (GroenLinks) filed a motion (.pdf) requesting the government to “investigate the usefulness and necessity of independent oversight on government institutions that are not covered by the Dutch Review Committee on the Intelligence and Security Services (CTIVD), but that do carry out similar tasks that involve infringement on the right to privacy”.
  • [ADOPTED] Senator Gerkens (Socialist Party) filed a motion (.pdf, in Dutch) requesting the government to commission the Rathenau Institute to investigate the desirability of a committee that can advise on the ethical aspects of digitization; considering the Internet of Things, that will connect “everything and everyone”, will bring opportunities but also threats; considering that the effects of this digital development on society will be not only technological, but also societal, social-legal and social-psychological.

EOF